HAProxy + Ubuntu 18.04 + 2x WordPress Servers + 1x MySQL Server



  • Hi, I've implemented a DMZ consisting of frontend for webservers and a backend for database. For pre-production test I've configured HAProxy with the following configuration environment:

    • Internal VIP address of 10.1.1.50 (go-live will be WAN IP)
    • Internal DNS A record www.domain.com -> 10.1.1.50
    • Webservers address 10.1.1.11 and 10.1.1.12
    • Database server address 10.1.2.10 (only allow webservers access to DB)
    • Private Frontend using VIP address 10.1.1.50
    • Private Backend -> Webservers (WordPress on Apache2)
    • GlusterFS syncs the WordPress content directory (works awesomely)

    The load-balancing/reverse proxy works as expected and I've tested the redundancy; no issues. However, my problem is with HAProxy not passing the client IP address to the Apache logs, even with the "forwarded-for" box checked. I've searched Google and read several articles, but most reference older versions of Apache, and Apache2 has been rewritten... at least for Ubuntu 18.04.

    I know this doesn't seem to be a PF issue, but rather Apache2 log formatting. I just wanted to cover all bases, especially since the "Transparent Client IP" setting in HAProxy sounds like it creates a security risk, and possibly much more, which I'm not willing to risk. If anyone can offer a little guidance on overcoming this issue or point me to a good article, I'd be more than grateful. I've been using Digital Ocean's articles, which have been quite possibly the best I've seen; except with this.



  • Ok, I just got the Forwarded-For issue resolved. The log format change is in the /etc/apache2/apache2.conf file, where I changed the following line (%h to %a):

        # before: %h logs the TCP peer address, i.e. the HAProxy host
        LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
        # after: %a logs the client address as set by mod_remoteip
        LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
    

    Then I added these directives to the /etc/apache2/sites-available/mywebsite.conf file:

        RemoteIPHeader X-Forwarded-For
        RemoteIPInternalProxy 10.1.1.1
    

    I guess I'll have to add "RemoteIPTrustedProxy with WAN IP" when I go live.
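To show why the RemoteIPInternalProxy line matters, here is an added Python example (not code from the thread) that simulates how mod_remoteip walks X-Forwarded-For to choose the address %a logs, including the case where a host reaching Apache directly sends its own forged header. It assumes the setup above (HAProxy seen by Apache as 10.1.1.1); the trust rules and non-public blocks follow mod_remoteip's documentation, and 198.51.100.0/24 and 203.0.113.0/24 are constructed stand-ins for WAN hosts.

```python
"""Simulate how Apache mod_remoteip chooses the client address logged by %a.

Added example, not code from the thread. Constructed addresses: 10.1.1.1 is
the HAProxy host from the post; 198.51.100.0/24 and 203.0.113.0/24 are
documentation ranges standing in for WAN hosts.
"""
from ipaddress import ip_address, ip_network

# Blocks mod_remoteip will not accept as the client address when the reporting
# proxy is listed only as RemoteIPTrustedProxy (RemoteIPInternalProxy accepts them).
_NON_PUBLIC = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def _in(addr, nets):
    return any(addr in n for n in nets)


def effective_client_ip(remote_addr, xff, internal_proxies=(), trusted_proxies=()):
    """Return (client_ip, leftover_header_entries) as mod_remoteip would.

    remote_addr: TCP peer address Apache saw on the connection.
    xff: value of the RemoteIPHeader (X-Forwarded-For), "" if absent.
    The header is walked right to left and a hop is crossed only while the
    current address is in a proxy list, so a header sent by an untrusted peer
    (e.g. a host bypassing HAProxy) is ignored rather than believed.
    """
    internal = [ip_network(p) for p in internal_proxies]
    trusted = [ip_network(p) for p in trusted_proxies]
    chain = [s.strip() for s in xff.split(",") if s.strip()]
    client = ip_address(remote_addr)
    while chain:
        if _in(client, internal):
            accept_private = True
        elif _in(client, trusted):
            accept_private = False
        else:
            break  # peer is not a proxy we trust: leave the header alone
        try:
            candidate = ip_address(chain[-1])
        except ValueError:
            break  # malformed entry: stop rather than guess
        if not accept_private and _in(candidate, _NON_PUBLIC):
            break  # trusted (not internal) proxy reported a private hop
        chain.pop()
        client = candidate
    return str(client), chain
```

The address matched against the proxy lists is the TCP peer address Apache sees, so each entry names a proxy's own address rather than the client range; on Ubuntu the RemoteIP* directives only take effect once the module is enabled with `a2enmod remoteip`.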

