Re: Force client IP with PROXY protocol

2016-03-06 Thread Jonathan Leroy - Inikup
2016-02-04 4:57 GMT+01:00 Willy Tarreau : > No, set-src replaces the client's src as logged by haproxy and as passed > over the proxy protocol. The only issue is that this action was incompletely > implemented, it's only in http-request while it should also have been in > tcp-request.

Re: Force client IP with PROXY protocol

2016-01-28 Thread Jonathan Leroy - Inikup
2016-01-28 11:47 GMT+01:00 Lukas Tribus : > Doesn't: > http-request set-src hdr(CF-Connecting-IP) > > in combination with a standard proxy-protocol config > already do that? Yes, but it doesn't work with SPDY or HTTP/2 backends. -- Jonathan Leroy http://www.inikup.com/ Tel:

Re: Force client IP with PROXY protocol

2016-01-28 Thread Jonathan Leroy - Inikup
2016-01-28 10:56 GMT+01:00 Aleksandar Lazic : > Maybe it would be a nice idea to add something like. > > proxy-protocol set-src hdr(CF-Connecting-IP) > > Opinions about this? Something like "proxy-protocol set-src []", yep :) -- Jonathan Leroy http://www.inikup.com/ Tel:

Re: Force client IP with PROXY protocol

2016-01-27 Thread Jonathan Leroy - Inikup
2016-01-28 0:49 GMT+01:00 Lukas Tribus : >> I use TCP mode, so I can't use layer 7 features. > > If you can't use layer 7 features then you can't access the > CF-Connecting-IP header in nginx. ...HAProxy, not Nginx, no ? > I would suggest: > - leave the haproxy

Re: Force client IP with PROXY protocol

2016-01-27 Thread Jonathan Leroy - Inikup
2016-01-28 0:49 GMT+01:00 Aleksandar Lazic : > Well I missed this in your original post. I haven't told it so... :p > How about to tell us a little bit more about your setup. > > haproxy version > relevant part of config > a small ascii art from your setup and protocols ;-)

Re: Force client IP with PROXY protocol

2016-01-27 Thread Jonathan Leroy - Inikup
Hi, 2016-01-27 21:33 GMT+01:00 Aleksandar Lazic : > I see this possible ways > > .) http://nginx.org/en/docs/http/ngx_http_realip_module.html > .) > http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#4.2-http-request > set-src > > maybe both I use TCP mode, so I

Re: client layer stickiness among multiple backends servers

2016-01-25 Thread Jonathan Leroy - Inikup
2016-01-25 15:55 GMT+01:00 Pavlo Zhuk : > Hi dears, > > > I am looking for a feature which allow me to send traffic of the same client > to the same backend node, even if the node is in a different backend groups. > > I know it might sound wierd, but it has good practical

Re: SSL handshake failure when using "send-proxy" on HTTPS backend

2015-12-06 Thread Jonathan Leroy - Inikup
2015-12-06 12:25 GMT+01:00 Lukas Erlacher : > I can't find an obvious error with this. When I tried combining SSL and > proxy protocol in Postfix, it didn't work due to a bug in Postfix. Maybe you > should try to ask an nginx support list instead. Thanks, I'll try that. --

Re: SSL handshake failure when using "send-proxy" on HTTPS backend

2015-12-06 Thread Jonathan Leroy - Inikup
2015-12-06 16:14 GMT+01:00 PiBa-NL : > Hi, > > Ive never used nginx and have little experience with proxy_protocol.. But > could it be an issue that on the same port your both using and not using > proxy protocol? What happens if you remove the first server definition >

Re: SSL handshake failure when using "send-proxy" on HTTPS backend

2015-12-04 Thread Jonathan Leroy - Inikup
2015-12-04 13:23 GMT+01:00 Lukas Erlacher : > Please show the nginx config. Hi Luke, Here's the Nginx config : https://gist.githubusercontent.com/jleroy/ab45c328263731c46ec1/raw/69af9edc154329c113aad588ff5f9501edfd61b1/gistfile1.txt Thanks, -- Jonathan Leroy

Re: SSL handshake failure when using "send-proxy" on HTTPS backend

2015-12-04 Thread Jonathan Leroy - Inikup
2015-12-04 16:27 GMT+01:00 Jonathan Leroy - Inikup <jonat...@inikup.com>: > Hi Luke, > > Here's the Nginx config : > https://gist.githubusercontent.com/jleroy/ab45c328263731c46ec1/raw/69af9edc154329c113aad588ff5f9501edfd61b1/gistfile1.txt Now that I use ULA instead of link-loc

Re: Error when using an IPv6 link-local address as backend

2015-12-04 Thread Jonathan Leroy - Inikup
2015-12-04 14:14 GMT+01:00 Lukas Tribus : > I would strongly suggest to avoid link-local addresses for any services > and applications. > > If you need to keep this off the internet, you better assign ULA prefixes > and use those. > > > Using link-local addresses is asking for

Re: SSL handshake failure when using "send-proxy" on HTTPS backend

2015-12-04 Thread Jonathan Leroy - Inikup
Hi, 2015-12-04 17:02 GMT+01:00 Lukas Tribus : > Well, you will have to update the first config line in nginx: > set_real_ip_from fc00::/7 > > To allow proxy connection from the ULA range. Already done. > As to the original problem: > I don't think you can use both SSL and

Error when using an IPv6 link-local address as backend

2015-12-03 Thread Jonathan Leroy - Inikup
Hi, All my backend servers are connected to a private, IPv6-only network. When I'm trying to use their addresses in "server" directive, HAProxy fails to connect to them. Here's some configurations I've tried (fe80::ec4:7aff:fe59:91dd = backend server, fe80::ec4:7aff:fe6c:4a89 = haproxy): server

SSL handshake failure when using "send-proxy" on HTTPS backend

2015-12-03 Thread Jonathan Leroy - Inikup
Hi, I have two backends named "nginx-http" and "nginx-https": the first one handle HTTP connections, the second one HTTPS connections. The proxy protocol works successfully on nginx-http backend: server server1 10.0.80.1:8080 send-proxy check check-send-proxy fall 3 inter 2s weight 10 But the