Always getting 127.0.0.1 on Cherrypy backend

Hello,
I’m always getting 127.0.0.1 in my log despite having tried to insert option forwardfor


###### Logs from Cherrypy backend #######
2022-03-16 03:43:38,861 - cherrypy.access.139875460336512 - INFO - 127.0.0.1 - - [16/Mar/2022:03:43:38] "GET / HTTP/1.1" 200 1356 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0"
2022-03-16 03:43:42,596 - cherrypy.access.139875460336512 - INFO - 127.0.0.1 - - [16/Mar/2022:03:43:42] "GET / HTTP/1.1" 200 1359 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0"
2022-03-16 03:43:43,307 - cherrypy.access.139875460336512 - INFO - 127.0.0.1 - - [16/Mar/2022:03:43:43] "GET / HTTP/1.1" 200 1358 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0"

I’ve read guides and searched for a solution but couldn’t make it happen. Most of the configurations were already there. I’ve added backend, frontend and proxy forward. Here is my configuration:

global  
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option forwardfor
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
frontend myfrontend
  bind 176.56.111.111:80
  bind 176.56.111.111:443 ssl crt /etc/letsencrypt/live/example.com/example.com.pem
  default_backend myservers
  redirect scheme https code 301 if !{ ssl_fc }
backend myservers
  server server1 127.0.0.1:8080

I appreciate your help.

The problem is not HAProxy here, because by specifying option forwardfor it sets (by default) the X-Forwarded-For header to all requests to your backend. (You could confirm this by stopping your server and using socat tcp-listen:8080 stdio, then doing a curl, on the public endpoint, and check that the header is actually present.)

However, none of the web servers (including CherryPy) trust that header by default, but instead they just ignore it due to security concerns.

Thus you’ll have to find out in the CherryPy documentation (or the WSGI server you are using) how to trust that header. For example on a quick search on Google I’ve found this: https://github.com/cherrypy/tools/blob/master/ModProxy, which hints about using tools.proxy.on.
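To make the two points of this answer concrete, here is an added example (not code from the thread, HAProxy or CherryPy). It first parses a raw request of the kind you would see on the socat listener described above, then applies the rule that any proxy-aware backend has to implement before it may log or authorize on X-Forwarded-For: believe the header only when the TCP peer is one of your own proxies, and read it from the right so that a value the client sent itself cannot override the hop HAProxy appended. The sample request and the addresses are constructed; the trusted-proxy list 127.0.0.1 matches the poster's setup, where HAProxy connects to the backend over loopback.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample of what HAProxy ("option forwardfor") hands to the backend
# on 127.0.0.1:8080. Not a capture from the poster's host.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: curl/7.81.0\r\n"
    b"X-Forwarded-For: 203.0.113.45\r\n"
    b"\r\n"
)


def parse_request_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a header dict.

    Header names are lower-cased; repeated headers are joined with ", ",
    which is how list-valued headers such as X-Forwarded-For combine.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return request_line, headers


def _parse_ip(text: str) -> Optional[ipaddress._BaseAddress]:
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def client_ip(peer_addr: str, headers: Dict[str, str], trusted_proxies: List[str]) -> str:
    """Return the address a backend should log for this request.

    X-Forwarded-For is only believed when the TCP peer is one of our own
    proxies; otherwise the header is client-controlled and we fall back to
    the peer address, which is exactly CherryPy's default behaviour.
    The list is walked from the right: the rightmost entry was appended by
    the proxy nearest us, and the first entry that is not one of our proxies
    is the real client. Anything the client put into the header itself sits
    further left and is never reached.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        ip = _parse_ip(addr)
        return ip is not None and any(ip in net for net in trusted)

    if not is_trusted(peer_addr):
        return peer_addr
    xff = headers.get("x-forwarded-for")
    if not xff:
        return peer_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse_ip(hop) is None:
            # Malformed entry: do not trust the rest of the header.
            return peer_addr
        if not is_trusted(hop):
            return hop
    # Every hop was one of our proxies: the peer itself is the best we know.
    return peer_addr


def resolve_from_raw(raw: bytes, peer_addr: str, trusted_proxies: List[str]) -> str:
    """Convenience wrapper: parse a raw request and resolve the client address."""
    _line, headers = parse_request_headers(raw)
    return client_ip(peer_addr, headers, trusted_proxies)


if __name__ == "__main__":
    # Request arriving from HAProxy on loopback: the forwarded address is used.
    print(resolve_from_raw(SAMPLE_REQUEST, "127.0.0.1", ["127.0.0.1"]))
    # Same request arriving directly from an untrusted peer: header ignored.
    print(resolve_from_raw(SAMPLE_REQUEST, "198.51.100.7", ["127.0.0.1"]))
```

If a second proxy tier is ever added in front of HAProxy, extend the trusted list with its address or network rather than trusting the leftmost value; the leftmost value is the one a client can choose freely.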

Thank you for the response. That is true, the issue is not with HAProxy; I was able to make it work by adding this to the CherryPy server configuration:

import cherrypy

cherrypy.config.update({
    'server.socket_port': 8080,
    # Trust the X-Forwarded-* headers set by the upstream proxy (HAProxy)
    'tools.proxy.on': True,
    # Base URL as seen by clients, used when the proxy sends no X-Forwarded-Host
    'tools.proxy.base': 'http://example.com'
})

As in this guide: Deploy — CherryPy 3.2.4 documentation