Forward Client's IP to apache backend with https pass through

marcingiedz · August 3, 2017, 11:22am

Hi there,

this is my haproxy version:
haproxy -vv
HA-Proxy version 1.5.18 2016/05/10

We’ve got 2 apache backends accepting https only requests. Our business app runnig on apache must record original Clients IP but instead saves balancer IP. Is there any way for ttps mode to forward client’s IP to webserver ?

Thx
Marcin

lukastribus · August 4, 2017, 7:26am

Use the PROXY protocol:
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.2-send-proxy
https://github.com/roadrunner2/mod-proxy-protocol

Or setup haproxy as transparent MITM proxy.

I suggest the former possibility, as the latter is more complicated to setup.

marcingiedz · August 6, 2017, 12:14pm

Hi Lukas, seems like mod-proxy-protocol is not supported with recent Apache 2.4 - in log file I can observe

[Sun Aug 06 14:08:33.765403 2017] [proxy_protocol:error] [pid 10688] [client ::1:45534] ProxyProtocol: no valid header found

found also this topic:
https://github.com/roadrunner2/mod-proxy-protocol/issues/6

perhaps I did something wrong with this setup but it’s quite straightforward.

Thx
Marcin

lukastribus · August 6, 2017, 1:06pm

Did you enable send-proxy in haproxy?

marcingiedz · August 6, 2017, 1:34pm

sure:

backend https_nodes
mode tcp
balance roundrobin
option tcplog
option ssl-hello-chk
stick-table type ip size 1m expire 1h
stick on src
server https-1 77.X.X.X:443 send-proxy
server https-2 77.Y.Y.Y:443 send-proxy

can tshark sniff proxy protocol ?

Thx
Marcin

lukastribus · August 6, 2017, 2:04pm

Not sure if it can parse it correctly, but you should certainly see the difference.

marcingiedz · August 7, 2017, 2:44pm

definitely there is some extra information between haproxy and apache:

0010 08 00 45 00 00 64 a4 45 40 00 40 06 20 8d 4d 4f …E…d.E@.@. .MO
0020 ed 99 4d 4f ed 89 c5 ce 01 bb 46 2c 5e 36 fd d5 …MO…F,^6…
0030 af 17 80 18 00 e5 f9 54 00 00 01 01 08 0a bb 29 …T…)
0040 fd 93 6e c7 96 66 50 52 4f 58 59 20 54 43 50 34 …n…fPROXY TCP4
0050 20 33 37 2e 34 37 2e 32 36 2e 32 35 33 20 37 37 37.47.26.253 77
0060 2e 37 31 2e 31 31 31 2e 32 33 33 20 38 35 35 39 .71.111.233 8559
0070 20 34 34 33 0d 0a 443…

but on apache side: ProxyProtocol: no valid header found

lukastribus · August 17, 2017, 9:50am

So haproxy correctly sends the PROXY header.

I suggest you troubleshoot on the Apache side: you did disable HTTP2 in Apache, right?

marcingiedz · August 17, 2017, 2:48pm

on Apache side http2 is disabled. So it’s not related to http2 in my opinion.

M.

lukastribus · August 17, 2017, 3:08pm

You would have to troubleshoot it with Apache folks, or rather the Apache module folks. Not an Apache expert myself.

Topic		Replies	Views
Accessing Client IP in Backend Server is SSLPassthrough mode Help!	10	5348	August 28, 2021
TCP mode with forward ip Help!	2	1634	May 23, 2023
Send-proxy in tcp mode with encrypted traffic Help!	2	422	September 4, 2023
Get the real-ip on the backend servers with SSL pass-through Help!	1	3081	December 31, 2020
Can not forward client ip from load balancer Help!	2	7919	August 23, 2016

Forward Client's IP to apache backend with https pass through

Related topics