Netgate Discussion Forum

    [Solved] How to configure HAProxy to forward client IP's to backend web servers

    pfSense Packages
    2 Posts 1 Posters 6.6k Views
      snow
      last edited by snow

      Hi guys,

      Currently I have a problem with forwarding client IPs to backend web servers.
      This means I only see the HAProxy IP address in my Apache access log.

      Please find below my config:

      2.4.4-RELEASE-p3 (amd64)

      global
          maxconn 1000
          log /var/run/log local0 info
          stats socket /tmp/haproxy.socket level admin
          uid 80
          gid 80
          nbproc 1
          hard-stop-after 15m
          chroot /tmp/haproxy_chroot
          daemon
          tune.ssl.default-dh-param 2048
          server-state-file /tmp/haproxy_server_state
          ssl-default-bind-options no-sslv3 no-tls-tickets
          ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

      listen HAProxyLocalStats
          bind 127.0.0.1:2200 name localstats
          mode http
          stats enable
          stats admin if TRUE
          stats show-legends
          stats uri /haproxy/haproxy_stats.php?haproxystats=1
          timeout client 5000
          timeout connect 5000
          timeout server 5000

      frontend http-to-https
          bind my WAN IP:80 name my WAN IP:80
          mode http
          log global
          option http-keep-alive
          timeout client 30000
          http-request redirect scheme https

      frontend shared-frontend-merged
          bind my WAN IP:443 name my WAN IP:443 ssl crt-list /var/etc/haproxy/shared-frontend.crt_list
          mode http
          log global
          option http-keep-alive
          option forwardfor
          acl https ssl_fc
          http-request set-header X-Forwarded-Proto http if !https
          http-request set-header X-Forwarded-Proto https if https
          timeout client 30000
          http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]
          acl ACL1 var(txn.txnhost) -m str -i my.sub.domain
          acl aclcrt_shared-frontend var(txn.txnhost) -m reg -i ^([^.]*).my.domain(:([0-9]){1,5})?$
          http-request set-var(txn.txnhost) hdr(host)
          use_backend my.domain_ipvANY if ACL1

      backend my.sub.domain_ipvANY
          mode http
          id 100
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          server my.sub.domain my.backend.ip:443 id 101 ssl check inter 1000 verify none

      As shown above, I'm currently using 3 frontends and 1 backend:

      1. frontend http-to-https = to redirect http requests to https
      2. frontend shared-frontend = to provide a wildcard ssl certificate for all of my subdomains (currently I'm using only one sub domain/backend)
      3. frontend my.sub.domain = to forward all appropriate requests to the sub.domain backend
      4. backend my.sub.domain = receives all requests from frontend my.sub.domain

      I hope I could clearly describe my current environment.

      As also shown in the config above, I added "http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]" to the Advanced pass thru box in frontend shared-frontend, but without success.
      I also enabled the Apache module mod_rpaf on my Apache web server with the site config below:

      <IfModule mod_rpaf.c>
      RPAFenable On
      RPAFsethostname On
      RPAFproxy_ips my HAProxy IP
      </IfModule>

      Do you know what needs to be set exactly in the HAProxy config to forward client IPs to backend web servers?

      Thanks in advance.

      Philipp

        snow
        last edited by snow

        There was no issue with HAProxy.
        The issue was related to my Apache config, sorry for that.
        I'm now using mod_remoteip instead of the deprecated mod_rpaf, with the appropriate log format options.

        On the HAProxy side, it is only required to select the option 'Use "forwardfor" option' in the frontend, as described in the documentation below:
        https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_pass_clientip_to_webserver

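The Apache side of the fix described in the two posts above (mod_remoteip in place of mod_rpaf, plus a log format that records the restored client address) as an added example, not configuration taken from the thread or from the pfSense package. HAProxy already adds the X-Forwarded-For header once 'Use "forwardfor" option' is enabled in the frontend, so only Apache needs to change. The proxy address 192.0.2.10 stands in for the poster's "my HAProxy IP", and the module and log paths are constructed for a Debian-style layout.

```apache
# Added example (not from the thread): Apache 2.4 mod_remoteip configuration
# that restores the real client address behind HAProxy's "option forwardfor".
# 192.0.2.10 is a placeholder for the HAProxy address; paths are assumed.
LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so

<IfModule remoteip_module>
    # Header that HAProxy appends with "option forwardfor" (its default name).
    RemoteIPHeader X-Forwarded-For

    # Honour X-Forwarded-For only when the TCP peer is the HAProxy host.
    # A request that reaches Apache from any other address keeps its TCP
    # source address, so a client cannot pick its own logged IP simply by
    # sending an X-Forwarded-For header of its own.
    RemoteIPInternalProxy 192.0.2.10
</IfModule>

# %a is the client address after mod_remoteip has rewritten it; %{c}a is the
# address of the TCP peer (the proxy), kept here so both are visible.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" proxied
CustomLog /var/log/apache2/access.log proxied
```

RemoteIPInternalProxy is the right directive when the proxy sits on the same private network as the web server; RemoteIPTrustedProxy behaves the same way but additionally discards private (RFC 1918) addresses found in the header, which is what you want when the trusted hop is reached over the public Internet. Because the rewritten address also feeds Require ip access rules, the list of trusted proxies should contain nothing but the HAProxy instance.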
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.