Cannot put header X-Forwarded-For in a stick table


#1

Hello!

I need to use the X-Forwarded-For header as the sticking item for balancing, but cannot figure out how to do it correctly.
My haproxy.conf:

global
        log 127.0.0.1 local2 notice
        chroot /var/lib/haproxy
        stats socket /tmp/haproxy.sock mode 666 level admin
        stats timeout 2m
        user haproxy
        group haproxy
        daemon
        maxconn 100000

defaults
        log     global
        option  dontlognull
        retries 3
        maxconn 100000
        timeout connect 240s
        timeout client 900s
        timeout server 900s
        timeout check 20s
        #errorfile 400 /etc/haproxy/errors/400.http
        #errorfile 403 /etc/haproxy/errors/403.http
        #errorfile 408 /etc/haproxy/errors/408.http
        #errorfile 500 /etc/haproxy/errors/500.http
        #errorfile 502 /etc/haproxy/errors/502.http
        #errorfile 503 /etc/haproxy/errors/503.http
        #errorfile 504 /etc/haproxy/errors/504.http

frontend app-frontend-test
        bind *:1234
        mode http
        option httplog
        option httpclose
        option http-server-close
        option forwardfor except 127.0.0.1 if-none
        capture request header X-Forwarded-For len 50
        default_backend test-server

backend test-server
        mode http
        stick-table type string len 50 size 200k expire 8h
        stick on capture.req.hdr(0)
        balance roundrobin
        server test-app1 10.9.15.43:1234 check
        fullconn 100000

listen stats
        bind 10.9.127.80:8888
        mode http
        stats enable
        stats uri /stats
        stats realm HAProxy Statistics
        stats auth user:password
        stats refresh 10s

My HAProxy version:

HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

OS: CentOS 7

I see with tcpdump that HAProxy puts the X-Forwarded-For header, but the stick-table is empty (I've checked it with echo "show table test-server" | socat /tmp/haproxy.sock stdio)


#2

I don’t think you can if it’s HAProxy adding the header. In simple terms I think it’s added after you’re trying to read it…

If it’s added upstream, say by Pound for example or any other proxy, then you can stick on it simply like this:

stick on hdr(X-Forwarded-For,-1)

However, I’ve never been able to do it either if it’s HAProxy adding the header.
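
An added example, not part of either post: when HAProxy is the first proxy the client reaches, the address that option forwardfor inserts is the connection's source address, so the table can be keyed on src directly. This also avoids keying stickiness on a header that, with if-none, a client can supply itself. Names and addresses are reused from the configuration in post #1; the rest is an assumption about the intended setup.

```haproxy
frontend app-frontend-test
        bind *:1234
        mode http
        option httplog
        option http-server-close
        # Still adds X-Forwarded-For for the application behind HAProxy.
        # With if-none, a header already sent by the client is passed through
        # unchanged, so its value is client-controlled.
        option forwardfor except 127.0.0.1 if-none
        default_backend test-server

backend test-server
        mode http
        balance roundrobin
        # The key is an address taken from the TCP connection, so the table
        # can be type ip instead of a 50-character string.
        stick-table type ip size 200k expire 8h
        # src is the same address HAProxy would write into X-Forwarded-For
        # for a directly connected client, and it cannot be set by a header.
        stick on src
        server test-app1 10.9.15.43:1234 check
        fullconn 100000
```

After a few requests, the same show table test-server command used in post #1 should list one entry per client address.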