[Solved] How to configure HAProxy to forward client IP's to backend web servers
-
Hi guys,
Currently I have a problem with forwarding client IP's to backend web servers.
This means I only see the HAProxy IP address in my apache access log. Please find below my config:
2.4.4-RELEASE-p3 (amd64)
```haproxy
global
    maxconn 1000
    log /var/run/log local0 info
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend http-to-https
    bind my WAN IP:80 name my WAN IP:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    http-request redirect scheme https

frontend shared-frontend-merged
    bind my WAN IP:443 name my WAN IP:443 ssl crt-list /var/etc/haproxy/shared-frontend.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]
    acl ACL1 var(txn.txnhost) -m str -i my.sub.domain
    acl aclcrt_shared-frontend var(txn.txnhost) -m reg -i ^([^.]*).my.domain(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend my.domain_ipvANY if ACL1

backend my.sub.domain_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server my.sub.domain my.backend.ip:443 id 101 ssl check inter 1000 verify none
```
As shown above, I'm currently using 3 frontends and 1 backend:
- frontend http-to-https = to redirect http requests to https
- frontend shared-frontend = to provide a wildcard ssl certificate for all of my subdomains (currently I'm using only one sub domain/backend)
- frontend my.sub.domain = to forward all appropriate requests to the sub.domain backend
- backend my.sub.domain = receives all requests from frontend my.sub.domain
I hope I could clearly describe my current environment.
As also shown above in config file, I added "http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]" to Advanced pass thru box in frontend shared-frontend but without success.
I also enabled the apache module mod_rpaf on my apache web server with below site config:
```apache
<IfModule mod_rpaf.c>
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips my HAProxy IP
</IfModule>
```
Do you know what needs to be set exactly in HAProxy config to forward client IP's to backend web servers?
Thanks in advance.
Philipp
-
There was no issue with HAProxy.
The issue was related with my Apache config, sorry for that.
I'm now using mod_remoteip instead of deprecated mod_rpaf and appropriate log format options.
On HAProxy side, it's only required to select option 'Use "forwardfor" option' in the frontend, as described in below documentation:
https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_pass_clientip_to_webserver
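As an added example (not from Philipp's posts or the linked wiki), this is what the Apache side of that solution looks like: mod_remoteip trusting X-Forwarded-For only when the request arrives from HAProxy, plus a log format that records the substituted client address. The HAProxy address 10.0.0.5 is a placeholder; the HAProxy frontend only needs `option forwardfor`, which is already present in the config above.

```apache
# Added example, not from the original thread. Replaces the mod_rpaf block
# with mod_remoteip (enable it first: a2enmod remoteip, or LoadModule
# remoteip_module on non-Debian layouts).
# Assumption: HAProxy reaches Apache from 10.0.0.5 (placeholder address).
<IfModule remoteip_module>
    # Header written by HAProxy when "option forwardfor" is set in the frontend.
    RemoteIPHeader X-Forwarded-For

    # Trust the header only when the TCP peer is HAProxy itself. A client that
    # connects directly and supplies its own X-Forwarded-For is ignored, so it
    # cannot forge the address that ends up in the log or in Require ip rules.
    RemoteIPInternalProxy 10.0.0.5
</IfModule>

# %a is the client address after mod_remoteip substitution; %{c}a is the
# underlying TCP peer (HAProxy). A format built on the default %h may keep
# showing the proxy address, which is the symptom described in the thread.
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" proxied
CustomLog ${APACHE_LOG_DIR}/access.log proxied
```

If HAProxy ever moves or a second proxy is added, every new proxy address has to be listed in RemoteIPInternalProxy, otherwise Apache will silently fall back to logging the proxy again.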