HAProxy community

Haproxy & CloudFlare & Cf-Connecting-Ip


#1

Hello
I use Cloudflare in front of the HAProxy load balancer.
I would like to add an X-Local header if the client IP is on a specific list.
It should be noted that the headers come from the Cloudflare server side.
Please advise.

defaults
log global
mode http
option httplog
option dontlognull
option forwardfor
retries 2
maxconn 2000000
timeout client 60s
timeout server 60s
timeout queue 60s
timeout connect 4s
option httpclose
option abortonclose
timeout http-request 5s
option http-keep-alive
option tcp-smart-accept
option tcp-smart-connect
stats enable
stats refresh 10s
stats uri /stats
stats realm Authentication\ Required
stats auth admin:usetsels

frontend testsite_https
bind 192.168.0.31:443 ssl crt /etc/haproxy/certs/testsite.com/testsite.pem alpn h2,http/1.1 npn h2,http/1.1
mode http
option http-keep-alive
option forwardfor
acl is_cf req.hdr(cf-connecting-ip) -m found
acl from_eli_cf req.hdr_ip(cf-connecting-ip) -f /etc/haproxy/eli.subnets
acl whitelist src -f /etc/haproxy/WL.subnets
acl badbots hdr_reg(User-Agent) -i -f /etc/haproxy/badbots.lst
acl from_tr src -f /etc/haproxy/tr.subnets
acl from_eli src -f /etc/haproxy/eli.subnets
acl url_cdn hdr_end(host) -i cdn.testsite.com
acl url_cdn hdr_end(host) -i cdnx.testsite.com
acl m_testsite hdr_end(host) -i m.testsite.com
acl host_testsite hdr(host) -i testsite.com
acl host_testsite hdr_end(host) -i testsite.co
http-request deny if badbots !whitelist
http-request add-header X-Country %[req.hdr(Cf-Ipcountry)] if is_cf
http-request add-header X-Local Yes if from_eli_cf
reqirep ^cf-connecting-ip:(.) X-Forwarded-For:\1 if is_cf
reqadd X-Country:\ IR if from_tr
reqadd X-Forwarded-Proto:\ https
reqadd X-Local:\ Yes if from_eli
redirect code 301 prefix https://www.testsite.com if m_testsite
use_backend cdn-testsite if url_cdn
use_backend cdn-video if video_cdn
use_backend eli-weblog if url_weblog from_tr
use_backend eli-weblog-x if url_weblog !from_tr
default_backend testsite
rspidel ^X-.

rspirep ^Server:.* Server:\ testWeb\ 0.1
rspadd X-XSS-Protection:\ 1;\ mode=block
#rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload;
rspadd X-Content-Type-Options:\ nosniff


#2

Seems like you are already doing it:

acl from_eli_cf req.hdr_ip(cf-connecting-ip) -f /etc/haproxy/eli.subnets
http-request add-header X-Local Yes if from_eli_cf

However, you are also doing a million other things at the same time, like rewriting the header you are relying on in the first place:

 reqirep ^cf-connecting-ip:(.) X-Forwarded-For:\1 if is_cf

So I suggest you remove everything and start with just the two configuration lines to set X-Local.
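As an added example (not part of either post above), here is a minimal frontend built around the two X-Local lines the reply points to. It replaces the reqirep/reqadd/rsp* directives with their http-request / http-response equivalents (the req*/rsp* family was removed in HAProxy 2.1) and only trusts Cf-Connecting-Ip when the TCP peer is actually Cloudflare, because a client that reaches 192.168.0.31 directly can put any value in that header. The file /etc/haproxy/cloudflare.ips is an assumed path that you would populate from Cloudflare's published IP ranges; the bind line, certificate path and /etc/haproxy/eli.subnets are taken from the original post.

```haproxy
frontend testsite_https
    bind 192.168.0.31:443 ssl crt /etc/haproxy/certs/testsite.com/testsite.pem alpn h2,http/1.1
    mode http
    option http-keep-alive
    # if-none: do not append to an X-Forwarded-For we set ourselves below
    option forwardfor if-none

    # /etc/haproxy/cloudflare.ips is an assumed path holding Cloudflare's published ranges
    acl from_cloudflare src -f /etc/haproxy/cloudflare.ips

    # Drop headers a client could forge; we only ever want our own values in them.
    http-request del-header X-Local
    http-request del-header X-Country
    http-request del-header X-Forwarded-Proto
    # Cf-Connecting-Ip is only meaningful when the request came through Cloudflare
    http-request del-header Cf-Connecting-Ip if !from_cloudflare

    acl is_cf       req.hdr(cf-connecting-ip) -m found
    # Client address as reported by Cloudflare (requests via Cloudflare)
    acl from_eli_cf req.hdr_ip(cf-connecting-ip) -f /etc/haproxy/eli.subnets
    # Client address seen on the TCP connection (direct requests)
    acl from_eli    src -f /etc/haproxy/eli.subnets

    # Expose the real client address to the backend instead of the Cloudflare edge IP.
    # set-header replaces the whole value, which is what the reqirep line was trying to do.
    http-request set-header X-Forwarded-For %[req.hdr(cf-connecting-ip)] if is_cf
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Country %[req.hdr(Cf-Ipcountry)] if is_cf

    # The two lines that actually answer the question
    http-request set-header X-Local Yes if from_eli_cf || from_eli

    default_backend testsite

    # Response-side equivalents of the rspirep/rspadd lines
    http-response set-header Server "testWeb 0.1"
    http-response set-header X-XSS-Protection "1; mode=block"
    http-response set-header X-Content-Type-Options nosniff
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. To confirm the trust boundary, send one request to the bind address directly with a Cf-Connecting-Ip value that is inside eli.subnets, and one through Cloudflare from an address in that list: only the second should reach the backend with X-Local set, since the first has its forged header removed by the `!from_cloudflare` rule before the ACL is evaluated.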