HAProxy show correct client ip

  • Hi,

    I want to set several options in HAProxy so that my nginx shows the correct IP address. I came across the following post https://philio.me/showing-the-correct-client-ip-in-logs-and-scripts-when-using-nginx-behind-a-reverse-proxy/ to do this.

    Where can I find the options to set in the pfSense UI?

    option http-server-close
    option forwardfor
    real_ip_header X-Forwarded-For

    At the moment my conf looks like this:

    global
            maxconn                 100
            stats socket /tmp/haproxy.socket level admin
            uid                     80
            gid                     80
            nbproc                  1
            chroot                  /tmp/haproxy_chroot
    listen HAProxyLocalStats
            bind name localstats
            mode http
            stats enable
            stats admin if TRUE
            stats uri /haproxy_stats.php?haproxystats=1
            timeout client 5000
            timeout connect 5000
            timeout server 5000
    frontend frontend
            bind                    mypubip:443 name mypubip:443
            mode                    tcp
            log                     global
            maxconn                 100
            timeout client          30000
            tcp-request inspect-delay       5s
            acl                     web1-acl       req.ssl_sni -i web1.mydomain.com
            acl                     web2-acl     req.ssl_sni -i web2.mydomain.com
            tcp-request content accept if { req.ssl_hello_type 1 }
            use_backend web1backend_https_ipvANY  if  web1-acl
            use_backend web2_https_ipvANY  if  web2-acl
            default_backend web1backend_https_ipvANY
    backend web1backend_https_ipvANY
            mode                    tcp
            log                     global
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk OPTIONS /
            server                  mywebsite check-ssl check inter 1000  weight 10 verify none
    backend web2_https_ipvANY
            mode                    tcp
            log                     global
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk GET /
            server                  web2 check-ssl check inter 1000  verify none

  • Hi Trumee,

    The 'Use "forwardfor" option' and 'Use "httpclose" option' in the frontend settings are likely what you're looking for.
    By the way, it should not be required for HAProxy to use httpclose: when using 1.5 or above, the default is to inspect and modify all HTTP requests, where 1.4 switched to tunnel mode after 1 request. Anyway, it should be easy enough to test if nginx keeps logging the correct client IP for a keepalive connection.

    Of course, if all GUI options fail it's always possible to use the 'advanced' sections to insert some custom configuration options of your own :). But I don't think you need to in this case.

    The third setting real_ip_header is something you must configure inside nginx.


  • Hi PiBa-NL,

    I don't see these options in the frontend with the HAProxy-devel package. In which block should these options appear: Actions, Stats options, or Advanced settings?

    My frontend type is set to SSL/HTTPS(TCP mode).


  • Hi Trumee,

    Ah, I overlooked that indeed. If you're using TCP mode it is not possible to modify the HTTP content inside the encrypted SSL connection.
    1- So to use the options I wrote, you need to perform offloading on HAProxy and load the certificates on pfSense.

    Other options are:
    2- proxy-protocol (on the server line you could add an advanced setting "send-proxy" or -v2 -v2-ssl -v2-ssl-cn, but the backend must be configured to expect those..) http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#5.2-send-proxy
    3- Transparent-Client-IP (this is a setting on the backend, but do read the warnings!)

    If you don't want to decrypt SSL traffic on HAProxy, then option 2 would probably be best, if your nginx supports it.
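Option 2 above, written out for both sides as an added example (not part of this thread or of the pfSense package): the HAProxy backend from the first post stays in TCP mode and only gains `send-proxy-v2` on its server line, while nginx is told to take the client address from the PROXY header instead of from X-Forwarded-For. The addresses 192.0.2.10 (nginx) and 192.0.2.1 (HAProxy's source address) and the file paths are assumed placeholders.

```text
# --- HAProxy side (pfSense: backend "web2_https_ipvANY", "advanced" field of the server line) ---
# Assumed: nginx listens on 192.0.2.10:443 (placeholder address).
backend web2_https_ipvANY
        mode                    tcp
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk GET /
        # send-proxy-v2: prepend a PROXY v2 header with the real client address.
        # check-send-proxy: health checks must carry that header as well, otherwise
        # nginx (listening with proxy_protocol) drops them and the server goes DOWN.
        server                  web2 192.0.2.10:443 check-ssl check inter 1000 verify none send-proxy-v2 check-send-proxy

# --- nginx side (e.g. /etc/nginx/conf.d/web2.conf, assumed path; needs nginx >= 1.5.12) ---
# Assumed: HAProxy connects from 192.0.2.1 (placeholder address).
server {
    # proxy_protocol: expect a PROXY v1/v2 header before the TLS handshake.
    # Every connection to this port must now come through HAProxy; a client
    # connecting directly is rejected because it sends no such header.
    listen 443 ssl proxy_protocol;
    server_name web2.mydomain.com;

    ssl_certificate     /etc/nginx/ssl/web2.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/ssl/web2.key;

    # Only trust the PROXY header from HAProxy's address. Without this
    # restriction any host that can reach the port could set $remote_addr
    # to an arbitrary value and defeat allow/deny rules and log accuracy.
    set_real_ip_from 192.0.2.1;
    real_ip_header   proxy_protocol;

    # $remote_addr now holds the real client IP, so the default "combined"
    # log format and any allow/deny rules see it; the raw header value is
    # also available as $proxy_protocol_addr.
    access_log /var/log/nginx/web2.access.log combined;

    location / {
        root /var/www/web2;
    }
}
```

Because the frontend stays in TCP mode, the SNI-based routing from the first post keeps working unchanged; the X-Forwarded-For and forwardfor settings are not needed on this path.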

