Will using proxy-protocol on a backend change behaviour on header manipulation in a frondend?

jvwag · July 5, 2019, 8:05am

I have configured a frontend with some header manipulation, mostly for security:

frontend ft_web
  bind :::443 v4v6 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1 curves secp384r1
  reqidel ^x-forwarded.*
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains;"
  use_backend bk_group1

backend bk_group1
  server localhost1 localhost:8000 send-proxy check

In this case, the headers are not modified. But when I remove send-proxy from the backend server, and reconfigure my backend to not use the proxy protocol the header manipulations work. I added my bind to indicate I also use http/2.0.

Does the send-proxy directive manipulate the connection mode to tunnel mode?

ciprian.craciun · July 5, 2019, 10:25am

To my knowledge the send-proxy doesn’t change anything in the behaviour of HAProxy except sending a few extra first bytes (as per PROXY protocol).

Could you perhaps do a tcpdump on the server-side to see exactly what happens at the network level? (It might happen that your web server behaves differently, and when it uses the PROXY protocol it adds itself the X-Forwarded-For header.)

Topic		Replies	Views
Send-proxy in tcp mode with encrypted traffic Help!	2	422	September 4, 2023
Multiple proxy protocol headers Help!	1	606	July 18, 2020
Haproxy itself talks proxy protocol Help!	8	1471	February 6, 2020
Pumping x-forwarded-for ip into proxy protocol Help!	0	413	August 12, 2022
HAProxy in `mode tcp` accepts HTTP with HTTPS backend Help!	1	776	March 3, 2020

Will using proxy-protocol on a backend change behaviour on header manipulation in a frondend?

Related topics