Hi Craig,

On Thu, Feb 03, 2011 at 02:59:40PM +0100, Craig Craig wrote:
> Hi,
> 
> I've stumbled upon a problem with balance(hdr), specifically with 
> X-Forwarded-For.
> When you use the config that I've attached, you get different results 
> whether you send an X-Forwarded-For or not.
> 
> The source IP does not change when I perform those queries, hosts did not 
> change state:
> 
> curl http://www.foo.de/host.jsp -s
> Stays always on the same server.
> 
> curl http://www.foo.de/host.jsp -s -H "X-Forwarded-For: x.x.x.x"
> Jumps between the three hosts.
> 
> This is strange: I delete the header that is sent by the client on the 
> frontend with reqidel and set a new one with "option forwardfor" - I expected 
> the backend to balance based on that new header.
> 
> If my assumption was wrong, and the original header is used, then I should 
> not jump between hosts when I am always sending the same header.
> 
> Something smells fishy here...is this a bug? A Feature? ;) Or 
> misunderstanding on my part?

It's not how it's supposed to work, but I agree the doc is not very precise
about that.

The X-Forwarded-For header is only added once at the end of all processing.
Otherwise, having it in the defaults section would result in both your
frontend and your backend adding it.

So in your case, what happens is that you delete it in the frontend (using
reqidel) then you tag the session for adding a new one after all processing
is done.

When at the last point we have to establish a connection to the server, we
check the header and balance based on it. I agree we should always have it
filled with the same value, so there's a bug.

My guess is that you're running a version prior to 1.4.10 which has the
header deletion bug: the header list can become corrupted when exactly
two consecutive headers are removed from the request (e.g. connection and
x-forwarded-for). Then the newly added X-Forwarded-For could not be seen
by the code responsible for hashing it.

If so, please try to upgrade to the last bug fix (1.4.10) and see if the
problem persists.

Also, I'd like to add that what you're doing is simply equivalent (though
more complex) to hashing the source address. You'd better use "balance src"
for this :-)

Cheers,
Willy
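
The setup discussed in this message, beside the "balance src" alternative it recommends, as an added example that is not part of the original e-mail or the poster's attached config. Section names, server names, addresses, ports and timeouts are constructed placeholders.

```haproxy
# Constructed sketch for illustration; all names and addresses are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_www
    bind :80
    # Drop any X-Forwarded-For sent by the client, so backends never
    # see a client-controlled value.
    reqidel ^X-Forwarded-For:
    # Flag the session: HAProxy appends its own X-Forwarded-For once,
    # at the end of all processing (not immediately at this line).
    option forwardfor
    default_backend be_hdr

# Setup described in the thread: hash on the header HAProxy adds itself.
# Depends on the re-added header being visible to the hashing code,
# which is where the pre-1.4.10 header deletion bug interferes.
backend be_hdr
    balance hdr(X-Forwarded-For)
    server app1 192.0.2.11:8080 check
    server app2 192.0.2.12:8080 check
    server app3 192.0.2.13:8080 check

# Simpler equivalent suggested in the reply: hash on the client source
# address directly, with no dependency on header processing order.
backend be_src
    balance src
    server app1 192.0.2.11:8080 check
    server app2 192.0.2.12:8080 check
    server app3 192.0.2.13:8080 check
```

To use the second variant, point `default_backend` at `be_src`; the frontend lines stay the same so the application servers still receive only the proxy-added header.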

