Cannot forward client IP from load balancer


#1

Hi,

We are sending an HTTPS request from a client through HAProxy to an internal server.
We are sending header information from the client, but after passing through HAProxy, the HTTP_X_FORWARDED_FOR header information is lost somewhere.

Please help us forward the header information through HAProxy.

Following is our config:

Configuration:
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    stats socket /etc/haproxy/haproxysock level admin

defaults
    log global
    mode http
    retries 3
    option redispatch
    maxconn 4096
    contimeout 50000
    clitimeout 50000
    srvtimeout 50000
    errorfile 503 /etc/haproxy/errors/503_error.html

frontend Http
    mode http
    bind *:80
    option http-server-close
    option forwardfor
    default_backend http_web_servers

frontend Https
    mode tcp
    bind *:443
    default_backend https_servers

backend https_servers
    mode tcp
    balance roundrobin
    server webserver-001 xx.xx.xx.xx:443 maxconn 200 check port 80

backend http_web_servers
    mode http
    option abortonclose
    # option httpclose
    option http-server-close
    balance roundrobin
    option httpchk GET /health_check/65394534523423412345578568 HTTP/1.0
    server webserver-001 xx.xx.xx.xx:80 maxconn 200 check port 80

listen admin_page *:33306
    mode http
    balance roundrobin
    stats uri /
    stats realm Strictly\ Private
    stats auth :


#2

Do you want to SET an HTTP header, or do you want to FORWARD an HTTP header transparently?

You seem to pass TCP port 443 transparently (and therefore encrypted) to your backends, so you cannot set any HTTP headers obviously, because it is encrypted end-to-end between the client and the backend server.


#3

Because you are using mode tcp for https and just forwarding requests, you’ll need to use:

    server webserver-001 xx:xx:xx:xx:443 check … send-proxy

You didn’t mention which webserver you are using, but an nginx example is:

    server {
        listen 443 ssl http2 default_server proxy_protocol;

        # while not completely required you should also set:
        set_real_ip_from yy:yy:yy:yy; # haproxy address
        real_ip_header proxy_protocol;
    }

The two combined will send the client IP over https when you are forwarding rather than terminating; when terminating, you have as much control as you wish over header modification. https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#5.2-send-proxy
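
What `send-proxy` puts on the wire, as an added example that is not part of the thread: a minimal Python parser for the PROXY protocol v1 line a backend receives ahead of the TLS bytes, accepted only from an allow-listed proxy address. The function name, sample addresses and trusted-proxy set are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # v1 header line is at most 107 bytes, CRLF included


def parse_proxy_v1(data, peer_ip, trusted_proxies):
    """Split a PROXY protocol v1 header from the first bytes of a connection.

    data            -- first bytes read from the socket, before any TLS handshake
    peer_ip         -- address of the TCP peer (expected to be HAProxy)
    trusted_proxies -- addresses allowed to assert a client IP
                       (the role set_real_ip_from plays in the nginx config)
    Returns (client_ip, client_port, payload); client fields are None for UNKNOWN.
    """
    if peer_ip not in trusted_proxies:
        # Anyone who can reach the port could otherwise claim any source address.
        raise PermissionError("PROXY header from untrusted peer " + peer_ip)

    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no complete PROXY v1 header in first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]  # everything after the header, e.g. the TLS ClientHello

    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":
        return None, None, payload
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")

    addr_type = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    src = addr_type(fields[2])  # raises ValueError on an address family mismatch
    addr_type(fields[3])        # destination address must parse too
    for port in fields[4:6]:
        if not port.isdigit() or int(port) > 65535:
            raise ValueError("bad port in PROXY v1 header")
    return str(src), int(fields[4]), payload


# Constructed sample: the first bytes a backend behind "send-proxy" sees,
# followed by the start of the client's TLS record.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 443\r\n\x16\x03\x01"
TRUSTED = {"10.0.0.5"}  # assumed HAProxy address

if __name__ == "__main__":
    print(parse_proxy_v1(SAMPLE, "10.0.0.5", TRUSTED))
```

A backend that enables `proxy_protocol` on a listener expects this line on every connection, so the HAProxy `server` line and the backend listener have to be switched together.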