4

I have HAProxy set up for HTTPS, and as such I had to enable mode:tcp for that, but as it turns out, because of that, forwardfor is being ignored and I can't see the original IP. Is there any way to bypass it?

haproxy ver: 1.4.9

slm
Marcin

1 Answer

3

x-forwarded-for is an HTTP header field, so it has nothing to do with the transport layer (TCP). Usually web proxies insert the x-forwarded-for data.

If you want to have the source IP when balancing at transport layer, then you need to compile haproxy with TPROXY support. See: https://www.loadbalancer.org/blog/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/

But note that the current Linux kernel has TPROXY support by default (it has done so since 2.6.28), so you may be able to skip the kernel step described in the above blog post if your kernel version > 2.6.28.

James Little
  • Yeah, the example there is for port 80 - mode http, so that is no problem; the problem is mode tcp and forwardfor, but thanks – Marcin Apr 21 '11 at 14:22
  • Actually I think that is an error in the config file. It *should* be mode tcp. The point is, you need TCP transparency, which you won't get with 'option forwardfor' because this is operating on HTTP headers only. TPROXY is your only option and then you need this line: `source 0.0.0.0 usesrc clientip`. – James Little Apr 21 '11 at 14:57
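
The point made in this thread (`option forwardfor` does nothing in `mode tcp`, and only a `source ... usesrc` line preserves the client address there) can be checked mechanically before a config is deployed. The following is an added example, not part of the original answer or of HAProxy itself; the function name, finding labels and sample config are assumptions, and it inspects the config text only, not whether the binary or kernel actually has TPROXY support.

```python
import re

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
BASE = {"mode": "tcp", "forwardfor": False, "usesrc": False}  # HAProxy defaults to mode tcp

def lint_haproxy(text):
    """Return (section, finding) pairs for TCP-mode proxies that lose the client IP."""
    defaults, cur, proxies = dict(BASE), None, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        m = SECTION.match(" ".join(words))
        if m:
            kind, name = m.groups()
            if kind == "global":
                cur = None
            elif kind == "defaults":
                cur = defaults = dict(BASE)
            else:  # a proxy inherits from the most recent defaults section
                cur = dict(defaults, kind=kind, name=f"{kind} {name}")
                proxies.append(cur)
        elif cur is None or not words:
            continue
        elif words[0] == "mode" and len(words) > 1:
            cur["mode"] = words[1]
        elif words[:2] == ["option", "forwardfor"] or words[:3] == ["no", "option", "forwardfor"]:
            cur["forwardfor"] = words[0] != "no"
        elif words[0] in ("source", "server") and "usesrc" in words:
            cur["usesrc"] = True
    findings = []
    for p in (p for p in proxies if p["mode"] == "tcp"):
        if p["forwardfor"]:  # X-Forwarded-For insertion needs HTTP parsing
            findings.append((p["name"], "forwardfor-ignored"))
        if p["kind"] != "frontend" and not p["usesrc"]:  # servers see the proxy's IP
            findings.append((p["name"], "client-ip-hidden"))
    return findings

# Constructed sample configuration (addresses and section names are made up).
SAMPLE = """
defaults
    mode http
    option forwardfor
listen https 0.0.0.0:443
    mode tcp
    server web1 10.0.0.11:443
listen https_tproxy 0.0.0.0:8443
    mode tcp
    no option forwardfor
    source 0.0.0.0 usesrc clientip
"""
print(lint_haproxy(SAMPLE))
```

Only the `listen https` section is reported: it inherits `option forwardfor` from `defaults` but runs in TCP mode without a `usesrc` source line, so backend logs and IP-based access controls would see only the proxy's address.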