Hi.
Am 05-10-2015 14:29, schrieb Travis Fitch:
Hello,
Some quick background; My current setup is haproxy in front of Apache
on
the same host. If I send a request to haproxy, I see the
x-forwarded-for
entry in Apache's logs and also with tcpdump
tcpdump -i any -nn -A -vvvv -s 9999 'host x.x.x.51 and port 8880' |
egrep 'X-F'
X-Forwarded-For: x.x.x.207
X-Forwarded-Port: 443
X-Forwarded-Proto: https
We also have hardware LB in a non in-line configuration in-front of
HAP. Its configured to send x-forwarded onto haproxy.
My issue is, if I bypass the hardware LB, I see the X-Forwarded-For
header, if I go via the the Hardware LB to haproxy and onto Apache, I
don't see any x-forwarded-for headers in Apaches log files.
If on the other hand I go via the hardware LB directly to Apache (by
passing haproxy) I see the x-forwarded-for header. Any ideas what I am
missing in my config file (i'm testing against privatetest.dom.net
snippet of my haproxy config file looks like this
global
log 127.0.0.1 local0
log-send-hostname app04
maxconn 4096
user haproxy
group haproxy
daemon
stats socket /tmp/haproxy mode 600 level admin
tune.ssl.default-dh-param 1024
ssl-server-verify none
defaults
log global
mode http # Default to L7 proxy service
option httplog # HTTP log format
option dontlognull # Do not log connections with no requests
option contstats # Enable continuous traffic statistics updates
option redispatch # Try another server in case of connection
failure
option http-server-close # Force client side keepalives.
retries 3
maxconn 2000
timeout connect 5s
timeout client 605s # GM: uploads take a while to process in PHP
timeout server 600s # GM: (as above)
timeout http-keep-alive 1s
timeout http-request 10s # slowloris protection
How about to add "option forwardfor .." in the defaults config or at the
frontend?
http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#4.2-option%20forwardfor
####
Since this
header is always appended at the end of the existing header list, the
server
must be configured to always use the last occurrence of this header
only.
####
BTW: Please can you also add the output of haproxy -vv thanks.
BR Aleks