LoadBalancers and client IP



  • Hi,

    I have some trouble getting the client IP in logs when using the loadbalancer service.
    This is my infra:

    • pfsense 2.4.4-RELEASE (amd64). 1 WAN connected to the internet and 1 LAN.
    • The LB sends all requests to HTTP and HTTPS (tcp) to an ingress controller (traefik) on Kubernetes.
    • This traefik sends requests to the correct app.

    If I test one page of my application using curl with the correct headers, it works:

    curl -k -H "x-forwarded-for: xxx.xxx.xxx.xxx" http://xxxxx.net/
    curl -k -H "x-forwarded-for: xxx.xxx.xxx.xxx" https://xxxxx.net/
    

    When I use a browser this header is not set at all. Is it possible to add this header using the LB service?

    I have tried to use haproxy. It works with HTTP only. The "forwardfor" option cannot be set in TCP.

    Any idea?



  • @zerros
    The 'x-forwarded-for' is an http header. The built-in load balancer cannot modify traffic afaik. And haproxy can insert http headers IF it is working with 'mode http'. Otherwise your https traffic is just an encrypted stream of unmodifiable bytes. So that needs to be decrypted if you want to modify the http layer of the traffic.

    On the other side, the load balancer traffic sent to your traefik actually gets the TCP connection from the actual client ip. Can you not use that?

    Other option would be to load the certificates into haproxy and decrypt SSL there, then insert the desired header, and perhaps re-encrypt when sending to the backend server.
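    The two haproxy modes described above, side by side, as an added example (not configuration from the thread or from the pfSense haproxy package itself). Assumed values: traefik listens on 10.0.0.10:443, the combined cert/key bundle lives at /var/etc/haproxy/example.pem, and /etc/ssl/cert.pem is the system CA bundle; the two frontends both bind :443, so only one of them would be active at a time.

```haproxy
# Added example; addresses and file paths are assumptions, not values from the thread.

# (a) TCP passthrough: traefik keeps managing its Let's Encrypt certificates, but
#     haproxy only relays bytes, so no HTTP header can be inserted. Traefik sees the
#     connection coming from haproxy unless the package's transparent-client-ip option
#     is enabled (its raw form is assumed to be the commented 'source' line below).
frontend fe_tcp_https
    bind *:443
    mode tcp
    default_backend be_traefik_tcp

backend be_traefik_tcp
    mode tcp
    # source 0.0.0.0 usesrc clientip   # transparent-client-ip; return traffic must route via pfSense
    server traefik 10.0.0.10:443 check

# (b) TLS termination: haproxy decrypts, can now touch the HTTP layer, and re-encrypts
#     towards traefik. 'option forwardfor' only APPENDS the peer address, so a client that
#     sent its own X-Forwarded-For (like the curl test) would leave "client-value, real-src".
#     Overwriting the header with the connection's source address removes that ambiguity.
frontend fe_http_https
    bind *:443 ssl crt /var/etc/haproxy/example.pem
    mode http
    http-request set-header X-Forwarded-For %[src]
    default_backend be_traefik_http

backend be_traefik_http
    mode http
    server traefik 10.0.0.10:443 ssl verify required ca-file /etc/ssl/cert.pem check
```

    With (b) the certificate for the public name has to be present in haproxy, which is exactly the trade-off the next reply raises; with (a) the backend must take the client address from the TCP connection instead of from a header.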



  • Yes, I can use haproxy in SSL termination to do what I need, but I wanted to use traefik to manage all SSL certificates using Let's Encrypt. I will have to put the new certificates manually into haproxy periodically; I lose the fully managed system provided by traefik. Not good at all :'(

    Can haproxy run in pass-through mode for HTTP and HTTPS requests? Maybe it will be the good solution?



  • @zerros
    The transparent-client-ip option of the haproxy package works for all cases http/https/tcp, which would show the actual client-ip to the backend server (on the tcp/ip connection). But then again traefik needs to use that IP for its logs/access control or whatever you need it for. In that regard not that different from the built-in load balancer or a simple port forward. (Do read and understand the issues of that transparent-client-ip feature though.)



  • OK I will read about transparent client ip, thanks.

    The source client ip should be used by traefik with a simple LB in TCP mode.

    I have tried to create an Apache server with a simple port forwarding and I can get the client IP using the Remote-Addr header and set the x-forwarded-for header to pass it through ProxyPass. The app server logs the correct IPs.

    I will try with the load balancer tomorrow. After that, if it works, there is a traefik misconfiguration/issue?!
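    One detail of this thread deserves a check on the application side: the curl test in the first post shows that X-Forwarded-For is whatever the client chooses to send, and the Apache ProxyPass chain in the last post forwards that header. If the app logs or authorizes on the header without checking who sent it, any internet client can spoof its own address. The following is an added example, not code from the thread's author, traefik or Apache: it resolves the client address from REMOTE_ADDR plus X-Forwarded-For and honours the header only when the connection comes from a trusted proxy. The trusted ranges (10.0.0.0/8 and 192.168.0.0/16) and all sample addresses are assumptions chosen for the example.

```python
"""Resolve the real client IP from REMOTE_ADDR plus X-Forwarded-For without trusting
client-supplied values. Added example; not code from the thread or from traefik/Apache."""
import ipaddress

# Assumption: the pfSense LB / haproxy / traefik / Apache hops all live in these ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def parse_ip(token):
    """Return an ip_address for a header token, or None if it is not a valid IPv4/IPv6 literal."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Pick the address to log or authorize.

    remote_addr: peer address of the TCP connection (Apache REMOTE_ADDR, traefik's ClientAddr).
    xff_header:  raw X-Forwarded-For value, or None when no proxy inserted one (TCP-mode LB).

    A direct connection from an untrusted peer gets its own address, whatever it put in
    X-Forwarded-For; that is what defeats the spoofed curl test. Behind a trusted proxy the
    header is walked right-to-left, skipping trusted hops; the first untrusted valid address
    is the client. A malformed token ends the walk, since nothing to its left is reliable.
    """
    peer = parse_ip(remote_addr)
    if peer is None or not is_trusted_proxy(peer):
        return remote_addr
    hops = [h for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = parse_ip(hop)
        if ip is None:
            return remote_addr          # injected garbage: fall back to the proxy's address
        if not is_trusted_proxy(ip):
            return str(ip)
    # every hop was one of our own proxies: the chain started inside the trusted network
    return str(parse_ip(hops[0])) if hops else remote_addr


# Constructed requests: (REMOTE_ADDR, X-Forwarded-For) as seen by the app server.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "198.51.100.9"),            # curl from the internet with a spoofed header
    ("10.0.0.5", "203.0.113.7"),                # via haproxy/Apache, header set by the proxy
    ("10.0.0.5", "198.51.100.9, 203.0.113.7"),  # client spoofed, proxy appended the real address
    ("10.0.0.5", "203.0.113.7, 10.0.0.3"),      # two trusted hops in front of the app
    ("10.0.0.5", None),                         # TCP-mode LB: no header, proxy IP is all we have
    ("10.0.0.5", "203.0.113.7, <script>"),      # log-injection attempt in the header
]


def resolve_samples():
    return [client_ip(remote, xff) for remote, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (remote, xff), ip in zip(SAMPLE_REQUESTS, resolve_samples()):
        print(f"{remote:15} {str(xff):30} -> {ip}")
```

    The same rule is what a reverse proxy's "trusted IPs" setting implements; the important property is that the app never believes a header on a connection that did not arrive from one of its own proxies, and never writes an unparsed header token into its logs.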