Real IP address visibility issue


#1

Hello all,
I am pretty much new to HAProxy, but I need to used it in order to have true-client-ip visibility. Out DDoS provider masks the real IP of the clients. All IP’s that we see in our log are couple of IP’s that we know they are from the subnet of the DDoS provider. For some audit purposes we need to see the real ip address of the client, that’s why we implement HAProxy in front of our server.
The problem here is that I am able to see the real IP address only in the first packet which is fine, but all other sessions that are logged in the server log(like executed commands etc.) are with source IP address of the proxy server.
I need to have the Real IP address signed on all the logs not only the first packet ?

Could you please assist.
Let me know if additional info is needed!

Thank you in advance !


#2

How does the DDoS provider share the original IP with you?
Please share the complete configuration and the output of haproxy -vv.


#3

Hello,

I forgot to mention that the protocol is not HTTP/HTTPS so XFF is not in the game.

Output of the haproxy -vv

HA-Proxy version 1.7.9 2017/08/18
Copyright 2000-2017 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
OPTIONS =

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without compression support (neither USE_ZLIB nor USE_SLZ are set)
Compression algorithms supported : identity(“identity”)
Built without OpenSSL support (USE_OPENSSL not set)
Built without PCRE support (using libc’s regex instead)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[COMP] compression
[TRACE] trace
[SPOE] spoe

Config:

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon

defaults
log global
mode tcp
option tcplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000

frontend users
bind *:3443 accept-proxy transparent
mode tcp
stats uri /
default_backend dcs

backend dcs
mode tcp
server dc 10.164.71.157:3443 check


#4

I don’t quite understand your situation yet …

Where exactly do you see what?

I assume that on your backend server you never see the real IP address at all, not even for the first packet, because you don’t use the proxy protocol between haproxy and your backend.

In haproxy logs, you should see the real IP address, but since this is TCP you would really only have one log entry per TCP session, so I don’t understand your point about “executed commands”.


#5

Hello,

On my backend servers in the application log I am able to see that user XXX is connected from real IP address Y.Y.Y.Y
but again in this application log each other task executed by the same user is logged with the HAPROXY IP address.

and I am not sure how it works for the first session “login” and not for the others.


#6

Yeah I don’t have any idea why you see the real IP in your application for the first request. I don’t understand your configuration so I’m afraid I’m unable to help, sorry.