Forward Client's IP to apache backend with https pass through


#1

Hi there,

this is my haproxy version:
haproxy -vv
HA-Proxy version 1.5.18 2016/05/10

We’ve got 2 apache backends accepting https only requests. Our business app running on apache must record original client’s IP but instead saves balancer IP. Is there any way for https mode to forward client’s IP to webserver?

Thx
Marcin


#2

Use the PROXY protocol:
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.2-send-proxy

Or set up haproxy as transparent MITM proxy.

I suggest the former possibility, as the latter is more complicated to set up.


#3

Hi Lukas, seems like mod-proxy-protocol is not supported with recent Apache 2.4 - in log file I can observe

[Sun Aug 06 14:08:33.765403 2017] [proxy_protocol:error] [pid 10688] [client ::1:45534] ProxyProtocol: no valid header found

found also this topic:
https://github.com/roadrunner2/mod-proxy-protocol/issues/6

perhaps I did something wrong with this setup but it’s quite straightforward.

Thx
Marcin


#4

Did you enable send-proxy in haproxy?


#5

sure:

backend https_nodes
    mode tcp
    balance roundrobin
    option tcplog
    option ssl-hello-chk
    stick-table type ip size 1m expire 1h
    stick on src
    server https-1 77.X.X.X:443 send-proxy
    server https-2 77.Y.Y.Y:443 send-proxy

Can tshark sniff proxy protocol?

Thx
Marcin


#6

Not sure if it can parse it correctly, but you should certainly see the difference.


#7

definitely there is some extra information between haproxy and apache:

0010 08 00 45 00 00 64 a4 45 40 00 40 06 20 8d 4d 4f  ..E..d.E@.@. .MO
0020 ed 99 4d 4f ed 89 c5 ce 01 bb 46 2c 5e 36 fd d5  ..MO......F,^6..
0030 af 17 80 18 00 e5 f9 54 00 00 01 01 08 0a bb 29  .......T.......)
0040 fd 93 6e c7 96 66 50 52 4f 58 59 20 54 43 50 34  ..n..fPROXY TCP4
0050 20 33 37 2e 34 37 2e 32 36 2e 32 35 33 20 37 37   37.47.26.253 77
0060 2e 37 31 2e 31 31 31 2e 32 33 33 20 38 35 35 39  .71.111.233 8559
0070 20 34 34 33 0d 0a   443..

but on apache side: ProxyProtocol: no valid header found


#8

So haproxy correctly sends the PROXY header.

I suggest you troubleshoot on the Apache side: you did disable HTTP2 in Apache, right?
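
Added example, not part of the thread and not haproxy or Apache module code: a strict parser for the PROXY protocol v1 line, run over the TCP payload bytes from the capture in post #7. The names `parse_proxy_v1` and `CAPTURED_HEX` are made up for this example; the 107-byte limit and the field layout come from the PROXY protocol v1 specification.

```python
import ipaddress

# TCP payload bytes copied from the capture in post #7 (offset 0x46 onward).
CAPTURED_HEX = (
    "50 52 4f 58 59 20 54 43 50 34"
    " 20 33 37 2e 34 37 2e 32 36 2e 32 35 33 20 37 37"
    " 2e 37 31 2e 31 31 31 2e 32 33 33 20 38 35 35 39"
    " 20 34 34 33 0d 0a"
)
MAX_V1_LEN = 107  # longest legal v1 line, CRLF included


def parse_proxy_v1(data: bytes):
    """Parse a PROXY v1 line that must sit at the very start of the stream.

    Returns (info, remaining_bytes); raises ValueError on anything malformed.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no valid PROXY v1 header at start of stream")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]  # what follows the header, e.g. the TLS ClientHello
    if fields[1] == "UNKNOWN":
        return {"proto": "UNKNOWN"}, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad field count or protocol")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol")
    ports = []
    for p in fields[4:6]:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 65535:
            raise ValueError("bad port")
        ports.append(int(p))
    info = {"proto": fields[1], "src": str(src), "dst": str(dst),
            "src_port": ports[0], "dst_port": ports[1]}
    return info, rest


if __name__ == "__main__":
    info, rest = parse_proxy_v1(bytes.fromhex(CAPTURED_HEX))
    print(info, "bytes after header:", len(rest))
```

A receiver should accept this header only on connections coming from the balancer's own address, because any client that can reach the backend directly can write whatever source address it likes into the line.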


#9

on Apache side http2 is disabled. So it’s not related to http2 in my opinion.

M.


#10

You would have to troubleshoot it with Apache folks, or rather the Apache module folks. Not an Apache expert myself.