HAPROXY and Apache logs - client IP


I have a problem with the HAPROXY configuration.

I have a public IP.
There are two LAMP servers in my network.

I want to be able to access them from the outside through two different domains on ports 80 and 443.

I have configured HAPROXY for this purpose.
It works. I have access to two servers through two different domains.

The problem is that in the Apache logs on LAMP01 and LAMP02 I can see the IP of the HAPROXY server instead of the client’s real IP.

What do I have to change to see the client’s real IP in the logs?

I added an entry to the Apache configuration file:

RemoteIPHeader X-Forwarded-For
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %b" common

Then I executed the command:

a2enmod remoteip && systemctl restart apache2

Below is my configuration file for HAPROXY:

root@haproxy01:~# cat /etc/haproxy/haproxy.cfg
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option forwardfor
        timeout connect 10s
        timeout client  60s
        timeout server  60s
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend http_in
        mode http
        option httplog
        bind *:80
        option forwardfor
        redirect scheme https code 301 if !{ ssl_fc }
        acl host_server1 hdr(host) -i mojadomena1.pl
        acl host_server2 hdr(host) -i mojadomena2.pl
        acl host_server3 hdr(host) -i test.mojadomena2.pl

        use_backend http_server1 if host_server1
        use_backend http_server2 if host_server2
        use_backend http_server3 if host_server3

backend http_server1
        mode http
        option httplog
        option forwardfor
        server server1 server1:80

backend http_server2
        mode http
        option httplog
        option forwardfor
        server server2 server2:80

backend http_server3
        mode http
        option httplog
        option forwardfor
        server server3 server3:80

frontend https_in
        mode tcp
        option tcplog
        option forwardfor
        bind *:443
        acl tls req.ssl_hello_type 1
        tcp-request inspect-delay 5s
        tcp-request content accept if tls

        acl host_server1 req.ssl_sni -i mojadomena1.pl
        acl host_server2 req.ssl_sni -i mojadomena2.pl
        acl host_server3 req.ssl_sni -i test.mojadomena2.pl

        use_backend https_server1 if host_server1
        use_backend https_server2 if host_server2
        use_backend https_server3 if host_server3

backend https_server1
        mode tcp
        option tcplog
        option forwardfor
        option ssl-hello-chk
        server server1 server1:443

backend https_server2
        mode tcp
        option tcplog
        option forwardfor
        option ssl-hello-chk
        server server2 server2:443

backend https_server3
        mode tcp
        option tcplog
        option forwardfor
        option ssl-hello-chk
        server server3 server3:443

frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats admin if LOCALHOST
    stats auth admin:admin123

Please help me :slight_smile:

You are using option forwardfor in your https_in frontend without terminating TLS.
As a result, haproxy is not able to see the HTTP traffic, and can't enrich the XFF header with the client IP address.

As for your http_in frontend, even though you configured use_backend rules, you have a redirect rule to redirect all http traffic to https, and, as a result, option forwardfor does not apply because no request going through this frontend is ever proxied to a backend server.
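The following is an added example of what the answer above implies, not a configuration taken from the thread or from the HAProxy project: the https_in frontend is switched to HTTP mode and terminates TLS itself, so the client address is known to HAProxy and can be written into X-Forwarded-For before the request is handed to Apache. It assumes that the certificates for mojadomena1.pl, mojadomena2.pl and test.mojadomena2.pl are stored as PEM files (key plus chain) under /etc/haproxy/certs/, a path chosen for the example, and that the Apache vhosts on server1, server2 and server3 serve the same content on port 80 over the internal network, so the existing http_server backends can be reused.

```haproxy
# Added example, not the poster's configuration.
# Assumed: one PEM file (private key + certificate chain) per domain in
# /etc/haproxy/certs/; HAProxy loads every file in the directory and picks
# the certificate matching the SNI the client sends.
# Assumed: the Apache vhosts on server1..3 answer on port 80 and are only
# reachable from HAProxy on the internal network.

frontend https_in
        mode http
        option httplog
        bind *:443 ssl crt /etc/haproxy/certs/

        # Overwrite the header instead of appending to it, so a value sent
        # by the client itself never reaches Apache; %[src] is the address
        # HAProxy accepted the TCP connection from.
        http-request set-header X-Forwarded-For %[src]
        http-request set-header X-Forwarded-Proto https

        # Routing now works on the decrypted Host header, as in http_in.
        acl host_server1 hdr(host) -i mojadomena1.pl
        acl host_server2 hdr(host) -i mojadomena2.pl
        acl host_server3 hdr(host) -i test.mojadomena2.pl

        use_backend http_server1 if host_server1
        use_backend http_server2 if host_server2
        use_backend http_server3 if host_server3

# The backends stay in HTTP mode and talk plain HTTP to Apache on the LAN.
backend http_server1
        mode http
        server server1 server1:80

backend http_server2
        mode http
        server server2 server2:80

backend http_server3
        mode http
        server server3 server3:80
```

Because `http-request set-header` replaces any X-Forwarded-For the request already carries, the `option forwardfor` in `defaults` is redundant on this path and can be dropped, which also avoids a second header field being added. On the LAMP hosts, pair `RemoteIPHeader X-Forwarded-For` with `RemoteIPInternalProxy <HAProxy address>` so that mod_remoteip only honours the header on connections that actually come from HAProxy; `%a` in the LogFormat then logs the client address and `%{c}a` the address of the proxy, which is useful when checking that the chain behaves as expected. If TLS has to stay end-to-end on Apache instead, the TCP-mode setup can be kept and the client address carried with the PROXY protocol (`send-proxy` on the server lines and `RemoteIPProxyProtocol On` in mod_remoteip, available from Apache 2.4.31).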

Thanks, Jerome, for the answer.

I can see that I have a lot of work to do with the HAPROXY configuration.

I read the documentation and I get lost in it all.