Netgate Discussion Forum
    Stripping spoofed ip from Forwarded-for

Category: Cache/Proxy
    5 Posts 2 Posters 812 Views
pr3dict

I can't seem to find any documentation on how to correctly implement this. In the HAProxy docs it says that to strip any client-provided IP address information from the header before sending to the backend server, the following syntax should be used:

      reqidel ^X-Forwarded-For:.*

      However, I do not see where I should add that in the frontend of the PFSense HAProxy GUI.

For context, I had a downstream server that had its own ACL rules based on client IP from a forwardedfor header that was sent from HAProxy. From my understanding HAProxy as configured with the Forwarded-for checkbox just forwards whatever is provided by the connecting client even if it's spoofed. I want to stop that from happening.

michmoor @pr3dict

@pr3dict can't it be passed through the front end using advanced pass through?

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

pr3dict @michmoor

          @michmoor I guess it could but before I do that I was looking for clarification as I don't really have a way to test if it's working hah.

michmoor @pr3dict

@pr3dict This option doesn't work for you?

[image attachment: screenshot of the HAProxy frontend option]


pr3dict @michmoor

@michmoor so that option allows the possibility for a client to provide their own header that might include an IP address that isn't the real source IP. This allows for the possibility for a backend to be connected by a client that is pretending to be a different IP than it really is.

              The line I added above tells the proxy to strip any IP address provided by the client and forwards only the real IP.

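The following is an added example, not configuration posted by either participant or shipped by the pfSense HAProxy package. It shows the frontend stanza that implements what the thread is asking for: discard any client-supplied X-Forwarded-For, then let HAProxy add the header itself so the backend only ever sees the address of the TCP connection. It uses the `http-request del-header` form because the `reqidel` directive quoted in the first post was deprecated in HAProxy 2.0 and removed in 2.1. The frontend and backend names, bind address and certificate path are placeholders; on pfSense the two `http-request`/`option` lines are what would go into the frontend's "Advanced pass thru" box, alongside the forwardfor checkbox the thread refers to.

```haproxy
# Added example (not from the thread): frontend that replaces, rather than
# appends to, X-Forwarded-For. Names and paths are placeholders.
frontend fe_web
    bind *:443 ssl crt /usr/local/etc/haproxy/placeholder.pem

    # 1. Drop whatever the client sent. Without this, "option forwardfor"
    #    appends the real source address to the client's value, so a backend
    #    that reads the first entry of the list can be fed a spoofed address.
    http-request del-header X-Forwarded-For

    # 2. HAProxy now adds X-Forwarded-For containing only the real source
    #    address of the TCP connection (http-request rules run before this).
    option forwardfor

    default_backend be_app

backend be_app
    # Any per-client restrictions enforced on HAProxy itself should key off
    # the connection source, which cannot be influenced by request headers.
    # 192.0.2.0/24 is a documentation range used here as a placeholder.
    acl admin_net src 192.0.2.0/24
    http-request deny if { path_beg /admin } !admin_net
    server app1 10.0.0.10:8080 check
```

One caveat worth checking before deploying this: if a trusted proxy or CDN sits in front of HAProxy, its X-Forwarded-For carries the genuine client address, and deleting it unconditionally would throw that away. In that case restrict the delete to untrusted sources, for example by defining an `acl` on `src` for the upstream proxy's addresses and writing `http-request del-header X-Forwarded-For unless <that acl>`. Verification is straightforward even without a second machine: send a request through the proxy with a fabricated X-Forwarded-For value and confirm in the backend's access log that only the connecting address arrives.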
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.