Re: Force client IP with PROXY protocol

2016-02-04 4:57 GMT+01:00 Willy Tarreau : > No, set-src replaces the client's src as logged by haproxy and as passed > over the proxy protocol. The only issue is that this action was incompletely > implemented, it's only in http-request while it should also have been in > tcp-request.

Re: Force client IP with PROXY protocol

On Thu, Jan 28, 2016 at 12:25:05PM +0100, Aleksandar Lazic wrote: > > > Am 28-01-2016 12:01, schrieb Jonathan Leroy - Inikup: > >2016-01-28 11:47 GMT+01:00 Lukas Tribus : > >>Doesn't: > >>http-request set-src hdr(CF-Connecting-IP) > >> > >>in combination with a standard

RE: Force client IP with PROXY protocol

>> If you can't use layer 7 features then you can't access the >> CF-Connecting-IP header in nginx. > > ...HAProxy, not Nginx, no ? Yes, I mixed that up, haproxy was what I meant. > Otherwise that would be nice to be able pass client IP address as an > argument to send-proxy directive. >

Re: Force client IP with PROXY protocol

2016-01-28 11:47 GMT+01:00 Lukas Tribus : > Doesn't: > http-request set-src hdr(CF-Connecting-IP) > > in combination with a standard proxy-protocol config > already do that? Yes, but it doesn't work with SPDY or HTTP/2 backends. -- Jonathan Leroy http://www.inikup.com/ Tel:

Re: Force client IP with PROXY protocol

Am 28-01-2016 12:01, schrieb Jonathan Leroy - Inikup: 2016-01-28 11:47 GMT+01:00 Lukas Tribus : Doesn't: http-request set-src hdr(CF-Connecting-IP) in combination with a standard proxy-protocol config already do that? Yes, but it doesn't work with SPDY or HTTP/2

Re: Force client IP with PROXY protocol

2016-01-28 10:56 GMT+01:00 Aleksandar Lazic : > Maybe it would be a nice idea to add something like. > > proxy-protocol set-src hdr(CF-Connecting-IP) > > Opinions about this? Something like "proxy-protocol set-src []", yep :) -- Jonathan Leroy http://www.inikup.com/ Tel:

RE: Force client IP with PROXY protocol

> Maybe it would be a nice idea to add something like. > > proxy-protocol set-src hdr(CF-Connecting-IP) > > Opinions about this? Doesn't: http-request set-src hdr(CF-Connecting-IP) in combination with a standard proxy-protocol config already do that? Lukas

Re: Force client IP with PROXY protocol

Dear Jonathan, Am 27-01-2016 21:58, schrieb Jonathan Leroy - Inikup: Hi, 2016-01-27 21:33 GMT+01:00 Aleksandar Lazic : I see this possible ways .) http://nginx.org/en/docs/http/ngx_http_realip_module.html .)

RE: Force client IP with PROXY protocol

> I use TCP mode, so I can't use layer 7 features. If you can't use layer 7 features then you can't access the CF-Connecting-IP header in nginx. I would suggest: - leave the haproxy configuration as is (using proxy protocol towards    nginx) - configure nginx to respect the CF-Connecting-IP

Re: Force client IP with PROXY protocol

2016-01-28 0:49 GMT+01:00 Lukas Tribus : >> I use TCP mode, so I can't use layer 7 features. > > If you can't use layer 7 features then you can't access the > CF-Connecting-IP header in nginx. ...HAProxy, not Nginx, no ? > I would suggest: > - leave the haproxy

Re: Force client IP with PROXY protocol

2016-01-28 0:49 GMT+01:00 Aleksandar Lazic : > Well I missed this in your original post. I haven't told it so... :p > How about to tell us a little bit more about your setup. > > haproxy version > relevant part of config > a small ascii art from your setup and protocols ;-)

Re: Force client IP with PROXY protocol

Hi. Am 27-01-2016 21:18, schrieb Jonathan Leroy - Inikup: Hi, [snip] Now, I need to add CloudFlare in front HAProxy. CloudFlare return a "CF-Connecting-IP" containing client IP address. I know how to retrieve this header value, but not how to force it to be sent as client ip in the PROXY

Re: Force client IP with PROXY protocol

Hi, 2016-01-27 21:33 GMT+01:00 Aleksandar Lazic : > I see this possible ways > > .) http://nginx.org/en/docs/http/ngx_http_realip_module.html > .) > http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#4.2-http-request > set-src > > maybe both I use TCP mode, so I