Re: A patch for haproxy-1.3.17 which add X-Original-Dst header.

2009-05-08 Thread Willy Tarreau
Hi Maik,

On Fri, May 08, 2009 at 04:44:05PM +0200, Maik Broemme wrote:
> Hi,
> 
> many thanks Willy, I have still found a line which was missing in the
> patch. In 'src/cfgparse.c' around line 677 there are the default values
> set. I missed the following line:
> 
> curproxy->except_to = defproxy.except_to;
> 
> Just to set the default values if they will be - maybe - changed in
> future versions. So please add it before adding the patch. :)

OK thanks for this one. I tend to forget those too :-)

> I have also another question: I am preparing a patch for setting
> multiple except values to X-Forward-For and X-Original-To, because I am
> still missing this feature. Am I right that it isn't possible in the
> current version or did I miss something in documentation?

indeed, you can only set one exception. But I'd rather use ACLs to add
such headers. That way, it will be possible to set them based on a lot
of other conditions, not just source address.

Regards,
Willy




Re: A patch for haproxy-1.3.17 which add X-Original-Dst header.

2009-05-08 Thread Maik Broemme
Hi,

many thanks Willy, I have still found a line which was missing in the
patch. In 'src/cfgparse.c' around line 677 there are the default values
set. I missed the following line:

curproxy->except_to = defproxy.except_to;

Just to set the default values if they will be - maybe - changed in
future versions. So please add it before adding the patch. :)

I have also another question: I am preparing a patch for setting
multiple except values to X-Forward-For and X-Original-To, because I am
still missing this feature. Am I right that it isn't possible in the
current version or did I miss something in documentation?

Willy Tarreau  wrote:
> Hi Maik,
> 
> OK the patch looks fine, I've merged it.
> 
> Thanks!
> Willy
> 

--Maik



Re: A patch for haproxy-1.3.17 which add X-Original-Dst header.

2009-05-01 Thread Willy Tarreau
Hi Maik,

OK the patch looks fine, I've merged it.

Thanks!
Willy




Re: A patch for haproxy-1.3.17 which add X-Original-Dst header.

2009-04-19 Thread Willy Tarreau
Hi Maik,

On Fri, Apr 17, 2009 at 06:53:21PM +0200, Maik Broemme wrote:
> okay attached is now the final version, there were no new features or
> enhancements. I only renamed it from 'X-Original-Dst' to 'X-Original-To'
> because it is a common practice to name it so. For example Postfix does
> it in a mail header with the same name.

you seem to have done a very clean work. I'm queuing the patch for inclusion.

Thanks !
Willy




Re: A patch for haproxy-1.3.17 which add X-Original-Dst header.

2009-04-17 Thread Maik Broemme
Hi,

Maik Broemme  wrote:
> Hi,
> 
> Maik Broemme  wrote:
> > Hi,
> > 
> > I have attached a patch which will add on every http request a new
> > header 'X-Original-Dst'. If you have HAProxy running in transparent mode
> > with a big number of SQUID servers behind it, it is very nice to have
> > the original destination ip as a common header to make decisions based
> > on it.
> > 
> > The whole thing is configurable with a new option 'originaldst'. I have
> > updated the sourcecode as well as the documentation. The 'haproxy-en.txt'
> > and 'haproxy-fr.txt' files are untouched, due to lack of my french
> > language knowledge. ;)
> > 
> > Also the patch adds this header for IPv4 only. I haven't any IPv6 test
> > environment running here and don't know if getsockopt() with SO_ORIGINAL_DST
> > will work on IPv6. If someone knows it and wants to test it I can modify
> > the diff. Feel free to ask me questions or things which should be changed. 
> > :)
> > 
> 
> I have attached a new diff, because the first one has two issues:
> 
>   - The except ip addresses for X-Original-Dst header were matched
> against 'except_net' instead of 'except_dst' which was wrong.
> 
>   - The except ip addresses for X-Original-Dst header were matched
> against the netmask of 'except_mask' which is only valid for
> 'except_net'. I have added a new netmask value 'except_mask_dst'
> to fix that.
> 

okay attached is now the final version, there were no new features or
enhancements. I only renamed it from 'X-Original-Dst' to 'X-Original-To'
because it is a common practice to name it so. For example Postfix does
it in a mail header with the same name.

> > --Maik
> 
> --Maik

--Maik
diff -Nur haproxy-1.3.17/doc/architecture.txt 
haproxy-1.3.17-x-original-to/doc/architecture.txt
--- haproxy-1.3.17/doc/architecture.txt 2009-03-29 15:26:57.0 +0200
+++ haproxy-1.3.17-x-original-to/doc/architecture.txt   2009-04-17 
18:41:58.0 +0200
@@ -128,6 +128,15 @@
 option httpclose
 option forwardfor
 
+ - if the application needs to log the original destination IP, use the
+   "originalto" option which will add an "X-Original-To" header with the
+   original destination IP address. You must also use "httpclose" to ensure
+   that you will rewrite every requests and not only the first one of each
+   session :
+
+option httpclose
+option originalto
+
The web server will have to be configured to use this header instead.
For example, on apache, you can use LogFormat for this :
 
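Review bot: the new bullet has a grammar slip and a spacing nit: "rewrite every requests" should read "rewrite every request", and "session :" should be "session:" like the rest of the file. The dependency itself is right and mirrors the forwardfor bullet directly above: without httpclose only the first request of each session is rewritten, so a backend making access decisions on X-Original-To would see the header on one request and not on the next.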
diff -Nur haproxy-1.3.17/doc/configuration.txt 
haproxy-1.3.17-x-original-to/doc/configuration.txt
--- haproxy-1.3.17/doc/configuration.txt2009-03-29 15:26:57.0 
+0200
+++ haproxy-1.3.17-x-original-to/doc/configuration.txt  2009-04-17 
18:44:02.0 +0200
@@ -599,6 +599,7 @@
 [no] option dontlognull X  X X -
 [no] option forceclose  X  - X X
 option forwardfor   X  X X X
+option originalto   X  X X X
 [no] option http_proxy  X  X X X
 option httpchk  X  - X X
 [no] option httpclose   X  X X X
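Review bot: the keyword matrix is sorted alphabetically (dontlognull, forceclose, forwardfor, http_proxy, httpchk, httpclose), so the "option originalto" row should move to its alphabetical slot rather than sit between forwardfor and http_proxy. The four section columns (all X) agree with the "May be used in sections" block of the option's own description below, which is good.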
@@ -2038,6 +2039,65 @@
   See also : "option httpclose"
 
 
+option originalto [ except  ] [ header  ]
+  Enable insertion of the X-Original-To header to requests sent to servers
+  May be used in sections :   defaults | frontend | listen | backend
+ yes   |yes   |   yes  |   yes
+  Arguments :
+ is an optional argument used to disable this option for sources
+  matching 
+an optional argument to specify a different "X-Original-To"
+  header name.  
+
+  Since HAProxy can work in transparent mode, every request from a client can
+  be redirected to the proxy and HAProxy itself can proxy every request to a
+  complex SQUID environment and the destination host from SO_ORIGINAL_DST will
+  be lost. This is annoying when you want access rules based on destination ip
+  addresses. To solve this problem, a new HTTP header "X-Original-To" may be
+  added by HAProxy to all requests sent to the server. This header contains a
+  value representing the original destination IP address. Since this must be
+  configured to always use the last occurrence of this header only. Note that
+  only the last occurrence of the header must be used, since it is really
+  possible that the client has already brought one.
+
+  The keyword "header" may be used to supply a different header name to 
replace 
+  the default "X-Original-To". This can be useful where you might already
+  have a "X-Original-To" header from a different application, and you need
+  preserve it. Also if your backend server doesn't use the "X-Original-To"
+  header and requires different one.
+
+  Sometimes, a same HAProxy instance may be shared between a direct client
+  acc
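Review bot: the sentence beginning "Since this must be configured to always use the last occurrence" is a fragment; its cause is missing. Say it outright, for example "Since this header is appended after any existing X-Original-To header, the server must be configured to always use the last occurrence only." That is also the security-relevant point of the option: the following sentence admits the client may already have sent one, so a backend reading the first occurrence would act on a client-chosen address. Two smaller fixes: "you need preserve it" should read "you need to preserve it", and "requires different one" should read "requires a different one". Last, the Arguments text says "except" disables the option for "sources matching" the network, while the quoted mail in this thread says the exception is checked against a separate except_dst/except_mask_dst pair; please state plainly which address (client source or original destination) the network is compared with, and with which mask.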

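Added example (not HAProxy's code and not part of the patch): the exception check that the 2009-04-15 revision corrected, with each header keeping its own network/mask pair, next to a first-revision variant that reuses the X-Forwarded-For pair so the wrong decisions are visible. Field and function names are hypothetical; which address the option compares (client source or original destination) is left as a plain parameter, since the thread's doc text and the except_dst naming do not settle it.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* One network/mask pair per header, as the corrected patch keeps them:
 * except_net/except_mask for X-Forwarded-For, except_to/except_mask_to
 * for X-Original-To (hypothetical struct; field names follow the thread). */
struct except_cfg {
    struct in_addr except_net, except_mask;
    struct in_addr except_to,  except_mask_to;
};

/* Fill the config from dotted quads; returns 0 on success, -1 on bad input. */
int except_cfg_parse(struct except_cfg *c, const char *net, const char *mask,
                     const char *to, const char *mask_to)
{
    return (inet_pton(AF_INET, net, &c->except_net) == 1 &&
            inet_pton(AF_INET, mask, &c->except_mask) == 1 &&
            inet_pton(AF_INET, to, &c->except_to) == 1 &&
            inet_pton(AF_INET, mask_to, &c->except_mask_to) == 1) ? 0 : -1;
}

/* 1 if addr is inside net/mask. Convention assumed here: an all-zero mask
 * means no exception was configured, so nothing is ever excluded. */
static int in_network(struct in_addr addr, struct in_addr net, struct in_addr mask)
{
    return mask.s_addr != 0 && (addr.s_addr & mask.s_addr) == net.s_addr;
}

/* Corrected check: the X-Original-To exception uses its own network and mask. */
int add_original_to(const struct except_cfg *c, struct in_addr addr)
{
    return !in_network(addr, c->except_to, c->except_mask_to);
}

/* First-revision bug reproduced for contrast: the X-Original-To exception
 * was tested against the X-Forwarded-For network and mask. */
int add_original_to_buggy(const struct except_cfg *c, struct in_addr addr)
{
    return !in_network(addr, c->except_net, c->except_mask);
}

/* Format the header line as it would be appended to the request (the header
 * name is configurable, hence a parameter); returns length written or -1. */
int original_to_header(const char *name, struct in_addr orig_dst,
                       char *out, size_t outlen)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &orig_dst, ip, sizeof ip))
        return -1;
    return snprintf(out, outlen, "%s: %s\r\n", name, ip);
}
```
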
Re: A patch for haproxy-1.3.17 which add X-Original-Dst header.

2009-04-15 Thread Maik Broemme
Hi,

Maik Broemme  wrote:
> Hi,
> 
> I have attached a patch which will add on every http request a new
> header 'X-Original-Dst'. If you have HAProxy running in transparent mode
> with a big number of SQUID servers behind it, it is very nice to have
> the original destination ip as a common header to make decisions based
> on it.
> 
> The whole thing is configurable with a new option 'originaldst'. I have
> updated the sourcecode as well as the documentation. The 'haproxy-en.txt'
> and 'haproxy-fr.txt' files are untouched, due to lack of my french
> language knowledge. ;)
> 
> Also the patch adds this header for IPv4 only. I haven't any IPv6 test
> environment running here and don't know if getsockopt() with SO_ORIGINAL_DST
> will work on IPv6. If someone knows it and wants to test it I can modify
> the diff. Feel free to ask me questions or things which should be changed. :)
> 

I have attached a new diff, because the first one has two issues:

  - The except ip addresses for X-Original-Dst header were matched
against 'except_net' instead of 'except_dst' which was wrong.

  - The except ip addresses for X-Original-Dst header were matched
against the netmask of 'except_mask' which is only valid for
'except_net'. I have added a new netmask value 'except_mask_dst'
to fix that.

> --Maik

--Maik
diff -Nur haproxy-1.3.17/doc/architecture.txt 
haproxy-1.3.17-x-original-dst/doc/architecture.txt
--- haproxy-1.3.17/doc/architecture.txt 2009-03-29 15:26:57.0 +0200
+++ haproxy-1.3.17-x-original-dst/doc/architecture.txt  2009-04-15 
04:34:08.0 +0200
@@ -128,6 +128,15 @@
 option httpclose
 option forwardfor
 
+ - if the application needs to log the original destination IP, use the
+   "originaldst" option which will add an "X-Original-Dst" header with the
+   original destination IP address. You must also use "httpclose" to ensure
+   that you will rewrite every requests and not only the first one of each
+   session :
+
+option httpclose
+option originaldst
+
The web server will have to be configured to use this header instead.
For example, on apache, you can use LogFormat for this :
 
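Review bot: "rewrite every requests" should be "rewrite every request", and "session :" has a stray space before the colon. Otherwise the bullet follows the forwardfor one above it, including the httpclose requirement, which is the right dependency to document next to a header that backends will base decisions on.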
diff -Nur haproxy-1.3.17/doc/configuration.txt 
haproxy-1.3.17-x-original-dst/doc/configuration.txt
--- haproxy-1.3.17/doc/configuration.txt2009-03-29 15:26:57.0 
+0200
+++ haproxy-1.3.17-x-original-dst/doc/configuration.txt 2009-04-15 
04:30:21.0 +0200
@@ -599,6 +599,7 @@
 [no] option dontlognull X  X X -
 [no] option forceclose  X  - X X
 option forwardfor   X  X X X
+option originaldst  X  X X X
 [no] option http_proxy  X  X X X
 option httpchk  X  - X X
 [no] option httpclose   X  X X X
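Review bot: the "option originaldst" row breaks the alphabetical order of the keyword matrix; every other visible row (dontlognull, forceclose, forwardfor, http_proxy, httpchk, httpclose) is sorted, so place the new row where "originaldst" sorts.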
@@ -2038,6 +2039,65 @@
   See also : "option httpclose"
 
 
+option originaldst [ except  ] [ header  ]
+  Enable insertion of the X-Original-Dst header to requests sent to servers
+  May be used in sections :   defaults | frontend | listen | backend
+ yes   |yes   |   yes  |   yes
+  Arguments :
+ is an optional argument used to disable this option for sources
+  matching 
+an optional argument to specify a different "X-Original-Dst"
+  header name.  
+
+  Since HAProxy can work in transparent mode, every request from a client can
+  be redirected to the proxy and HAProxy itself can proxy every request to a
+  complex SQUID environment and the destination host from SO_ORIGINAL_DST will
+  be lost. This is annoying when you want access rules based on destination ip
+  addresses. To solve this problem, a new HTTP header "X-Original-Dst" may be
+  added by HAProxy to all requests sent to the server. This header contains a
+  value representing the original destination IP address. Since this must be
+  configured to always use the last occurrence of this header only. Note that
+  only the last occurrence of the header must be used, since it is really
+  possible that the client has already brought one.
+
+  The keyword "header" may be used to supply a different header name to 
replace 
+  the default "X-Original-Dst". This can be useful where you might already
+  have a "X-Original-Dst" header from a different application, and you need
+  preserve it. Also if your backend server doesn't use the "X-Original-Dst"
+  header and requires different one.
+
+  Sometimes, a same HAProxy instance may be shared between a direct client
+  access and a reverse-proxy access (for instance when an SSL reverse-proxy is
+  used to decrypt HTTPS traffic). It is possible to disable the addition of the
+  header for a known source address or network by adding the "except" keyword
+  followed by the network address. In this case, any source IP matching the
+  network will not cause an addition of th
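Review bot: the mail above says this revision fixes the "except" check to use except_dst with a dedicated except_mask_dst, yet the description still says the argument disables the option "for sources matching" the network; state explicitly which address is compared (client source or original destination) and with which mask, so operators can predict when the header is suppressed. The text inherited from the forwardfor description also keeps a fragment: "Since this must be configured to always use the last occurrence of this header only" lacks its cause (the header is appended after any existing one), and that cause is what justifies the warning that the client may already have supplied the header. Minor grammar: "you need preserve it" needs "to", and "requires different one" needs "a".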