HAProxy + Ubuntu 18.04 + 2x WordPress Servers + 1x MySQL Server

  • Hi, I've implemented a DMZ consisting of a frontend for webservers and a backend for the database. For pre-production testing I've configured HAProxy with the following configuration environment:

    • Internal VIP address of (go-live will be WAN IP)
    • Internal DNS A record www.domain.com ->
    • Webservers address and
    • Database server address (only allow webservers access to DB)
    • Private Frontend using VIP address
    • Private Backend -> Webservers (WordPress on Apache2)
    • GlusterFS syncs WordPress content directory (works awesomely)

    The load-balancing/reverse proxy works as expected and I've tested the redundancy; no issues. However, my problem is with HAProxy not passing the client IP address to the Apache logs, even with the "forwarded-for" box checked. I've searched Google and read several articles, but most reference older versions of Apache, and Apache2 has been rewritten...at least for Ubuntu 18.04.

    I know this doesn't seem to be a PF issue, but rather Apache2 log formatting. I just wanted to cover all bases, especially since the "Transparent Client IP" setting in HAProxy sounds like it creates a security risk and possibly much more, which I'm not willing to risk. If anyone can offer a little guidance on overcoming this issue or point me to a good article, I'd be more than grateful. I've been using Digital Ocean's articles, which have been quite possibly the best I've seen; except with this.

  • Ok, I just got the Forwarded-For issue resolved. The log format change is in the /etc/apache2/apache2.conf file, where I changed the following line:

     LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
     (%h to %a)
     LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

    Then I add these directives in the /etc/apache2/sites-available/mywebsite.conf file:

        RemoteIPHeader X-Forwarded-For

    I guess I'll have to add "RemoteIPTrustedProxy with WAN IP" when I go live.
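
Why restricting which proxies may supply X-Forwarded-For matters for the logged address, as an added example that is not part of the original posts and is not mod_remoteip's code: a simplified Python model of right-to-left X-Forwarded-For evaluation against a trusted-proxy list. The function name and all addresses (documentation ranges) are constructed, and the proxy is assumed to append the address it accepted the connection from.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not from the thread.
PROXY = "192.0.2.10"      # hypothetical HAProxy address seen by Apache
CLIENT = "203.0.113.7"    # real client
FORGED = "198.51.100.99"  # value a client typed into its own header


def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the address to log for one request.

    peer_ip         -- address of the TCP connection the web server accepted
    xff_header      -- raw X-Forwarded-For value, or None
    trusted_proxies -- networks allowed to supply the header
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr):
        return any(addr in n for n in nets)

    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk right to left: each entry was appended by the hop to its right,
    # so it is only believable while that hop is a trusted proxy.
    while hops and trusted(current):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)


def demo():
    only_proxy = [PROXY + "/32"]
    trust_all = ["0.0.0.0/0"]  # models "no allowlist configured"
    return {
        "via_proxy": resolve_client_ip(PROXY, CLIENT, only_proxy),
        "forged_via_proxy": resolve_client_ip(PROXY, f"{FORGED}, {CLIENT}", only_proxy),
        "direct_with_header": resolve_client_ip(CLIENT, FORGED, only_proxy),
        "direct_trust_all": resolve_client_ip(CLIENT, FORGED, trust_all),
    }


if __name__ == "__main__":
    for case, logged in demo().items():
        print(f"{case:20} -> {logged}")
```

With the allowlist limited to the proxy, the forged value never reaches the log; with everything trusted, a direct request is logged under the forged address.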

  • Hi Crazybrain,

    Might I ask how you got WordPress to work behind HAProxy? For some reason I am unable to log in when going through the HAProxy, but when I try to access the local IP address everything works.

    Made a new post about this: https://forum.netgate.com/topic/152756/haproxy-unable-to-login-on-wordpress-wp-admin-page

    Thanks in advance!