Forward Client IP


#1

Hi

I have an HAProxy as a load balancer with 2 JBoss servers as backends. I am trying to forward the client IP to the JBoss servers; however, in the JBoss logs I see the HAProxy IP. Below is my config:

global
chroot /var/lib/haproxy
daemon
group haproxy
log 127.0.0.1 local0
maxconn 4000
pidfile /var/run/haproxy.pid
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl-default-bind-options no-sslv3 no-tls-tickets
stats socket /var/lib/haproxy/stats
user haproxy
defaults
log global
maxconn 8000
option httplog
option redispatch
option log-separate-errors
retries 3
stats enable
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s

frontend app_preprod
bind 172.0.0.222:443 ssl crt /etc/haproxy/ssl/certs/cert.pem
bind 172.0.0.222:80
mode http
acl url_app_partner path_beg /app-1.0.0
use_backend app_insurance_preprod if url_app_partner
redirect scheme https if !{ ssl_fc }
option forwardfor
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
capture request header Host len 40
capture request header X-Forwarded-For len 50
capture request header Accept-Language len 50
capture request header Referer len 200
capture request header User-Agent len 200

backend app_insurance_preprod
balance roundrobin
mode http
option forwardfor
# HAProxy requires a server name before the address; the names below are placeholders
server jboss1 172.0.0.134:8080 check
server jboss2 172.0.0.135:8080 check


#2

Always provide the haproxy release (output of haproxy -vv).

Nothing wrong with the HAProxy configuration. I assume your JBoss backend ignores the X-Forwarded-For header and suggest double-checking on that end.


#3

Cool will check the backend.

BTW, here is the version:

HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.


#4

This HAProxy release should work just fine regarding X-Forwarded-For.


#5

My backend looks at the client IP, not X-Forwarded-For. Is it possible to forward the client IP?


#6

Use mod_remoteip on Tomcat:
http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html
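As an added example (not code from this thread, HAProxy, JBoss or mod_remoteip), here is the resolution a backend has to do once it does honour X-Forwarded-For, following the same idea as mod_remoteip's internal-proxy list: the header is only believed when the TCP peer is a trusted proxy, and the hop list is walked from the right, skipping trusted proxy addresses, so a value the client forged in its own X-Forwarded-For header (which `option forwardfor` leaves in place and adds a second header line after) cannot override the address HAProxy appended. The trusted-proxy address is assumed to be HAProxy's 172.0.0.222 from post #1; the peer addresses and header lists are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Proxies allowed to set X-Forwarded-For. Assumption for this example: the
# HAProxy bind address from post #1 is the only load balancer in front of JBoss.
TRUSTED_PROXIES = [ipaddress.ip_network("172.0.0.222/32")]


def _is_trusted(addr: str, trusted) -> bool:
    """True when addr parses as an IP address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def xff_chain(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Flatten every X-Forwarded-For header line, in order, into one hop list.

    HAProxy's `option forwardfor` adds its own X-Forwarded-For line, so a request
    can carry several: whatever the client sent first, HAProxy's value last.
    """
    hops: List[str] = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            hops.extend(h.strip() for h in value.split(",") if h.strip())
    return hops


def client_ip(peer_addr: str, headers: Iterable[Tuple[str, str]], trusted=TRUSTED_PROXIES) -> str:
    """Return the client address the backend should log and act on.

    peer_addr is the source address of the TCP connection as the backend sees it
    (HAProxy's address when the request came through the load balancer).
    """
    # Rule 1: a connection that did not come from a trusted proxy gets no header
    # trust at all; the peer address is the client, whatever X-Forwarded-For says.
    if not _is_trusted(peer_addr, trusted):
        return peer_addr

    # Rule 2: walk the hop list right to left. The rightmost hop was written by the
    # nearest trusted proxy; hops further left were supplied by whoever was in front
    # of it, including the client itself, and only trusted proxy addresses are skipped.
    for hop in reversed(xff_chain(headers)):
        if _is_trusted(hop, trusted):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            # Malformed hop: do not guess, fall back to the connection peer.
            return peer_addr
    # No usable hop: the trusted proxy sent nothing, so the peer is all we know.
    return peer_addr


if __name__ == "__main__":
    # Constructed request: the client forged an X-Forwarded-For header, then HAProxy
    # (172.0.0.222) appended its own line with the real source address.
    via_lb = [("Host", "app.example.test"),
              ("X-Forwarded-For", "10.10.10.10"),
              ("X-Forwarded-For", "203.0.113.5")]
    print(client_ip("172.0.0.222", via_lb))     # 203.0.113.5, the forged hop is ignored

    # Constructed request that reached the backend directly, bypassing HAProxy.
    direct = [("X-Forwarded-For", "10.10.10.10")]
    print(client_ip("198.51.100.7", direct))    # 198.51.100.7, header not trusted
```

The peer-address check is what makes the header safe to use: with `option forwardfor` alone, anyone who can reach port 8080 on the JBoss hosts directly can present any X-Forwarded-For value, so the backend port should also be reachable only from the load balancer.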