hAproxy hands over client IP to apache2 logs [SOLVED]


  • hi,
    im tryin to get this fixed but hittin hy head hard ;(

    how can i tell haProxy to hand over the client IPs to apache2 logs
    eg ssl_access.log

    the log is pretty useless ;) when there is only the IP of the pfS ;)

    hope someone can shed some light here

    brNP

  • LAYER 8 Netgate

    Did you enable this in the frontend settings? You might need to instruct apache to log it as desired.

    0cb20502-f44a-48f7-a5c1-07f220d485ed-image.png


  • @Derelict

    yes done that already before the post
    now checked again and added

    Advanced pass thru
    http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]

    now checking again.
    brNP


  • @noplan
    What you're looking for is called "transparent proxy mode".

    You can enable it in the backend advanced settings: Transparent ClientIP.

  • LAYER 8 Netgate

    Transparent proxy mode is a hack. I would avoid it.


  • @Derelict
    What exactly is the drawback of the transparent mode?

    I'm evaluating HAProxy for my purposes these days and did some tests so far.
    The impossibility to distinguish the origin clients IP was a thing which was bothering me. And I had also no luck with the forwardfor option.

    However, in the meantime I found that the webservers do not take over the clients IP into the log by default, though forwardfor is enabled. The websers logging need to be configured to do that.


  • @Derelict

    same here. not gonna use it.


  • @viragomann

    The websers logging need to be configured to do that.

    true ... any luck ?
    and what option on HAproxy did u use ?


  • @noplan
    I needed to add

    %{X-Forwarded-For}i
    

    to the log format config (mod_log_config.conf).


  • @viragomann

    thx
    im gonna try this asap

  • LAYER 8 Netgate

    @viragomann

    @viragomann said in hAproxy hands over client IP to apache2 logs:

    @Derelict
    What exactly is the drawback of the transparent mode?

    I'm evaluating HAProxy for my purposes these days and did some tests so far.
    The impossibility to distinguish the origin clients IP was a thing which was bothering me. And I had also no luck with the forwardfor option.

    However, in the meantime I found that the webservers do not take over the clients IP into the log by default, though forwardfor is enabled. The websers logging need to be configured to do that.

    It tries to warn you in the GUI. I have seen it break other things in weird, hard-to-diagnose ways.

    WARNING Activating this option will load rules in IPFW and might interfere with CaptivePortal and possibly other services due to the way server return traffic must be 'captured' with a automatically created fwd rule. This also breaks directly accessing the (web)server on the ports configured above. Also a automatic sloppy pf rule is made to allow HAProxy to server traffic.
    Workaround exists only by configuring a second port or IP on the destination server for direct access of the website.
    Having this option enabled also means that a client on the same subnet as the server wont be able to connect.
    Use Client-IP to connect to backend servers. By default, failed health check are logged if server is UP and successful health checks are logged if server is DOWN, so the amount of additional information is limited.
    Interface that will connect to the backend server. (this will generally be your LAN or OPT1(dmz) interface)
    Connect transparently to the backend server's so the connection seams to come straight from the client ip address. To work properly this requires the reply traffic to pass through pfSense by means of correct routing.
    When using IPv6 only routable ip addresses can be used, host names or link-local addresses (FE80) will not work.
    (uses the option "source 0.0.0.0 usesrc clientip" or "source ipv6@ usesrc clientip")

    Note : When this is enabled for any backend HAProxy will run as 'root' instead of chrooting to a lower privileged user, this reduces security in case a vulnerability is found.


  • @Derelict
    I have read the warnings and hints, but I'm not able to evaluate the real drawbacks.

    • CaptivePortal is not in use here.
    • Accessing the webserver directly is still possible by split DNS and bypassing HAProxy.
    • Slopy rule - don't know, what it really allows. The rule seems to be hidden.
    • Running HAProxy as root - this is what I'm a bit worry about.

    Anyway, since I've got it made to see the clients IP in the webservers log, there is no need for me to run HAProxy in transparent mode now.


  • i m gonna mark this as solved

    cuz first when u r able to read ;)

    apache2.conf .... you find this

    aea435f0-197a-4779-a95e-b98684906c0f-grafik.png

    and second you put this in haProxy

    b4c661d3-4f8f-4ab4-8b86-599f18b1f1b4-grafik.png
    and (for the fun this)
    0a532dc4-9423-4dfa-9207-6fdd584fd8d4-grafik.png

    3b726d19-5356-4330-9491-412ed6e05c39-grafik.png
    http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]

    !!but be aware as @Derelict mentioned !!bd26226c-b163-44c7-9065-511e464b60fd-grafik.png

    DONE DEAL !
    thanx all for the help ... nP


  • @noplan said in hAproxy hands over client IP to apache2 logs [SOLVED]:

    and second you put this in haProxy

    http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]

    🙄
    The X-Forward-For header option is just a simple checkbox in haproxy frontend settings as @Derelict illustrated above by a screenshot.

  • LAYER 8 Netgate

    @viragomann said in hAproxy hands over client IP to apache2 logs [SOLVED]:

    @noplan said in hAproxy hands over client IP to apache2 logs [SOLVED]:

    and second you put this in haProxy

    http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]

    🙄
    The X-Forward-For header option is just a simple checkbox in haproxy frontend settings as @Derelict illustrated above by a screenshot.

    In the first reply to your question.

    When you use advanced options like that you remove the ability of the pfSense developers to migrate your configuration as things change in the upstream package.


  • @Derelict

    i think not tested yet but on the toDo list
    that the problem was that apache log format was not changed.

    so that either the gui option nor the advanced option
    was processed by apache
    so next step is to check if its workin without advanced setting.
    keep you posted NP