I’m new to HAProxy and I’m currently migrating my proxy server from NGINX to HAProxy. One of the requirements I have is that I can do Host-header-based routing without SSL offloading, but that my application, which sits behind HAProxy, can still fetch the source IP addresses. For HTTP traffic it is working; HTTPS traffic itself is also working, but my application sees the IP address of the HAProxy and not the address of the source. Any help is welcome. This is how my config currently looks:
    # Section headers, bind, mode and tcp-request lines below are reconstructed
    # (assumed): the pasted config had lost them, and req.ssl_sni only works in a
    # TCP-mode frontend that waits for the ClientHello before routing.
    global
        log /dev/log local0
        log /dev/log local1 notice
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s

    defaults
        log global
        mode http
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 503 /etc/haproxy/errors/503.http

    frontend http_front
        bind *:80
        acl is_admin hdr(host) -i admin.XXXXXXXXXXXXX.net
        use_backend http_back if is_admin

    backend http_back
        http-request set-header X-Forwarded-For %[src]
        http-request set-header Upgrade Websocket
        http-request set-header Host %[hdr(host)]
        server server1 10.1.0.7:80 maxconn 32

    frontend https_front
        bind *:443
        mode tcp
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        acl is_admin_ssl req.ssl_sni -i admin.XXXXXXXXXXXX.net
        use_backend https_back if is_admin_ssl

    backend https_back
        mode tcp
        server server1 10.1.0.7:443
You cannot, really: nobody can act on encrypted data without decrypting it. What HAProxy can do is SNI-based routing, which is NOT the same as Host-header-based matching.
The difference can, for example, lead to unexpected traffic flow when using overlapping certificates. So do make sure you don’t have any overlaps in the certificates.
The application needs PROXY protocol support for this. nginx / Apache do have that.
Add “send-proxy” to the server line in HAProxy and configure the backend application to accept the PROXY protocol (for example in nginx: Accepting the PROXY Protocol | NGINX Documentation).
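To make concrete what the answer above describes, here is an added example (not code from the thread or from HAProxy) of what the backend actually receives on the wire when `send-proxy` is set on a TCP-mode server line: one ASCII `PROXY` line, then the untouched TLS ClientHello. The function `parse_proxy_v1` validates that line the way a PROXY-protocol-aware backend would (per the HAProxy PROXY protocol v1 specification: `TCP4`/`TCP6`/`UNKNOWN`, CRLF-terminated, at most 107 bytes) and hands back the real client address plus the TLS bytes that follow. `classify_first_bytes` shows the failure mode when the backend has not been told to expect the header: byte 0 is the letter `P`, not a TLS handshake record (`0x16 0x03`), so a TLS-only listener aborts the handshake. The sample bytes are constructed for the example, and the ClientHello is a truncated stand-in.

```python
"""PROXY protocol v1 as seen by the backend behind an HAProxy `send-proxy` server line.

Added example; the addresses and the (truncated) ClientHello are constructed.
"""
import ipaddress

PROXY_V1_MAX = 107                  # spec: longest valid v1 line, CRLF included
TLS_HANDSHAKE_RECORD = b"\x16\x03"  # record type 22 (handshake), TLS 1.x major version

# Constructed stand-in for the start of a TLS ClientHello record (not a real hello).
CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 16

# What HAProxy sends with `server server1 10.1.0.7:443 send-proxy`:
# "PROXY <proto> <client ip> <proxy ip> <client port> <proxy port>\r\n" + original bytes.
WITH_PROXY = b"PROXY TCP4 203.0.113.5 10.1.0.7 51234 443\r\n" + CLIENT_HELLO
WITH_PROXY_V6 = b"PROXY TCP6 2001:db8::15 2001:db8::7 51234 443\r\n" + CLIENT_HELLO


def classify_first_bytes(data: bytes) -> str:
    """Label what a listener sees at byte 0 of a new connection.

    A TLS-only backend (nginx without `proxy_protocol` on its listen line) expects
    'tls-handshake' here; 'proxy-protocol-v1' is why the browser gets
    ERR_SSL_PROTOCOL_ERROR when send-proxy is enabled but the backend was not told.
    """
    if data.startswith(b"PROXY "):
        return "proxy-protocol-v1"
    if data[:2] == TLS_HANDSHAKE_RECORD:
        return "tls-handshake"
    return "unknown"


def parse_proxy_v1(data: bytes):
    """Parse and validate a PROXY v1 header.

    Returns (source_ip, source_port, payload). For 'PROXY UNKNOWN' the address
    fields are None. Raises ValueError on anything that does not match the spec,
    which is how a real receiver must behave (reject the connection).
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("connection does not start with a PROXY v1 header")
    end = data.find(b"\r\n", 0, PROXY_V1_MAX)
    if end < 0:
        raise ValueError("PROXY header not CRLF-terminated within 107 bytes")
    payload = data[end + 2:]
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, None, payload       # proxy could not determine the client address
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header: %r" % data[:end])
    want_version = 4 if fields[1] == "TCP4" else 6
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    if src.version != want_version or dst.version != want_version:
        raise ValueError("address family does not match %s" % fields[1])
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport, payload


def main() -> None:
    for label, conn in (("without send-proxy", CLIENT_HELLO), ("with send-proxy", WITH_PROXY)):
        print("%-19s first bytes look like: %s" % (label, classify_first_bytes(conn)))
    ip, port, rest = parse_proxy_v1(WITH_PROXY)
    print("real client is %s:%d; TLS handshake follows (%d bytes)" % (ip, port, len(rest)))


if __name__ == "__main__":
    main()
```

The two sides have to agree: `send-proxy` on the HAProxy server line and PROXY-protocol acceptance on the backend listener, or the TLS handshake never starts. Once both are set, the backend's access log can record the parsed source address instead of the proxy's.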
Thank you for the fast reply. I tried the “send-proxy” setting again, but that breaks my SSL setup. I get an “ERR_SSL_PROTOCOL_ERROR” back.
Any other tricks I can do? I’m setting up a classroom test lab (multiple systems behind a single public IP via the proxy), and one of the tasks each student has to do is to get a certificate via the built-in Let's Encrypt functionality of the product that is configured behind the HAProxy. That part is currently actually working; the only thing that is not working correctly is the logging, as the system thinks my connections come from the proxy IP. For the HTTP traffic I managed to fix it by injecting the X-Forwarded-For header, but I understand I can’t do this for the HTTPS traffic (as it is not decrypted). I was hoping there was some kind of trick by which I could force the source IP address (at least in the header) to remain the original one.
Please read my post completely.