Netgate Discussion Forum
    HAProxy with SSL offloading and X-Forward-For

    HA/CARP/VIPs

      border
      Searching for several hours, I could not find a solution so I am trying the forum...

      On my SG-3100 I have installed HAProxy and configured it to handle traffic for several webservers in the backend. The proxy uses a Letsencrypt certificate and connects to backends with self-signed certificates. Works great!

      However, I would like to use the X-Forward-For header to better monitor traffic on the backend servers. I understand that SSL traffic cannot be modified but since I am using SSL offloading I expected HAProxy to be able to set this header when connecting to the self-signed backend.

      I tried the checkbox option but without result.
      I added "http-request header add" with name "X-Forwarded-For" and fmt "%[src]" to both the http to https redirect and the https frontend. No luck.

      Any suggestions on how to get this X-Forward-For working with SSL?

      Another issue is that I need to disable HAProxy to update the Letsencrypt certificates (using HTTP standalone mode). Not practical, so any suggestions on this are also welcome...


        PiBa @border
        @border
        X-Forward-For: in 'mode http' haproxy will insert the header with the configuration options you have set, but are you sure the webserver is using those headers? Most of the time some configuration needs to be made on the webserver/webapplication to use these headers.

        As for Letsencrypt with standalone mode, you could try running the standalone LE service on a different port than :80, like :1080 or whatever, and define that as a separate server in a LE-backend (without healthchecks) in haproxy. Then on the frontend, if a request for the /.well-known/acme-challenge path is found with an acl, direct the request to this specific acme LE-backend. That way haproxy can keep listening for requests, and the LE-validation-servers can check if the challenge token file is found. (b.t.w. you could also use a lua script with the http-01 webroot method.. that works for sure 😉 )


          border @PiBa
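        The layout PiBa describes, written out as an added example HAProxy configuration (this is not PiBa's config nor the pfSense package's generated output; the pfSense package UI produces an equivalent file). The addresses 192.0.2.x, port 1080, the certificate path and the backend names are assumptions for illustration:

        ```haproxy
        # Added example, not from the thread. Hostnames, IPs, ports and the
        # certificate path are assumptions; adapt them to your environment.

        global
            log /dev/log local0

        defaults
            mode http                 # header insertion only works in HTTP mode
            log global
            option httplog
            timeout connect 5s
            timeout client  30s
            timeout server  30s

        # Plain-HTTP frontend: hand ACME challenges to the LE client, redirect the rest.
        frontend fe_http
            bind :80
            acl is_acme path_beg /.well-known/acme-challenge/
            use_backend be_acme if is_acme
            # Redirect only non-ACME requests, otherwise the LE validators get a 301 to :443
            http-request redirect scheme https code 301 unless is_acme

        # TLS-terminating frontend: the client address is added to the request here.
        frontend fe_https
            bind :443 ssl crt /var/etc/haproxy/example.pem   # assumed path to LE fullchain + key
            # set-header overwrites any X-Forwarded-For the client sent, so the backend
            # log always carries the real first-hop address; "option forwardfor" would append
            http-request set-header X-Forwarded-For %[src]
            http-request set-header X-Forwarded-Proto https
            acl is_acme path_beg /.well-known/acme-challenge/
            use_backend be_acme if is_acme
            default_backend be_web

        # The standalone LE client listens on a high port so :80 stays with HAProxy.
        # No "check" keyword: the client only runs during renewals, a health check
        # would mark it down the rest of the time.
        backend be_acme
            server le_standalone 127.0.0.1:1080

        # Re-encrypt to the self-signed backends.
        backend be_web
            # "verify none" matches the self-signed setup in the thread but disables
            # certificate validation; pin the backend CA with "ca-file" where you can
            server web1 192.0.2.11:443 ssl verify none
            server web2 192.0.2.12:443 ssl verify none
        ```

        On the Apache side the header still has to be logged explicitly: either reference it in the LogFormat as `%{X-Forwarded-For}i`, or load mod_remoteip with `RemoteIPHeader X-Forwarded-For` and a `RemoteIPInternalProxy` entry for the HAProxy address, so `%a` shows the client rather than the proxy. With the second approach, restrict the trusted proxy list to HAProxy only; otherwise any client that can reach Apache directly can forge the logged address.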
          @piba Thanks for the reply!
          I will try the suggestion for Letsencrypt.

          The Apache2 server has been configured to capture the X-Forward-For in the log file, but only the gateway IP address is shown in the log file. I think it has to do with the SSL part...
