-
Notifications
You must be signed in to change notification settings - Fork 15
haproxy_pass_clientip_to_webserver
HAProxy currently offers a few different methods of sending the client ip to a (web)-server each has its own (dis)-advantages. This page explains the general working of these options, and how to configure them in the pfSense haproxy specifically.
To send the ip addres of the client/webbrowser to the server/webserver behind it there are a few options: 1- option forwardfor 2- send-proxy 3- source 0.0.0.0 usesrc clientip
This is an easy option to configure in haproxy, it does require that http layer7 processing is used 'mode http' and the webserver/ webapplication that wants to log or use the ip of the client must use the http-header 'X-Forwarded-For' to read the clientip.
In the frontend a option 'Use "forwardfor" option' can be selected.
This is can be used both with mode tcp and http, it does however require that the server also understands the proxyprotocol. Some applications have added support for this protocol which adds a few bytes with ip information before the actual request.
The textual setting send-proxy can be set individually on each server defined by filling the 'advanced' setting. Also its possible to use the 'Per server pass thru' once so it will get applied to all servers in the backend.
This allows any application and any protocol to be used and see the actual client ip as the origin from the incomming connection. It does however require to configure IPTABLES or IPFW or other firewall rules to capture reply-traffic, also the haproxy machine must be the defaultroute for the return traffic from the (web-)server.
In the backend a checkbox 'Transparent ClientIP' can be checked, also the interface to put the traffic intercepting firewall rules on must then be selected.