So I currently have this frontend for incoming HTTPS traffic, which inspects the SNI and decides if it needs to perform decryption or not.
listen haproxy-tcp-in
    mode tcp
    bind 192.168.1.2:443
    tcp-request inspect-delay 10s
    # wait for a TLS ClientHello before routing on the SNI it carries
    tcp-request content accept if { req.ssl_hello_type 1 }
    tcp-request content do-resolve(sess.myip,dns,ipv4) req.ssl_sni
    # -i: case-insensitive exact match (assumed; the posted line had a bare "-")
    acl passsites req.ssl_sni -i www.example.com
    # ACL name must match its definition ("passites" in the post was a typo)
    use_backend passthrough if passsites
    use-server tointercept if !passsites
    server tointercept 127.0.0.1:10443
server tointercept sends it to another frontend in http mode so I can use http-request stuff and do the SSL termination on the bind line. But when not terminating, I cannot do the HTTP stuff. But I still want to have the original source IP that the request to HAProxy came from, so basically the forwardfor option that is only available for HTTP.
How can I get the source IP from a TCP request and add it to the request to 127.0.0.1:10443? Because the 127.0.0.1:443 frontend's forwardfor then shows 127.0.0.1 as X-Forwarded-For.
Or perhaps there is a better way to achieve this.
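An added example (editor's, not part of the original post) of the usual way to carry the client address across the TCP-to-HTTP hop without touching the TLS stream: HAProxy's own PROXY protocol. The tcp-mode listener prepends a PROXY v2 header with `send-proxy-v2`, the terminating frontend reads it with `accept-proxy`, and from then on `src` (and therefore `option forwardfor`) is the real client, not 127.0.0.1. Assumed names that are not in the post: the frontend `https-intercept`, the backend `intercepted_app` at 127.0.0.1:8080, the certificate path `/etc/haproxy/certs/site.pem`, and an existing `backend passthrough` (left as it is in the post).

```haproxy
# Added example, not from the original post. Assumed: backend "passthrough"
# already exists, cert at /etc/haproxy/certs/site.pem, app on 127.0.0.1:8080.

listen haproxy-tcp-in
    mode tcp
    bind 192.168.1.2:443
    tcp-request inspect-delay 10s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl passsites req.ssl_sni -i www.example.com
    use_backend passthrough if passsites
    # Hand the untouched TLS stream to the local terminating frontend, prefixed
    # with a PROXY protocol v2 header carrying the original client IP and port.
    server tointercept 127.0.0.1:10443 send-proxy-v2

frontend https-intercept
    mode http
    # accept-proxy consumes the PROXY header before the TLS handshake, so "src"
    # is the address of the client that connected to 192.168.1.2:443.
    # Keep this bind on loopback only: accept-proxy trusts whatever address the
    # header claims, so any host able to reach it could forge a source IP.
    bind 127.0.0.1:10443 accept-proxy ssl crt /etc/haproxy/certs/site.pem
    # Now populated with the real client address, not 127.0.0.1
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend intercepted_app

backend intercepted_app
    mode http
    server app1 127.0.0.1:8080
```

Only the intercepting server line gets `send-proxy-v2`; the `passthrough` backend must not, because the upstream origin would see a PROXY header it does not understand in front of the ClientHello. If the terminating frontend ever has to listen on a non-loopback address, gate the header with `tcp-request connection expect-proxy layer4 if { src 127.0.0.1 }` instead of a blanket `accept-proxy`. The other option, transparent proxying with `source 0.0.0.0 usesrc clientip` on the server line, preserves the address at the IP layer but needs CAP_NET_ADMIN, kernel TPROXY support and routing so that return traffic comes back through HAProxy; for a loopback hop the PROXY protocol is simpler and gives the same `X-Forwarded-For` result.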