X-Forwarded-For for an Android app

Hello, I have a problem with X-Forwarded-For.
I have an Android application that needs X-Forwarded-For from the HAProxy.
In the log file I get this line when the app hits the HAProxy:

With the Android app:
Oct 13 08:21:50 haproxy haproxy[21124]: x.x.x.x:52050 [13/Oct/2022:08:21:50.748] fe_mail~ fe_mail/<NOSRV> -1/-1/-1/-1/0 503 216 - - SC-- 5/5/0/0/0 0/0 "POST /index.php?r=mobile/get HTTP/1.1"
There is in.

In the browser it looks good:
Oct 13 08:35:16 haproxy haproxy[21124]: x.x.x.x:48078 [13/Oct/2022:08:35:16.746] fe_mail~ be_easymobil/easymobil1 0/0/0/33/33 200 1751 - - ---- 14/14/0/0/0 0/0 "GET /index.php?r=site/login HTTP/1.1"

I have consulted the app's support. They told me I need X-Forwarded-For.

Here is my HAProxy config.

global
log /dev/log local0

maxconn 1000
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon

# Default SSL material locations

#ca-base /etc/pki/tls/certs
#crt-base /etc/pki/tls/certs
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

#ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets
#If you want to enable TLS 1.0 & TLS 1.1 also then use below line.
#ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:@SECLEVEL=1

# These ciphers should be used in production, if you want to disable TLS 1.0 & TLS 1.1.

ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

#ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP

tune.ssl.default-dh-param 2048

defaults
log global
mode http
option httplog
option dontlognull
option forwardfor

retries 3 # Try to connect up to 3 times in case of failure
timeout connect 5s # 5 seconds max to connect or to stay in queue
timeout http-keep-alive 1s # 1 second max for the client to post next request
timeout http-request 15s # 15 seconds max for the client to send a request
timeout queue 30s # 30 seconds max queued on load balancer
timeout client 300s
timeout server 300s

errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
#no option http-use-htx

#---------------------------------------------------------------------
#HAProxy Monitoring Config
#---------------------------------------------------------------------
listen stats
bind :1111
mode http
option forwardfor
option httpclose
stats enable
stats uri /
stats refresh 5s
stats show-legends
stats realm Haproxy\ Statistics
stats auth haproxy:xxxxx

#-----------------------
# FrontEnd Begins
#-----------------------

frontend fe_mail

# receives traffic from clients

bind :80
http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-Content-Type-Options nosniff
http-response set-header Strict-Transport-Security max-age=63072000

mode http
option forwardfor except 127.0.0.1
maxconn 1000
#maxconn 10000

redirect scheme https code 301 if !{ ssl_fc } # redirect 80 → 443 (for owa)
bind *:443 ssl crt /etc/pki/tls/certs/certkh.pem

acl easymobil hdr(host) -i subdomain.externalserver.de
use_backend be_easymobil if easymobil

backend be_easymobil
mode http
option forwardfor header X-Client
option log-health-checks
server easymobil1 interalserver:3102 check ssl verify none

I have tried many solutions, but without success.
The HAProxy version is 2.6.6-1 (2022-09-22).

If someone can help me, I am lost :wink:

Thx, greetings Norman

X-Forwarded-For will set the client IP address. Your backend will see the IP address of HAProxy as the client address (REMOTE_ADDR). With option forwardfor, X-Forwarded-For is also set, so you can get the (original) client IP address.

I only have option forwardfor in the global section, NOT in the backend section. I can see X-Forwarded-For on my backend servers. I had to check the documentation for the forwardfor option in the backend. Could it be that with that line you get the client address in an X-Client env var?

I don't see any error in either of the log lines you gave. The

Hi Markus, thx for your reply.
I have cleaned up the backend.

frontend fe_mail

# receives traffic from clients

bind :80
http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-Content-Type-Options nosniff
http-response set-header Strict-Transport-Security max-age=63072000

mode http
option forwardfor
maxconn 1000
#maxconn 10000

# Allow Exchange Admin Center to certain private network only

redirect scheme https code 301 if !{ ssl_fc } # redirect 80 → 443 (for owa)
bind *:443 ssl crt /etc/pki/tls/certs/certkh.pem

acl easymobil hdr(host) -i externalhost.de

backend be_easymobil
mode http
option log-health-checks
server easymobil1 internal.server.de:3102 check ssl verify none

Oct 13 15:01:15 haproxy haproxy[32090]: x.x.x.x:55160 [13/Oct/2022:15:01:15.898] fe_mail~ fe_mail/<NOSRV> -1/-1/-1/-1/0 503 216 - - SC-- 6/6/0/0/0 0/0 "POST /index.php?r=mobile/get HTTP/1.1"
Client IP is x.x.x.x:55160, so the client IP is readable.

I have a NOSRV flag in the frontend. The server that handles the data is an IIS with a sync app for this Android app. I think the client app didn't get the server IP to reply to, so the transfer is broken. The IIS has a wildcard cert and the HAProxy has the same wildcard cert.

I have made a new frontend. That worked for me :thinking:

frontend fe_easy
bind *:3102 ssl crt /etc/pki/tls/certs/certkh.pem
mode http
option httplog
option forwardfor
http-request set-header Host internal.server
http-request add-header X-Forwarded-Proto https
http-request add-header X-Forwarded-Port 3102
# set HTTP Strict Transport Security (HSTS) header (optional)
http-response add-header Strict-Transport-Security max-age=15768000
acl easymobil hdr(host) -i external.domain.de
use_backend be_easymobil if easymobil

Oct 13 21:38:18 haproxy haproxy[41938]: x.x.x.x:54820 [13/Oct/2022:21:38:17.855] fe_easy~ be_easymobil/easymobil1 0/0/0/1112/1112 200 3294 - - ---- 23/1/0/0/0 0/0 "POST /index.php?r=mobile/get HTTP/1.1"
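The diagnosis in this thread hinges on reading the httplog line correctly: `fe_mail/<NOSRV>`, a 503 and the `SC--` termination state mean the frontend never picked a backend (no matching `use_backend` acl and no `default_backend`), not that X-Forwarded-For was missing. The following parser is an added example, not code from the thread or from HAProxy; it takes the two log lines posted above (client IPs were already redacted by the poster) and flags the no-backend case, so the same check can be run over a syslog dump.

```python
import re

# Log lines copied from the thread above (IPs already redacted there),
# normalised to straight quotes and the literal <NOSRV> marker HAProxy prints.
LINES = [
    'Oct 13 08:21:50 haproxy haproxy[21124]: x.x.x.x:52050 [13/Oct/2022:08:21:50.748] '
    'fe_mail~ fe_mail/<NOSRV> -1/-1/-1/-1/0 503 216 - - SC-- 5/5/0/0/0 0/0 '
    '"POST /index.php?r=mobile/get HTTP/1.1"',
    'Oct 13 21:38:18 haproxy haproxy[41938]: x.x.x.x:54820 [13/Oct/2022:21:38:17.855] '
    'fe_easy~ be_easymobil/easymobil1 0/0/0/1112/1112 200 3294 - - ---- 23/1/0/0/0 0/0 '
    '"POST /index.php?r=mobile/get HTTP/1.1"',
]

# "option httplog" fields after the syslog prefix: client:port [accept_date]
# frontend backend/server timers status bytes req_cookie resp_cookie term_state
# conn_counts queues "request". Server is "" or <NOSRV> when none was selected.
HTTPLOG_RE = re.compile(
    r'(?P<client>\S+):(?P<port>\d+) \[(?P<ts>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/ ]+)/(?P<server>\S*) '
    r'(?P<timers>(?:-?\d+/){4}-?\d+) (?P<status>\d{3}) (?P<bytes>\d+) '
    r'\S+ \S+ (?P<term>\S{4}) \S+ \S+ "(?P<request>[^"]*)"'
)

def parse_httplog(line):
    """Return a dict of the httplog fields, or None if the line does not match."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("port", "status", "bytes"):
        rec[key] = int(rec[key])
    rec["timers"] = [int(t) for t in rec["timers"].split("/")]  # -1 = never reached
    rec["tls"] = rec["frontend"].endswith("~")   # '~' marks an SSL-terminated frontend
    rec["frontend"] = rec["frontend"].rstrip("~")
    rec["no_server"] = rec["server"] in ("", "<NOSRV>")
    return rec

def diagnose(rec):
    """503 + <NOSRV> + SC-- means routing, not the server, failed: the frontend
    selected no backend (no matching use_backend acl and no default_backend)."""
    if rec["no_server"] and rec["status"] == 503 and rec["term"].startswith("SC"):
        return "no backend selected in frontend %s" % rec["frontend"]
    if rec["term"][0] == "-":
        return "ok"
    return "terminated abnormally: %s" % rec["term"]

def report(lines):
    """Diagnose every parsable line; unparsable lines are skipped."""
    return [diagnose(r) for r in map(parse_httplog, lines) if r]

if __name__ == "__main__":
    for verdict in report(LINES):
        print(verdict)
```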