HAProxy not forwarding client headers

haproxy

We have HAProxy installed infront of Apache. The setup works, but the IP-Address of the client is not forwarded despite the rule "forwardfor".

I have previously investigated answers on serverfault like this one e.g. haproxy and forwarding client IP address to servers but could not solve the problem so far.

This is the config:

frontend apache-http
    bind 192.168.56.150:80
    mode http
    option http-server-close
    option forwardfor header X-Real-IP
    reqadd X-Forwarded-Proto:\ http
    default_backend apache-http
    stats enable
    #stats hide-version

backend apache-http
    # redirect scheme https if !{ ssl_fc }
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server www-1 10.0.0.120:80 cookie S1 check
    server www-2 10.0.0.130:80 cookie S2 check

PHP Server variables return the info of HAProxy:

$_SERVER['REMOTE_ADDR'] returns 10.0.0.120
$_SERVER['HTTP_X_FORWARDED_FOR'] returns nothing

Apache log also returns —

config:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Am I missing something in the configuration of HAProxy?

Best Answer

The problem lies in a configuration mis-match between HAProxy and Apache.

You've told HAProxy to send the client's real IP in a header called X-Real-IP:

option forwardfor header X-Real-IP

In Apache, you're looking for a header called X-Forwarded-For:

$_SERVER['HTTP_X_FORWARDED_FOR'] returns nothing
LogFormat "%{X-Forwarded-For} ...

You have two options to fix this.

Let HAProxy add a header with the default name, by changing
```
option forwardfor header X-Real-IP
```
to
```
option forwardfor  
```
Change Apache, and your PHP code to look for the right header:
```
$_SERVER['HTTP_X_Real_IP']

LogFormat "%{X-Real-IP} ...
```

Related Solutions

Ssl – HaProxy – Http and SSL pass through config

What are you using to cipher/decipher the SSL traffic before haproxy ? Stunnel, nginx, apache, something else ?

I suspect it might be related to the lack of "option httpclose" on your port 80, but it's not clear to me why it would cause an issue to only a few visitors.

HAProxy – Forwarding Client IP Address to Servers

I solved this problem. May be it was not a problem from the beginning. I made google search when I faced this problem, and I saw that

option forwardfor

line in order to use in haproxy.cfg file and also other options. I tried those options including recompiling the haproxy... But the real problem related to learning real client's IPs on web servers is not sourced from HAproxy, it is about reading headers by server scripts, in our case this scripting language is PHP.

I try to learn client's IPs by these commands

echo 'Client IP: '.$_SERVER["REMOTE_ADDR"];
echo 'Client IP: '.$_SERVER["HTTP_CLIENT_IP"];

and these commands displays loadbalancer's IP. This is correct but that is not what I am expected. Despite the forwardfor option these commands, gave me loadbalancer's IP

By using forwardfor option we make enable HAproxy to insert the x-forwarded-for header into client's requests sent to our web servers. HAproxy put this field to header but I have ignored this. Today I realized that this is a header field and I have to read this header like this

echo 'Client IP: '.$_SERVER["HTTP_X_FORWARDED_FOR"];

With this command I got the client's IP address not loadbalancer's IP address.

But my offer is in order to get the header data to investigate the other information is getallheaders() function for PHP.

//from php.net http://php.net/manual/en/function.getallheaders.php
foreach (getallheaders() as $name => $value) {
    echo "$name: $value<br>\n";
}

End of all my last haproxy.cfg file is like below.

global
    maxconn 100000
    uid 99
    gid 99
    daemon

defaults
    option forwardfor except 127.0.0.1
    mode    http
    contimeout  5000
    clitimeout  50000
    srvtimeout  50000

listen  myWeb 0.0.0.0:80
    mode http
    balance source
    option forwardfor
    option http-server-close
    stats enable
    stats refresh 10s
    stats hide-version
    stats scope   .
    stats uri     /lb?stats
    stats realm   LB2\ Statistics
    stats auth admin:passwd

    server  S1 192.168.1.117:80 check inter 2000 fall 3
    server  S2 192.168.1.116:80 check inter 2000 fall 3
    server  S3 192.168.1.118:80 check inter 2000 fall 3

Nevertheless I have many missing things about HAproxy like what is the meaning uid or gid.

Best Answer

Related Solutions

Ssl – HaProxy – Http and SSL pass through config

HAProxy – Forwarding Client IP Address to Servers

Related Topic