Netgate Discussion Forum
    HAProxy forwardfor trouble

aviz129:

      Hello everyone,

I'm running into trouble with a feature of HAProxy on my pfSense 2.1 cluster. The issue I am running into is related to the "forwardfor" option of HAProxy frontends, where it sets the X-Forwarded-For header for HTTP requests. Unfortunately, even though this option is enabled, it still does not set it. I've tried for two days to get this to work without success.

      I'm running these versions:

      Version 2.1-RELEASE (amd64)
      built on Wed Sep 11 18:17:37 EDT 2013
      FreeBSD 8.3-RELEASE-p11

      HAProxy package:

      1.4.24 pkg v 1.1

      I'm running nginx on the actual webservers that serve the request.

PiBa:

        Hey Aviz,
        Can you post (anonymized) what the /var/etc/haproxy.conf file looks like?
Also make sure you're using mode 'http', as that is the only mode that supports changing contents.
        Or maybe give haproxy-devel package a try..
        Greets PiBa-NL

aviz129:

          Hi Piba,

          Thanks for your reply.  Here it is:

# /var/etc/haproxy.conf as generated by the pfSense HAProxy 1.4 package
# (backend addresses anonymized as "x" / "a" by the poster)
global
    maxconn 9999999
    uid 80
    gid 80
    nbproc 8
    chroot /var/empty
    daemon

# MySQL: plain TCP pass-through, active/backup
listen db_lb
    bind 10.255.1.242:3306
    mode tcp
    log global
    option dontlognull
    maxconn 10000
    clitimeout 30000
    balance roundrobin
    contimeout 30000
    srvtimeout 30000
    server db2a x:3306  check inter 1000 weight 10
    server db2b x:3306  check inter 1000 weight 10 backup

# Application port: TCP pass-through, sticky on client source address
listen a_lb
    bind 10.255.1.240:9802
    mode tcp
    log global
    option dontlognull
    maxconn 1000
    clitimeout 30000
    balance source
    contimeout 30000
    srvtimeout 30000
    server aa a:9802  check inter 1000 weight 10
    server ab a:9802  check inter 1000 weight 10

# HTTP: mode http, so haproxy parses the request and can add X-Forwarded-For
listen x_lb_http
    bind x:80
    mode http
    log global
    option dontlognull
    option httpclose
    option forwardfor
    maxconn 10000
    clitimeout 30000
    balance roundrobin
    contimeout 30000
    srvtimeout 30000
    server xa_http x:80  check inter 1000 weight 10
    server xb_http x:80  check inter 1000 weight 10 backup

# HTTPS: mode tcp, so the TLS stream is relayed byte-for-byte; the two
# HTTP-level options below have no effect here because haproxy never
# sees the plaintext request
listen x_lb_https
    bind x:443
    mode tcp
    log global
    option dontlognull
    option httpclose
    option forwardfor
    maxconn 10000
    clitimeout 30000
    balance roundrobin
    contimeout 30000
    srvtimeout 30000
    server xa_ssl x:443  check inter 1000 weight 10
    server xb_ssl x:443  check inter 1000 weight 10 backup

          The last one, "listen x_lb_https" is the one I'm having trouble with.  Note that the mode is in tcp right now, but I've also had it in https with the exact same result.

PiBa:

            Hey Aviz,

When using "mode tcp", haproxy cannot modify headers sent through the encrypted SSL connection.

Your only option when needing to modify https traffic would be to switch to the haproxy-devel package and configure a certificate to perform ssl-offloading/decryption on haproxy, and then modify headers before sending to the backends. You can choose whether or not you want that backend connection to be encrypted again, which might be required for the application to work properly, though plain http to the backend would take less CPU power. (You might also accomplish this by putting 'stunnel' in front of haproxy 1.4, but I would not recommend that.)

Another option when using haproxy-devel would be to use its transparent client-ip option, so the backend sees the connection coming in from the actual client IP. Please note that the backend then 'must' use pfSense as its default gateway for reply traffic to be properly processed by HAProxy, and that connections directly to the backend will fail with the current 'fwd' rules used in ipfw.

            Greets PiBa-NL

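As an added example (not code from this thread or from the pfSense package), the following is what the haproxy-devel setup PiBa describes could look like in HAProxy 1.5-style syntax: TLS is terminated on the `x:443` listener so haproxy can edit headers, X-Forwarded-For is reset before `option forwardfor` appends the real client address, and the backend connection is re-encrypted and verified. The certificate path `/var/etc/haproxy/x.pem`, the CA file `/var/etc/haproxy/backend-ca.pem`, the `x` host placeholders, and the `x_backend_transparent` section are assumptions for illustration.

```haproxy
global
    maxconn 10000
    uid 80
    gid 80
    chroot /var/empty
    daemon
    # Assumed hardening for the TLS-terminating bind (not in the thread).
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option dontlognull
    timeout connect 30s
    timeout client  30s
    timeout server  30s

frontend x_lb_https
    # TLS is decrypted here, so haproxy sees the plaintext HTTP request.
    # The PEM file (assumed path) holds the certificate chain and private key.
    bind x:443 ssl crt /var/etc/haproxy/x.pem
    mode http
    option httpclose
    # Remove any X-Forwarded-For the client sent, then let forwardfor add the
    # real source address; otherwise a client can inject a fake client IP
    # that the backend would log or authorize on.
    http-request del-header X-Forwarded-For
    option forwardfor
    default_backend x_backend_https

backend x_backend_https
    mode http
    balance roundrobin
    # Re-encrypt to the backends and verify their certificate against an
    # assumed CA file; drop "ssl verify required ca-file ..." and use :80
    # for plain HTTP to the backends if the extra CPU cost matters more.
    server xa_ssl x:443 ssl verify required ca-file /var/etc/haproxy/backend-ca.pem check inter 1000 weight 10
    server xb_ssl x:443 ssl verify required ca-file /var/etc/haproxy/backend-ca.pem check inter 1000 weight 10 backup

# Alternative to forwardfor: transparent proxying, so the backend sees the
# client's own IP as the source of the TCP connection. This needs the
# package's ipfw 'fwd' rules and pfSense as the backends' default gateway,
# as PiBa notes above.
backend x_backend_transparent
    mode http
    balance roundrobin
    source 0.0.0.0 usesrc clientip
    server xa_ssl x:443 ssl verify required ca-file /var/etc/haproxy/backend-ca.pem check inter 1000 weight 10
    server xb_ssl x:443 ssl verify required ca-file /var/etc/haproxy/backend-ca.pem check inter 1000 weight 10 backup
```

On the nginx side, the header is only trustworthy if nginx accepts it from the HAProxy address alone: with the realip module, `set_real_ip_from` pointed at haproxy's backend-facing IP (assumed here to be one of the 10.255.1.x addresses from the thread) plus `real_ip_header X-Forwarded-For;` makes `$remote_addr` the client IP while ignoring the header on connections that bypass the proxy.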
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.