    [SOLVED] HaProxy forward client IP

    • manjotsc
      manjotsc last edited by manjotsc

      Hi,

      I am running haproxy (192.168.80.90) on pfSense (192.168.80.1). In the frontend I have checked the "Use 'forwardfor' option", but haproxy forwards the 192.168.80.1 address instead of the client's IP.

      Look for frontend FrontEndProxy

      Thanks,

      # Automatically generated, don't edit manually.
      # Generated on: 2020-12-31 02:42
      global
      	maxconn			1000
      	log			/var/run/log	local0	info
      	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
      	uid			80
      	gid			80
      	nbproc			1
      	nbthread			1
      	hard-stop-after		15m
      	chroot				/tmp/haproxy_chroot
      	daemon
      	tune.ssl.default-dh-param	2048
      	server-state-file /tmp/haproxy_server_state
      
      listen HAProxyLocalStats
      	bind 127.0.0.1:2200 name localstats
      	mode http
      	stats enable
      	stats admin if TRUE
      	stats show-legends
      	stats uri /haproxy/haproxy_stats.php?haproxystats=1
      	timeout client 5000
      	timeout connect 5000
      	timeout server 5000
      
      frontend FrontEndProxy
      	bind			192.168.80.90:443 name 192.168.80.90:443   ssl crt-list /var/etc/haproxy/FrontEndProxy.crt_list  
      	mode			http
      	log			global
      	option			socket-stats
      	option			http-keep-alive
      	option			forwardfor
      	acl https ssl_fc
      	http-request set-header		X-Forwarded-Proto http if !https
      	http-request set-header		X-Forwarded-Proto https if https
      	timeout client		30000
      	acl			speed	var(txn.txnhost) -m str -i speed.manjot.net
      	acl			auth	var(txn.txnhost) -m str -i auth.manjot.net
      	acl			jellyfin	var(txn.txnhost) -m str -i jellyfin.manjot.net
      	acl			aclcrt_FrontEndProxy	var(txn.txnhost) -m reg -i ^speed\.manjot\.net(:([0-9]){1,5})?$
      	acl			aclcrt_FrontEndProxy	var(txn.txnhost) -m reg -i ^auth\.manjot\.net(:([0-9]){1,5})?$
      	acl			aclcrt_FrontEndProxy	var(txn.txnhost) -m reg -i ^jellyfin\.manjot\.net(:([0-9]){1,5})?$
      	http-request set-var(txn.txnhost) hdr(host)
      	use_backend Speed_ipvANY  if  speed aclcrt_FrontEndProxy
      	use_backend Auth_ipvANY  if  auth aclcrt_FrontEndProxy
      	use_backend Jellyfin_ipvANY  if  jellyfin aclcrt_FrontEndProxy
      
      frontend HTTP-TO-HTTPS
      	bind			192.168.80.90:80 name 192.168.80.90:80   
      	mode			http
      	log			global
      	option			http-keep-alive
      	option			forwardfor
      	acl https ssl_fc
      	http-request set-header		X-Forwarded-Proto http if !https
      	http-request set-header		X-Forwarded-Proto https if https
      	timeout client		30000
      	http-request redirect scheme https 
      
      frontend GMFrontEndProxy
      	bind			192.168.80.39:443 name 192.168.80.39:443   ssl crt-list /var/etc/haproxy/GMFrontEndProxy.crt_list  
      	mode			http
      	log			global
      	option			http-keep-alive
      	timeout client		30000
      	acl			gm	var(txn.txnhost) -m str -i gm.manjot.net
      	acl			aclcrt_GMFrontEndProxy	var(txn.txnhost) -m reg -i ^gm\.manjot\.net(:([0-9]){1,5})?$
      	http-request set-var(txn.txnhost) hdr(host)
      	use_backend GM_ipvANY  if  gm aclcrt_GMFrontEndProxy
      
      frontend GM-HTTP-TO-HTTPS
      	bind			192.168.80.39:80 name 192.168.80.39:80   
      	mode			http
      	log			global
      	option			http-keep-alive
      	timeout client		30000
      	http-request redirect scheme https 
      
      backend Speed_ipvANY
      	mode			http
      	id			100
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	option			httpchk OPTIONS / 
      	server			speed 192.168.80.74:443 id 101 ssl check-ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_5f5d1c960d78a.pem 
      
      backend Auth_ipvANY
      	mode			http
      	id			104
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	option			httpchk OPTIONS / 
      	server			Auth 192.168.80.73:443 id 105 ssl check-ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_5f5f10b443a8f.pem 
      
      backend Jellyfin_ipvANY
      	mode			http
      	id			106
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			jellyfin 192.168.80.18:8920 id 107 ssl check-ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_5f8a7e8154947.pem 
      
      backend GM_ipvANY
      	mode			http
      	id			102
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	option			httpchk OPTIONS /si/home.do 
      	server			GM 192.168.80.38:9001 id 103 check inter 1000
      
      • manjotsc
        manjotsc @manjotsc last edited by manjotsc

        Solved

        Guide : https://www.digitalocean.com/community/questions/get-client-public-ip-on-apache-server-used-behind-load-balancer

        First you need to set option forwardfor in each backend you have in HAProxy: under Advanced Settings, in the Backend pass thru box, put option forwardfor and hit Save. Don't set forwardfor in the frontend. Then you need to enable the module in your apache2 server with "sudo a2enmod remoteip", edit the config /etc/apache2/apache2.conf and add the following line at the bottom of the config: RemoteIPHeader X-Forwarded-For. In that same config, locate the log format line, LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined, and change %h to %a to see the IP in the logs, like this: LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined. Restart your apache2 server and you are done; check your apache access logs and you should see the public IP of clients.

        Screenshot 2021-01-02 114223.png

        [root@cPanel ~]# a2enmod remoteip
        Enabling module remoteip.
        To activate the new configuration, you need to run:
          systemctl restart apache2
        [root@cPanel ~]# systemctl restart apache2
        [root@cPanel ~]#
        [root@cPanel ~]# nano /etc/apache2/apache2.conf 
        
        LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
        
        # HaProxy Forward for Enable
        
        RemoteIPHeader X-Forwarded-For
        
        [root@cPanel ~]# systemctl restart apache2
        
        

        Screenshot 2021-01-02 114051.png

        ------------Before--------------- 
        
        192.168.80.1 - - [02/Jan/2021:11:10:00 -0500] "GET / HTTP/1.1" 200 623 "-" "Mozilla/5.0 (Linux; Android 10; SM-G975W) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36"
        192.168.80.1 - - [02/Jan/2021:11:10:00 -0500] "GET /style.css HTTP/1.1" 200 277 "https://speed.manjot.net/" "Mozilla/5.0 (Linux; Android 10; SM-G975W) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36"
        192.168.80.1 - - [02/Jan/2021:11:10:02 -0500] "GET /favicon.ico HTTP/1.1" 200 112448 "https://speed.manjot.net/" "Mozilla/5.0 (Linux; Android 10; SM-G975W) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36"
        
        ---------- After --------------  
        
        204.48.93.246 - - [02/Jan/2021:11:11:05 -0500] "GET / HTTP/1.1" 200 623 "-" "Mozilla/5.0 (Linux; Android 10; SM-G975W) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36"
        204.48.93.246 - - [02/Jan/2021:11:11:06 -0500] "GET /favicon.ico HTTP/1.1" 200 112448 "https://speed.manjot.net/" "Mozilla/5.0 (Linux; Android 10; SM-G975W) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36"
        
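How the two halves of this fix interact, and what the Apache side trusts, is easier to see in code. The following is an added example, not code from the forum post or from pfSense, HAProxy or Apache: a small Python model of what "option forwardfor" appends to X-Forwarded-For and of the way mod_remoteip walks that header when RemoteIPHeader is set, following the documented rules (the RemoteIPHeader documentation states that, unless RemoteIPInternalProxy or RemoteIPTrustedProxy is used, the module trusts all hosts presenting the header). It reuses the addresses visible in the log lines above (the backend sees HAProxy as 192.168.80.1, the real client is 204.48.93.246); the spoofed value 198.51.100.7, the private address 10.0.0.5, the LAN host 192.168.80.50 and all function names are assumptions for the demo. The scenarios show that RemoteIPHeader on its own, as configured in the post, lets a client choose the address that lands in the access log simply by sending its own X-Forwarded-For header, and that declaring the HAProxy address as an internal proxy closes that hole.

```python
# Added example, not code from the forum post or from pfSense, HAProxy or Apache:
# a model of what HAProxy's "option forwardfor" puts into X-Forwarded-For and of
# how Apache's mod_remoteip (RemoteIPHeader / RemoteIPInternalProxy /
# RemoteIPTrustedProxy) picks the client address from that header.
import ipaddress
from typing import Dict, Optional, Sequence


def haproxy_forwardfor(client_xff: Optional[str], src_ip: str) -> str:
    """Model of 'option forwardfor': the connection's source address is appended
    to an X-Forwarded-For header the client already sent, or a new header is
    created. A client-supplied value is kept, not stripped."""
    return f"{client_xff}, {src_ip}" if client_xff else src_ip


def resolve_client_ip(peer_ip: str, xff: Optional[str],
                      internal_proxies: Sequence[str] = (),
                      trusted_proxies: Sequence[str] = ()) -> str:
    """Simplified model of mod_remoteip's documented handling of RemoteIPHeader.

    The header is read right to left, starting from the TCP peer. An address may
    vouch for the next one to its left only if it matches RemoteIPInternalProxy
    or RemoteIPTrustedProxy; the first address that is not a listed proxy is the
    client. A trusted (non-internal) proxy may not vouch for a private address.
    With neither directive present the module "will trust all hosts presenting a
    RemoteIPHeader IP value" (Apache docs), so the walk runs to the leftmost
    entry no matter who wrote it. This models the documented rules; it is not a
    port of remoteip.c.
    """
    internal = [ipaddress.ip_network(n, strict=False) for n in internal_proxies]
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    trust_everyone = not internal and not trusted
    chain = [p.strip() for p in (xff or "").split(",") if p.strip()]

    current = ipaddress.ip_address(peer_ip)
    via_internal = False
    while chain:
        if not trust_everyone:
            is_internal = any(current in net for net in internal)
            is_trusted = any(current in net for net in trusted)
            if not (is_internal or is_trusted):
                break                       # 'current' is the client; stop here
            via_internal = via_internal or is_internal
        try:
            candidate = ipaddress.ip_address(chain.pop())   # rightmost remaining
        except ValueError:
            break                           # unparsable entry: keep what we have
        if not trust_everyone and not via_internal and candidate.is_private:
            break                           # RemoteIPTrustedProxy rejects private
        current = candidate
    return str(current)


def demo() -> Dict[str, str]:
    """Constructed scenarios. 192.168.80.1 (the peer the 'Before' log lines show)
    and 204.48.93.246 (the client in the 'After' lines) come from the post; the
    spoofed value 198.51.100.7, the private 10.0.0.5 and the LAN host
    192.168.80.50 are made up for the demo."""
    haproxy = "192.168.80.1"
    client = "204.48.93.246"
    honest = haproxy_forwardfor(None, client)             # "204.48.93.246"
    spoofed = haproxy_forwardfor("198.51.100.7", client)  # client sent its own XFF
    return {
        # RemoteIPHeader only, as in the post: the client picks the logged address.
        "honest_no_trust": resolve_client_ip(haproxy, honest),
        "spoofed_no_trust": resolve_client_ip(haproxy, spoofed),
        # Same headers, with RemoteIPInternalProxy 192.168.80.1 declared.
        "honest_internal": resolve_client_ip(haproxy, honest, [haproxy]),
        "spoofed_internal": resolve_client_ip(haproxy, spoofed, [haproxy]),
        # A LAN host talking to the backend directly, bypassing HAProxy.
        "direct_no_trust": resolve_client_ip("192.168.80.50", "198.51.100.7"),
        "direct_internal": resolve_client_ip("192.168.80.50", "198.51.100.7",
                                             [haproxy]),
        # Trusted vs internal: only an internal proxy may report a private client.
        "private_via_trusted": resolve_client_ip(haproxy, "10.0.0.5",
                                                 trusted_proxies=[haproxy]),
        "private_via_internal": resolve_client_ip(haproxy, "10.0.0.5", [haproxy]),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:22s} -> logged client {ip}")
```

Run it with python3 to print the table. The fix it points at is one extra Apache line next to the RemoteIPHeader one, "RemoteIPInternalProxy 192.168.80.1" (the address the "Before" log lines show as the peer), so that only a header delivered by HAProxy is honoured and only the address HAProxy appended is taken. On the HAProxy side, "http-request set-header X-Forwarded-For %[src]" in the backend overwrites a client-supplied header instead of appending to it as option forwardfor does, which removes the spoofed entry before it ever reaches Apache. The direct_* scenarios show the other half of the problem: without a trust list, any host on the same LAN that reaches the backend directly can set the header freely.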
