Hi.

On 05-10-2015 14:29, Travis Fitch wrote:
Hello,

Some quick background: my current setup is haproxy in front of Apache on the same host. If I send a request to haproxy, I see the x-forwarded-for
entry in Apache's logs and also with tcpdump

tcpdump -i any -nn -A -vvvv -s 9999 'host x.x.x.51 and port 8880' |
egrep 'X-F'

X-Forwarded-For: x.x.x.207
X-Forwarded-Port: 443
X-Forwarded-Proto: https

We also have a hardware LB in a non-in-line configuration in front of
HAP. It's configured to send x-forwarded on to haproxy.

My issue is, if I bypass the hardware LB, I see the X-Forwarded-For
header; if I go via the hardware LB to haproxy and on to Apache, I
don't see any x-forwarded-for headers in Apache's log files.

If on the other hand I go via the hardware LB directly to Apache
(bypassing haproxy) I see the x-forwarded-for header. Any ideas what I am
missing in my config file? (I'm testing against privatetest.dom.net)
snippet of my haproxy config file looks like this

global
    log 127.0.0.1 local0
    log-send-hostname app04
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    stats socket /tmp/haproxy mode 600 level admin
    tune.ssl.default-dh-param 1024
    ssl-server-verify none

defaults
    log global
    mode http        # Default to L7 proxy service
    option httplog    # HTTP log format
    option dontlognull    # Do not log connections with no requests
    option contstats    # Enable continuous traffic statistics updates
    option redispatch    # Try another server in case of connection failure
    option http-server-close    # Force client side keepalives.
    retries 3
    maxconn 2000
    timeout connect 5s
    timeout client 605s    # GM: uploads take a while to process in PHP
    timeout server 600s    # GM: (as above)
    timeout http-keep-alive 1s
    timeout http-request 10s    # slowloris protection

How about adding "option forwardfor .." in the defaults config or at the frontend?

http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#4.2-option%20forwardfor

####
Since this header is always appended at the end of the existing header list, the server must be configured to always use the last occurrence of this header only.
####

BTW: Can you please also add the output of haproxy -vv? Thanks.

BR Aleks
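
An added example, not part of the original thread: in a hardware LB -> haproxy -> Apache chain, the last X-Forwarded-For occurrence (the one the quoted documentation tells the server to use) is the address of the hop in front of haproxy, so the backend has to walk the hops right to left and skip proxies it trusts to reach the real client. This goes beyond the "last occurrence" rule in the quote; the function names and all addresses are constructed for illustration.

```python
import ipaddress

def xff_hops(header_values):
    """Flatten every X-Forwarded-For header line, in arrival order, into one hop list."""
    hops = []
    for value in header_values:
        hops.extend(p.strip() for p in value.split(",") if p.strip())
    return hops

def last_occurrence(header_values):
    """What a server sees if it uses only the last occurrence of the header."""
    hops = xff_hops(header_values)
    return hops[-1] if hops else None

def client_ip(header_values, peer_ip, trusted_proxies):
    """Walk from the TCP peer leftwards; return the first address that is not
    a trusted proxy. Everything left of that address is client-controlled."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    candidate = ipaddress.ip_address(peer_ip)  # the only value not taken from a header
    for hop in reversed(xff_hops(header_values)):
        if not any(candidate in net for net in trusted):
            break                      # candidate is outside our proxies: stop
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            return None                # malformed hop at the trust boundary
    return str(candidate)

# Constructed sample: what Apache receives on the same host as haproxy.
# The client forged "10.9.9.9", the hardware LB (192.0.2.10) appended the real
# client, and haproxy with "option forwardfor" appended a new header line.
VIA_LB = ["10.9.9.9, 203.0.113.207", "192.0.2.10"]
TRUSTED = ["127.0.0.1/32", "192.0.2.10/32"]   # haproxy on localhost, hardware LB

if __name__ == "__main__":
    print(last_occurrence(VIA_LB))                  # the LB, not the client
    print(client_ip(VIA_LB, "127.0.0.1", TRUSTED))  # the real client
```
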
