HAProxy/IIS Real Client IP issue
-
Hello,
I'm in the process of testing HAProxy 1.6 on a virtualized pfSense 2.3.2_1 box in front of a couple of Windows/IIS 8.5 servers. I've successfully tested both HTTP/HTTPS offloading and TCP/SSL load balancing. However, throughout my various tests I've never been able to get IIS to see the client's true IP. I've searched up and down both these forums and elsewhere. I've tried enabling X-FORWARDED-FOR in the HAProxy config as well as passing the option explicitly in the advanced settings, with no luck. Furthermore, I've configured IIS to look for the request header per: https://www.iis.net/learn/get-started/whats-new-in-iis-85/enhanced-logging-for-iis85
Also already referenced: https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_pass_clientip_to_webserver
I've reduced my previous configuration to just a single site on HTTP only to rule out any extraneous factors, but I still can't seem to get it working:
global
    stats socket /tmp/haproxy.socket level admin gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend NAME
    bind X.X.X.X:80 name X.X.X.X:80
    mode http
    log global
    option http-keep-alive
    # adds an X-Forwarded-For header carrying the connecting client's address
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    default_backend NAME_http_ipv4

backend NAME_http_ipv4
    mode http
    log global
    cookie JSESSIONID insert nocache
    timeout connect 30000
    timeout server 30000
    retries 3
    # transparent proxying: connect to the server using the client's own IP as source
    source ipv4@ usesrc clientip
    server server2.NAME 172.16.16.3:80 cookie server2_NAME check inter 1000
IIS log:
2016-10-19 17:45:04 172.16.16.3 GET / - 80 - 172.16.16.1 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/53.0.2785.143+Safari/537.36 - 304 0 0 0
Any help or guidance is greatly appreciated.
-
Are you sure the request is going through HAProxy (check counters on the stats page)? No outbound NAT rules on LAN? No port forwards catching traffic away? Anything else that might interfere?
With "source ipv4@ usesrc clientip", IF it works, there is almost no chance to get the pfSense IP in the logs.. usually..
-
I can confirm the requests are going through HAProxy. No, nothing special configured. Just to verify, I completely reset my pfSense box, assigned the same public IP, and configured nothing but HAProxy. See images.
Is there a chance that IIS isn't receiving the client IP for some reason? Any other way to test X-FORWARDED-FOR?
-
So I think it's definitely an IIS logging issue specifically. I found an ASP script to return the X-FORWARDED-FOR IP.
<%= Request.ServerVariables("HTTP_X_FORWARDED_FOR") %>
When the XFF option is unchecked in HAProxy and the script is run, the page returns blank.
However, when XFF is checked in HAProxy and the ASP script is run, it returns the IP in my browsers.
-
Yes, the forwardfor option would insert the client IP, but even without it Wireshark should show the packets coming from the correct client IP address if you have 'source ipv4@ usesrc clientip' in the HAProxy config. It's almost impossible for IIS to then see that traffic came from pfSense itself..
Also make sure you've got the name exactly right. HTTP_X_FORWARDED_FOR vs. X-FORWARDED-FOR in the online screenshot might make the difference?
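Added example, not from the thread or from the pfSense/HAProxy package: a small Python model of what `option forwardfor` does to the X-Forwarded-For header, and a parser for IIS 8.5 W3C log lines that carry a custom X-Forwarded-For field, picking the client address the way a backend should. The trusted proxy address (172.16.16.1) and the field layout are assumptions taken from the log line posted above; the sample log lines are constructed. The security point it shows: HAProxy adds its own header after any X-Forwarded-For the client already sent (backends that merge duplicate headers see them joined with ", "), so a client can plant a fake address at the left of the chain, and the backend must only trust the header when the TCP peer is the proxy and must read the chain from the right.

```python
import ipaddress

# Assumed: the HAProxy/pfSense LAN address that IIS sees as c-ip in the thread's log line.
TRUSTED_PROXIES = {ipaddress.ip_address("172.16.16.1")}

# Assumed W3C field layout: the thread's default IIS fields plus a custom
# X-Forwarded-For field appended through IIS 8.5 enhanced logging.
W3C_FIELDS = (
    "date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status "
    "time-taken X-Forwarded-For"
).split()


def haproxy_forwardfor(existing_header, client_ip, if_none=False):
    """Approximates HAProxy 'option forwardfor' as seen by a backend that merges
    duplicate headers: the TCP client address is added after whatever the client
    already sent, so a forged value survives on the left and the real address
    sits rightmost.  With 'if-none' HAProxy only adds the header when none is
    present, which lets a client-supplied value through untouched."""
    if existing_header:
        return existing_header if if_none else f"{existing_header}, {client_ip}"
    return client_ip


def client_ip_from_xff(xff, remote_addr, trusted):
    """Return the address a backend should log as the client.

    The header only means something when the TCP peer (remote_addr) is one of
    our proxies; anyone else could have set it.  Walk the chain from the right,
    skipping trusted proxies; the first untrusted hop is the client."""
    if ipaddress.ip_address(remote_addr) not in trusted:
        return remote_addr
    hops = [h.strip() for h in xff.split(",")] if xff and xff != "-" else []
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: trust nothing to the left of it
        if addr not in trusted:
            return str(addr)
    return remote_addr


def parse_iis_line(line):
    """Split one W3C log line into a dict.  IIS writes '-' for an empty field and
    encodes spaces inside a field as '+', which matters for multi-hop XFF values."""
    values = line.split(" ")
    values += ["-"] * (len(W3C_FIELDS) - len(values))
    rec = dict(zip(W3C_FIELDS, values))
    rec["X-Forwarded-For"] = rec["X-Forwarded-For"].replace("+", " ")
    return rec


def client_ips_from_log(lines, trusted=TRUSTED_PROXIES):
    """Client address per log record, skipping the #Fields header and blank lines."""
    out = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        rec = parse_iis_line(line)
        out.append(client_ip_from_xff(rec["X-Forwarded-For"], rec["c-ip"], trusted))
    return out


UA = "Mozilla/5.0+(Windows+NT+10.0;+WOW64)"
# Constructed sample log lines (not taken from the thread):
SAMPLE_LOG = [
    "#Fields: " + " ".join(W3C_FIELDS),
    # 1. via HAProxy, forwardfor disabled: nothing better than the proxy address is known
    f"2016-10-19 17:45:04 172.16.16.3 GET / - 80 - 172.16.16.1 {UA} - 304 0 0 0 -",
    # 2. via HAProxy with option forwardfor: the real client is the only hop
    f"2016-10-19 17:45:05 172.16.16.3 GET / - 80 - 172.16.16.1 {UA} - 200 0 0 3 203.0.113.7",
    # 3. client sent a forged 'X-Forwarded-For: 10.0.0.1'; HAProxy added the real address
    f"2016-10-19 17:45:06 172.16.16.3 GET / - 80 - 172.16.16.1 {UA} - 200 0 0 2 10.0.0.1,+203.0.113.7",
    # 4. request bypassed HAProxy entirely and carries a forged header: ignore it
    f"2016-10-19 17:45:07 172.16.16.3 GET / - 80 - 192.0.2.5 {UA} - 200 0 0 1 203.0.113.7",
]

if __name__ == "__main__":
    for ip in client_ips_from_log(SAMPLE_LOG):
        print(ip)
```

Run as-is it prints 172.16.16.1, 203.0.113.7, 203.0.113.7 and 192.0.2.5 for the four constructed records: the forged left-hand entry in record 3 is ignored, and record 4 falls back to the TCP peer because it did not arrive through the trusted proxy. The same rule applies when reading `HTTP_X_FORWARDED_FOR` from an ASP page: take the rightmost untrusted entry, never the first one.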