HAProxy community

Will using proxy-protocol on a backend change behaviour on header manipulation in a frondend?

I have configured a frontend with some header manipulation, mostly for security:

frontend ft_web
  bind :::443 v4v6 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1 curves secp384r1
  reqidel ^x-forwarded.*
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains;"
  use_backend bk_group1

backend bk_group1
  server localhost1 localhost:8000 send-proxy check

In this case, the headers are not modified. But when I remove send-proxy from the backend server, and reconfigure my backend to not use the proxy protocol the header manipulations work. I added my bind to indicate I also use http/2.0.

Does the send-proxy directive manipulate the connection mode to tunnel mode?

To my knowledge the send-proxy doesn’t change anything in the behaviour of HAProxy except sending a few extra first bytes (as per PROXY protocol).

Could you perhaps do a tcpdump on the server-side to see exactly what happens at the network level? (It might happen that your web server behaves differently, and when it uses the PROXY protocol it adds itself the X-Forwarded-For header.)