HAProxy forwardfor trouble



  • Hello everyone,

I'm running into trouble with a feature of HAProxy on my pfSense 2.1 cluster.  The issue I am running into is related to the "forwardfor" option of HAProxy frontends, where it sets the X-Forwarded-For header for HTTP requests.  Unfortunately, even though this option is enabled, it still does not set it.  I've tried for two days to get this to work without success.

    I'm running these versions:

    Version 2.1-RELEASE (amd64)
    built on Wed Sep 11 18:17:37 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    HAProxy package:

    1.4.24 pkg v 1.1

    I'm running nginx on the actual webservers that serve the request.



  • Hey Aviz,
    Can you post (anonymized) what the /var/etc/haproxy.conf file looks like?
    Also make sure you're using mode 'http', as that is the only mode that supports changing contents.
    Or maybe give the haproxy-devel package a try.
    Greets PiBa-NL



  • Hi Piba,

    Thanks for your reply.  Here it is:

    global
    maxconn 9999999
    uid 80
    gid 80
    nbproc 8
    chroot /var/empty
    daemon

    listen db_lb
    bind 10.255.1.242:3306
    mode tcp
    log global
    option dontlognull
    maxconn 10000
    clitimeout 30000
    balance roundrobin
    contimeout 30000
    srvtimeout 30000
    server db2a x:3306  check inter 1000 weight 10
    server db2b x:3306  check inter 1000 weight 10 backup

    listen a_lb
    bind 10.255.1.240:9802
    mode tcp
    log global
    option dontlognull
    maxconn 1000
    clitimeout 30000
    balance source
    contimeout 30000
    srvtimeout 30000
    server aa a:9802  check inter 1000 weight 10
    server ab a:9802  check inter 1000 weight 10

    listen x_lb_http
    bind x:80
    mode http
    log global
    option dontlognull
    option httpclose
    option forwardfor
    maxconn 10000
    clitimeout 30000
    balance roundrobin
    contimeout 30000
    srvtimeout 30000
    server xa_http x:80  check inter 1000 weight 10
    server xb_http x:80  check inter 1000 weight 10 backup

    listen x_lb_https
    bind x:443
    mode tcp
    log global
    option dontlognull
    # In "mode tcp" the two HTTP-only options below are ignored (haproxy -c warns
    # that they require HTTP mode); the TLS stream is relayed unmodified.
    option httpclose
    option forwardfor
    maxconn 10000
    clitimeout 30000
    balance roundrobin
    contimeout 30000
    srvtimeout 30000
    server xa_ssl x:443  check inter 1000 weight 10
    server xb_ssl x:443  check inter 1000 weight 10 backup

    The last one, "listen x_lb_https" is the one I'm having trouble with.  Note that the mode is in tcp right now, but I've also had it in https with the exact same result.



  • Hey Aviz,

    When using "mode tcp" haproxy cannot modify headers sent through the encrypted SSL connection.

    Your only option when needing to modify https traffic would be to switch to the haproxy-devel package and configure a certificate to perform ssl-offloading/decryption on haproxy, and then modify headers before sending to the backends. You can choose whether or not you want that backend connection to be encrypted again. That might be required for the application to work properly, though plain http to the backend would take less CPU power. (You might also accomplish this by putting 'stunnel' in front of haproxy 1.4, but I would not recommend that.)

    Another option when using haproxy-devel would be to use its transparent client-ip option, so the backend sees the connection coming in from the actual client IP. Please note that the backend then 'must' use pfSense as its default gateway for reply traffic to be properly processed by HAProxy, and that connections made directly to the backend will fail with the current 'fwd' rules used in ipfw.

    Greets PiBa-NL
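    The SSL-offloading layout described in the replies above, written out as an added example; this is not configuration from the thread or from the pfSense package, and it assumes HAProxy 1.5 syntax (what the haproxy-devel package shipped), a combined cert+key PEM at /var/etc/haproxy_www.pem, a public address 203.0.113.10 and backend addresses 10.0.0.11/10.0.0.12, all of which are placeholders standing in for the "x" values in the posted config. The broken tcp-mode shape is kept as a comment beside the working frontend so the difference is visible.

```haproxy
# Added example (not from the thread). Assumes HAProxy 1.5 and the
# placeholder addresses/paths noted in the lead-in.
global
    maxconn 10000
    uid 80
    gid 80
    chroot /var/empty
    daemon

defaults
    log global
    mode http
    option dontlognull
    option httpclose
    timeout connect 30s
    timeout client  30s
    timeout server  30s

# Broken shape from the thread: in mode tcp the TLS stream is relayed as-is,
# so "option forwardfor" is ignored (haproxy -c warns it requires HTTP mode).
# listen x_lb_https
#     bind 203.0.113.10:443
#     mode tcp
#     option forwardfor

# Working shape: terminate TLS on HAProxy, then the request is plain HTTP
# and headers can be rewritten before the backend sees it.
frontend www_https
    bind 203.0.113.10:443 ssl crt /var/etc/haproxy_www.pem no-sslv3
    mode http
    # Strip any X-Forwarded-For a client sent, so the backend only ever
    # trusts the value HAProxy appends below (clients can forge the header).
    reqidel ^X-Forwarded-For:.*
    option forwardfor
    # Let the backend know the original scheme was https.
    reqadd X-Forwarded-Proto:\ https
    default_backend www_backend

backend www_backend
    mode http
    balance roundrobin
    # Plain HTTP to the backend: least CPU, but traffic inside the LAN is clear.
    server xa_http 10.0.0.11:80 check inter 1000 weight 10
    server xb_http 10.0.0.12:80 check inter 1000 weight 10 backup
    # Re-encrypt to the backend instead (1.5 "ssl" server keyword). "verify none"
    # skips certificate checking on the backend hop; use "verify required" with
    # a "ca-file" if the backend certificate should actually be validated.
    # server xa_ssl 10.0.0.11:443 ssl verify none check inter 1000 weight 10
    # server xb_ssl 10.0.0.12:443 ssl verify none check inter 1000 weight 10 backup
    # Transparent client-IP alternative from the last reply: HAProxy connects
    # to the backend using the client's address, so no header is needed, but
    # the backends must route replies back via pfSense. Whether the package
    # build supports this is an assumption to confirm on your install.
    # source 0.0.0.0 usesrc clientip
```

    Check the file with `haproxy -c -f /var/etc/haproxy.conf` before reloading: with the original tcp-mode block it prints a warning that `option forwardfor` is ignored, with the frontend above it does not. On the nginx side the header is only meaningful if nginx trusts it solely from HAProxy, so use the realip module with `set_real_ip_from` limited to the pfSense/HAProxy address and `real_ip_header X-Forwarded-For`; trusting the header from any source lets a client pick the IP that ends up in your logs and access rules.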