HAProxy with SSL offloading and X-Forward-For


  • Searching for several hours, I could not find a solutions so I am trying the forum...

    On my SG-3100 I have installed HAProxy and configured it to handle traffic for several webservers in the backend. The proxy uses a Letsencrypt certificate and connects to backends with self-signed certificates. Works great!

    However, I would like to use the X-Forward-For header to better monitor traffic on the backend servers. I understand that SSL traffic cannot be modified but since I am using SSL offloading I expected HAProxy to be able to set this header when connecting to the self-signed backend.

    I tried the checkbox option but without result.
    I added "http-request header add" with name "X-Forwarded-For" and fmt "%[src]" to both the http to https redirect and the https frontend. No luck.

    Any suggestions on how to get this X-Forward-For working with SSL?

    Another issue is that I need to disable HAProxy to update the Letsencrypt certificates (using HTTP standalone mode). Not practical so any suggestion on this are also welcome...


  • @border
    X-Forward-For, in 'mode http' haproxy will insert the header with the configuration options you have set, but are you sure the webserver is using those headers.? Most of the time some configuration needs to be made on the webserver/webapplication to use these headers.

    As for Letsencrypt with standalone mode, you could try running the standalone LE service on a different port than the :80 like :1080 or whatever, and define that as a separate server in a LE-backend (without healthchecks) in haproxy. Then when on the frontend if a request for the /.well-known/acme-challenge path is found with a acl direct the request to this specific acme LE-backend. That way haproxy can keep listening for requests, and the LE-validation-servers can check if the challenge token file is found. (b.t.w. you could also use a lua script with http-01 webroot method.. that works for sure 😉 )


  • @piba Thanks for the reply!
    I will try the suggestion for Letsencrypt

    The Apache2 server has been configured to capture the X-Forward-For in the log file but only the gateway IP address is donut in the log file. I think it has to do with the SSL part...