Remote IP's with HAProxy

I'm testing a new web server setup which is having a couple of issues. Essentially, we have a web server, where the code uses the remote IP for some interesting things, and also some apache directories secured down to some certain IP's (our office etc).

However, we've just chucked this behind ha_proxy so we can look at adding some more app servers, but now the remote IP is always coming through as the proxy ip, not the real remote user. This means we can't get to some locations, and our app is behaving a little oddly where user IP is important.

Our config is as follows:

global
      maxconn 4096
      pidfile /var/run/haproxy.pid
      daemon

defaults
      mode http
      retries 3
      option redispatch
      maxconn 2000
      contimeout 5000
      clitimeout 50000
      srvtimeout 50000

listen farm xxx.xxx.xxx.xxx:80
      mode http
      cookie GALAXY insert
      balance roundrobin
      option httpclose
      option forwardfor
      stats enable
      stats auth username:userpass

      server app1 xxx.xxx.xxx.xxx:80 maxconn 1 check

Solution 1:

Quoted from the HAProxy doc at haproxy.1wt.eu.

- if the application needs to log the original client's IP, use the
  "forwardfor" option which will add an "X-Forwarded-For" header with the
  original client's IP address. You must also use "httpclose" to ensure
  that you will rewrite every requests and not only the first one of each
  session:
        option httpclose
        option forwardfor

It is stated that the application must treat the X-Forwarded-For HTTP Header to know the client IP adress. Seems like the only way to go in your case.

Updated for HAProxy 1.4

Haproxy 1.4 introduced a new mode with "option http-server-close". It still closed the connection to the server but maintains keep-alive towards the client if possible and used. On most setups, you probably want to use that as it helps with latency on the single high-latency part of your connection (between Haproxy and the client).

   option http-server-close
   option forwardfor

Solution 2:

There is a way to recompile HAproxy to include Tproxy which will allow forwarding of the source address.

There's a blog post here about it: http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/

A few notes:

The latest linux kernel (2.6.28-11-server) includes support for TProxy, so recompiling the kernel is not necessary.

Make sure to configure the servers in your web farm with a default gateway address which points to the HAProxy server.

Solution 3:

Use rpaf apache module http://stderr.net/apache/rpaf/ I know this is and old post but it took me days to find this. This will present to any application the x-forwarded-for ip.

Solution 4:

Note that it would appear that you can override what the application see's my changing the Apache headers:

SetEnvIf X-Forwarded-For (.*) REMOTE_ADDR=$1
SetEnvIf X-Forwarded-For (.*) REMOTE_IP=$1

However, this doesn't work for Apache access via "Allow from" etc.

Solution 5:

HAProxy, by design, can't forward the original IP address to the real server, pretty much like any other proxy.

One solution may be, if your only problem is with a web server, to look into the X-forwarded-for HTTP header, which should contain the client's address. Now, that's pretty much application/language specific, but take a look at this example in php:

$headers = apache_request_headers();

$real_client_ip = $headers["X-Forwarded-For"];

If you also want to log the original address, you can modify the LogFormat in httpd.conf to look something like this:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\"" common