Netgate Discussion Forum

HAProxyD Issue in pfSense+ - I am unable to get the actual IP of the client in the backend NGINX server

  • ShahidAkhter
    last edited by May 18, 2023, 8:23 AM

    Hi!
    I am stuck on an issue and unable to solve it; any help in this matter will mean a lot to me.
    I am unable to get the actual IP of the client in the backend server after trying:
    Option Forwardfor
    Transparent Client IP
    Advanced Pass Thru for option ForwardFor
    I tried every kind of logging-format help available on this platform.
    None of these work. Here's the config file:

    # Automaticaly generated, dont edit manually.

    # Generated on: 2023-05-18 12:51

    global
    maxconn 100000
    log ssp.mydomain.com:514 syslog emerg
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    gid 80
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    log-send-hostname SSP
    server-state-file /tmp/haproxy_server_state

    listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

    frontend share_domain_ca-merged
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl ips_host_acl var(txn.txnhost) -m str -i ips.mydomain.com
    acl dev_domain_ca_acl var(txn.txnhost) -m sub -i dev
    acl stagingHTTP var(txn.txnhost) -m sub -i staging
    http-request set-var(txn.txnhost) hdr(host)
    use_backend Ips_domain_ca_ipvANY if ips_host_acl
    use_backend httpdev_ipvANY if dev_domain_ca_acl
    use_backend Staging-HTTP_ipv4 if stagingHTTP

    frontend share_domain_caHTTPS-merged
    bind name ssl crt-list /var/etc/haproxy/share_domain_caHTTPS.crt_list crt-ignore-err all
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl ips_host_acl var(txn.txnhost) -m str -i ips.mydomain.com
    acl aclcrt_share_domain_caHTTPS var(txn.txnhost) -m reg -i ^ips.domain.ca(:([0-9]){1,5})?$
    acl dev_domain_ca_aclHTTPS var(txn.txnhost) -m sub -i dev
    acl StagingONHTTPS var(txn.txnhost) -m beg -i staging
    acl BapStagingONHTTPS var(txn.txnhost) -m sub -i bapv4.staging.mydomain.com
    acl New.StagingOnHttps var(txn.txnhost) -m sub -i new.staging.admin.mydomain.com
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^bapv4.staging.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^new.staging.admin.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.account.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.admin.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.brand.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.business.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.deploy.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.reward.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^staging.service.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.bapv4.staging.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.new.staging.admin.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.account.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.admin.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.brand.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.business.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.deploy.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.reward.domain.ca(:([0-9]){1,5})?$
    acl aclcrt_StagingonHTTPSFrontend var(txn.txnhost) -m reg -i ^www.staging.service.domain.ca(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend IPShttps_ipvANY if ips_host_acl aclcrt_share_domain_caHTTPS
    use_backend SSLdev_domain_caHTTPS_ipvANY if dev_domain_ca_aclHTTPS
    use_backend Staging-HTTPS_ipvANY if StagingONHTTPS aclcrt_StagingonHTTPSFrontend
    use_backend Staging-HTTPS_ipvANY if BapStagingONHTTPS aclcrt_StagingonHTTPSFrontend
    use_backend Staging-HTTPS_ipvANY if New.StagingOnHttps aclcrt_StagingonHTTPSFrontend

    backend Ips_domain_ca_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    option forwardfor
    server ips 172.31.4.245:80 id 101 check inter 1000

    backend httpdev_ipvANY
    mode http
    id 104
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    option forwardfor
    server devhttp 172.31.7.108:80 id 101 check inter 1000

    backend Staging-HTTP_ipv4
    mode http
    id 10110
    log global
    balance roundrobin
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    source ipv4@ usesrc clientip
    server StagingHTTP serverip:80 id 10111 check inter 1000

    backend IPShttps_ipvANY
    mode http
    id 102
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    option forwardfor
    server IPShttps 172.31.4.245:443 id 103 ssl check-ssl check inter 1000 verify none

    backend SSLdev_domain_caHTTPS_ipvANY
    mode http
    id 105
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    server SSLdev_domain_caHTTPS 172.31.7.108:443 id 103 ssl check-ssl check inter 1000 verify none

    backend Staging-HTTPS_ipvANY
    mode http
    id 108
    log global
    balance roundrobin
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    option forwardfor
    server StagingHTTPS serverip:443 id 109 ssl check-ssl check inter 1000 verify none

    • viragomann @ShahidAkhter
      last edited by May 18, 2023, 1:21 PM

      @shahidakhter said in HAProxyD Issue in pfSense+ - I am unable to get the actual IP of the client in the backend NGINX server:

      I am unable to get the actual IP of the client in the backend server after trying:
      Option Forwardfor
      Transparent Client IP

      These are different ways to get the client IP on the backend.

      ForwardFor inserts the "X-Forwarded-For" header with the origin client IP into the request to the backend.
      You have to configure your backend server to utilize it.

      In transparent mode HAproxy sends requests to the backend with the origin client IP as the source.
      But this is a pretty hacky approach. I'd rather recommend using ForwardFor.

      But you have to state the ForwardFor option in the frontend, not in the backend. On the frontend settings page there is a checkbox to enable it.

      Also I'm wondering why your frontends are listening on the loopback address. Did you forward the incoming traffic to it?

      • ShahidAkhter @viragomann
        last edited by May 18, 2023, 1:25 PM
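The X-Forwarded-For handling viragomann describes, as an added example that is not part of the thread: a model of what HAProxy's `option forwardfor` appends, and the trusted-proxy walk a backend should apply before believing the header (nginx's realip module does the same with `set_real_ip_from` plus `real_ip_header X-Forwarded-For`). The 172.31.0.0/16 proxy range and all sample addresses are constructed.

```python
"""Recover the real client IP from X-Forwarded-For behind a trusted
proxy. Constructed example: the proxy range and addresses are made up."""
import ipaddress
from typing import Iterable, Optional


def haproxy_forwardfor(existing_xff: Optional[str], peer_ip: str) -> str:
    """Model of `option forwardfor`: HAProxy appends the connecting peer's
    address to whatever X-Forwarded-For the client already sent. It does
    not strip or validate the client-supplied part, so the left-hand
    entries are untrusted input."""
    return f"{existing_xff}, {peer_ip}" if existing_xff else peer_ip


def real_client_ip(xff: Optional[str], remote_addr: str,
                   trusted_proxies: Iterable[str]) -> str:
    """Walk X-Forwarded-For right to left, skipping our own proxies, and
    return the first address that is not one of them. That hop was
    written by a proxy we control; everything further left was supplied
    by the client and may be spoofed."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False  # garbage entries are never a trusted proxy
        return any(ip in n for n in nets)

    # If the TCP peer is not a trusted proxy, the header means nothing:
    # report the peer itself rather than a client-chosen value.
    if not trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not trusted(hop):
            return hop
    # Every hop was one of our proxies (or the header was empty).
    return remote_addr
```
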

        @viragomann Hi! Thanks for the response.
        I tried configurations on the actual server, e.g. nginx, and turned on the X-Forwarded header from there, and it worked.
        I have a simple setup, listening on WAN:443 and then forwarding to the server.
        If you have any suggestions, do let me know.
        I appreciate your support.
        Thanks again.

        • viragomann @ShahidAkhter
          last edited by May 18, 2023, 2:36 PM

          @shahidakhter said in HAProxyD Issue in pfSense+ - I am unable to get the actual IP of the client in the backend NGINX server:

          e.g. nginx, and turned on the X-Forwarded header from there, and it worked.
          If you have any suggestions, do let me know.

          So did you see the client IP in the log now? If not, what do you see in the X-Forwarded-For column?

          • ShahidAkhter @viragomann
            last edited by May 18, 2023, 3:32 PM

            @viragomann It is working. I just need to configure NGINX for the header.
            But I am facing a speed issue; a simple webpage is taking 30+ seconds to load.
            It's on AWS, I don't know what to do now.

            • viragomann @ShahidAkhter
              last edited by May 18, 2023, 8:46 PM

              @shahidakhter
              Does this also happen if you bypass HAproxy?
              Simply add a NAT port forwarding rule on WAN to the backend server for testing.
