I just finished setting up apache+mod_security in front of haproxy:

user--> apache+modsec --> haproxy --> webservers --> fastcgi

The reasoning being that if apache was behind haproxy, then the backend
(nginx+php) servers wouldn't show on the haproxy admin interface (the
apaches would).

I'm not 100% sure if this is the best way to go about it, but for the
time being that's the approach. Feel free to suggest/discuss alternatives.


Because the site is live, I'm doing this in phases. For now the firewall
on the load balancers redirects incoming connections from certain IPs to
the new apache+modsec setup, while everything else is business as usual.

The few connections that go through the test setup get logged by haproxy
as coming from 127.0.0.1. This is because the firewall redirects to
127.0.0.1:aaaa (apache) which then ProxyPass'es to haproxy
(127.0.0.1:bbbb); therefore haproxy sees an incoming connection from
127.0.0.1.

Apache properly sets the X-Forwarded-For header.

Question: Can I somehow tell haproxy to log that instead?
If it is possible, are there security implications?
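
On the logging and security question above, an added example (not part of the original post): assuming haproxy's `capture request header X-Forwarded-For len 64` is the only request capture, the header appears in the first `{...}` block of the HTTP log line. Apache appends the address it saw to any X-Forwarded-For the client already sent, so only the rightmost entry can be trusted; the function name, sample lines and `len 64` are assumptions.

```python
import ipaddress
import re

# Constructed sample lines shaped like haproxy's HTTP log format, with the
# captured X-Forwarded-For value in the first {...} block (assumed setup).
PREFIX = ("127.0.0.1:41822 [10/Oct/2010:12:00:01.123] www www/web1 "
          "0/0/1/12/13 200 512 - - ---- 1/1/0/0/0 0/0 ")
SAMPLE_LOGS = [
    PREFIX + '{203.0.113.7} "GET / HTTP/1.1"',
    # Client sent its own "X-Forwarded-For: 10.9.9.9"; Apache appended the real peer.
    PREFIX + '{10.9.9.9, 198.51.100.23} "GET /admin HTTP/1.1"',
    PREFIX + '{not-an-ip} "GET / HTTP/1.1"',
    PREFIX + '"GET /?q={1.2.3.4} HTTP/1.1"',  # no capture block at all
]

CAPTURE_RE = re.compile(r"\{([^}]*)\}")


def client_from_log(line, trusted_hops=1):
    """Return the client address written by the trusted proxy, or None.

    trusted_hops is the number of proxies we control in front of haproxy
    (1 here: the Apache+mod_security instance).
    """
    # Ignore the quoted request so braces in the URL are never parsed.
    head = line.split(' "', 1)[0]
    match = CAPTURE_RE.search(head)
    if not match:
        return None
    # Multiple captures are separated by '|'; X-Forwarded-For is assumed first.
    xff = match.group(1).split("|")[0]
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    if len(entries) < trusted_hops:
        return None
    # Entries left of this one were supplied by the client and can be forged.
    candidate = entries[-trusted_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(client_from_log(sample))
```

haproxy truncates a captured value on the right once it exceeds `len`, so the length has to leave room for the entry Apache appends, and anything haproxy logs from this header is only as trustworthy as the guarantee that all traffic reaches it through Apache.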
