HAPROXY and Apache logs - client IP

Hi,

I have a problem with the HAPROXY configuration.

I have a public IP.
There are two LAMP servers in my network.

I want to be able to access them from the outside through two different domains on ports 80 and 443.

I have configured HAPROXY for this purpose.
It works. I have access to two servers through two different domains.

The problem is that in the Apache logs on LAMP01 and LAMP02 I can see the IP of the HAPROXY server instead of the client’s real IP.

What do I have to change to see the client’s real IP in the logs?

I added an entry to the Apache configuration file:

RemoteIPHeader X-Forwarded-For
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %b" common

Then I executed the command:

a2enmod remoteip && systemctl restart apache2

Below is my configuration file for HAPROXY:

root@haproxy01:~# cat /etc/haproxy/haproxy.cfg
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option forwardfor
        timeout connect 10s
        timeout client  60s
        timeout server  60s
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend http_in
        mode http
        option httplog
        bind *:80
        option forwardfor
        redirect scheme https code 301 if !{ ssl_fc }
        acl host_server1 hdr(host) -i mojadomena1.pl
        acl host_server2 hdr(host) -i mojadomena2.pl
        acl host_server3 hdr(host) -i test.mojadomena2.pl

        use_backend http_server1 if host_server1
        use_backend http_server2 if host_server2
        use_backend http_server3 if host_server3

backend http_server1
        mode http
        option httplog
        option forwardfor
        server server1 server1:80

backend http_server2
        mode http
        option httplog
        option forwardfor
        server server2 server2:80

backend http_server3
        mode http
        option httplog
        option forwardfor
        server server3 server3:80

frontend https_in
        mode tcp
        option tcplog
        option forwardfor
        bind *:443
        acl tls req.ssl_hello_type 1
        tcp-request inspect-delay 5s
        tcp-request content accept if tls

        acl host_server1 req.ssl_sni -i mojadomena1.pl
        acl host_server2 req.ssl_sni -i mojadomena2.pl
        acl host_server3 req.ssl_sni -i test.mojadomena2.pl

        use_backend https_server1 if host_server1
        use_backend https_server2 if host_server2
        use_backend https_server3 if host_server3

backend https_server1
        mode tcp
        option tcplog
        option forwardfor
        option ssl-hello-chk
        server server1 server1:443

backend https_server2
        mode tcp
        option tcplog
        option forwardfor
        option ssl-hello-chk
        server server2 server2:443

backend https_server3
        mode tcp
        option tcplog
        option forwardfor
        option ssl-hello-chk
        server server3 server3:443

frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats admin if LOCALHOST
    stats auth admin:admin123

Please help me :slight_smile:

You are using option forwardfor in your https_in frontend without terminating TLS.
As a result haproxy is not able to see the HTTP traffic, and can't enrich the XFF header with the client IP address.

As for your http_in frontend, even though you configured use_backend rules, you have a redirect rule to redirect all http traffic to https, and as a result option forwardfor does not apply because no request going through this frontend is ever proxied to a backend server.
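The following is an added example of what jerome's answer implies for the https_in side; it is not jerome's config and not the poster's. It terminates TLS on HAProxy so the frontend runs in mode http, where option forwardfor can actually add the client address, and it strips any X-Forwarded-For a client sent so the value the backends see is the one HAProxy wrote. The certificate directory /etc/haproxy/certs/ and the CA bundle path are assumptions; the host names and server names are the ones from the posted config. The http_in frontend is left as it is, since it only issues redirects.

```haproxy
# Added example, not the original poster's or jerome's configuration.
# Assumes /etc/haproxy/certs/ holds a PEM (certificate + key) per domain.
frontend https_in
        mode http
        option httplog
        # Terminate TLS here; HAProxy then sees the HTTP request and can
        # add X-Forwarded-For. HAProxy picks the PEM by SNI from the directory.
        bind *:443 ssl crt /etc/haproxy/certs/
        # Drop any X-Forwarded-For a client supplied, so the backend cannot be
        # fed a spoofed first hop; option forwardfor then adds the real src.
        http-request del-header X-Forwarded-For
        option forwardfor
        http-request set-header X-Forwarded-Proto https
        acl host_server1 hdr(host) -i mojadomena1.pl
        acl host_server2 hdr(host) -i mojadomena2.pl
        acl host_server3 hdr(host) -i test.mojadomena2.pl

        use_backend https_server1 if host_server1
        use_backend https_server2 if host_server2
        use_backend https_server3 if host_server3

# Backends re-encrypt towards Apache on 443 and verify its certificate
# against the system CA bundle (assumed path); sni forwards the Host header
# so Apache serves the matching virtual host.
backend https_server1
        mode http
        option httplog
        option forwardfor
        server server1 server1:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni req.hdr(host)

backend https_server2
        mode http
        option httplog
        option forwardfor
        server server2 server2:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni req.hdr(host)

backend https_server3
        mode http
        option httplog
        option forwardfor
        server server3 server3:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni req.hdr(host)
```

On the Apache side, RemoteIPHeader X-Forwarded-For alone makes mod_remoteip trust that header from anyone; add RemoteIPInternalProxy with the HAProxy server's address so only that hop is trusted, and %a in the LogFormat will then log the client address. If TLS must stay end-to-end on the LAMP hosts instead, the alternative is to keep mode tcp and append send-proxy-v2 to each server line, with RemoteIPProxyProtocol On in Apache (httpd 2.4.31 or newer) to read the client address from the PROXY protocol header rather than from X-Forwarded-For.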

Thanks jerome for the answer.

I can see that I have a lot of work to do with the HAPROXY configuration.

I read the documentation and I get lost in it all.