Netgate Discussion Forum

    LoadBalancers and client IP

    Category: Off-Topic & Non-Support Discussion
    5 Posts, 2 Posters, 916 Views
    zerros:

      Hi,

      I have some trouble getting the client IP in logs when using the load balancer service.
      This is my infra:

      • pfSense 2.4.4-RELEASE (amd64). 1 WAN connected to the internet and 1 LAN.
      • The LB sends all HTTP and HTTPS (TCP) requests to an ingress controller (traefik) on Kubernetes.
      • This traefik sends requests to the correct app.

      If I test one page of my application using curl with the correct headers, it works:

      curl -k -H "x-forwarded-for: xxx.xxx.xxx.xxx" http://xxxxx.net/
      curl -k -H "x-forwarded-for: xxx.xxx.xxx.xxx" https://xxxxx.net/
      

      When I use a browser this header is not set at all. Is it possible to add this header using the LB service?

      I have tried to use haproxy. It works with HTTP only. The 'forwardfor' option cannot be set in TCP mode.

      Any idea?

      PiBa (replying to @zerros):

        @zerros
        The 'x-forwarded-for' is an HTTP header. The built-in load balancer cannot modify traffic AFAIK. And haproxy can insert HTTP headers IF it is working with 'mode http'; otherwise your HTTPS traffic is just an encrypted stream of unmodifiable bytes. So that needs to be decrypted if you want to modify the HTTP layer of the traffic.

        On the other side, the load balancer traffic sent to your traefik actually gets the TCP connection from the actual client IP. Can you not use that?

        The other option would be to load the certificates into haproxy and decrypt SSL there, then insert the desired header, and perhaps re-encrypt when sending to the backend server.

        zerros:

          Yes, I can use haproxy with SSL termination to do what I need, but I wanted to use traefik to manage all SSL certificates using Let's Encrypt. I would have to put the new certificates into haproxy manually and periodically, and I lose the fully managed system provided by traefik. Not good at all :'(

          Can haproxy run in pass-through mode for HTTP and HTTPS requests? Maybe that would be the good solution?

          PiBa (replying to @zerros):

            @zerros
            The transparent-client-ip option of the haproxy package works for all cases (http/https/tcp), which would show the actual client IP to the backend server (on the TCP/IP connection). But then again traefik needs to use that IP for its logs/access control or whatever you need it for. In that regard it is not that different from the built-in load balancer or a simple port forward. (Do read and understand the issues of that transparent-client-ip feature, though.)

            zerros:

              OK, I will read about transparent client IP, thanks.

              The source client IP should be used by traefik with a simple LB in TCP mode.

              I have tried to create an Apache server with a simple port forwarding, and I can get the client IP using the Remote-Addr header and set the x-forwarded-for header to pass it through ProxyPass. The app server logs the correct IPs.

              I will try with the load balancer tomorrow. If it works, then there is a traefik misconfiguration/issue?!!
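The curl test in the first post shows the app taking whatever X-Forwarded-For the sender supplies, so an address logged from that header is only as trustworthy as the hop that set it. The following is an added example, not code from this thread nor from pfSense, haproxy or traefik: a Python routine that derives the address to log by honouring X-Forwarded-For only when the TCP peer is a known proxy, then walking the chain from the right past trusted hops. The proxy ranges in TRUSTED_PROXIES and all test addresses are constructed for the example.

```python
import ipaddress
from typing import Optional

# Assumed trusted-proxy ranges (constructed for this example): the LAN side of
# the load balancer and the ingress nodes. Replace with the real addresses.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.1/32"),
]


def _parse(addr: str):
    """Return an ip_address object, or None if addr is not a valid address."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(ip, trusted) -> bool:
    return ip is not None and any(ip in net for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Derive the client address to log.

    remote_addr is the peer of the TCP connection; xff is the raw
    X-Forwarded-For value, if any. Each proxy appends the address it saw,
    so the rightmost entries were written by our own proxies and the
    leftmost by whoever the client chose. Walk from the right, skipping
    trusted hops; the first untrusted hop is the client. The header is
    honoured only when the TCP peer itself is a trusted proxy, so a client
    connecting directly cannot pick the address that ends up in the log.
    """
    peer = _parse(remote_addr)
    if not _is_trusted(peer, trusted) or not xff:
        return remote_addr
    hops = [_parse(h) for h in xff.split(",")]
    for hop in reversed(hops):
        if hop is None:
            return remote_addr  # malformed entry: do not trust the header
        if not _is_trusted(hop, trusted):
            return str(hop)
    return str(hops[0])  # every hop was one of our proxies


if __name__ == "__main__":
    # Direct connection with a spoofed header: the peer address wins.
    print(client_ip("203.0.113.5", "192.0.2.9"))
    # Through a trusted proxy that appended the real client after a spoofed entry.
    print(client_ip("10.1.2.3", "192.0.2.9, 198.51.100.7"))
```

Traefik, haproxy and Apache each have their own "trusted proxies" setting for the same purpose; the logic above is what that setting should implement.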

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.