Hi.

On 16.01.2019 at 06:43, Vũ Xuân Học wrote:
> Dear,
> 
> I fixed it. I use { src x.x.x.x ... } in use_backend and it worked.
> 
> Many thanks,

Great ;-).

How about the original issue with the SSL, what is the solution now?

Best regards
Aleks

> -----Original Message-----
> From: Vũ Xuân Học <ho...@thaison.vn> 
> Sent: Wednesday, January 16, 2019 10:37 AM
> To: 'Aleksandar Lazic' <al-hapr...@none.at>; 'haproxy@formilux.org' 
> <haproxy@formilux.org>; 'PiBa-NL' <piba.nl....@gmail.com>
> Subject: RE: Get client IP
> 
> Hi,
> 
> I have another problem. I want to allow only some IPs to access my website.
> Please show me how to allow some IPs by domain name.
> 
> I tried with: tcp-request connection reject if { hdr(host) crmone.thaison.vn }
> !{ src x.x.x.x x.x.x.y } but it does not work. I get the error message:
> 
>     keyword 'hdr' which is incompatible with 'frontend tcp-request connection rule'
> 
> I tried some other keywords but was not successful.
> 
> -----Original Message-----
> From: Aleksandar Lazic <al-hapr...@none.at>
> Sent: Monday, January 14, 2019 5:20 PM
> To: Vũ Xuân Học <ho...@thaison.vn>; haproxy@formilux.org; 'PiBa-NL' 
> <piba.nl....@gmail.com>
> Subject: Re: Get client IP
> 
> Hi.
> 
> On 14.01.2019 at 03:11, Vũ Xuân Học wrote:
>> Hi,
>>
>> I don’t know how to use ssl in http mode. I have many sites with many
>> certificates.
>>
>> As you see:
>>
>> …
>> bind 192.168.0.4:443   (I NAT port 443 from firewall to HAProxy IP 192.168.0.4)
>> …
>>
>> # Define hosts
>>         acl host_1 req.ssl_sni -i ebh.vn
>>         acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
>>         … (many acl like above)
>>
>>         use_backend eBH if host_1
>>         use_backend einvoice443 if host_2
> 
> You can use maps for this.
> https://www.haproxy.com/blog/introduction-to-haproxy-maps/
> 
> The openshift router has a complex but usable solution. Don't get confused 
> with the golang template stuff in there.
> 
> https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L180
> 
> https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L198
> 
> Regards
> Aleks
> 
>> *From:* Aleksandar Lazic <al-hapr...@none.at>
>> *Sent:* Monday, January 14, 2019 8:45 AM
>> *To:* haproxy@formilux.org; Vũ Xuân Học <ho...@thaison.vn>; 'PiBa-NL'
>> <piba.nl....@gmail.com>
>> *Subject:* RE: Get client IP
>>
>> Hi.
>>
>> As you use IIS I strongly suggest terminating the https on haproxy
>> and using mode http instead of tcp.
>>
>> Here is a blog post about basic setup of haproxy with ssl
>>
>> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
>>
>> I assume that haproxy has the client ip as the setup works in the http
>> config.
>>
>> Best regards
>> Aleks
>>
>> --------------------------------------------------------------------------------
>>
>> *From:* "Vũ Xuân Học" <ho...@thaison.vn>
>> *Sent:* 14 January 2019 02:17:23 CET
>> *To:* 'PiBa-NL' <piba.nl....@gmail.com>, 'Aleksandar Lazic'
>> <al-hapr...@none.at>, haproxy@formilux.org
>> *Subject:* RE: Get client IP
>>
>> Thanks for your help
>>
>> I tried to config HAProxy with accept-proxy like this:
>>
>> frontend ivan
>>         bind 192.168.0.4:443 accept-proxy
>>         mode tcp
>>         option tcplog
>>
>> #option forwardfor
>>     reqadd X-Forwarded-Proto:\ https
>>
>> then my website cannot be accessed.
>>
>> I use IIS as webserver and I don’t know how to accept proxy, I only
>> know how to config X-Forwarded-For like this:
>>
>> http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/
>>
>> *From:* PiBa-NL <piba.nl....@gmail.com>
>> *Sent:* Sunday, January 13, 2019 10:06 PM
>> *To:* Aleksandar Lazic <al-hapr...@none.at>; Vũ Xuân Học <ho...@thaison.vn>;
>> haproxy@formilux.org
>> *Subject:* Re: Get client IP
>>
>> Hi,
>>
>> On 13-1-2019 at 13:11, Aleksandar Lazic wrote:
>>
>>     Hi.
>>
>>     On 13.01.2019 at 12:17, Vũ Xuân Học wrote:
>>
>>         Hi,
>>
>>         Please help me to solve this problem.
>>
>>         I use HAProxy version 1.5.18, SSL transparent mode and I can
>>         not get the client IP in my .net mvc website. With mode http, I
>>         can use option forwardfor to catch the client ip but with tcp
>>         mode, my web reads X_Forwarded_For as null.
>>
>>         My diagram:
>>
>>         Client => Firewall => HAProxy => Web
>>
>>         I read the HAProxy document and tried to use send-proxy. But
>>         when I use send-proxy, I can access my web.
>>
>>         This is my config:
>>
>>         frontend test2233
>>                 bind *:2233
>>                 option forwardfor
>>                 default_backend testecus
>>
>>         backend testecus
>>                 mode http
>>                 server web1 192.168.0.151:2233 check
>>
>>         Above config works, and I can get the client IP
>>
>>     That's good as it's `mode http`, therefore haproxy can see the http
>>     traffic.
>>
>> Indeed it can insert the http forwardfor header with 'mode http'.
>>
>>         Config with SSL:
>>
>>         frontend ivan
>>                 bind 192.168.0.4:443
>>                 mode tcp
>>                 option tcplog
>>
>>         #option forwardfor
>>             reqadd X-Forwarded-Proto:\ https
>>
>>     This can't work as you use `mode tcp` and therefore haproxy can't
>>     see the http traffic.
>>
>>     From my point of view you now have 2 options.
>>
>>     * use https termination on haproxy. Then you can add this http header.
>>
>> That's one option indeed.
>>
>>     * use accept-proxy in the bind line. This option requires that the
>>     firewall is able to send the PROXY PROTOCOL header to haproxy.
>>
>>     https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-accept-proxy
>>
>> I don't expect a firewall to send such a header. And if I understand
>> correctly the 'webserver' would need to be configured to accept
>> proxy-protocol.
>> The modification to make in haproxy would be to configure
>> send-proxy[-v2-ssl-cn]
>> http://cbonte.github.io/haproxy-dconv/1.9/snapshot/configuration.html#5.2-send-proxy
>> And how to configure it with for example nginx:
>> https://wakatime.com/blog/23-how-to-scale-ssl-with-haproxy-and-nginx
>>
>>     The different modes are described in the doc
>>     https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode
>>
>>     Here is a blog post about basic setup of haproxy with ssl
>>     https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
>>
>>             acl tls req.ssl_hello_type 1
>>             tcp-request inspect-delay 5s
>>             tcp-request content accept if tls
>>
>>                 # Define hosts
>>                 acl host_1 req.ssl_sni -i ebh.vn
>>                 acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
>>
>>                use_backend eBH if host_1
>>                use_backend einvoice443 if host_2
>>
>>         backend eBH
>>                 mode tcp
>>                 balance roundrobin
>>                 option ssl-hello-chk
>>                server web1 192.168.0.153:443 maxconn 30000 check #cookie web1
>>                server web2 192.168.0.154:443 maxconn 30000 check #cookie web2
>>
>>         Above config doesn’t work, and I can not get the client ip. I
>>         tried server web1 192.168.0.153:443 send-proxy and tried server
>>         web1 192.168.0.153:443 send-proxy-v2 but I can’t access my web.
>>
>>
>>     This is expected as the Firewall does not send the PROXY PROTOCOL
>>     header and the bind line is not configured for that.
>>
>> Firewalls by themselves will never use proxy-protocol at all. That it
>> doesn't work with send-proxy on the haproxy server line is likely
>> because the webservice that is receiving the traffic isn't configured
>> to accept the proxy protocol. How to configure a ".net mvc website" to
>> accept that is something I don't know, if it is even possible at all.
>>
>>         Many thanks,
>>
>>     Best regards
>>     Aleks
>>
>>         Thanks & Best Regards!
>>         ****************************
>>         * VU XUAN HOC
>>
>> Regards,
>> PiBa-NL (Pieter)
>>
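
As an added example (not configuration posted by anyone in this thread) of the first option Aleks describes, TLS termination in mode http, here is a frontend that inserts X-Forwarded-For and restricts one site to an allowlist of source addresses on the Host header, which is only available once HAProxy reads the HTTP request. The certificate directory, the 203.0.113.x client addresses and the 192.168.0.155/.156 backends are placeholders.

```haproxy
# Added example, not from this thread: HAProxy terminates TLS and runs in
# mode http, so it can read the Host header and insert X-Forwarded-For.
# Placeholders: PEM files (key + chain) in /etc/haproxy/certs/, clients
# 203.0.113.10 / 203.0.113.11 as the only ones allowed to reach
# crmone.thaison.vn, backends .155/.156. Backends are reached over plain
# HTTP internally; to re-encrypt, add "ssl verify required ca-file <ca>".
global
    log /dev/log local0

defaults
    log     global
    mode    http
    option  httplog
    option  forwardfor            # X-Forwarded-For with the real client IP
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # With a directory, HAProxy picks the certificate matching the SNI
    bind 192.168.0.4:443 ssl crt /etc/haproxy/certs/
    http-request set-header X-Forwarded-Proto https

    # Routing on the decrypted Host header instead of req.ssl_sni
    acl host_ebh      hdr(host)     -i ebh.vn
    acl host_einvoice hdr_end(host) -i einvoice.com.vn
    acl host_crm      hdr(host)     -i crmone.thaison.vn

    # Source allowlist for the restricted site (placeholder addresses)
    acl crm_allowed   src 203.0.113.10 203.0.113.11

    # hdr(host) is not usable in 'tcp-request connection' (no HTTP has been
    # read at that point); at the HTTP level the deny works as intended
    http-request deny if host_crm !crm_allowed

    use_backend eBH         if host_ebh
    use_backend einvoice443 if host_einvoice
    use_backend crm         if host_crm
    default_backend eBH

backend eBH
    balance roundrobin
    server web1 192.168.0.153:80 check
    server web2 192.168.0.154:80 check

backend einvoice443
    server web3 192.168.0.155:80 check

backend crm
    server web4 192.168.0.156:80 check
```

Denied requests show up in the HTTP log with status 403, which is where to check that the allowlist is doing what you expect before tightening it further.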