Copy content from one header to the other

igor · March 31, 2023, 4:36pm

Hi all,

As one problem was solved, the other popped in. Does anyone know if is there a way to copy the content of one header into the other?

What I mean is that a client firewall is receiving an HTTP packet forwarded from HAproxy with two headers: 1) X-Forwarded-For (this header doesn’t contain real client IP but an IP from our router)
2) X-Original-Forwarded-For (this header contains real client IP which visits our website)

The question is how to copy the real client IP from X-Original-Forwarded-For into X-Forwarded-For.

Is this doable?

Thanks,
I

stormrover · April 1, 2023, 6:14pm

These are examples. I’ve not tested them for syntax, so you might have to adjust them a bit.

Assuming the router always sends this header:

    http-request set-header X-Forwarded-For %[req.hdr(X-Original-Forwarded-For)] if { src <router_IP> }

If there is ever a scenario where this header may not be present (like requests directly from the router), use this:

    http-request set-header X-Forwarded-For %[req.hdr(X-Original-Forwarded-For)] if { src <router_IP> } { req.hdr(X-Original-Forwarded-For) -m found }

Always add the router’s IP address to prevent someone else from setting X-Forwarded-For. It’s probably rare, but it’s good security practice.

igor · April 4, 2023, 11:39am

Thanks, this is a working solution.

davama · June 28, 2024, 6:45pm

This was very helpful. Thank you for that.

Just to add here, if you are copying from a header with a string that has commas, req.hdr will split it, you need to use req.fhdr() instead

Reference:

github.com/haproxy/haproxy

incorrect use of "len" parameter on http-request capture req.hdr(User-Agent)

opened 11:51AM - 04 Aug 20 UTC

closed 08:43PM - 04 Aug 20 UTC

thomaswieland

type: bug status: works as designed

I am using the "http-request capture" directive as described in the docs: https:…//www.haproxy.com/documentation/hapee/latest/onepage/#4.2-capture%20request%20header Expected behaviour: When setting "`http-request capture req.hdr(User-Agent) len 50`" I want to have logged "50 characters, beginning from position 0" (left end of the line). Observed behaviour: I get "50 characters, beginning from position 50". Conclusion: It seems like the "len" parameter is not only interpreted for the "num of characters", but also for the starting position. please find below my haproxy.cfg: ``` global daemon maxconn 256 ssl-server-verify none tune.ssl.default-dh-param 2048 log stdout daemon defaults mode http timeout connect 5000ms timeout client 50000ms timeout server 50000ms frontend website bind :8080 http-request capture req.hdr(x-forwarded-client-cert) len 58 http-request capture req.hdr(User-Agent) len 50 option httplog log global default_backend drm-service backend drm-service server backend drm-service:8080 ```

Topic		Replies	Views
Appending to the XFF header does not work as expected Help!	6	1925	March 29, 2021
Capturing HTTP header (X-Forwarded-For with wrong IP: 10.0.0.2)? Help!	3	2603	April 4, 2023
Http-request capture only logging partial X-Forward-For data Help!	2	1377	August 9, 2019
Pumping x-forwarded-for ip into proxy protocol Help!	0	428	August 12, 2022
Help with Regex Help!	1	369	June 21, 2021

Copy content from one header to the other

Related topics