[Solved] How to configure HAProxy to forward client IPs to backend web servers



  • Hi guys,

    Currently I have a problem with forwarding client IPs to backend web servers.
    This means I only see the HAProxy IP address in my Apache access log.

    Please find below my config:

    2.4.4-RELEASE-p3 (amd64)

    global
    maxconn 1000
    log /var/run/log local0 info
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

    frontend http-to-https
    bind my WAN IP:80 name my WAN IP:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    http-request redirect scheme https

    frontend shared-frontend-merged
    bind my WAN IP:443 name my WAN IP:443 ssl crt-list /var/etc/haproxy/shared-frontend.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]
    acl ACL1 var(txn.txnhost) -m str -i my.sub.domain
    acl aclcrt_shared-frontend var(txn.txnhost) -m reg -i ^([^.]*).my.domain(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend my.domain_ipvANY if ACL1

    backend my.sub.domain_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server my.sub.domain my.backend.ip:443 id 101 ssl check inter 1000 verify none

    As shown above, I'm currently using 3 frontends and 1 backend:

    1. frontend http-to-https = to redirect http requests to https
    2. frontend shared-frontend = to provide a wildcard ssl certificate for all of my subdomains (currently I'm using only one sub domain/backend)
    3. frontend my.sub.domain = to forward all appropriate requests to the sub.domain backend
    4. backend my.sub.domain = receives all requests from frontend my.sub.domain

    I hope I could clearly describe my current environment.

    As also shown above in the config file, I added "http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]" to the Advanced pass thru box in frontend shared-frontend, but without success.
    I also enabled the Apache module mod_rpaf on my Apache web server with the site config below:

    <IfModule mod_rpaf.c>
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips my HAProxy IP
    </IfModule>

    Do you know what needs to be set exactly in the HAProxy config to forward client IPs to backend web servers?

    Thanks in advance.

    Philipp



  • There was no issue with HAProxy.
    The issue was related to my Apache config, sorry for that.
    I'm now using mod_remoteip instead of deprecated mod_rpaf and appropriate log format options.

    On the HAProxy side, it's only required to select the option 'Use "forwardfor" option' in the frontend, as described in the documentation below:
    https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_pass_clientip_to_webserver
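The security-relevant part of the fix above is on the Apache side: with "option forwardfor" HAProxy appends the peer address to X-Forwarded-For, and mod_remoteip must be told (via RemoteIPInternalProxy or RemoteIPTrustedProxy) which proxies to believe, otherwise any client can forge the header. The Python below is an added illustration of that trusted-proxy walk, not code from the thread or from mod_remoteip itself; the HAProxy address is redacted in the thread, so a placeholder 192.0.2.10 is assumed.

```python
import ipaddress
from typing import Optional

# Constructed placeholder for the redacted "my HAProxy IP" in the thread.
# In Apache this would be: RemoteIPHeader X-Forwarded-For
#                          RemoteIPInternalProxy 192.0.2.10
# and the access log would use %a (mod_remoteip's client IP) instead of %h.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def is_trusted(addr: str) -> bool:
    """True if addr belongs to one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Resolve the client address the way a trusted-proxy list is meant to.

    The header is consulted only when the TCP peer itself is a trusted
    proxy; a client talking to Apache directly cannot spoof its address.
    The list is walked from the right (the hop HAProxy appended last):
    trusted hops are skipped and the first untrusted address is the client.
    If every hop is trusted the leftmost one is kept; an unparsable entry
    stops the walk and the last good address is returned.
    """
    if not xff_header or not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    resolved = peer_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the header: stop, keep what we have
        resolved = hop
        if not is_trusted(hop):
            break  # first untrusted hop is the real client
    return resolved


if __name__ == "__main__":
    # Constructed sample: request arrived via HAProxy carrying a forged hop.
    print(client_ip("192.0.2.10", "10.0.0.1, 203.0.113.5, 192.0.2.10"))
    # Same header sent directly by an untrusted peer: header is ignored.
    print(client_ip("198.51.100.7", "10.0.0.1, 203.0.113.5, 192.0.2.10"))
```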

