Hello. I want to pass the real client address from HAProxy to Exchange.
I have added `option forwardfor` to all sections.
I still see the HAProxy address.
Can anyone tell me the exact steps to correctly forward the real client address?
Exchange settings: How to use X-Forwarded-For header to log actual client IP address? (microsoft.com)
My HAProxy config (at this point, I have commented out `option forwardfor`):
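# NOTE(review): the section header (presumably `global`) did not survive the paste; the keywords
# below are global-section settings.
# Fixed: the first log target was written as "127.0.01", which is not a well-formed IPv4 address
# (whether it resolved at all depends on the resolver; either way it was a typo).
log 127.0.0.1 local2 notice
# NOTE(review): with `chroot /var/lib/haproxy` below, the /dev/log socket has to be reachable
# inside the chroot (e.g. /var/lib/haproxy/dev/log) or these two targets receive nothing — confirm.
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Process-wide connection cap; per-section maxconn values above this cannot be reached.
maxconn 10000
# nbproc 4
# Default SSL material locations
# ca-base /etc/ssl/certs
# crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
# ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets
# ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# The active lists below are the permissive "old" profile: they still offer 3DES (DES-CBC3-SHA,
# EDH-RSA-DES-CBC3-SHA) and SHA-1 CBC suites, and the bind/server options only exclude SSLv3, so
# TLS 1.0 and 1.1 remain negotiable. The commented "intermediate" lines above are the stricter
# alternative; switch to them once legacy clients are confirmed absent.
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
tune.ssl.default-dh-param 2048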
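defaults
mode http
log global
option httplog
option dontlognull
# This is the switch the question is about. While it stayed commented out here (and in every
# frontend below) no X-Forwarded-For header was ever inserted, so Exchange could only see the
# HAProxy source address. Enabled in `defaults` it applies to every http-mode frontend/backend.
# It cannot help the `mode tcp` listeners (SMTP/IMAP/POP): those carry no HTTP headers, so the
# client address is not forwardable that way. IIS on the Exchange servers must additionally be
# configured to log the header (the Microsoft article linked in the question). HAProxy may warn
# that the option is ignored for the tcp-mode sections; that is expected and harmless.
option forwardfor
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 15m # this value should be rather high with Exchange
timeout server 15m # this value should be rather high with Exchange
timeout http-keep-alive 10s
timeout check 10s
# NOTE(review): the process-wide maxconn (10000) is lower, so this per-proxy value is never reached.
maxconn 100000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http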
#---------------------------------------------------------------------
# Main front-end which proxies to the back-ends
#---------------------------------------------------------------------
frontend http_frontend
# Plain-HTTP entry point. Hosts named in the redirect below are bounced to HTTPS; every other
# host routed here (netqis, ohtr, mirapolis, myk-vr, vr1-3, estaff) is served in cleartext,
# and their backends are also plain HTTP, so those sites have no TLS anywhere on the path.
bind 10.0.224.16:80
mode http
# Left disabled here; enabling it (here or in `defaults`) is what inserts X-Forwarded-For.
# option forwardfor
# X-Orig-Proto is supplied by the client. It can only add a redirect (`is-http`), never
# suppress one, so it is not a bypass; `is-ssl` is defined but referenced by no rule.
acl is-ssl hdr(X-Orig-Proto) https
acl is-http hdr(X-Orig-Proto) http
acl is_zabbixhttp hdr(host) -i zabbix.csmedica.ru
acl is_sdhttp hdr(host) -i sd.csdeskwork.ru
acl is_owncloudhttp hdr(host) -i owncloud.csdeskwork.ru
acl is_ks82skladhttp hdr(host) -i ks82sklad.csdeskwork.ru
acl is_csdeskworkhttp hdr(host) -i csdeskwork.ru
acl is_test-bitrixcsdeskworkhttp hdr(host) -i test-bitrix.csdeskwork.ru
acl is_bitrixcsdeskworkhttp hdr(host) -i bitrix.csdeskwork.ru
acl is_backupbitrixcsdeskworkhttp hdr(host) -i backup-bitrix.csdeskwork.ru
acl is_udhttp hdr(host) -i ud.csdeskwork.ru
redirect scheme https code 301 if is-http || is_zabbixhttp || is_sdhttp || is_owncloudhttp || is_csdeskworkhttp || is_udhttp || is_ks82skladhttp || is_test-bitrixcsdeskworkhttp || is_bitrixcsdeskworkhttp || is_backupbitrixcsdeskworkhttp
# Rules are evaluated in order; the first matching use_backend wins.
acl is_netqis hdr(host) -i netqis.csdeskwork.ru
use_backend netqis if is_netqis
acl is_ohtr hdr(host) -i ohtr.csdeskwork.ru
use_backend ohtr if is_ohtr
acl is_mirapolis hdr(host) -i mirapolis.csdeskwork.ru
use_backend mirapolis if is_mirapolis
acl is_myk-vr.csdeskwork.ru hdr(host) -i myk-vr.csdeskwork.ru
use_backend myk-vr.csdeskwork.ru if is_myk-vr.csdeskwork.ru
acl is_vr1.csdeskwork.ru hdr(host) -i vr1.csdeskwork.ru
use_backend vr1.csdeskwork.ru if is_vr1.csdeskwork.ru
acl is_vr2.csdeskwork.ru hdr(host) -i vr2.csdeskwork.ru
use_backend vr2.csdeskwork.ru if is_vr2.csdeskwork.ru
acl is_vr3.csdeskwork.ru hdr(host) -i vr3.csdeskwork.ru
use_backend vr3.csdeskwork.ru if is_vr3.csdeskwork.ru
acl is_estaff.csdeskwork.ru hdr(host) -i estaff.csdeskwork.ru
use_backend be_estaff.csdeskwork.ru if is_estaff.csdeskwork.ru
# ud.csdeskwork.ru is already redirected to HTTPS above, so these are superseded.
# acl is_udhttp hdr(host) -i ud.csdeskwork.ru
# use_backend ud if is_udhttp
frontend https_frontend_ssl_terminate
# TLS termination for the csdeskwork/csmedica web sites; traffic is re-encrypted by the
# `ssl verify none` backends, so the origin certificates are never validated on the second hop.
mode http
# Left disabled here; enabling it (here or in `defaults`) is what inserts X-Forwarded-For.
# option forwardfor
bind 10.0.224.16:443 ssl crt /etc/haproxy/ssl/wc-csdeskwork2023.pem
# Disables keep-alive on this frontend; each request gets its own connection.
option httpclose
acl is_zabbix hdr(host) -i zabbix.csmedica.ru
use_backend Zabbix if is_zabbix
acl is_sd hdr(host) -i sd.csdeskwork.ru
use_backend sd if is_sd
acl is_owncloud hdr(host) -i owncloud.csdeskwork.ru
use_backend owncloud if is_owncloud
# hdr_beg is a prefix match: it also accepts "csdeskwork.ru:443" and any longer Host value
# that starts with the string. Exact `hdr(host)` is used for the other sites; the mix looks
# unintentional — confirm which behaviour is wanted.
acl is_csdeskwork hdr_beg(host) -i csdeskwork.ru
use_backend csdeskwork2 if is_csdeskwork
acl is_udhttp hdr(host) -i ud.csdeskwork.ru
use_backend ud if is_udhttp
acl is_testbitrixcsdeskwork hdr_beg(host) -i test-bitrix.csdeskwork.ru
use_backend testbitrixcsdeskwork if is_testbitrixcsdeskwork
acl is_bitrixcsdeskwork hdr_beg(host) -i bitrix.csdeskwork.ru
use_backend bitrixcsdeskwork if is_bitrixcsdeskwork
acl is_backupbitrixcsdeskwork hdr_beg(host) -i backup-bitrix.csdeskwork.ru
use_backend backupbitrixcsdeskwork if is_backupbitrixcsdeskwork
acl is_ks82sklad hdr(host) -i ks82sklad.csdeskwork.ru
acl p_root path -i /
# Rewrites a bare "/" on the ks82sklad host to the application path before routing.
http-request set-path /Ks_82_Sklad/ru if is_ks82sklad p_root
use_backend ks82sklad if is_ks82sklad
acl is_csm-video01 hdr(host) -i csm-video01.csdeskwork.ru
use_backend csm-video01 if is_csm-video01
### EXCHANGE config begin
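frontend fe_ex2019
# HSTS is still disabled. Enable it once every host served by this certificate is HTTPS-only:
# http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-Content-Type-Options nosniff
mode http
# Inserts X-Forwarded-For towards the Exchange servers. Harmless if also set in `defaults`.
# IIS on the Exchange side still has to be configured to log that header (Microsoft article
# linked in the question); without that the IIS logs keep showing HAProxy's address.
option forwardfor
bind 10.0.224.18:80
bind 10.0.224.18:443 ssl crt /etc/haproxy/ssl/wc_csmedica2023.pem
redirect scheme https code 301 if !{ ssl_fc } # redirect 80 -> 443 (for owa)
# `path_beg -i` is case-insensitive, so the former second lines for /OWA and /ews were
# redundant and have been removed; matching is unchanged.
acl autodiscover path_beg -i /Autodiscover
#acl autodiscover url_beg /autodiscover
acl mapi path_beg -i /mapi
acl rpc path_beg -i /rpc
acl owa path_beg -i /owa
acl eas path_beg -i /Microsoft-Server-ActiveSync
acl ecp path_beg -i /ecp
acl ews path_beg -i /EWS
acl oab path_beg -i /OAB
# One backend per Exchange virtual directory so each can run its own health check.
use_backend be_ex2019_autodiscover if autodiscover
use_backend be_ex2019_mapi if mapi
use_backend be_ex2019_rpc if rpc
use_backend be_ex2019_owa if owa
use_backend be_ex2019_eas if eas
use_backend be_ex2019_ecp if ecp
use_backend be_ex2019_ews if ews
use_backend be_ex2019_oab if oab
default_backend be_ex2019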
frontend fe_exchange_smtp
# Raw TCP pass-through for SMTP. In `mode tcp` HAProxy cannot add an X-Forwarded-For header
# (there is no HTTP layer), so Exchange will always see HAProxy's address on this port; the
# same holds for every tcp listener below. Passing the client address on a TCP listener would
# require the receiving service to accept the PROXY protocol (`send-proxy` on the server line),
# which, as far as I know, Exchange does not.
mode tcp
option tcplog
bind 10.0.224.18:25
default_backend be_exchange_smtp
# The experiment below could not have worked for the reason above: `http-request` rules are
# not applicable in a tcp-mode proxy, and `req.hdr_cnt` has no HTTP request to inspect.
#frontend fe_exchange_smtp_forwarded_for
# mode tcp
# option tcplog
# bind 10.0.224.18:2525
# default_backend be_exchange_smtp_forwarded_for
frontend fe_exchange_imaps
# TCP pass-through for IMAPS; TLS is not terminated here, and no client address can be forwarded (tcp mode).
mode tcp
option tcplog
bind 10.0.224.18:993 name imaps
default_backend be_exchange_imaps
frontend fe_exchange_smtp587
# TCP pass-through for submission (587); client address not forwardable in tcp mode.
mode tcp
option tcplog
bind 10.0.224.18:587
default_backend be_exchange_smtp587
frontend fe_exchange_pop3
# TCP pass-through for POP3S (995); client address not forwardable in tcp mode.
mode tcp
option tcplog
bind 10.0.224.18:995 name pop3
default_backend be_exchange_pop3
frontend fe_exchange_pop
# TCP pass-through for plaintext POP3 (110). Credentials on this port are only protected if
# clients negotiate STARTTLS with Exchange; HAProxy does not enforce it.
mode tcp
option tcplog
bind 10.0.224.18:110 name pop
default_backend be_exchange_pop
frontend fe_exchange_smtpbasic
# TCP pass-through to a custom SMTP receive port (11125); client address not forwardable in tcp mode.
mode tcp
option tcplog
bind 10.0.224.18:11125 name smtpbasic
default_backend be_exchange_smtpbasic
frontend fe_exchange_smtp1C
# TCP pass-through to a custom SMTP receive port (11225); client address not forwardable in tcp mode.
mode tcp
option tcplog
bind 10.0.224.18:11225 name smtp1C
default_backend be_exchange_smtp1C
### EXCHANGE config end
#------------------------------
# Back-end section
#------------------------------
backend be_stkh_clients
# NOTE(review): no frontend in this paste references this backend — possibly a leftover.
mode tcp
option tcplog
server server1 10.0.16.53:13289
backend Zabbix
mode http
# Re-encrypts to the origin, but `verify none` skips certificate validation on this hop.
server zabbix zabbix.csmedica.ru:443 ssl verify none
backend sd
mode http
# `verify none`: origin certificate not validated.
server sd sd.csdeskwork.ru:443 ssl verify none
backend owncloud
mode http
# `verify none`: origin certificate not validated.
server owncloud owncloud.csdeskwork.ru:443 ssl verify none
backend ks82sklad
mode http
# Internal 1C host; `verify none`: origin certificate not validated.
server ks82sklad csm-1c01.ad.csmedica.ru:443 ssl verify none
backend csdeskwork2
mode http
# `verify none`: origin certificate not validated.
server csdeskwork3 csdeskwork.ru:443 ssl verify none
backend testbitrixcsdeskwork
mode http
# `verify none`: origin certificate not validated.
server testbitrixcsdeskwork test-bitrix.csdeskwork.ru:443 ssl verify none
backend bitrixcsdeskwork
mode http
# `verify none`: origin certificate not validated.
server bitrixcsdeskwork bitrix.csdeskwork.ru:443 ssl verify none
backend backupbitrixcsdeskwork
mode http
# `verify none`: origin certificate not validated.
server backupbitrixcsdeskwork backup-bitrix.csdeskwork.ru:443 ssl verify none
backend myk-vr.csdeskwork.ru
mode http
# Cleartext HTTP to the origin (reached only via the port-80 frontend).
server myk-vr.csdeskwork.ru myk-vr.csdeskwork.ru:80
backend netqis
mode http
# Cleartext HTTP to the origin.
server netqis netqis.csdeskwork.ru:80
backend ohtr
mode http
# Cleartext HTTP to an internal host.
server ohtr 10.0.16.55:80
backend mirapolis
mode http
# Cleartext HTTP to an internal host on 8080.
server mirapolis 10.0.224.14:8080
backend vr1.csdeskwork.ru
mode http
# Cleartext HTTP to the origin.
server vr1.csdeskwork.ru vr1.csdeskwork.ru:80
backend vr2.csdeskwork.ru
mode http
# Cleartext HTTP to the origin.
server vr2.csdeskwork.ru vr2.csdeskwork.ru:80
backend vr3.csdeskwork.ru
mode http
# Cleartext HTTP to the origin.
server vr3.csdeskwork.ru vr3.csdeskwork.ru:80
backend be_estaff.csdeskwork.ru
mode http
# Cleartext HTTP to an internal host on 9000.
server csm-estaff.ad.csmedica.ru csm-estaff.ad.csmedica.ru:9000
backend ud
mode http
# `verify none`: origin certificate not validated.
server db-srv2.c_s ud.csdeskwork.ru:443 ssl verify none
backend csm-video01
mode http
# `verify none`: origin certificate not validated.
server csm-video01 csm-video01.csdeskwork.ru:443 ssl verify none
### EXCHANGE config begin
backend be_ex2019_autodiscover
# Exchange CAS pool for /Autodiscover. `balance source` pins each client IP to one server.
# `verify none` means the Exchange certificate is not validated on the HAProxy->Exchange hop;
# use `verify required` with a `ca-file` pointing at the internal CA if that hop is not trusted.
mode http
balance source
option httpchk GET /autodiscover/healthcheck.htm
option log-health-checks
http-check expect status 200
server csm-ex01.ad.csmedica.ru 10.0.16.84:443 check ssl verify none
server csm-ex02.ad.csmedica.ru 10.0.16.85:443 check ssl verify none
backend be_ex2019_mapi
# Exchange CAS pool for /mapi; source-IP stickiness, health check on the per-vdir page,
# `verify none` on the re-encrypted hop.
mode http
balance source
option httpchk GET /mapi/healthcheck.htm
option log-health-checks
http-check expect status 200
server csm-ex01.ad.csmedica.ru 10.0.16.84:443 check ssl verify none
server csm-ex02.ad.csmedica.ru 10.0.16.85:443 check ssl verify none
backend be_ex2019_rpc
# Exchange CAS pool for /rpc (Outlook Anywhere); same pattern as the other be_ex2019_* pools.
mode http
balance source
option httpchk GET /rpc/healthcheck.htm
option log-health-checks
http-check expect status 200
server csm-ex01.ad.csmedica.ru 10.0.16.84:443 check ssl verify none
server csm-ex02.ad.csmedica.ru 10.0.16.85:443 check ssl verify none
backend be_ex2019_owa
# Exchange CAS pool for /owa; `verify none` on the re-encrypted hop.
mode http
balance source
option httpchk GET /owa/healthcheck.htm
option log-health-checks
http-check expect status 200
server csm-ex01.ad.csmedica.ru 10.0.16.84:443 check ssl verify none
server csm-ex02.ad.csmedica.ru 10.0.16.85:443 check ssl verify none
backend be_ex2019_eas
# Exchange CAS pool for ActiveSync; `verify none` on the re-encrypted hop.
mode http
balance source
option httpchk GET /microsoft-server-activesync/healthcheck.htm
option log-health-checks
http-check expect status 200
server csm-ex01.ad.csmedica.ru 10.0.16.84:443 check ssl verify none
server csm-ex02.ad.csmedica.ru 10.0.16.85:443 check ssl verify none
backend be_ex2019_ecp
# Exchange CAS pool for /ecp (admin center). Note this exposes the management UI on the same
# public frontend as OWA; `verify none` on the re-encrypted hop.
mode http
balance source
option httpchk GET /ecp/healthcheck.htm
option log-health-checks
http-check expect status 200
server csm-ex01.ad.csmedica.ru 10.0.16.84:443 check ssl verify none
server csm-ex02.ad.csmedica.ru 10.0.16.85:443 check ssl verify none
backend be_ex2019_ews
# Exchange CAS pool for /EWS; `verify none` on the re-encrypted hop.
mode http
balance source
option httpchk GET /ews/healthcheck.htm
option log-health-checks
http-check expect status 200
server csm-ex01.ad.csmedica.ru 10.0.16.84:443 check ssl verify none
server csm-ex02.ad.csmedica.ru 10.0.16.85:443 check ssl verify none
backend be_ex2019_oab
# Exchange CAS pool for /OAB; `verify none` on the re-encrypted hop.
mode http
balance source
option httpchk GET /oab/healthcheck.htm
option log-health-checks
http-check expect status 200
server csm-ex01.ad.csmedica.ru 10.0.16.84:443 check ssl verify none
server csm-ex02.ad.csmedica.ru 10.0.16.85:443 check ssl verify none
backend be_ex2019
# Catch-all Exchange pool for paths not matched above. Unlike the other pools it has no
# `httpchk`, so `check` here is a plain TCP connect check only.
mode http
balance source
server csm-ex01.ad.csmedica.ru 10.0.16.84:443 check ssl verify none
server csm-ex02.ad.csmedica.ru 10.0.16.85:443 check ssl verify none
backend be_exchange_smtp
# SMTP (25) pool; TCP connect checks only. Exchange sees HAProxy as the connecting host,
# so any Exchange receive-connector or anti-spam rule keyed on sender IP sees the proxy address.
mode tcp
option tcplog
balance source
option log-health-checks
server exchange1 10.0.16.84:25 check
server exchange2 10.0.16.85:25 check
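backend be_exchange_imaps
# IMAPS (993) pool, TCP connect checks only.
mode tcp
option tcplog
# Only one `balance` directive is honoured per section (the last one wins), so the earlier
# `balance source` that preceded this line was dead configuration; `leastconn` is what was
# actually in effect and is kept.
balance leastconn
option log-health-checks
server exchange1 10.0.16.84:993 check
server exchange2 10.0.16.85:993 check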
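backend be_exchange_smtp587
# Submission (587) pool, TCP connect checks only.
mode tcp
option tcplog
# The duplicate `balance source` that preceded this line was dead (last `balance` wins);
# `leastconn` was the effective algorithm and is kept.
balance leastconn
option log-health-checks
server exchange1 10.0.16.84:587 check
server exchange2 10.0.16.85:587 check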
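backend be_exchange_pop3
# POP3S (995) pool, TCP connect checks only.
mode tcp
option tcplog
# The duplicate `balance source` that preceded this line was dead (last `balance` wins);
# `leastconn` was the effective algorithm and is kept.
balance leastconn
option log-health-checks
server exchange1 10.0.16.84:995 check
server exchange2 10.0.16.85:995 check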
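backend be_exchange_pop
# Plaintext POP3 (110) pool, TCP connect checks only.
mode tcp
option tcplog
# The duplicate `balance source` that preceded this line was dead (last `balance` wins);
# `leastconn` was the effective algorithm and is kept.
balance leastconn
option log-health-checks
server exchange1 10.0.16.84:110 check
server exchange2 10.0.16.85:110 check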
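backend be_exchange_smtpbasic
# Custom SMTP receive port (11125) pool, TCP connect checks only.
mode tcp
option tcplog
# The duplicate `balance source` that preceded this line was dead (last `balance` wins);
# `leastconn` was the effective algorithm and is kept.
balance leastconn
option log-health-checks
server exchange1 10.0.16.84:11125 check
server exchange2 10.0.16.85:11125 check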
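backend be_exchange_smtp1C
# Custom SMTP receive port (11225) pool, TCP connect checks only.
mode tcp
option tcplog
# The duplicate `balance source` that preceded this line was dead (last `balance` wins);
# `leastconn` was the effective algorithm and is kept.
balance leastconn
option log-health-checks
server exchange1 10.0.16.84:11225 check
server exchange2 10.0.16.85:11225 check
# The commented experiment below cannot work: `http-request set-header` and `req.hdr_cnt`
# operate on HTTP requests and are not applicable in a `mode tcp` backend, and SMTP has no
# X-Forwarded-For header to carry the address in any case.
#backend be_exchange_smtp_forwarded_for
# mode tcp
# option tcplog
# option tcp-check
# tcp-request inspect-delay 5s
# tcp-request content accept if { req.hdr_cnt(X-Forwarded-For) gt 0 }
# http-request set-header X-Forwarded-For %[src] if !{ req.hdr_cnt(X-Forwarded-For) gt 0 }
# server exchange1 10.0.16.84:25 check
# server exchange2 10.0.16.85:25 check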
### EXCHANGE config end
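listen stats
# NOTE(review): the stats page is served over plain HTTP (no `ssl crt` on this bind), so the
# basic-auth credentials cross the wire in cleartext. Restrict the bind to a management address
# or terminate TLS here as the 443 frontends do.
bind 10.0.224.16:8181
stats enable
stats uri /haproxy
stats realm Haproxy\ Statistics
stats hide-version
# The original line carried a real password that was published together with this config;
# treat it as compromised and rotate it. The placeholder below must be replaced before reload.
stats auth admin:REPLACE_WITH_ROTATED_PASSWORD
stats show-legends
stats show-node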