Haproxy-devel (0.27): tcp-request rule after reqadd rules



  • Hi everyone,

    since our last update (to haproxy-devel 0.27), we're getting multiple warnings on applying haproxy-rules.

    
    [WARNING] 216/165751 (67472) : parsing [/var/etc/haproxy/haproxy.cfg:57] : a 'tcp-request' rule placed after a 'reqadd' rule will still be processed before
    ...
    [WARNING] 216/165751 (67472) : parsing [/var/etc/haproxy/haproxy.cfg:144] : a 'tcp-request' rule placed after a 'reqadd' rule will still be processed before. 
    
    

    Here's a snippet of our config:

    
    ...
    
    reqadd X-Forwarded-Proto:\ https if https
    reqadd X-Forwarded-Proto:\ http if !https
    
    stick-table type ip size 1m expire 30s store gpc0,http_req_rate(10s),conn_cur,conn_rate(3s)
    
    tcp-request connection accept if { src m.n.o.p }
    tcp-request connection accept if { src m.n.o.p }
    tcp-request connection accept if { src m.n.o.p }
    tcp-request connection accept if { src m.n.o.p }
    tcp-request connection accept if { src m.n.o.p }
    tcp-request connection accept if { src m.n.o.p }
    tcp-request connection accept if { src m.n.o.p }
    tcp-request connection accept if { src m.n.o.p }
    
    tcp-request connection track-sc1 src
    
    tcp-request connection reject if { src_get_gpc0(frontend) gt 10 }
    
    tcp-request connection reject if { src_conn_cur gt 40 }
    
    tcp-request connection reject if { src_conn_rate gt 40 }
    
    ...
    
    

    As you can see, these two reqadd X-Forwarded-Proto rules appear before the tcp-request rules and cause the warnings.

    My question is now: what settings add these reqadd X-Forwarded-Proto rules?
    Is there a way to skip these settings and instead add those rules manually into the Advanced pass thru field?

    Best regards
    Thomas



  • It's part of the "Use 'forwardfor' option" on the frontend. It creates rules like these:

    
    	option			forwardfor
    	acl https ssl_fc
    	reqadd X-Forwarded-Proto:\ http if !https
    	reqadd X-Forwarded-Proto:\ https if https
    
    

    Should be possible to add them in the advanced section.



  • Thank you PiBa! It works like a charm!
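
A simplified pre-deployment check for the ordering behind the warning above, as an added example that is not part of the original thread and not HAProxy's own parser logic: it flags `tcp-request` rules written after a `reqadd` rule in the same section, where the written order suggests a different evaluation order than the one HAProxy applies. The function name, the sample configuration and the address 192.0.2.10 are constructed for illustration.

```python
import re

# Keywords that open a new section in haproxy.cfg.
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

# Constructed sample: the first frontend repeats the ordering from the thread,
# the second has the tcp-request rules moved above the reqadd rules.
SAMPLE_CFG = """\
frontend www
    bind :80
    acl https ssl_fc
    reqadd X-Forwarded-Proto:\\ https if https
    reqadd X-Forwarded-Proto:\\ http if !https
    stick-table type ip size 1m expire 30s store gpc0,conn_cur,conn_rate(3s)
    tcp-request connection accept if { src 192.0.2.10 }
    tcp-request connection track-sc1 src
    tcp-request connection reject if { src_conn_cur gt 40 }

frontend www-reordered
    bind :8080
    acl https ssl_fc
    stick-table type ip size 1m expire 30s store gpc0,conn_cur,conn_rate(3s)
    tcp-request connection track-sc1 src
    tcp-request connection reject if { src_conn_cur gt 40 }
    reqadd X-Forwarded-Proto:\\ https if https
    reqadd X-Forwarded-Proto:\\ http if !https
"""

def find_misordered_tcp_request(cfg_text):
    """Return (line_no, section, rule) for each tcp-request after a reqadd."""
    findings = []
    section = None
    reqadd_seen = False
    for line_no, raw in enumerate(cfg_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:  # new section: ordering is tracked per section
            section = " ".join(p for p in m.groups() if p)
            reqadd_seen = False
        elif line.split()[0] == "reqadd":
            reqadd_seen = True
        elif line.split()[0] == "tcp-request" and reqadd_seen:
            findings.append((line_no, section, line))
    return findings

if __name__ == "__main__":
    for n, sec, rule in find_misordered_tcp_request(SAMPLE_CFG):
        print(f"line {n}: [{sec}] {rule}")
```

Only the `reqadd` case from this thread is covered; the check treats `#` as a comment marker everywhere and does not follow included files.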