Hello,
my backend servers that I have configured on my haproxy are running fail2ban and for that I need the real-ip / malicious ip, otherwise fail2ban would block my haproxy ip as this ip appears in my web server logs.
Over HTTP this works fine with option forwardfor and using the X-Forwarded-For header, but is something like this also possible over HTTPS, while HAproxy only passes SSL and the termination happens on the backend servers?
Here is a snippet of my HAproxy configuration:
frontend http_in
    mode http
    bind *:80
    option forwardfor
    option httplog
    use_backend http_%[req.hdr(host),lower,map_str(/etc/haproxy/maps/backends.map,servers)]

frontend https_in
    mode tcp
    bind *:443
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # option forwardfor -> doesn't work as HAproxy can't edit the header?!
    use_backend https_%[req.ssl_sni(),lower,map(/etc/haproxy/maps/backends.map,servers)]

backend http_servers
    mode http
    option forwardfor
    server a1 10.0.13.37:80 check
    ...

backend https_servers
    mode tcp
    option ssl-hello-chk
    server a1 10.0.13.37:443 check
    server a2 ...
HA-Proxy version 1.7.5-2 2017/05/17
OS: Debian GNU/Linux 9 (stretch) / Linux 4.9.0-14-amd64 #1 SMP Debian 4.9.240-2 (2020-10-30) x86_64 GNU/Linux
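Since HAProxy in TCP passthrough mode never sees the decrypted HTTP request, it cannot add an X-Forwarded-For header; the mechanism HAProxy provides for exactly this case is the PROXY protocol, where the original client address is prepended as a small header on the TCP connection before the untouched TLS bytes. The following is an added example, not the poster's configuration and not taken from the HAProxy project: it reuses the poster's frontend/backend names, map file and the server a1 address, and assumes the backend web server is nginx (the nginx directives are given below the block). The only change to the poster's backend is the send-proxy-v2 keyword on the server line.

```haproxy
frontend https_in
    mode tcp
    bind *:443
    option tcplog
    tcp-request inspect-delay 5s
    # Wait for the TLS ClientHello so the SNI-based routing below still works;
    # HAProxy does not decrypt anything here.
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend https_%[req.ssl_sni,lower,map(/etc/haproxy/maps/backends.map,servers)]

backend https_servers
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2 prepends a PROXY protocol v2 header carrying the real
    # client IP/port to every connection to this server (health checks
    # included, since no separate check port is set). The TLS session itself
    # is passed through unchanged and still terminates on the backend.
    server a1 10.0.13.37:443 check send-proxy-v2
```

On the nginx side (assumed backend), the corresponding directives are `listen 443 ssl proxy_protocol;` on the server block, plus `set_real_ip_from <haproxy-ip>;` and `real_ip_header proxy_protocol;` so that `$remote_addr`, and therefore the access log that fail2ban reads, carry the client address instead of the HAProxy address. Two caveats a defender should keep in mind: a port configured with `proxy_protocol` will refuse plain TLS handshakes, so it only works for connections that come through HAProxy; and the backend trusts whatever address the PROXY header claims, so that port must only be reachable from the HAProxy host (firewall it and keep `set_real_ip_from` limited to the HAProxy address), otherwise a host with direct access could spoof the client IP that fail2ban acts on.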