Why isn’t HAProxy adding “X-Forwarded-For”?

haproxy

I've followed numerous references online, which tell me I should just be able to set up a frontend like:

frontend http_https
  bind 1.2.3.4:443 ssl crt /etc/haproxy/tls/mycert.pem
  bind 1.2.3.4:80
  mode http
  option httplog
  option forwardfor
  option http-server-close
  redirect scheme https code 301 if !{ ssl_fc }
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Request-Start t=%Ts%ms
  http-response set-header Strict-Transport-Security max-age=15768000
  use_backend %[req.hdr(host),lower,map(/etc/haproxy/domains-to-backends.map)]

When I take a tcpdump on my backend server, I see all the add-header and set-header headers, but I don't see any X-Forwarded-For header.

If I add something like:

  http-request add-header X-Client-IP %[src]

I do see that header passed along, with the correct client IP.

Can anyone offer any insight into why this may not be working? Or any reason I shouldn't just use http-request set-header X-Forwarded-For %[src] instead of option forwardfor?


A sample backend section:

backend bk_foo
  balance roundrobin
  errorfile 502 /etc/haproxy/errorfiles/502.http
  errorfile 503 /etc/haproxy/errorfiles/503.http
  errorfile 504 /etc/haproxy/errorfiles/504.http
  option httpchk
  server foo.example.com 10.1.2.3:8080 check

Best Answer

Edit: You should be putting option forwardfor in the backend section, not under the frontend section.

I don't think there is anything wrong with the HAProxy config. I have done many configurations with the forwardfor option without any issue. Any chance there is a device sitting between HAProxy and the backend server that might be removing certain headers? Also, I would suggest testing with a simple setup focusing on this header to ensure other configurations do not cause the issue.
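
On the question's set-header versus option forwardfor point, an added example (not part of the original post or answer, and not HAProxy's own code) that models what the backend receives in each case and reads the client address from the last X-Forwarded-For entry, which is the occurrence HAProxy's documentation tells servers to use because option forwardfor appends rather than replaces. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

XFF = "x-forwarded-for"

def option_forwardfor(headers, src):
    # Model of `option forwardfor`: existing lines stay, one new line is appended.
    return headers + [("X-Forwarded-For", src)]

def set_header(headers, src):
    # Model of `http-request set-header X-Forwarded-For %[src]`:
    # every existing occurrence is removed, then one is added.
    return [(n, v) for n, v in headers if n.lower() != XFF] + [("X-Forwarded-For", src)]

def xff_entries(headers):
    # Flatten all X-Forwarded-For lines, in order, into single addresses.
    out = []
    for name, value in headers:
        if name.lower() == XFF:
            out.extend(p.strip() for p in value.split(",") if p.strip())
    return out

def client_ip(headers, trusted_hops=1):
    # Entry written by the outermost proxy we run: `trusted_hops` from the right.
    entries = xff_entries(headers)
    if trusted_hops < 1 or len(entries) < trusted_hops:
        return None
    try:
        return str(ipaddress.ip_address(entries[-trusted_hops]))
    except ValueError:
        return None  # malformed value: do not guess

# Constructed request as it reaches HAProxy; it already carries an X-Forwarded-For value.
INCOMING = [("Host", "foo.example.com"), ("X-Forwarded-For", "198.51.100.7")]
SRC = "203.0.113.9"  # constructed: the TCP peer address HAProxy sees (%[src])

if __name__ == "__main__":
    for label, fn in (("option forwardfor", option_forwardfor), ("set-header", set_header)):
        seen = fn(INCOMING, SRC)
        print(f"{label:18} entries={xff_entries(seen)} client_ip={client_ip(seen)}")
```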
