HAProxy community

Haproxy & CloudFlare & Cf-Connecting-Ip


I use Cloudflare in front of the HAProxy load balancer.
I would like to add an X-Local header if the client IP is on a specific list.
It should be noted that the headers come from the Cloudflare server side.
Please advise.

log global
mode http
option httplog
option dontlognull
option forwardfor
retries 2
maxconn 2000000
timeout client 60s
timeout server 60s
timeout queue 60s
timeout connect 4s
option httpclose
option abortonclose
timeout http-request 5s
option http-keep-alive
option tcp-smart-accept
option tcp-smart-connect
stats enable
stats refresh 10s
stats uri /stats
stats realm Authentication\ Required
stats auth admin:usetsels

frontend testsite_https
bind ssl crt /etc/haproxy/certs/testsite.com/testsite.pem alpn h2,http/1.1 npn h2,http/1.1
mode http
option http-keep-alive
option forwardfor
acl is_cf req.hdr(cf-connecting-ip) -m found
acl from_eli_cf req.hdr_ip(cf-connecting-ip) -f /etc/haproxy/eli.subnets
acl whitelist src -f /etc/haproxy/WL.subnets
acl badbots hdr_reg(User-Agent) -i -f /etc/haproxy/badbots.lst
acl from_tr src -f /etc/haproxy/tr.subnets
acl from_eli src -f /etc/haproxy/eli.subnets
acl url_cdn hdr_end(host) -i cdn.testsite.com
acl url_cdn hdr_end(host) -i cdnx.testsite.com
acl m_testsite hdr_end(host) -i m.testsite.com
acl host_testsite hdr(host) -i testsite.com
acl host_testsite hdr_end(host) -i testsite.co
http-request deny if badbots !whitelist
http-request add-header X-Country %[req.hdr(Cf-Ipcountry)] if is_cf
http-request add-header X-Local Yes if from_eli_cf
reqirep ^cf-connecting-ip:(.) X-Forwarded-For:\1 if is_cf
reqadd X-Country:\ IR if from_tr
reqadd X-Forwarded-Proto:\ https
reqadd X-Local:\ Yes if from_eli
redirect code 301 prefix https://www.testsite.com if m_testsite
use_backend cdn-testsite if url_cdn
use_backend cdn-video if video_cdn
use_backend eli-weblog if url_weblog from_tr
use_backend eli-weblog-x if url_weblog !from_tr
default_backend testsite
rspidel ^X-.

rspirep ^Server:.* Server:\ testWeb\ 0.1
rspadd X-XSS-Protection:\ 1;\ mode=block
#rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload;
rspadd X-Content-Type-Options:\ nosniff


Seems like you are already doing it:

acl from_eli_cf req.hdr_ip(cf-connecting-ip) -f /etc/haproxy/eli.subnets
http-request add-header X-Local Yes if from_eli_cf

However, you are also doing a million other things at the same time, like rewriting that header you are relying on in the first place:

 reqirep ^cf-connecting-ip:(.) X-Forwarded-For:\1 if is_cf

So I suggest you remove everything and start with just the 2 configuration lines to set X-Local.
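
A hardened form of that two-line starting point, as an added example that is not part of the original thread: it honours Cf-Connecting-Ip only when the TCP peer is a Cloudflare address and strips any X-Local the client sent, because the backend treats X-Local as a trust signal. The frontend name, port, backend address and the /etc/haproxy/cloudflare.subnets file (to be filled from Cloudflare's published ranges) are assumptions.

```haproxy
# Added example: minimal test configuration, not the poster's production config.
defaults
    mode http
    timeout client  60s
    timeout server  60s
    timeout connect 4s

frontend testsite_min
    # Assumption: plain HTTP test listener; add ssl/crt options as needed.
    bind :8080

    # True only when the TCP peer is a Cloudflare edge address.
    # Hypothetical file: one CIDR per line, taken from Cloudflare's published list.
    acl from_cf     src -f /etc/haproxy/cloudflare.subnets

    # The ACL from the thread: client IP as reported by Cloudflare is on the list.
    acl from_eli_cf req.hdr_ip(cf-connecting-ip) -f /etc/haproxy/eli.subnets

    # Never forward an X-Local value supplied by the client.
    http-request del-header X-Local

    # Set X-Local only when the header can be trusted (peer is Cloudflare)
    # and the reported client IP matches the list.
    http-request set-header X-Local Yes if from_cf from_eli_cf

    default_backend testsite

backend testsite
    # Assumption: placeholder backend address for testing.
    server web1 127.0.0.1:8081
```

Without the `from_cf` condition, anyone who can reach HAProxy directly can send their own Cf-Connecting-Ip value and obtain X-Local.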