Get the real-ip on the backend servers with SSL pass-through


My backend servers, which I have configured on my HAProxy, are running fail2ban, and for that I need the real IP / malicious IP; otherwise fail2ban would block my HAProxy IP, as this IP appears in my web server logs.

Over HTTP this works fine with `option forwardfor` and using the X-Forwarded-For header, but is something like this also possible over HTTPS, while HAProxy only passes SSL through and the termination happens on the backend servers?

Here is a snippet of my HAProxy configuration:

    frontend http_in
      mode http
      bind *:80
      option forwardfor
      option httplog
      use_backend http_%[req.hdr(host),lower,map_str(/etc/haproxy/maps/,servers)]

    frontend https_in
      mode tcp
      tcp-request content accept if { req_ssl_hello_type 1 }
      tcp-request inspect-delay 5s
      bind *:443
      option tcplog
      # option forwardfor -> doesn't work, as HAProxy can't edit the header?!
      use_backend https_%[req.ssl_sni(),lower,map(/etc/haproxy/maps/,servers)]

    backend http_servers
      mode http
      option forwardfor
      server a1 check

    backend https_servers
      mode tcp
      option ssl-hello-chk
      server a1 check
      server a2 ...

HA-Proxy version 1.7.5-2 2017/05/17
OS: Debian GNU/Linux 9 (stretch) / Linux 4.9.0-14-amd64 #1 SMP Debian 4.9.240-2 (2020-10-30) x86_64 GNU/Linux

You could use the PROXY protocol to pass the client IP information with the TCP session: HAProxy version 2.0.19 - Configuration Manual
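As an added illustration of that answer (not part of the original post), this is what the TCP backend from the question looks like with the PROXY protocol enabled; the server addresses are placeholders, and the backend web server must itself be configured to accept PROXY protocol on that port, which the comments describe for nginx.

```haproxy
# Added example: TCP pass-through backend that prepends a PROXY protocol
# header to each forwarded connection, so the backend learns the real
# client IP even though TLS is terminated there, not on HAProxy.
backend https_servers
  mode tcp
  option ssl-hello-chk
  # send-proxy-v2 emits the binary v2 header; send-proxy emits the text v1
  # form ("PROXY TCP4 <client-ip> <proxy-ip> <client-port> <proxy-port>").
  # Health checks reuse the PROXY setting of the server automatically.
  server a1 10.0.0.11:443 check send-proxy-v2    # placeholder address
  server a2 10.0.0.12:443 check send-proxy-v2    # placeholder address

# On the nginx backend the matching pieces are (nginx config, not HAProxy):
#   listen 443 ssl proxy_protocol;
#   set_real_ip_from 10.0.0.1;          # only the HAProxy address(es)
#   real_ip_header proxy_protocol;
# After that $remote_addr in access/error logs is the client IP, which is
# what fail2ban reads, so it no longer bans the HAProxy address.
```

Once `proxy_protocol` is enabled on a listener, every connection to that port must carry the header, so direct connections that bypass HAProxy will fail, and `set_real_ip_from` should list only the HAProxy addresses so that nothing else can inject a forged client IP.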