Netgate Discussion Forum
[Solved] How to configure HAProxy to forward client IPs to backend web servers

pfSense Packages
  • snow
    Jul 2, 2019, 7:34 AM (last edited by snow Jul 5, 2019, 7:44 AM)

    Hi guys,

    Currently I have a problem with forwarding client IPs to backend web servers.
    This means I only see the HAProxy IP address in my apache access log.

    Please find below my config:

    2.4.4-RELEASE-p3 (amd64)

    global
        maxconn 1000
        log /var/run/log local0 info
        stats socket /tmp/haproxy.socket level admin
        uid 80
        gid 80
        nbproc 1
        hard-stop-after 15m
        chroot /tmp/haproxy_chroot
        daemon
        tune.ssl.default-dh-param 2048
        server-state-file /tmp/haproxy_server_state
        ssl-default-bind-options no-sslv3 no-tls-tickets
        ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats show-legends
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

    frontend http-to-https
        bind my WAN IP:80 name my WAN IP:80
        mode http
        log global
        option http-keep-alive
        timeout client 30000
        http-request redirect scheme https

    frontend shared-frontend-merged
        bind my WAN IP:443 name my WAN IP:443 ssl crt-list /var/etc/haproxy/shared-frontend.crt_list
        mode http
        log global
        option http-keep-alive
        option forwardfor
        acl https ssl_fc
        http-request set-header X-Forwarded-Proto http if !https
        http-request set-header X-Forwarded-Proto https if https
        timeout client 30000
        http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]
        acl ACL1 var(txn.txnhost) -m str -i my.sub.domain
        acl aclcrt_shared-frontend var(txn.txnhost) -m reg -i ^([^.]*).my.domain(:([0-9]){1,5})?$
        http-request set-var(txn.txnhost) hdr(host)
        use_backend my.domain_ipvANY if ACL1

    backend my.sub.domain_ipvANY
        mode http
        id 100
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        server my.sub.domain my.backend.ip:443 id 101 ssl check inter 1000 verify none

    As shown above, I'm currently using 3 frontends and 1 backend:

    1. frontend http-to-https = to redirect http requests to https
    2. frontend shared-frontend = to provide a wildcard ssl certificate for all of my subdomains (currently I'm using only one sub domain/backend)
    3. frontend my.sub.domain = to forward all appropriate requests to the sub.domain backend
    4. backend my.sub.domain = receives all requests from frontend my.sub.domain

    I hope I could clearly describe my current environment.

    As also shown above in the config file, I added "http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]" to the Advanced pass thru box in frontend shared-frontend, but without success.
    I also enabled the Apache module mod_rpaf on my Apache web server with the site config below:

    <IfModule mod_rpaf.c>
        RPAFenable On
        RPAFsethostname On
        RPAFproxy_ips my HAProxy IP
    </IfModule>

    Do you know what needs to be set exactly in the HAProxy config to forward client IPs to backend web servers?

    Thanks in advance.

    Philipp

    1 Reply Last reply Reply Quote 0
    • snow
      Jul 5, 2019, 7:49 AM (last edited by snow Jul 5, 2019, 7:50 AM)

      There was no issue with HAProxy.
      The issue was related to my Apache config, sorry for that.
      I'm now using mod_remoteip instead of the deprecated mod_rpaf, and appropriate log format options.

      On the HAProxy side, it's only required to select the option 'Use "forwardfor" option' in the frontend, as described in the documentation below:
      https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_pass_clientip_to_webserver

      1 Reply Last reply Reply Quote 0
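
An Apache-side configuration matching the fix described in the last post, as an added example that is not part of the original thread. It assumes Apache 2.4 with mod_remoteip loaded; 192.0.2.10 is a placeholder for the HAProxy address, and the log format nickname and log file path are hypothetical.

```apache
# Added example, not the poster's actual configuration.
# Assumptions: Apache 2.4, mod_remoteip loaded, and 192.0.2.10 standing in
# for the address HAProxy uses when it connects to this web server.

# Header that HAProxy's "option forwardfor" appends the client address to.
RemoteIPHeader X-Forwarded-For

# Only connections arriving from this peer may override the client address.
# X-Forwarded-For is client-controlled, so it must never be honoured from
# arbitrary peers: list the proxy explicitly rather than a whole subnet.
# mod_remoteip reads the header right to left and stops at the first address
# that is not a listed proxy, so values a client injected ahead of HAProxy's
# own entry are not used as the client address.
RemoteIPInternalProxy 192.0.2.10

# %a     = client address as determined by mod_remoteip
# %{c}a  = underlying TCP peer (HAProxy here), kept for audit and troubleshooting
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_remoteip
CustomLog logs/access_remoteip.log combined_remoteip
```

The directives are deliberately not wrapped in an `<IfModule>` block, so Apache refuses to start if mod_remoteip is missing instead of silently logging the proxy address again.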