Re: log X-Forwarded-For in haproxy log
Hi Pedro,

You can use the log-format statement available in HAProxy 1.5. Everything is explained in the doc.

If you need more help, please let us know.

Baptiste

On Thu, May 9, 2013 at 3:21 PM, Pedro Mata-Mouros pedro.matamou...@sapo.pt wrote:
> Hi,
>
> Picking up this old thread, is there a way of actually replacing the client_ip in the logs with this captured header X-Forwarded-For? I'm using AWS and the current setup uses AWS LBs to deliver traffic to my HAProxy box, and this way every single client_ip I'm seeing in the logs is from the LB internal IP address - which is kind of wasted space...
>
> Thanks,
> Pedro.
>
> On 5 Jul 2011, at 21:25, Julien Vehent jul...@linuxwall.info wrote:
>> On Tue, 05 Jul 2011 16:17:24 +0100, Hugo Silva wrote:
>>> I just finished setting up apache+mod_security in front of haproxy:
>>>
>>>     user-- apache+modsec -- haproxy -- webservers -- fastcgi
>>>
>>> The reasoning being that if apache was behind haproxy, then the backend (nginx+php) servers wouldn't show on the haproxy admin interface (the apaches would). I'm not 100% sure if this is the best way to go about it, but for the time being that's the approach. Feel free to suggest/discuss alternatives.
>>>
>>> Because the site is live, I'm doing this in phases. For now the firewall on the load balancers redirects incoming connections from certain IPs to the new apache+modsec setup, while everything else is business as usual.
>>>
>>> The few connections that go through the test setup get logged by haproxy as coming from 127.0.0.1. This is because the firewall redirects to 127.0.0.1: (apache) which then ProxyPass'es to haproxy (127.0.0.1:); therefore haproxy sees an incoming connection from 127.0.0.1.
>>>
>>> Apache properly sets the X-Forwarded-For header.
>>>
>>> Question: Can I somehow tell haproxy to log that instead? If it is possible, are there security implications ?
>>
>> x-forwarded-for is a http header. like any other http header, you can ask haproxy to log it by using
>>
>>     frontend XYZ
>>         [...]
>>         option httplog
>>         capture request header X-Forwarded-For len 50
>>
>> it will appear in the logs in field #14, enclosed between {} characters.
>>
>> http://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat
>>
>> Julien
Re: log X-Forwarded-For in haproxy log
Hi Baptiste,

Thanks for referring that. I was hoping there was some way of picking a specific captured header (X-Forwarded-For in this case) and use it, but it seems %hr just gives you everything and puts it inside {}. In my case I'd just like to use the X-Forwarded-For as the client IP, if it exists, or use the default %ci in case it doesn't.

But no harm done, it's not that big of an issue. :-)

Thanks,
Pedro.

On 10 May 2013, at 07:18, Baptiste bed...@gmail.com wrote:
> Hi Pedro,
>
> You can use the log-format statement available in HAProxy 1.5. Everything is explained in the doc.
>
> If you need more help, please let us know.
>
> Baptiste
>
> On Thu, May 9, 2013 at 3:21 PM, Pedro Mata-Mouros pedro.matamou...@sapo.pt wrote:
>> Hi,
>>
>> Picking up this old thread, is there a way of actually replacing the client_ip in the logs with this captured header X-Forwarded-For? I'm using AWS and the current setup uses AWS LBs to deliver traffic to my HAProxy box, and this way every single client_ip I'm seeing in the logs is from the LB internal IP address - which is kind of wasted space...
>>
>> Thanks,
>> Pedro.
>>
>> On 5 Jul 2011, at 21:25, Julien Vehent jul...@linuxwall.info wrote:
>>> On Tue, 05 Jul 2011 16:17:24 +0100, Hugo Silva wrote:
>>>> I just finished setting up apache+mod_security in front of haproxy:
>>>>
>>>>     user-- apache+modsec -- haproxy -- webservers -- fastcgi
>>>>
>>>> The reasoning being that if apache was behind haproxy, then the backend (nginx+php) servers wouldn't show on the haproxy admin interface (the apaches would). I'm not 100% sure if this is the best way to go about it, but for the time being that's the approach. Feel free to suggest/discuss alternatives.
>>>>
>>>> Because the site is live, I'm doing this in phases. For now the firewall on the load balancers redirects incoming connections from certain IPs to the new apache+modsec setup, while everything else is business as usual.
>>>>
>>>> The few connections that go through the test setup get logged by haproxy as coming from 127.0.0.1. This is because the firewall redirects to 127.0.0.1: (apache) which then ProxyPass'es to haproxy (127.0.0.1:); therefore haproxy sees an incoming connection from 127.0.0.1.
>>>>
>>>> Apache properly sets the X-Forwarded-For header.
>>>>
>>>> Question: Can I somehow tell haproxy to log that instead? If it is possible, are there security implications ?
>>>
>>> x-forwarded-for is a http header. like any other http header, you can ask haproxy to log it by using
>>>
>>>     frontend XYZ
>>>         [...]
>>>         option httplog
>>>         capture request header X-Forwarded-For len 50
>>>
>>> it will appear in the logs in field #14, enclosed between {} characters.
>>>
>>> http://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat
>>>
>>> Julien
Re: log X-Forwarded-For in haproxy log
Hi,

Picking up this old thread, is there a way of actually replacing the client_ip in the logs with this captured header X-Forwarded-For? I'm using AWS and the current setup uses AWS LBs to deliver traffic to my HAProxy box, and this way every single client_ip I'm seeing in the logs is from the LB internal IP address - which is kind of wasted space...

Thanks,
Pedro.

On 5 Jul 2011, at 21:25, Julien Vehent jul...@linuxwall.info wrote:
> On Tue, 05 Jul 2011 16:17:24 +0100, Hugo Silva wrote:
>> I just finished setting up apache+mod_security in front of haproxy:
>>
>>     user-- apache+modsec -- haproxy -- webservers -- fastcgi
>>
>> The reasoning being that if apache was behind haproxy, then the backend (nginx+php) servers wouldn't show on the haproxy admin interface (the apaches would). I'm not 100% sure if this is the best way to go about it, but for the time being that's the approach. Feel free to suggest/discuss alternatives.
>>
>> Because the site is live, I'm doing this in phases. For now the firewall on the load balancers redirects incoming connections from certain IPs to the new apache+modsec setup, while everything else is business as usual.
>>
>> The few connections that go through the test setup get logged by haproxy as coming from 127.0.0.1. This is because the firewall redirects to 127.0.0.1: (apache) which then ProxyPass'es to haproxy (127.0.0.1:); therefore haproxy sees an incoming connection from 127.0.0.1.
>>
>> Apache properly sets the X-Forwarded-For header.
>>
>> Question: Can I somehow tell haproxy to log that instead? If it is possible, are there security implications ?
>
> x-forwarded-for is a http header. like any other http header, you can ask haproxy to log it by using
>
>     frontend XYZ
>         [...]
>         option httplog
>         capture request header X-Forwarded-For len 50
>
> it will appear in the logs in field #14, enclosed between {} characters.
>
> http://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat
>
> Julien
Re: log X-Forwarded-For in haproxy log
On Thu, Jul 07, 2011 at 11:42:01AM +0100, Hugo Silva wrote:
> On 07/05/11 21:25, Julien Vehent wrote:
>> x-forwarded-for is a http header. like any other http header, you can ask haproxy to log it by using
>>
>>     frontend XYZ
>>         [...]
>>         option httplog
>>         capture request header X-Forwarded-For len 50
>>
>> it will appear in the logs in field #14, enclosed between {} characters.
>>
>> http://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat
>>
>> Julien
>
> That will do, thanks!
>
> Any comments on the wisdom of apache before haproxy for mod_security?

At some customers, we're doing this :

         client
           |
           |
           v
      +---------+  +----------------+
      |         |--| apache +       |
      | haproxy |  | mod_proxy +    |
      |         |--| mod_security   |
      +---------+  +----------------+
           |
           |
           v
        servers

It's interesting because :
  - you can use as many mod_security servers as needed
  - you can bypass them for requests that are not at risk (eg: static)
  - mod_proxy caches before mod_security, which is handy for all static contents that were still sent there
  - load balancing and persistence is still performed on the servers
  - the number of the servers is independent on the number of proxies
  - it's cheap :-)

Cheers,
Willy
log X-Forwarded-For in haproxy log
I just finished setting up apache+mod_security in front of haproxy:

    user-- apache+modsec -- haproxy -- webservers -- fastcgi

The reasoning being that if apache was behind haproxy, then the backend (nginx+php) servers wouldn't show on the haproxy admin interface (the apaches would). I'm not 100% sure if this is the best way to go about it, but for the time being that's the approach. Feel free to suggest/discuss alternatives.

Because the site is live, I'm doing this in phases. For now the firewall on the load balancers redirects incoming connections from certain IPs to the new apache+modsec setup, while everything else is business as usual.

The few connections that go through the test setup get logged by haproxy as coming from 127.0.0.1. This is because the firewall redirects to 127.0.0.1: (apache) which then ProxyPass'es to haproxy (127.0.0.1:); therefore haproxy sees an incoming connection from 127.0.0.1.

Apache properly sets the X-Forwarded-For header.

Question: Can I somehow tell haproxy to log that instead? If it is possible, are there security implications ?
Re: log X-Forwarded-For in haproxy log
On Tue, 05 Jul 2011 16:17:24 +0100, Hugo Silva wrote:
> I just finished setting up apache+mod_security in front of haproxy:
>
>     user-- apache+modsec -- haproxy -- webservers -- fastcgi
>
> The reasoning being that if apache was behind haproxy, then the backend (nginx+php) servers wouldn't show on the haproxy admin interface (the apaches would). I'm not 100% sure if this is the best way to go about it, but for the time being that's the approach. Feel free to suggest/discuss alternatives.
>
> Because the site is live, I'm doing this in phases. For now the firewall on the load balancers redirects incoming connections from certain IPs to the new apache+modsec setup, while everything else is business as usual.
>
> The few connections that go through the test setup get logged by haproxy as coming from 127.0.0.1. This is because the firewall redirects to 127.0.0.1: (apache) which then ProxyPass'es to haproxy (127.0.0.1:); therefore haproxy sees an incoming connection from 127.0.0.1.
>
> Apache properly sets the X-Forwarded-For header.
>
> Question: Can I somehow tell haproxy to log that instead? If it is possible, are there security implications ?

x-forwarded-for is a http header. like any other http header, you can ask haproxy to log it by using

    frontend XYZ
        [...]
        option httplog
        capture request header X-Forwarded-For len 50

it will appear in the logs in field #14, enclosed between {} characters.

http://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat

Julien
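
Added example, not written by anyone in this thread: a log post-processor that takes the captured `{...}` block Julien describes and applies the fallback Pedro asks for (X-Forwarded-For if usable, otherwise the connecting address), while addressing the security question by trusting the header only when the peer is a known proxy. The trusted-proxy list, the function names and the sample log lines are assumptions constructed for illustration, and the code assumes X-Forwarded-For is the only captured request header.

```python
import ipaddress
import re

CAPTURE_LEN = 50  # from "capture request header X-Forwarded-For len 50"

# Peer ip:port, accept date, then the first {...} block before the quoted request.
LINE_RE = re.compile(
    r'haproxy\[\d+\]: (?P<peer>\S+):\d+ \[[^\]]*\] [^"{]*\{(?P<xff>[^}]*)\}')

def effective_client_ip(line, trusted_proxies):
    """Return (ip, source); source is 'xff', 'peer', or None if unparsable."""
    m = LINE_RE.search(line)
    if not m:
        return None, None
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    def trusted(ip):
        return any(ip in net for net in nets)
    peer, xff = m.group("peer"), m.group("xff")
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        return None, None
    # A header arriving from an untrusted peer is client-controlled, and a
    # value that fills the capture buffer may have lost its right-most entry
    # (the one the trusted proxy appended), so both cases fall back to the peer.
    if not trusted(peer_ip) or not xff or len(xff) >= CAPTURE_LEN:
        return peer, "peer"
    # Walk right to left: skip hops that are our own proxies, stop at the
    # first address that is not, and ignore everything further left.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer, "peer"
        if not trusted(ip):
            return str(ip), "xff"
    return peer, "peer"

def sample_line(peer, xff):
    """Build a constructed httplog line (not taken from the thread)."""
    return ('Jul  5 16:20:01 lb1 haproxy[2210]: %s:41522 '
            '[05/Jul/2011:16:20:01.120] XYZ app/web1 0/0/1/12/13 200 5120 '
            '- - ---- 3/3/0/1/0 0/0 {%s} "GET / HTTP/1.1"' % (peer, xff))

if __name__ == "__main__":
    for peer, xff in [("127.0.0.1", "203.0.113.7"),
                      ("127.0.0.1", "10.9.9.9, 198.51.100.23"),
                      ("192.0.2.55", "127.0.0.1")]:
        print(effective_client_ip(sample_line(peer, xff), ["127.0.0.0/8"]))
```

In Hugo's setup the trusted list would hold the local Apache (127.0.0.1); in Pedro's it would hold the internal address range of the AWS load balancers.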