On Tue, 05 Jul 2011 16:17:24 +0100, Hugo Silva wrote:
I just finished setting up apache+mod_security in front of haproxy:
user--> apache+modsec --> haproxy --> webservers --> fastcgi
The reasoning being that if apache was behind haproxy, then the backend
(nginx+php) servers wouldn't show on the haproxy admin interface (the
apaches would).
I'm not 100% sure if this is the best way to go about it, but for the
time being that's the approach. Feel free to suggest/discuss
alternatives.
Because the site is live, I'm doing this in phases. For now the firewall
on the load balancers redirects incoming connections from certain IPs to
the new apache+modsec setup, while everything else is business as usual.
The few connections that go through the test setup get logged by haproxy
as coming from 127.0.0.1. This is because the firewall redirects to
127.0.0.1:aaaa (apache) which then ProxyPass'es to haproxy
(127.0.0.1:bbbb); therefore haproxy sees an incoming connection from
127.0.0.1.
Apache properly sets the X-Forwarded-For header.
Question: Can I somehow tell haproxy to log that instead?
If it is possible, are there security implications?
X-Forwarded-For is an HTTP header. Like any other HTTP header, you can
ask haproxy to log it by using
frontend XYZ
    [...]
    option httplog
    # log the header value; "len 50" caps how many bytes of it are kept
    capture request header X-Forwarded-For len 50
It will appear in the logs in field #14, enclosed between "{}"
characters.
http://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat
Julien
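As an added example (not part of the thread, and not code from haproxy or Apache), the script below parses httplog lines of the shape the capture directive produces and pulls the X-Forwarded-For value out of field #14. It also addresses the security question left open above: X-Forwarded-For is set by whoever sends the request, and Apache's mod_proxy appends the address it actually talked to onto any value the client already supplied, so only the rightmost entry (the one written by the trusted apache hop) is believable, and the "len 50" capture can truncate that entry on a long chain. The log lines, frontend/backend names (fe-apache, be-www) and addresses are constructed for this example.

```python
import ipaddress
import re

# Constructed sample lines (not from the original thread) in the layout that
# haproxy's "option httplog" writes with one "capture request header
# X-Forwarded-For len 50" in the frontend. The source address haproxy sees is
# always the local apache+mod_security hop, 127.0.0.1. Line 2 is a client that
# sent its own forged X-Forwarded-For before Apache appended the real peer;
# line 3 is a chain cut off by the 50-byte capture limit; line 4 is empty.
SAMPLE_LOG = """\
Jul  5 16:17:24 lb1 haproxy[2345]: 127.0.0.1:51234 [05/Jul/2011:16:17:24.123] fe-apache be-www/web1 0/0/1/12/13 200 2750 - - ---- 1/1/1/1/0 0/0 {203.0.113.7} "GET /index.html HTTP/1.1"
Jul  5 16:17:31 lb1 haproxy[2345]: 127.0.0.1:51240 [05/Jul/2011:16:17:31.004] fe-apache be-www/web2 0/0/0/9/9 200 512 - - ---- 2/2/1/1/0 0/0 {10.0.0.1, 198.51.100.23} "GET /login HTTP/1.1"
Jul  5 16:17:40 lb1 haproxy[2345]: 127.0.0.1:51251 [05/Jul/2011:16:17:40.876] fe-apache be-www/web1 0/0/1/7/8 404 401 - - ---- 1/1/0/0/0 0/0 {1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5, 198.5} "GET /admin HTTP/1.1"
Jul  5 16:17:52 lb1 haproxy[2345]: 127.0.0.1:51260 [05/Jul/2011:16:17:52.310] fe-apache be-www/web2 0/0/0/5/5 200 128 - - ---- 1/1/0/0/0 0/0 {} "GET /healthz HTTP/1.1"
"""

# Everything up to and including "haproxy[pid]: " is the syslog prefix.
PREFIX_RE = re.compile(r'haproxy\[\d+\]: ')

# Default httplog layout: fields 1-13, then the optional "{...}" groups for
# captured request headers (field 14) and captured response headers (field
# 15), then the quoted request line.
HTTPLOG_RE = re.compile(
    r'(?P<client>\S+) \[(?P<accept_date>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>\S+) (?P<timers>\S+) (?P<status>-?\d+) (?P<bytes>\d+) '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) (?P<term_state>\S+) '
    r'(?P<conns>\S+) (?P<queues>\S+)'
    r'(?: \{(?P<req_headers>[^}]*)\})?'
    r'(?: \{(?P<resp_headers>[^}]*)\})?'
    r' "(?P<request>[^"]*)"$'
)


def parse_httplog(line):
    """Return the fields of one haproxy httplog line as a dict, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    m = HTTPLOG_RE.match(line[m.end():])
    return m.groupdict() if m else None


def client_ip_from_xff(xff, trusted_hops=1):
    """Pick the client address out of a captured X-Forwarded-For value.

    Apache appends the address it actually talked to onto whatever
    X-Forwarded-For the client already sent, so entries to the left of the
    last `trusted_hops` entries are attacker-controlled text. Only the entry
    written by the first trusted proxy is believed, and only if it is a whole
    IP address (the "len 50" capture truncates long chains, cutting it off).
    """
    if not xff:
        return None
    hops = [h.strip() for h in xff.split(',')]
    if len(hops) < trusted_hops:
        return None
    candidate = hops[-trusted_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def resolve_clients(log_text):
    """Return (request, address haproxy saw, trusted client address or None)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_httplog(line)
        if rec is None:
            continue
        out.append((rec['request'], rec['client'],
                    client_ip_from_xff(rec['req_headers'])))
    return out


if __name__ == '__main__':
    for request, seen_by_haproxy, real_client in resolve_clients(SAMPLE_LOG):
        print(f'{real_client or "UNKNOWN":<16} via {seen_by_haproxy:<16} {request}')
```

If the logged address is going to feed rate limiting, fail2ban-style blocking or an audit trail, the takeaway is to read the rightmost entry and to reject anything that does not parse as an address; a client can otherwise put whatever it likes in the left-hand part of the captured field, including another tenant's IP or log-line delimiters.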