Hi All,
I have a problem with forward ip.
I have 2 haproxies: 1 with public IP (external proxy) and 1 for internal network (internal proxy).
The conf of my external proxy is very simple: all traffic is routed from external proxy to internal proxy and I have 1 BE of HTTP and 1 BE for HTTPS.
All of ACLs and BE are configured on internal proxy.
I have problem for client IP. The external proxy send the ip client as domain name and not as client ip:
Mar 29 10:04:33 haproxy-indire-int01-indire haproxy[25793]: IP_EXTERNAL_PROXY:36064 [29/Mar/2023:10:04:31.954] www-https~ Sito_Istituzionale/indire-esterno-1 0/0/3/965/1915 200 90589 - - ---- 1/1/0/0/0 0/0 {CLIENT_IP} “GET / HTTP/1.1”
This is the conf of my external proxy:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
maxconn 4000
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers !SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
defaults
log global
mode http
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
option log-health-checks
retries 5
timeout check 20s
timeout client 2m
timeout connect 2s
timeout http-keep-alive 20s
timeout http-request 20s
timeout queue 2m
timeout server 2m
maxconn 3000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
###################################################################################################################
Sezione FRONTEND HTTP
###################################################################################################################
#---------------------------------------------------------------------
frontend www-http
mode http
bind *:80
bind *:8125
bind *:36666
http-request set-header X-Forwarded-Proto http
capture request header Host len 100
default_backend haproxy-int-80
#---------------------------------------------------------------------
###################################################################################################################
Sezione FRONTEND HTTPS
###################################################################################################################
#---------------------------------------------------------------------
frontend www-https
mode http
bind *:443 ssl crt /etc/haproxy/ssl
bind *:8125 ssl crt /etc/haproxy/ssl
bind *:36666 ssl crt /etc/haproxy/ssl
http-request set-header X-Forwarded-Proto https
capture request header Host len 100
default_backend haproxy-int-443
#---------------------------------------------------------------------
SEZIONE CONFIGURAZIONE SERVER DI BE
backend haproxy-int-80
mode http
balance source
option forwardfor
http-request add-header X-FrontEnd-IP %[dst]
redirect scheme https if !{ ssl_fc }
server haproxy-int01 INTERNAL_PROXY_IP:80
backend haproxy-int-443
mode http
balance source
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server haproxy-int01 INTERNAL_PROXY_IP:443 check-sni check ssl verify none
Were I wrong?