Get source IP from incoming TCP packet

So I currently have this frontend for incoming HTTPS traffic, which inspects the SNI and decides if it needs to perform decryption or not.

listen haproxy-tcp-in
    mode tcp
    bind 192.168.1.2:443
    tcp-request inspect-delay 10s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # needs a "resolvers dns" section to be defined elsewhere in the config
    tcp-request content do-resolve(sess.myip,dns,ipv4) req.ssl_sni
    # -i makes the SNI comparison case-insensitive
    acl passsites req.ssl_sni -i www.example.com
    # "backend passthrough" is defined elsewhere in the config
    use_backend passthrough if passsites
    use-server tointercept if !passsites
    server tointercept 127.0.0.1:10443

server tointercept sends it to another frontend in http mode so I can use http-request stuff and do the ssl termination on the bind line. But, when not terminating, I cannot do the http stuff. But I still want to have the original source IP where the request to HAProxy came from, so basically the forwardfor option that is only available for HTTP.

How can I get the source IP from a tcp req and add it to the request to 127.0.0.1:10443? Because the 127.0.0.1:443 frontend forwardfor then shows 127.0.0.1 as X-Forward-for.

Or perhaps there is a better way to achieve this.

Hi,

You should look at:
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#send-proxy
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#accept-proxy

send-proxy on the server line on your “haproxy-tcp-in” listen.
accept-proxy on the target frontend.

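Putting the two directives from the answer together, as an added example that is not the original poster's configuration: the listen section marks its loopback server with send-proxy, so the real client address travels across the 127.0.0.1 hop inside a PROXY protocol header, and the http-mode frontend it targets accepts that header. The backend names, the origin and application addresses, and the certificate path are assumptions.

```haproxy
# Added example configuration (not the original poster's config).
# Assumed: backend/frontend names, 203.0.113.10 and 10.0.0.5 addresses,
# and the certificate path.

listen haproxy-tcp-in
    mode tcp
    bind 192.168.1.2:443
    tcp-request inspect-delay 10s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl passsites req.ssl_sni -i www.example.com
    use_backend passthrough if passsites
    # send-proxy prepends a PROXY protocol header carrying the client's
    # address and port before relaying the untouched TLS bytes.
    server tointercept 127.0.0.1:10443 send-proxy

backend passthrough
    mode tcp
    # No send-proxy here: the origin does not expect a PROXY header, and
    # sending one would corrupt the TLS handshake from its point of view.
    server origin 203.0.113.10:443

frontend https-intercept
    mode http
    # accept-proxy makes this bind trust whatever PROXY header it receives,
    # so keep it on loopback: any peer that can reach an accept-proxy bind
    # can claim an arbitrary source address.
    bind 127.0.0.1:10443 ssl crt /etc/haproxy/certs/example.pem accept-proxy
    # With the header accepted, src is the original client, so forwardfor
    # and %[src] no longer report 127.0.0.1.
    option forwardfor
    http-request set-header X-Real-IP %[src]
    default_backend app

backend app
    mode http
    server app1 10.0.0.5:8080
```

Once the header is accepted, every place HAProxy exposes the connection source (logs, the src sample fetch, ACLs that rate-limit or allow-list by address) sees the client rather than the loopback hop, which is why the second frontend can keep its own address-based rules intact.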

That did the trick. Thank you!