Hi Clément,

On Sat, Nov 18, 2017 at 02:04:20AM +0000, Clément Guillaume wrote:
> Hello,
> 
> I'm trying to use fc_rcvd_proxy to detect if Proxy Protocol should be used
> (tcp-request connection expect-proxy layer4), but it always returns false.
> An AWS ELB is adding the Proxy Protocol header. I'm pretty sure this
> header is present because I'm seeing "400 BadRequest" if I omit
> accept-proxy in the configuration.
> 
> I'm using HAProxy 1.7.7 and my configuration looks like this:
> 
> frontend protoProxyTest
>   bind *:9005
>   log-format fc_rcvd_proxy=%[fc_rcvd_proxy]
>   acl protoc_proxy fc_rcvd_proxy
>   tcp-request connection expect-proxy layer4 if protoc_proxy
>   mode http
>   errorfile 200 /etc/haproxy/200.http
>   monitor-uri /

There is a mistake in this configuration. The fc_rcvd_proxy function
returns true if a PROXY protocol line was processed. I.e. it will always
return false if no "accept-proxy" nor "expect-proxy" action is processed,
and will always return true after.

In your case, given that it's false when you use it as a condition, it
prevents the proxy protocol header from being extracted.

I suspect you're trying to use it to detect the presence of the header,
but this is exactly what MUST NOT be done, otherwise it presents a huge
security risk. What you must do instead is:
  - either you enable it unconditionally (bind ... accept-proxy)
  - or you enable it conditionally, usually based on the source address
    range (eg: expect it from private addresses only)

If you are having ELB in front of your farm, I don't see why you'd need
to allow direct connections to your service so you should always enable
it.

Hoping this helps,
Willy
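
Added example (not part of the thread): the two shapes of configuration the reply recommends, side by side, with the decision for the conditional form based on the peer address rather than on fc_rcvd_proxy. The frontend names and the 10.0.0.0/8 range standing in for the ELB's subnet are assumptions; adjust the CIDR to your VPC.

```haproxy
# Option 1: accept the PROXY protocol unconditionally. Preferred when
# nothing but the ELB can reach this port.
frontend protoProxyTest_accept
  bind *:9005 accept-proxy
  mode http
  log-format fc_rcvd_proxy=%[fc_rcvd_proxy]
  monitor-uri /

# Option 2: expect the PROXY header only from a trusted source range
# (assumed 10.0.0.0/8 here). The ACL matches on the TCP peer address,
# never on fc_rcvd_proxy, which stays false until a PROXY line has
# actually been processed and so can never be used to decide whether
# to process one.
frontend protoProxyTest_conditional
  bind *:9005
  mode http
  acl from_elb src 10.0.0.0/8
  tcp-request connection expect-proxy layer4 if from_elb
  log-format fc_rcvd_proxy=%[fc_rcvd_proxy]
  monitor-uri /
```

With either form, %[fc_rcvd_proxy] in the log line reports 1 once a PROXY line has been consumed on that connection, which is the only thing the fetch is meant to tell you.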
