Oh for dumb... I actually do have an:

    option forwardfor except 127.0.0.0/8

in the defaults section, despite the fact that I'd defined it in all of the frontends that we have. Big oversight! My apologies :)

So, removing that line from the defaults section actually did fix the issue, but I'll probably still take your suggestion and use "http-request set-header", since it can be set conditionally by acl.

Thanks much, Bryan!

--
Andy Walker
System Administrator
FBS - creators of flexmls
3415 39th St S
Fargo, ND 58104
701-235-7300

On Tue, Jun 3, 2014 at 2:25 PM, Bryan Talbot <[email protected]> wrote:

> On Tue, Jun 3, 2014 at 8:57 AM, Andy Walker <[email protected]> wrote:
>
>> Quick question (after writing the email, I realized that there's nothing
>> quick about it) about the order of processing for "reqidel" and "option
>> forwardfor" options. First and foremost, we're running HA-Proxy version
>> 1.5-dev24-8860dcd 2014/04/26
>>
>>
>>
>
>> There were no problems with that, AFAIK. Now, we have some traffic coming
>> through Distil, as a test. These, of course, have client IPs that we don't
>> really care about, but we'd like to trust the X-Forwarded-For header that
>> Distil is tacking on. I tried using an acl to only remove X-Forwarded-For
>> if the request isn't coming from Distil, and then use "if-none" for option
>> forwardfor:
>>
>>     capture request header X-Forwarded-For len 49
>>     acl from-distil hdr(X-Distil) some_string_that_we_can_trust
>>     reqidel ^X-Forwarded-For:.* unless from-distil
>>     option forwardfor if-none
>>
>> At first glance, this seemed to do the trick -- in all cases, it looks
>> like Distil is sending X-Forwarded-For headers with only one single IP
>> address in them, as seen in the haproxy logs: (I redacted the client IP,
>> and it's shown as 11.22.33.44)
>>
>
> I have a similar setup and it's working well and doesn't add the client-ip
> if "from-distil" is set -- maybe another "option forwardfor" without the
> "if-none" was left in a default, frontend or backend?
>
> Also, if I were to build the config starting with 1.5, I think that the
> "http-request set-header" configuration would be the way to go as it should
> be simpler and more flexible. Something like
>
>     acl from-distil hdr(X-Distil) some_string_that_we_can_trust
>     http-request set-header X-Forwarded-For %[src] unless from-distil
>
> I've not tried that yet but it seems like it should work.
>
> -Bryan
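For readers who land here from a search, the following is an added, self-contained HAProxy config that puts the two points of this thread together: no "option forwardfor" in the defaults section (the inherited copy is what re-added the proxy-visible IP), and "http-request set-header" driven by an acl instead of "reqidel" plus "option forwardfor if-none". It is not the poster's config and not from the HAProxy project; the backend address, the log target, the header secret value and the CIDR list file are placeholders (assumptions) chosen for illustration.

```haproxy
# Added example (not from the thread): HAProxy 1.5-style config that trusts
# X-Forwarded-For only on requests relayed by a known upstream proxy and
# overwrites it with the real TCP source for everyone else.

global
    log 127.0.0.1 local0          # assumption: local syslog target

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Deliberately NO "option forwardfor" here. A copy in "defaults" is
    # inherited by every frontend and backend, so the proxy would append
    # the source IP even where a frontend meant to keep the upstream value.

frontend fe_web
    bind *:80

    # Record the X-Forwarded-For value as it arrived, before it is rewritten,
    # so the access log shows what the client or upstream proxy actually sent.
    capture request header X-Forwarded-For len 49

    # Requests relayed by the upstream proxy carry a shared-secret header.
    # The value is a placeholder (assumption); keep the real one out of
    # version control.
    acl from-distil hdr(X-Distil) some_string_that_we_can_trust

    # Also require the TCP peer to be one of the relay's egress addresses.
    # Assumption: /etc/haproxy/distil_ips.lst holds one CIDR per line.
    # A header secret alone is only as strong as its secrecy; the source
    # check costs nothing and limits the blast radius if it leaks.
    acl distil-src src -f /etc/haproxy/distil_ips.lst

    # Conditions listed after "unless" are ANDed: the header is replaced
    # unless BOTH the secret and the source address check out. set-header
    # overwrites any existing X-Forwarded-For, so a client-supplied value
    # never reaches the backend and no separate reqidel is needed.
    http-request set-header X-Forwarded-For %[src] unless from-distil distil-src

    default_backend be_app

backend be_app
    server app1 10.0.0.10:8080 check   # assumption: backend address
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. To confirm the behaviour, send a request from an ordinary client with a forged header (`curl -H 'X-Forwarded-For: 11.22.33.44' http://proxy/`) and check that the backend sees the TCP source instead; then repeat with the secret header from an address in the CIDR list and check that the supplied value is passed through unchanged. Note that the `reqidel`/`rspidel` family used in the original question was removed in HAProxy 2.1, so the `http-request` form is the one that carries forward.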

