
When running HAProxy in a Docker container, we can only see (and forward) the original client's IP when running the container with the --net=host option, as described here.

Our question: Is this advisable from a security standpoint? Will this make it easier for attackers to exploit HAProxy vulnerabilities? Or is it common practice?

1 Answer

Using the host's network stack defeats the purpose of isolation.

Rather than using the host network, you can create a network of its own and fiddle with iptables NAT so that incoming connections are not MASQUERADEd but passed directly to the HAProxy container. This way, HAProxy will receive the client IP that arrives at your host.

Like in here.

Vignesh SP
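The approach the answer describes, as an added example that is not code from the question, the answer or the HAProxy project: an own bridge network, a PREROUTING DNAT that rewrites only the destination, and an audit function that reads `iptables-save` output and flags any SNAT/MASQUERADE rule that would rewrite the source of connections reaching HAProxy. The network name, container address and ports are assumptions; the iptables-save excerpts at the end are constructed for the self-check.

```shell
#!/bin/sh
# Added example (not code from the original question or answer). Assumes
# Docker on Linux with its iptables backend; network name, container address
# and ports are placeholders you would set for your own host.
NET_NAME="${NET_NAME:-lbnet}"
NET_SUBNET="${NET_SUBNET:-172.30.0.0/24}"
HAPROXY_IP="${HAPROXY_IP:-172.30.0.10}"
HAPROXY_PORT="${HAPROXY_PORT:-80}"
PUBLIC_PORT="${PUBLIC_PORT:-80}"

# Print the setup: an own bridge network, HAProxy pinned to a fixed IP, and a
# PREROUTING DNAT that rewrites only the destination. Nothing adds SNAT or
# MASQUERADE on the inbound path, so HAProxy sees the client's source IP.
setup_cmds() {
  cat <<EOF
docker network create --subnet $NET_SUBNET $NET_NAME
docker run -d --name haproxy --network $NET_NAME --ip $HAPROXY_IP haproxy:lts
iptables -t nat -A PREROUTING -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $HAPROXY_IP:$HAPROXY_PORT
iptables -I FORWARD -p tcp -d $HAPROXY_IP --dport $HAPROXY_PORT -j ACCEPT
EOF
}

# Audit iptables-save output (stdin). Returns 1 if the nat table holds a
# SNAT/MASQUERADE rule that rewrites the source of connections to HAProxy:
# one matching "-d <haproxy ip>" or one with neither -s nor -d. Rules scoped
# by "-s <container subnet>" only act on traffic leaving containers and are
# left alone. Returns 0 when the client IP is preserved.
source_ip_preserved() {
  awk -v ip="$HAPROXY_IP" '
    /^\*/                   { table = substr($0, 2) }
    table != "nat"          { next }
    !/-j (MASQUERADE|SNAT)/ { next }
    /-d /                   { if ($0 ~ ("-d " ip "(/32)? ")) bad = 1; next }
    !/-s /                  { bad = 1 }
    END                     { exit bad ? 1 : 0 }'
}

# Constructed iptables-save excerpts for a self-check (not captured output).
RULES_OK='*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.30.0.10:80
-A POSTROUTING -s 172.30.0.0/24 ! -o br-lbnet -j MASQUERADE
COMMIT'
RULES_BAD='*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.30.0.10:80
-A POSTROUTING -d 172.30.0.10/32 -p tcp -m tcp --dport 80 -j MASQUERADE
COMMIT'

# On a live host: setup_cmds | sh   then   iptables-save | source_ip_preserved
```

After applying the rules, confirm the result end to end by checking that HAProxy's access log shows the remote client address rather than the bridge gateway.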