Quick question (after writing the email, I realized that there's nothing
quick about it) about the order of processing for "reqidel" and "option
forwardfor" options. First and foremost, we're running HA-Proxy version
1.5-dev24-8860dcd 2014/04/26.
Up until a few days ago, we were doing pretty straightforward things with
our X-Forwarded-For headers. Basically, we just removed them altogether,
and then used forwardfor to add a new one:
reqidel ^X-Forwarded-For:.*
option forwardfor
There were no problems with that, AFAIK. Now, we have some traffic coming
through Distil, as a test. These, of course, have client IPs that we don't
really care about, but we'd like to trust the X-Forwarded-For header that
Distil is tacking on. I tried using an acl to only remove X-Forwarded-For
if the request isn't coming from Distil, and then use "if-none" for option
forwardfor:
# log the inbound X-Forwarded-For value (it shows up in the {...} capture field)
capture request header X-Forwarded-For len 49
# requests carrying Distil's marker header are the only ones we want to trust
acl from-distil hdr(X-Distil) some_string_that_we_can_trust
# drop any client-supplied X-Forwarded-For unless the request came via Distil
reqidel ^X-Forwarded-For:.* unless from-distil
# add our own header only when none is present
option forwardfor if-none
At first glance, this seemed to do the trick -- in all cases, it looks like
Distil is sending X-Forwarded-For headers with only one single IP address
in them, as seen in the haproxy logs: (I redacted the client IP, and it's
shown as 11.22.33.44)
Jun 2 00:00:16 haproxy2a haproxy[4373]: 192.225.212.21:3612
[02/Jun/2014:00:00:15.828] frontend backend/srvr 0/0/0/337/337 200 823 - -
---- 1716/937/24/4/0 0/0 {e4d077fcc15ade3dfa99ca86ccf01084|0|11.22.33.44}
"POST /my/url.cgi HTTP/1.0"
However, on the server side, the X-Forwarded-For header that's coming
through is:
X-Forwarded-For: 11.22.33.44, 192.225.212.21
Therefore, I'm curious when/how the logic for option forwardfor's "if-none"
keyword is determined. Also, am I correct in assuming that reqidel always
happens before "option forwardfor"? I tried flipping them around in the
config file to see if a warning would pop up, and none did, but I'd assume
that reqidel happens first, otherwise one would never see any
X-Forwarded-For headers on the backend servers at all.
--
Andy Walker
System Administrator
FBS - creators of flexmls
3415 39th St S
Fargo, ND 58104
701-235-7300
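A configuration along the lines of the one described in the post, added here as an example and not the poster's own config. It shows the two things a practitioner would check first: that "if-none" is honoured on both sides of the proxy (a plain "option forwardfor" on the backend, or in a defaults section, makes the addition mandatory and the client address gets appended even when a trusted header is already present), and that trust in the upstream header is tied to the source address rather than only to a header value that any client could send if it learned the string. The section names, the 192.0.2.0/24 range standing in for the upstream proxy's egress addresses, the bind port and the server address are assumptions for illustration.

```haproxy
# Added example, not the poster's configuration.
# Assumptions: the upstream proxy's egress addresses are 192.0.2.0/24
# (substitute the real ranges), the trusted header value is a placeholder,
# and "servers" / "srvr" are illustrative names.

frontend www
    bind :80
    mode http

    # Log the inbound X-Forwarded-For value, as in the original config.
    capture request header X-Forwarded-For len 49

    # Weak on its own: any client can send "X-Distil: <string>" once the
    # value leaks. Require the source address to match as well.
    acl from-distil hdr(X-Distil) some_string_that_we_can_trust
    acl distil-src  src 192.0.2.0/24

    # Strip any client-supplied X-Forwarded-For unless both checks pass.
    # Request rules (reqidel) run before forwardfor adds its header, so a
    # surviving header here is the one "if-none" sees.
    reqidel ^X-Forwarded-For:.* unless from-distil distil-src

    # Add our own header only when none survived the deletion above.
    option forwardfor if-none

    default_backend servers

backend servers
    mode http
    # If the backend (or a defaults section) also enables forwardfor, it must
    # say "if-none" too: a plain "option forwardfor" on either side makes the
    # addition mandatory, which yields "trusted-ip, proxy-ip" at the server.
    option forwardfor if-none
    server srvr 10.0.0.10:8080
```

If the backend does not enable forwardfor at all, the frontend's "if-none" stands on its own; the append happens when some section enables forwardfor without the "if-none" argument.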