HAProxy community

Option forwardfor ignored for backend

Hi, haproxy status gives me these errors even though it seems to work:

$ systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2020-05-08 09:00:34 UTC; 22min ago
Process: 26543 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q (code=exited, status=0/SUCCESS)
Main PID: 26544 (haproxy)
Tasks: 2 (limit: 24956)
Memory: 14.9M
CGroup: /system.slice/haproxy.service
├─26544 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
└─26546 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid

May 08 09:00:34 server1 haproxy[26544]: [WARNING] 128/090034 (26544) : config : ‘option forwardfor’ ignored for backend ‘port.5060’ as it requires HTTP mode.
May 08 09:00:34 server1 haproxy[26544]: [WARNING] 128/090034 (26544) : config : ‘option forwardfor’ ignored for backend ‘port.5061’ as it requires HTTP mode.
May 08 09:00:34 server1 systemd[1]: Started HAProxy Load Balancer.


My config file:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#

log 127.0.0.1:514 local0
chroot      /var/lib/haproxy
pidfile     /var/run/haproxy.pid
maxconn     4000
user        haproxy
group       haproxy
daemon

# turn on stats unix socket
stats socket /var/lib/haproxy/stats

# utilize system-wide crypto-policies
ssl-default-bind-ciphers PROFILE=SYSTEM

ssl-default-server-ciphers PROFILE=SYSTEM
tune.ssl.default-dh-param 2048

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------

defaults
mode http
option forwardfor
option http-server-close
log global
option httplog
option dontlognull
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 2048

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
bind *:5000
acl url_static path_beg -i /static /images /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js

use_backend static          if url_static
default_backend             app

frontend stats
bind *:8404
stats enable
stats uri /stats
stats refresh 10s
stats realm Haproxy\ Statistics
stats auth user:password

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
balance roundrobin

server static 127.0.0.1:4331 check

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------

backend app
balance roundrobin

server app1 127.0.0.1:5001 check

server app2 127.0.0.1:5002 check

server app3 127.0.0.1:5003 check

server app4 127.0.0.1:5004 check

#---------------------------------------------------------------------
# My config
#---------------------------------------------------------------------

frontend port.5060
mode tcp
option tcplog
bind 172.16.10.100:5060
default_backend port.5060

frontend port.5061
mode tcp
option tcplog
bind 172.16.10.100:5061
default_backend port.5061

frontend website1:80
bind 172.16.10.99:80
redirect scheme https code 301 if !{ ssl_fc }
default_backend website1:443

frontend website1:443
bind 172.16.10.99:443 ssl crt /etc/pki/tls/certificate.pem
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
default_backend website1:443

backend port.5060
balance roundrobin
mode tcp
option tcplog
server gw1 192.168.100.121:5060 check
server gw2 192.168.100.122:5060 check

backend port.5061
balance roundrobin
mode tcp
option tcplog
server gw1 192.168.100.121:5061 check
server gw2 192.168.100.122:5061 check

backend website1:80
balance roundrobin
redirect scheme https if !{ ssl_fc }
server web1 192.168.100.41:80 check verify none
server web2 192.168.100.42:80 check verify none

backend website1:443
balance roundrobin
redirect scheme https if !{ ssl_fc }
cookie SESSIONID insert indirect nocache
server web1 192.168.100.41:443 ssl check verify none cookie web1
server web2 192.168.100.42:443 ssl check verify none cookie web2


How can I solve it?

Thanks in advance!!

You cannot use HTTP options when you are in TCP mode.

Thanks for your help!

What would be the wrong http options?

Thanks!

Reading or modifying HTTP headers requires haproxy to actually parse the HTTP message, which is why http mode is required.

TCP mode means that the entire TCP payload is forwarded from one socket to the other (between frontend and backend, without any HTTP level parsing).

That’s why, when you want to use option forwardfor, you need to enable HTTP mode.

If I understand correctly then, the problem is that the forwardfor entry in the defaults section is applying to all the rules, so it would be better to remove it from there and include it only in the backends that require http?

Correct. You can also define an additional default section before you begin with the tcp sections and not define http specific features there.

This would then overwrite the previous default section.
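
The layout described in the answer above, as an added example that is not part of the original thread: the HTTP proxies follow an HTTP defaults section, and a second defaults section is declared before the TCP proxies. Addresses, names and timeouts are taken from the question's config; the trimmed proxy bodies and the choice of options restated in the TCP defaults are assumptions.

```haproxy
# Added example: first defaults section, inherited by the HTTP proxies below it.
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout check 10s

frontend website1:443
    bind 172.16.10.99:443 ssl crt /etc/pki/tls/certificate.pem
    default_backend website1:443

backend website1:443
    balance roundrobin
    server web1 192.168.100.41:443 ssl check verify none

# Second defaults section: replaces the one above for every proxy declared
# after this point. Nothing is carried over, so the timeouts are restated
# and no HTTP-only option (forwardfor, httplog, ...) appears here.
defaults
    mode tcp
    log global
    option tcplog
    option dontlognull
    option redispatch
    retries 3
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout check 10s

frontend port.5060
    bind 172.16.10.100:5060
    default_backend port.5060

backend port.5060
    balance roundrobin
    server gw1 192.168.100.121:5060 check
    server gw2 192.168.100.122:5060 check
```

Running `haproxy -c -f /etc/haproxy/haproxy.cfg` (the check from the unit's ExecStartPre, without `-q`) prints any remaining config warnings before the service is restarted.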

Thank you very much lukastribus!!!