We are using haproxy 1.8.17 in a two-stage setup:
- multiple “interceptor” servers (in http mode) that accept the initial connection and send it (using send-proxy-v2-ssl) to multiple:
- “routers” that know about the various backends to which we need to route the requests
Everything is working great, except when CloudFlare is involved. In the frontend on “router” we’re using:
```
http-request set-src hdr(x-forwarded-for) if is_cloudflare_src
```
and we find:
- the connections are properly coming from various Cloudflare IPs within their published ranges (126.96.36.199, 188.8.131.52, 184.108.40.206) – this is OK
- between “interceptor” and “router”, a single connection is fronted by a PROXY header with the actual outside layer 3/4 connection information – this is OK
- inside that stream are multiple requests – this is OK:

```
POST /message-bus/c009f71cb32a656f70b46a6db8c6ad42/poll?dlp=t HTTP/1.1
Host: community.customer.com
X-Forwarded-For: 192.0.2.18
CF-Connecting-IP: 192.0.2.18

POST /message-bus/97361f6ea08fc8c7a1eda4d34435907b/poll?dlp=t HTTP/1.1
Host: community.customer.com
X-Forwarded-For: 198.51.100.37
CF-Connecting-IP: 198.51.100.37

GET /admin/users/195.json?_=1556350420519 HTTP/1.1
Host: community.customer.com
X-Forwarded-For: 203.0.113.39
CF-Connecting-IP: 203.0.113.39
```
- what’s being reported by “router” is NOT OK, as it has the source IP as the X-Forwarded-For IP from the first request:

```
192.0.2.18:30658 [30/Apr/2019:18:54:41.486] app community/server03 0/0/1/61/62 200 1904 - - ---- 718/718/29/12/0 0/0 "GET /admin/users/195.json?_=1556350420519 HTTP/1.1"
```
I think that with our setup haproxy should be inspecting the X-Forwarded-For of each request, but it appears to be using the first IP seen for every single subsequent request.
Where’s the problem? Is this haproxy’s error or do we need to tell it to do something different?
This is a total guess, but I wonder if the `http-request set-src` overwrites the connection source instead of the request source, and then on the next request on that connection it doesn’t match.
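To make the guessed mechanism concrete, here is a small model (added illustration, not HAProxy code or anything posted in this thread) of `src` being a per-connection value that `set-src` rewrites, so that `is_cloudflare_src` is evaluated against the first request’s X-Forwarded-For on every later request of the same keep-alive connection. The Cloudflare range, the connection address and the requests are constructed; the “saved original source” variant assumes a session variable captured at connection time, which is my suggestion rather than the thread’s.

```python
# Model of the behaviour guessed above: "src" belongs to the connection and
# set-src overwrites it, so on a keep-alive connection the ACL sees the
# rewritten address for every request after the first.
import ipaddress

# Constructed stand-in for the Cloudflare range list (not a real range).
CLOUDFLARE_RANGES = [ipaddress.ip_network("198.18.0.0/15")]

# Constructed requests pipelined over one connection, as in the post.
REQUESTS = [
    {"path": "/message-bus/poll", "x_forwarded_for": "192.0.2.18"},
    {"path": "/message-bus/poll", "x_forwarded_for": "198.51.100.37"},
    {"path": "/admin/users/195.json", "x_forwarded_for": "203.0.113.39"},
]

def is_cloudflare_src(addr):
    """ACL is_cloudflare_src: does the address fall in a Cloudflare range?"""
    return any(ipaddress.ip_address(addr) in net for net in CLOUDFLARE_RANGES)

def route_as_observed(conn_src, requests):
    """set-src rewrites the connection address; the ACL re-reads it."""
    logged = []
    src = conn_src
    for req in requests:
        if is_cloudflare_src(src):        # false from request 2 onwards
            src = req["x_forwarded_for"]  # http-request set-src hdr(x-forwarded-for)
        logged.append(src)                # what the log line prints as source
    return logged

def route_with_saved_src(conn_src, requests):
    """Decide on the original connection address, saved once per session.
    Assumption: something like
    tcp-request connection set-var(sess.orig_src) src
    keeps the pre-rewrite address available for the ACL."""
    orig_src = conn_src
    logged = []
    src = conn_src
    for req in requests:
        if is_cloudflare_src(orig_src):   # stays true for every request
            src = req["x_forwarded_for"]
        logged.append(src)
    return logged

if __name__ == "__main__":
    print(route_as_observed("198.18.0.5", REQUESTS))    # first XFF repeated
    print(route_with_saved_src("198.18.0.5", REQUESTS))  # one XFF per request
```

The first function reproduces the log line above (every request attributed to 192.0.2.18); the second shows what keeping the original connection source for the ACL would change.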