HAProxy show correct client ip
-
Hi,
I want to set several options in HAProxy for my nginx to show the correct IP address. I came across the following post https://philio.me/showing-the-correct-client-ip-in-logs-and-scripts-when-using-nginx-behind-a-reverse-proxy/ to do this.
Where can I find the options to set in the pfSense UI:
option http-server-close
option forwardfor
real_ip_header X-Forwarded-For
At the moment my conf looks like this:

global
    maxconn 100
    stats socket /tmp/haproxy.socket level admin uid 80 gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats uri /haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend frontend
    bind mypubip:443 name mypubip:443
    mode tcp
    log global
    maxconn 100
    timeout client 30000
    tcp-request inspect-delay 5s
    acl web1-acl req.ssl_sni -i web1.mydomain.com
    acl web2-acl req.ssl_sni -i web2.mydomain.com
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend web1backend_https_ipvANY if web1-acl
    use_backend web2_https_ipvANY if web2-acl
    default_backend web1backend_https_ipvANY

backend web1backend_https_ipvANY
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server mywebsite 192.168.1.2:443 check-ssl check inter 1000 weight 10 verify none

backend web2_https_ipvANY
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /
    server web2 192.168.1.3:443 check-ssl check inter 1000 verify none
-
Hi Trumee,
The 'Use "forwardfor" option' and 'Use "httpclose" option' in the frontend settings are likely what you're looking for.
B.t.w. it should not be required for haproxy to use httpclose: when using 1.5 or above the default is to inspect and modify all http requests, where 1.4 switched to tunnel mode after 1 request. Anyway, it should be easy enough to test if nginx keeps logging the correct client IP for a keepalive connection.
Of course if all GUI options fail it's always possible to use the 'advanced' sections to insert some custom configuration options of your own :). But I don't think you need to in this case.
The third setting real_ip_header is something you must configure inside nginx.
Regards,
PiBa-NL
-
Hi PiBa-NL,
I don't see these options in the frontend with the HAProxy-devel package. In which block should these options appear: Actions, Stats options, or Advanced settings?
My frontend type is set to SSL/HTTPS(TCP mode).
Thanks
-
Hi Trumee,
Ah, I overlooked that indeed; if you're using TCP mode it is not possible to modify the HTTP content inside the encrypted SSL connection.
1- So to use the options I wrote you need to perform offloading on haproxy and load the certificates on pfSense.
Other options are:
2- proxy-protocol (on the server line you could add an advanced setting "send-proxy" or -v2, -v2-ssl, -v2-ssl-cn, but the backend must be configured to expect those..) http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#5.2-send-proxy
3- Transparent-Client-IP (this is a setting on the backend, but do read the warnings!)
If you don't want to decrypt SSL traffic on haproxy then option 2 would probably be best if your nginx supports it.
Regards,
PiBa-NL
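An added example (not from either poster or the pfSense package), assuming the same hostnames and backend addresses as the config posted above: the TCP-mode SNI routing from the question with option 2, PROXY protocol v2 toward nginx, so the real client address crosses the connection without HAProxy terminating TLS.

```haproxy
# Added example, not the poster's config: TCP-mode SNI routing with PROXY
# protocol v2 to nginx (option 2 above). Names and addresses are the ones
# from the posted config; "mypubip" is a placeholder for the public address.
frontend frontend
    bind mypubip:443 name mypubip:443
    mode tcp
    log global
    timeout client 30000
    # Hold the connection until the TLS ClientHello arrives so req.ssl_sni
    # can be used for routing; nothing inside the TLS stream is modified.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl web1-acl req.ssl_sni -i web1.mydomain.com
    acl web2-acl req.ssl_sni -i web2.mydomain.com
    use_backend web1backend_https_ipvANY if web1-acl
    use_backend web2_https_ipvANY if web2-acl
    default_backend web1backend_https_ipvANY

backend web1backend_https_ipvANY
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    # send-proxy-v2 prepends a binary PROXY v2 header carrying the original
    # client IP and port to every connection. nginx must be configured to
    # expect it, otherwise the header lands in front of the TLS handshake
    # and every connection fails. Because send-proxy-v2 is set and no
    # separate check port/addr is given, health checks send the header too.
    # "verify none" is carried over from the posted config: it disables
    # certificate verification for the SSL health check.
    server mywebsite 192.168.1.2:443 send-proxy-v2 check check-ssl inter 1000 weight 10 verify none

backend web2_https_ipvANY
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /
    server web2 192.168.1.3:443 send-proxy-v2 check check-ssl inter 1000 verify none
```

On the nginx side this needs `listen 443 ssl proxy_protocol;` together with `set_real_ip_from <HAProxy's address>;` and `real_ip_header proxy_protocol;` (ngx_http_realip_module) so the logged `$remote_addr` becomes the address from the PROXY header. Keep `set_real_ip_from` limited to HAProxy's own address and do not expose that nginx listener directly, since any host allowed to send a PROXY header can present whatever client address it likes.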