I am running HAProxy that is receiving layer 4 proxy protocol from an upstream source. I have a need to create a custom HTTP header with the address contained there. I can't seem to find how I can reference that TCP header.

Below is a sample of what I am trying to do:

frontend http_in
    bind *:1025 accept-proxy
    mode http
    default_backend http_out

backend http_out
    mode http
    http-request set-header X-Custom-Header %[<ip from proxy protocol header>]
    server some-server some-server:80

How can I make sure I am populating the new header with the address from the L4 header and not some spoofable HTTP header?

Justin Talbott

1 Answer

Based on the docs of the accept-proxy bind option, and more generically the usage of the PROXY protocol, all the fields contained in the PROXY protocol header (source IP & port, destination IP & port) replace those from the real connection:

...
The PROXY protocol dictates the layer 3/4 addresses of the incoming
connection to be used everywhere an address is used, with the only
exception of "tcp-request connection" rules which will only see the
real connection address. Logs will reflect the addresses indicated in
the protocol, unless it is violated, in which case the real address
will still be used.
...

Meaning that your backend would look like

backend http_out
    mode http
    http-request set-header X-Custom-Header %[src]
    server some-server some-server:80

This works because the src sample field will contain the source IP as defined in the PROXY header, and not the actual source IP.

GregL
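
A hardened variant of the configuration above, added here as an example and not part of the original answer: `src` is only as trustworthy as the peer that sent the PROXY header, so this restricts who may connect, using the one rule type the quoted documentation says still sees the real connection address. The address 192.0.2.10 is a constructed placeholder for the upstream proxy.

```haproxy
frontend http_in
    bind *:1025 accept-proxy
    mode http

    # "tcp-request connection" rules see the real peer address rather than
    # the one carried in the PROXY header. Only the upstream proxy
    # (placeholder address, an assumption) may connect; any other peer that
    # reaches this port could send a PROXY header naming an arbitrary source.
    tcp-request connection reject if !{ src 192.0.2.10 }

    default_backend http_out

backend http_out
    mode http
    # At this level src is the client address taken from the PROXY header.
    # set-header first removes any X-Custom-Header the client sent itself,
    # so the backend server only ever sees the value written here.
    http-request set-header X-Custom-Header %[src]
    server some-server some-server:80
```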