Re: Logging real rather than load balancer IP

2018-10-17 Thread PiBa-NL

Hi Mark,

On 17-10-2018 at 23:36, Mark Holmes wrote:


Question: We have some web apps which are behind an haproxy load 
balancer, with TLS being terminated on the server rather than at the 
balancer (so using tcp mode). The web server logs are recording the 
source IP as that of the load balancer as expected. I now have a 
requirement to pass the ‘real’ IP address through to the web 
application and also record it in the webserver logs. Currently, with 
other applications where TLS is terminated at the balancer and we are 
using http mode to connect to the backend web servers I use 
X-FORWARDED-FOR to pass through the ‘real’ IP address but obviously 
that won’t help me when using TCP mode. I read some stuff about using 
the PROXY protocol, but I’m running IIS 8.5 and as far as I can tell 
it doesn’t support PROXY. Am I correct?


My other option appears to be to switch to transparent proxying. I 
have verified the kernel I’m using is compiled with TPROXY support as 
is haproxy itself. Before I go down this road – is transparent 
proxying the correct/best option here?


Thanks in advance for any advice

Mark


There are 3 options to let a webserver know the client-IP.

- forwardfor (only works with 'mode http' and needs webserver to know how to use that header)
- proxyprotocol (needs server to support it, and know how to use it.)
- TPROXY (needs routing for reply traffic through haproxy)

As you can see each has its own disadvantages.. And well with the 
first 2 already ruled out, the 3rd is your only option.. (that I know of 
anyhow..)


Regards,

PiBa-NL (Pieter)
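
What "needs server to support it" means for the PROXY protocol option in the reply above, as an added example that is not part of the thread: with haproxy's `send-proxy` server option the backend receives one text line ahead of the TLS bytes and has to strip and parse it itself, accepting it only from the balancer. The sketch handles version 1 of the header only; the balancer address, the sample bytes and the function name are constructed for illustration.

```python
import ipaddress

# Constructed value: the only peer allowed to send PROXY headers (the balancer).
TRUSTED_BALANCERS = {ipaddress.ip_address("192.0.2.10")}
MAX_V1_HEADER = 107  # PROXY protocol v1: longest possible line, CRLF included

# Constructed sample: v1 header followed by the start of a TLS handshake record.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.20 51234 443\r\n\x16\x03\x01"


def split_proxy_v1(peer_ip, data):
    """Return (client_ip, client_port, remaining_bytes) for a new connection.

    peer_ip is the TCP source address the server sees (the balancer).
    data is the first bytes read from the socket.
    Raises ValueError when the header is missing, malformed or untrusted.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_BALANCERS:
        # Anyone who can reach the port could forge a header, so refuse it.
        raise ValueError("PROXY header from untrusted peer")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        # A server without PROXY support sees this line as broken TLS instead.
        raise ValueError("no PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]  # what the TLS stack should be handed
    if fields[1] == "UNKNOWN":
        # Balancer could not state the client address; fall back to the peer.
        return peer_ip, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])
    ipaddress.ip_address(fields[3])  # destination must parse as well
    if src.version != (4 if fields[1] == "TCP4" else 6):
        raise ValueError("address family mismatch")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport, rest


if __name__ == "__main__":
    print(split_proxy_v1("192.0.2.10", SAMPLE))
```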



Logging real rather than load balancer IP

2018-10-17 Thread Mark Holmes
Question: We have some web apps which are behind an haproxy load balancer, with 
TLS being terminated on the server rather than at the balancer (so using tcp 
mode). The web server logs are recording the source IP as that of the load 
balancer as expected. I now have a requirement to pass the 'real' IP address 
through to the web application and also record it in the webserver logs. 
Currently, with other applications where TLS is terminated at the balancer and 
we are using http mode to connect to the backend web servers I use 
X-FORWARDED-FOR to pass through the 'real' IP address but obviously that won't 
help me when using TCP mode. I read some stuff about using the PROXY protocol, 
but I'm running IIS 8.5 and as far as I can tell it doesn't support PROXY. Am I 
correct?

My other option appears to be to switch to transparent proxying. I have 
verified the kernel I'm using is compiled with TPROXY support as is haproxy 
itself. Before I go down this road - is transparent proxying the correct/best 
option here?

Thanks in advance for any advice

Mark
