Hi Community.
I use HAProxy as a reverse proxy for serving a couple of hobby projects.
All projects run in Linux containers.
I chose to terminate the SSL inside the containers.
This is a simplified mockup of the infrastructure.
Is it even possible to forward the real client IP that connects to HAProxy to, for example, nc.mydomain.tld without terminating the SSL on HAProxy?
I have tried some different changes, and with a few of these the SSL handshake fails because the SSL header is the wrong size. That somehow indicates that HAProxy does add something to the connection. Is this an indicator that it is my webserver which does not understand the proxy_protocol correctly?
You need to enable support for the proxy protocol in the configuration of your webserver. If there is no option for it, then it’s not supported.
I don’t think any webserver automatically detects whether the TCP payload contains a proxy header or not.
Thank you.
I did add support for it in Apache2. However I think I found the “culprit”:
The LXD proxy device can be set to proxy with proxy_protocol=true. However the LXD proxy does not understand this when proxying SSL traffic, hence it rejects the SSL traffic as per odd SSL header size.
I need to set the LXC network device to NAT instead so that the LXD network gateway is not the connecting client IP but is merely routing using pure NAT. This way the connecting IP will be my HAProxy, which by using proxy protocol, adds the real client IP.
The only thing I have to change here is to use the LXD network gateway as destination IP in HAProxy instead of 127.0.0.1 as that IP is hard to distinguish for the container…
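To make the "wrong size SSL header" symptom concrete, here is an added Python example that is not from this thread: it builds the PROXY protocol v1 header that HAProxy's send-proxy prepends to a TCP-mode connection, puts it in front of a constructed TLS ClientHello record prefix, and shows that the stream only looks like TLS once a proxy-protocol-aware receiver has stripped the header. The addresses and ports are constructed sample values.

```python
# Added example (not from the thread): PROXY protocol v1 framing in front of TLS.
# Constructed addresses and ports; no real hosts involved.

PROXY_V1_MAX = 107  # longest legal v1 header, including CRLF, per the HAProxy spec


def build_proxy_v1(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Build the human-readable v1 header HAProxy sends when 'send-proxy' is set."""
    line = f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n"
    return line.encode("ascii")


def looks_like_tls_record(data: bytes) -> bool:
    """A TLS record starts with content type 0x16 (handshake) and major version 0x03."""
    return len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03


def strip_proxy_v1(data: bytes):
    """Parse and remove a leading v1 header; return (fields, remaining_bytes).

    Raises ValueError when no well-formed header is present, which is how a
    proxy-protocol-aware server treats a peer that did not send one.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 header")
    end = data.find(b"\r\n", 0, PROXY_V1_MAX)
    if end == -1:
        raise ValueError("PROXY v1 header not terminated within 107 bytes")
    parts = data[:end].decode("ascii").split(" ")
    proto = parts[1]
    if proto not in ("TCP4", "TCP6", "UNKNOWN") or (proto != "UNKNOWN" and len(parts) != 6):
        raise ValueError("malformed PROXY v1 header")
    fields = {"proto": proto}
    if proto != "UNKNOWN":
        fields.update(src_ip=parts[2], dst_ip=parts[3],
                      src_port=int(parts[4]), dst_port=int(parts[5]))
    return fields, data[end + 2:]


# Constructed sample: first bytes of a TLS 1.x ClientHello record (type 0x16, version 0x0301).
TLS_CLIENT_HELLO_PREFIX = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01])


def wire_bytes_from_haproxy() -> bytes:
    """What the container sees when HAProxy forwards in mode tcp with 'send-proxy'."""
    return build_proxy_v1("203.0.113.7", "10.0.3.20", 51234, 443) + TLS_CLIENT_HELLO_PREFIX


if __name__ == "__main__":
    wire = wire_bytes_from_haproxy()
    print("raw stream looks like TLS?", looks_like_tls_record(wire))  # False: 'P' is not 0x16
    fields, payload = strip_proxy_v1(wire)
    print("real client:", fields["src_ip"], fields["src_port"])
    print("after stripping, TLS?", looks_like_tls_record(payload))  # True
```

A TLS endpoint (or an intermediate like the LXD proxy device) that does not strip this header reads the ASCII "PROXY ..." bytes as a TLS record header and rejects the connection.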