HAProxy/IIS Real Client IP issue



  • Hello,

    I'm in the process of testing HAProxy 1.6 on a virtualized pfSense 2.3.2_1 box in front of a couple of Windows/IIS 8.5 servers. I've successfully tested both HTTP/HTTPS offloading and TCP/SSL load balancing. However, throughout my various tests I've never been able to get IIS to see the client's true IP. I've searched up and down both these forums and elsewhere. I've tried enabling X-FORWARDED-FOR in the HAProxy config as well as passing the option explicitly in the advanced settings, with no luck. Furthermore, I've configured IIS to look for the request header per: https://www.iis.net/learn/get-started/whats-new-in-iis-85/enhanced-logging-for-iis85

    Also already referenced: https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_pass_clientip_to_webserver

    I've reduced my previous configuration to just a single site on HTTP only to rule out any extraneous factors, but I still can't seem to get it working:

    global
            stats socket /tmp/haproxy.socket level admin
            gid                     80
            nbproc                  1
            chroot                  /tmp/haproxy_chroot
            daemon
            tune.ssl.default-dh-param 2048
    
    listen HAProxyLocalStats
            bind 127.0.0.1:2200 name localstats
            mode http
            stats enable
            stats admin if TRUE
            stats uri /haproxy/haproxy_stats.php?haproxystats=1
            timeout client 5000
            timeout connect 5000
            timeout server 5000
    
    frontend NAME
            bind                    X.X.X.X:80 name X.X.X.X:80
            mode                    http
            log                     global
            option                  http-keep-alive
            option                  forwardfor
            acl https ssl_fc
            http-request set-header         X-Forwarded-Proto http if !https
            http-request set-header         X-Forwarded-Proto https if https
            timeout client          30000
            default_backend NAME_http_ipv4
    
    backend NAME_http_ipv4
            mode                    http
            log                     global
            cookie JSESSIONID insert nocache
            timeout connect         30000
            timeout server          30000
            retries                 3
            source ipv4@ usesrc clientip
            server                  server2.NAME 172.16.16.3:80 cookie server2_NAME check inter 1000
    

    IIS log:

    2016-10-19 17:45:04 172.16.16.3 GET / - 80 - 172.16.16.1 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2785.143+Safari/537.36 - 304 0 0 0
    

    Any help or guidance is greatly appreciated.
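    The log line above shows the symptom: `c-ip` is the pfSense address (172.16.16.1), and the custom X-Forwarded-For field is what should carry the real client. The following is an added example, not part of the original thread, that parses an IIS 8.5 W3C log with such a custom field and decides which address to treat as the client. It assumes the custom field is named `X-Forwarded-For` in the `#Fields:` header and uses constructed log lines; the key check is that the header is only honoured when `c-ip` is the trusted proxy, since any client can send its own X-Forwarded-For.

```python
import ipaddress

# Constructed sample of an IIS 8.5 W3C log with an Enhanced Logging custom field.
# Field name "X-Forwarded-For" is an assumption about how the custom field was configured.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status X-Forwarded-For
2016-10-19 17:45:04 172.16.16.3 GET / 80 172.16.16.1 304 -
2016-10-19 17:45:05 172.16.16.3 GET / 80 172.16.16.1 200 203.0.113.7
2016-10-19 17:45:06 172.16.16.3 GET / 80 172.16.16.1 200 10.9.9.9,+203.0.113.8
2016-10-19 17:45:07 172.16.16.3 GET / 80 198.51.100.5 200 203.0.113.9
"""

# The HAProxy/pfSense box from the thread; only headers arriving from it are trusted.
TRUSTED_PROXIES = {ipaddress.ip_address("172.16.16.1")}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def effective_client_ip(entry, trusted=TRUSTED_PROXIES):
    """Return (ip, source) where source explains how the address was chosen."""
    cip = ipaddress.ip_address(entry["c-ip"])
    xff = entry.get("X-Forwarded-For", "-")
    if cip not in trusted:
        # Direct hit (or an untrusted hop): the header could be forged, ignore it.
        return str(cip), "direct"
    if xff == "-":
        # The thread's symptom: proxy reached IIS but no header was recorded.
        return str(cip), "proxy-no-xff"
    # IIS writes spaces in header values as '+'. HAProxy's "option forwardfor"
    # appends the address it saw, so the right-most hop is the one the proxy added.
    hops = [h for h in xff.replace("+", "").split(",") if h]
    try:
        return str(ipaddress.ip_address(hops[-1])), "xff"
    except (ValueError, IndexError):
        return str(cip), "proxy-bad-xff"
```

Running `effective_client_ip` over every parsed entry and counting the `proxy-no-xff` results is a quick way to confirm whether the header is missing from the request or merely absent from the log format.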



  • Are you sure the request is going through haproxy (check counters on the stats page)? No outbound NAT rules on LAN? No port forwards catching traffic away? Anything else that might interfere?
    With the "source ipv4@ usesrc clientip", if it works, there is almost no chance to get the pfSense IP in the logs... usually.



  • I can confirm the requests are going through HAProxy. No, nothing special configured. Just to verify, I completely reset my pfSense box, assigned the same public IP, and configured nothing but HAProxy. See images.

    Is there a chance that IIS isn't receiving the client IP for some reason? Any other way to test X-FORWARDED-FOR ?

    ![Screen Shot 2016-10-20 at 9.14.23 AM.png](/public/imported_attachments/1/Screen Shot 2016-10-20 at 9.14.23 AM.png)
    ![Screen Shot 2016-10-20 at 9.15.42 AM.png](/public/imported_attachments/1/Screen Shot 2016-10-20 at 9.15.42 AM.png)
    ![Screen Shot 2016-10-20 at 9.16.12 AM.png](/public/imported_attachments/1/Screen Shot 2016-10-20 at 9.16.12 AM.png)
    ![Screen Shot 2016-10-20 at 9.16.48 AM.png](/public/imported_attachments/1/Screen Shot 2016-10-20 at 9.16.48 AM.png)
    ![Screen Shot 2016-10-20 at 9.20.01 AM.png](/public/imported_attachments/1/Screen Shot 2016-10-20 at 9.20.01 AM.png)



  • So I think it's definitely an IIS logging issue specifically. I found an ASP script to return the X-FORWARDED-FOR IP.

    <%= Request.ServerVariables("HTTP_X_FORWARDED_FOR") %>
    

    When the XFF option is unchecked in HAProxy and the script is run, the page returns blank.

    However, when XFF is checked in HAProxy and the ASP script is run, it returns the IP in my browsers.



  • Yes, the forward-for would insert the client IP, but even without it a Wireshark capture should show the packets coming from the correct client IP address if you have the 'source ipv4@ usesrc clientip' in the haproxy config. It's almost impossible for IIS to then see that traffic came from pfSense itself.

    Also make sure you've got the name exactly right. HTTP_X_FORWARDED_FOR vs. X-FORWARDED-FOR in the online screenshot might make the difference?