Netgate Discussion Forum

HAProxy show correct client ip

Cache/Proxy
4 Posts 2 Posters 11.5k Views
trumee

      Hi,

I want to set several options in HAProxy for my nginx to show the correct IP address. I came across the following post https://philio.me/showing-the-correct-client-ip-in-logs-and-scripts-when-using-nginx-behind-a-reverse-proxy/ to do this.

Where can I find the options to set in the pfSense UI:

      option http-server-close
      option forwardfor
      real_ip_header X-Forwarded-For

At the moment my conf looks like this:

      
      global
              maxconn                 100
              stats socket /tmp/haproxy.socket level admin
              uid                     80
              gid                     80
              nbproc                  1
              chroot                  /tmp/haproxy_chroot
              daemon
      
      listen HAProxyLocalStats
              bind 127.0.0.1:2200 name localstats
              mode http
              stats enable
              stats admin if TRUE
              stats uri /haproxy_stats.php?haproxystats=1
              timeout client 5000
              timeout connect 5000
              timeout server 5000
      
      frontend frontend
              bind                    mypubip:443 name mypubip:443
              mode                    tcp
              log                     global
              maxconn                 100
              timeout client          30000
              tcp-request inspect-delay       5s
              acl                     web1-acl       req.ssl_sni -i web1.mydomain.com
              acl                     web2-acl     req.ssl_sni -i web2.mydomain.com
              tcp-request content accept if { req.ssl_hello_type 1 }
      
              use_backend web1backend_https_ipvANY  if  web1-acl
              use_backend web2_https_ipvANY  if  web2-acl
              default_backend web1backend_https_ipvANY
      
      backend web1backend_https_ipvANY
              mode                    tcp
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              option                  httpchk OPTIONS /
              server                  mywebsite 192.168.1.2:443 check-ssl check inter 1000  weight 10 verify none
      
      backend web2_https_ipvANY
              mode                    tcp
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              option                  httpchk GET /
              server                  web2 192.168.1.3:443 check-ssl check inter 1000  verify none
      
      
PiBa

        Hi Trumee,

The 'Use "forwardfor" option' and 'Use "httpclose" option' in the frontend settings are likely what you're looking for.
B.t.w., it should not be required for HAProxy to use httpclose: when using 1.5 or above, the default is to inspect and modify all HTTP requests, whereas 1.4 switched to tunnel mode after 1 request. Anyway, it should be easy enough to test if nginx keeps logging the correct client IP for a keepalive connection.

Of course, if all GUI options fail it's always possible to use the 'advanced' sections to insert some custom configuration options of your own :). But I don't think you need to in this case.

        The third setting real_ip_header is something you must configure inside nginx.

        Regards,
        PiBa-NL

trumee

          Hi PiBa-NL,

I don't see these options in the frontend with the HAProxy-devel package. In which block should these options appear: Actions, Stats options, or Advanced settings?

          My frontend type is set to SSL/HTTPS(TCP mode).

          Thanks

PiBa

            Hi Trumee,

Ah, I overlooked that indeed. If you're using TCP mode it is not possible to modify the HTTP content inside the encrypted SSL connection.
1- So to use the options I wrote, you need to perform offloading on HAProxy and load the certificates on pfSense.

            Other options are:
2- proxy-protocol (on the server line you could add an advanced setting "send-proxy" or -v2 -v2-ssl -v2-ssl-cn, but the backend must be configured to expect those..) http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#5.2-send-proxy
3- Transparent-Client-IP (this is a setting on the backend, but do read the warnings!)

If you don't want to decrypt SSL traffic on HAProxy, then option 2 would probably be best if your nginx supports it.

            Regards,
            PiBa-NL

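The nginx side of PiBa's options 1 and 2, as an added example that is not from this thread or from the pfSense HAProxy package. It assumes 192.0.2.10 is the address HAProxy connects from (an assumed placeholder; use the pfSense LAN address), assumed certificate paths under /etc/nginx/certs/, and the two hostnames from trumee's config. The point a practitioner should not skip is set_real_ip_from: real_ip_header alone makes nginx trust the header or PROXY line from anyone who can reach the port, so the rewrite must be limited to the HAProxy address.

```nginx
# Added example, not part of the original thread.
# 192.0.2.10 is an ASSUMED placeholder for the pfSense/HAProxy host address.

# Option 1: HAProxy terminates TLS (frontend in http mode with the
# 'Use "forwardfor" option' enabled) and forwards plain HTTP to nginx.
# nginx replaces $remote_addr with the X-Forwarded-For value, but only
# for connections that arrive from HAProxy itself.
server {
    listen 80;
    server_name web1.mydomain.com;

    set_real_ip_from 192.0.2.10;      # only HAProxy may supply the client address
    real_ip_header   X-Forwarded-For;
    real_ip_recursive on;             # walk past trusted proxies to the last untrusted hop

    # $remote_addr in this log now shows the real client, not 192.0.2.10
    access_log /var/log/nginx/web1.access.log;

    location / {
        root /var/www/web1;           # assumed document root
    }
}

# Option 2: HAProxy stays in TCP mode and the server line carries
# send-proxy (or send-proxy-v2). TLS remains end to end between the
# client and nginx; the client address travels in the PROXY protocol
# header that precedes the TLS ClientHello.
server {
    listen 443 ssl proxy_protocol;
    server_name web2.mydomain.com;

    ssl_certificate     /etc/nginx/certs/web2.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/web2.key;   # assumed path

    set_real_ip_from 192.0.2.10;      # accept the PROXY header only from HAProxy
    real_ip_header   proxy_protocol;  # take $remote_addr from the PROXY header

    access_log /var/log/nginx/web2.access.log;

    location / {
        root /var/www/web2;           # assumed document root
    }
}
```

With option 2, every connection to that listen port must begin with a PROXY header, including HAProxy's health checks; HAProxy sends it on checks by default when the server line has send-proxy and no separate check port is set. A direct connection to nginx that skips the header will fail the handshake, which is also a quick way to confirm the setting took effect.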
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.