Hi Clément,

On Sat, Nov 18, 2017 at 02:04:20AM +0000, Clément Guillaume wrote:
> Hello,
>
> I'm trying to use fc_rcvd_proxy to detect if Proxy Protocol should be used
> (tcp-request connection expect-proxy layer4), but it always returns false.
> An AWS ELB is adding the Proxy Protocol header. I'm pretty sure this
> header is present because I'm seeing "400 BadRequest" if I omit
> accept-proxy in the configuration.
>
> I'm using HAProxy 1.7.7 and my configuration looks like this:
>
> frontend protoProxyTest
>     bind *:9005
>     log-format fc_rcvd_proxy=%[fc_rcvd_proxy]
>     acl protoc_proxy fc_rcvd_proxy
>     tcp-request connection expect-proxy layer4 if protoc_proxy
>     mode http
>     errorfile 200 /etc/haproxy/200.http
>     monitor-uri /
There is a mistake in this configuration. The fc_rcvd_proxy function returns
true if a PROXY protocol line was processed. I.e.: it will always return false
if no "accept-proxy" nor "expect-proxy" action is processed, and will always
return true after. In your case, given that it's false when you use it as a
condition, it prevents the proxy protocol header from being extracted.

I suspect you're trying to use it to detect the presence of the header, but
this is exactly what MUST NOT be done, otherwise it presents a huge security
risk. What you must do instead is:

  - either you enable it unconditionally (bind ... accept-proxy)
  - or you enable it conditionally, usually based on the source address range
    (eg: expect it from private addresses only)

If you are having ELB in front of your farm, I don't see why you'd need to
allow direct connections to your service, so you should always enable it.

Hoping this helps,
Willy
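For reference, here is what the two safe alternatives Willy describes look like as a corrected version of Clément's frontend. This is an added example, not configuration posted by either of them or shipped with HAProxy; the two frontends are alternatives (pick one), bound to different ports only so the fragment would load as-is, and the 10.0.0.0/8 range standing in for the ELB's VPC addresses is an assumption to replace with the real one.

```haproxy
# Option 1: nothing but the ELB should reach this listener, so require the
# PROXY line on every connection (any client that omits it gets rejected).
frontend protoProxyTest_always
    mode http
    bind *:9005 accept-proxy
    # fc_rcvd_proxy is only meaningful *after* accept-proxy/expect-proxy has
    # run, so here it is fine to use it for logging (it will always be true).
    log-format fc_rcvd_proxy=%[fc_rcvd_proxy]
    monitor-uri /

# Option 2: direct clients must also be served, so expect the PROXY line only
# from the load balancer's address range. "src" at the "tcp-request
# connection" stage is the real TCP peer address: the PROXY line has not been
# read yet, so a client cannot forge its way past this check by sending one.
frontend protoProxyTest_conditional
    mode http
    bind *:9006
    # assumption: the ELB nodes live in 10.0.0.0/8; substitute the real range
    acl from_elb src 10.0.0.0/8
    tcp-request connection expect-proxy layer4 if from_elb
    # NOT this - it tests a flag that is only set once the header has been
    # processed, so the action never fires:
    #   tcp-request connection expect-proxy layer4 if { fc_rcvd_proxy }
    log-format fc_rcvd_proxy=%[fc_rcvd_proxy]
    monitor-uri /
```

In option 2 the log field distinguishes the two paths: connections from the listed range log fc_rcvd_proxy=1 and their client address comes from the PROXY line, while direct connections log fc_rcvd_proxy=0 and keep their TCP source address. Keying the decision on a presence check instead would let any direct client prepend a PROXY line and choose the source address HAProxy logs and evaluates ACLs against.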