HTTPS in passthrough, but passing on the source IPs

I’m new to HAProxy and I’m currently migrating my proxy server from NGINX to HAProxy. One of the requirements I have is that I can do host-header-based routing without SSL offloading, but that my application behind HAProxy can still fetch the source IP addresses. For HTTP traffic it is working; HTTPS traffic itself is also working, but my application sees the IP address of the HAProxy and not the address of the source. Any help is welcome. This is how my config currently looks:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http_front
    bind *:80
    # Plain HTTP: the request is readable, so the client address can be
    # handed to the backend in X-Forwarded-For
    http-request set-header X-Forwarded-For %[src]
    http-request set-header Upgrade Websocket
    http-request set-header Host %[hdr(host)]
    acl is_admin hdr(host) -i
    use_backend http_back if is_admin
    default_backend error_page

frontend https_front
    bind *:443
    mode tcp
    option tcplog
    # Wait for the TLS ClientHello so that req.ssl_sni is populated
    # before the routing rules below are evaluated
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl is_admin_ssl req.ssl_sni -i
    use_backend https_back if is_admin_ssl
    default_backend error_page

backend http_back
    server server1 maxconn 32

backend https_back
    mode tcp
    option ssl-hello-chk
    server server1

backend error_page
    mode http
    errorfile 503 /etc/haproxy/errors/503.http

You cannot, really; nobody can act on encrypted data without decrypting it. What HAProxy can do is SNI-based routing, which is NOT the same as Host-header-based matching.

The difference can, for example, lead to unexpected traffic flow when using overlapping certificates. So do make sure you don’t have any overlaps in the certificates.

The application needs PROXY protocol support for this. nginx / Apache do have that.

Add “send-proxy” to the server line in HAProxy and configure the backend application to accept the PROXY protocol (for example in nginx: Accepting the PROXY Protocol | NGINX Documentation).

1 Like
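As an added illustration (not code from this thread or from HAProxy), here is a small Python parser for the PROXY protocol v1 line that “send-proxy” prepends to each connection: it shows the original client address travelling in clear text ahead of the untouched TLS bytes, and it rejects a stream that begins with a TLS record instead, which is what a backend sees when one side has PROXY enabled and the other does not. The sample bytes are constructed for the example.

```python
import ipaddress
import re

# PROXY protocol v1 header as haproxy's "send-proxy" emits it, once at the
# start of the connection: "PROXY TCP4 <src> <dst> <sport> <dport>\r\n",
# at most 107 bytes including the CRLF ("PROXY UNKNOWN\r\n" when the proxy
# cannot describe the original connection).
V1_MAX_LEN = 107
_V1_RE = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n")

def parse_proxy_v1(data):
    """Split a PROXY v1 header off the start of a TCP stream.

    Returns (info, payload): info holds the original client address, payload
    is every byte after the CRLF, untouched (in TLS passthrough that is the
    ClientHello the proxy never decrypted). Raises ValueError if no valid
    header is present.
    """
    if data[:2] == b"\x16\x03":
        # TLS record where the header should be: the proxy was not configured
        # with send-proxy, so the stream begins directly with the ClientHello.
        raise ValueError("TLS record at stream start, no PROXY header")
    if data.startswith(b"PROXY UNKNOWN"):
        end = data.find(b"\r\n", 0, V1_MAX_LEN)
        if end < 0:
            raise ValueError("malformed PROXY UNKNOWN line")
        return {"family": "UNKNOWN", "src": None, "sport": None}, data[end + 2:]
    m = _V1_RE.match(data[:V1_MAX_LEN])
    if not m:
        raise ValueError("no PROXY v1 header at stream start")
    fam, src, dst, sport, dport = m.groups()
    fam = fam.decode()
    try:
        src_ip = ipaddress.ip_address(src.decode())
        dst_ip = ipaddress.ip_address(dst.decode())
    except ValueError:
        raise ValueError("bad address in PROXY header") from None
    if {src_ip.version, dst_ip.version} != {4 if fam == "TCP4" else 6}:
        raise ValueError("address family does not match " + fam)
    sport, dport = int(sport), int(dport)
    if max(sport, dport) > 65535:
        raise ValueError("port out of range in PROXY header")
    info = {"family": fam, "src": str(src_ip), "dst": str(dst_ip),
            "sport": sport, "dport": dport}
    return info, data[m.end():]

# Constructed sample: PROXY line for a client at 203.0.113.5 (RFC 5737 range),
# followed by a constructed TLS record header standing in for the ClientHello.
SAMPLE_HEADER = b"PROXY TCP4 203.0.113.5 198.51.100.10 51234 443\r\n"
SAMPLE_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SAMPLE_STREAM = SAMPLE_HEADER + SAMPLE_TLS
```

A backend that accepts PROXY consumes exactly this line before handing the rest of the stream to its TLS stack, which is why the client address survives passthrough without any decryption.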

Thank you for the fast reply. I tried the “send-proxy” setting again, but that breaks my SSL setup. I get an “ERR_SSL_PROTOCOL_ERROR” back.

Any other tricks I can do? I’m setting up a classroom test lab (multiple systems behind a single public IP via the proxy), and one of the tasks each student has to do is to get a certificate via the built-in Let’s Encrypt functionality of the product that is configured behind the HAProxy. That part is currently actually working; the only thing that is not working correctly is the logging, as the system thinks my connections come from the proxy IP. For the HTTP traffic I managed to fix it by injecting the X-Forwarded-For headers, but I understand I can’t do this for the HTTPS traffic (as it is not decrypted). I was hoping there was some kind of trick I could use to force the source IP address (at least in the header) to remain the original one.

Please read my post completely.