HAProxyD Issue in pfSense+ - I am unable to get the actual IP of the client in the backend NGINX server
-
Hi!
I am stuck on an issue and unable to solve it; any help in this matter will mean a lot to me.
I am unable to get the actual IP of the client in the backend server after trying:
Option Forwardfor
Transparent Client IP
Advanced Pass Thru for option ForwardFor
Tried every kind of logging-format help available on this platform
None of these work. Here's the config file:

# Automaticaly generated, dont edit manually.
# Generated on: 2023-05-18 12:51
global
    maxconn 100000
    log ssp.mydomain.com:514 syslog emerg
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    gid 80
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    log-send-hostname SSP
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend share_domain_ca-merged
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl ips_host_acl var(txn.txnhost) -m str -i ips.mydomain.com
    acl dev_domain_ca_acl var(txn.txnhost) -m sub -i dev
    acl stagingHTTP var(txn.txnhost) -m sub -i staging
    http-request set-var(txn.txnhost) hdr(host)
    use_backend Ips_domain_ca_ipvANY if ips_host_acl
    use_backend httpdev_ipvANY if dev_domain_ca_acl
    use_backend Staging-HTTP_ipv4 if stagingHTTP

frontend share_domain_caHTTPS-merged
    bind name ssl crt-list /var/etc/haproxy/share_domain_caHTTPS.crt_list crt-ignore-err all
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl ips_host_acl var(txn.txnhost) -m str -i ips.mydomain.com
    acl aclcrt_share_domain_caHTTPS var(txn.txnhost) -m reg -i ^ips.domain.ca(:([0-9]){1,5})?$
    acl dev_domain_ca_aclHTTPS var(txn.txnhost) -m sub -i dev
    acl StagingONHTTPS var(txn.txnhost) -m beg -i staging
    acl BapStagingONHTTPS var(txn.txnhost) -m sub -i bapv4.staging.mydomain.com
    acl New.StagingOnHttps var(txn.txnhost) -m sub -i new.staging.admin.mydomain.com
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^bapv4.staging.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^new.staging.admin.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.account.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.admin.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.brand.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.business.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.deploy.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.reward.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.service.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.bapv4.staging.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.new.staging.admin.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.account.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.admin.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.brand.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.business.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.deploy.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.reward.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.service.domain.ca(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend IPShttps_ipvANY if ips_host_acl aclcrt_share_domain_caHTTPS
    use_backend SSLdev_domain_caHTTPS_ipvANY if dev_domain_ca_aclHTTPS
    use_backend Staging-HTTPS_ipvANY if StagingONHTTPS aclcrt_StagingonHTTPSFrontend
    use_backend Staging-HTTPS_ipvANY if BapStagingONHTTPS aclcrt_StagingonHTTPSFrontend
    use_backend Staging-HTTPS_ipvANY if New.StagingOnHttps aclcrt_StagingonHTTPSFrontend

backend Ips_domain_ca_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    option forwardfor
    server ips 172.31.4.245:80 id 101 check inter 1000

backend httpdev_ipvANY
    mode http
    id 104
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    option forwardfor
    server devhttp 172.31.7.108:80 id 101 check inter 1000

backend Staging-HTTP_ipv4
    mode http
    id 10110
    log global
    balance roundrobin
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    source ipv4@ usesrc clientip
    server StagingHTTP serverip:80 id 10111 check inter 1000

backend IPShttps_ipvANY
    mode http
    id 102
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    option forwardfor
    server IPShttps 172.31.4.245:443 id 103 ssl check-ssl check inter 1000 verify none

backend SSLdev_domain_caHTTPS_ipvANY
    mode http
    id 105
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    server SSLdev_domain_caHTTPS 172.31.7.108:443 id 103 ssl check-ssl check inter 1000 verify none

backend Staging-HTTPS_ipvANY
    mode http
    id 108
    log global
    balance roundrobin
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    option forwardfor
    server StagingHTTPS serverip:443 id 109 ssl check-ssl check inter 1000 verify none
-
@shahidakhter said in HAProxyD Issue in pfSense+ - I am unable to get the actual IP of the client in the backend NGINX server:
I am unable to get the actual IP of the client in the backend server after trying:
Option Forwardfor
Transparent Client IP
These are different ways to get the client IP on the backend.
ForwardFor inserts the "X-Forwarded-For" header with the origin client IP into the request to the backend.
You have to configure your backend server to utilize it.
In transparent mode HAProxy sends requests with the source of the origin client IP to the backend.
But this is a pretty hack. I'd rather recommend using ForwardFor.
But you have to state the ForwardFor option in the frontend, not in the backend. On the frontend settings page there is a checkbox to enable it.
Also I'm wondering why your frontends are listening on the loopback address. Did you forward the incoming traffic to it?
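The backend-side configuration the reply above refers to, as an added example that is not from this thread or from pfSense: NGINX is told to take the client address from the X-Forwarded-For header that HAProxy's "option forwardfor" inserts, but only when the request comes from the HAProxy box itself, and it logs both the rewritten address and the raw header so you can see what HAProxy actually sent (the "X-Forwarded-For column" asked about later in the thread). The HAProxy address 172.31.0.1 and the upstream on 127.0.0.1:8080 are placeholders, not values from the thread.

```nginx
# Added example, not from the thread. Assumes pfSense/HAProxy reaches this
# backend from 172.31.0.1 (placeholder; use your HAProxy interface address).
http {
    # Only trust X-Forwarded-For when the TCP peer is HAProxy. Any client can
    # put its own X-Forwarded-For header on a request, so trusting every
    # source (0.0.0.0/0) would let a client choose the IP that gets logged
    # and that allow/deny or rate limits are keyed on.
    set_real_ip_from  172.31.0.1;
    real_ip_header    X-Forwarded-For;
    # With a single trusted hop this simply picks the client that HAProxy saw.
    real_ip_recursive on;

    # $remote_addr is rewritten by the realip module; keep the untouched
    # values alongside it so a wrong set_real_ip_from is easy to spot.
    log_format proxied '$remote_addr - [$time_local] "$request" $status '
                       '$body_bytes_sent "$http_user_agent" '
                       'xff="$http_x_forwarded_for" '
                       'peer="$realip_remote_addr"';

    server {
        # The HTTPS server block works the same way; the realip directives
        # apply to both because they live at http level.
        listen 80;
        server_name ips.mydomain.com;

        access_log /var/log/nginx/ips.access.log proxied;

        location / {
            # Whatever application sits behind NGINX (placeholder upstream).
            proxy_pass http://127.0.0.1:8080;
            # Pass the already-resolved client address on, do not re-append
            # the possibly client-supplied header chain blindly.
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
```

If the log shows peer= as the HAProxy address but xff= empty, HAProxy is not inserting the header for that backend; if xff= is filled but $remote_addr still equals the peer, set_real_ip_from does not match the address HAProxy connects from.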
-
@viragomann Hi! Thanks for the response.
I tried configurations on the actual server, e.g. nginx, and turned on the X-Forwarded-For header from there, and it worked.
I have a simple setup, listening on WAN:443 and then forwarding to the server.
If you have any suggestions, do let me know.
I appreciate your support.
Thanks again.
-
@shahidakhter said in HAProxyD Issue in pfSense+ - I am unable to get the actual IP of the client in the backend NGINX server:
e.g. nginx, and turned on the X-Forwarded-For header from there, and it worked.
If you have any suggestions, do let me know.
So did you see the client IP in the log now? If not, what do you see in the X-Forwarded-For column?
-
@viragomann It is working. Just needed to configure NGINX for the header.
But I am facing a speed issue; a simple webpage is taking 30+ seconds to load.
It's on AWS, I don't know what to do now.
-
@shahidakhter
Does this also happen if you bypass HAProxy?
Simply add a NAT port forwarding rule on WAN to the backend server for testing.