prevent X-Forwarded-For spoofing in haproxy

Yesterday we got hit by a DDoS attack reaching our webserver backends (apache2). The frontend consists of haproxy loadbalancing connections to the webservers. On access.log of apache we saw thousands of requests from two ips and after a couple of hours we realized that those were fake/spoofed and were not the actual ips.

For clarification reasons, we did a "curl GET /" with an ip of "137.137.136.136" and indeed that's the ip (fake one) we saw in our weblogs

Now, in another cluster where we use nginx as reverse proxy, changing/crafting the X-Forwarded-For Header doesn't work. Meaning , even if you enter a random ip in the specific header nginx will still pass the correct ip to the backend webserver?

Does this has to do with haproxy?
Anyone can confirm that crafted X-Forwarded-For headers can pass through haproxy?
Why is this not happening in nginx ?
How do you prevent this?


In haproxy, if you don't have nothing to prevent this, that is normal, I don't know how to deal with it in nginx, but I solved in this way using haproxy:

in defaults options:

forwardfor

In my haproxy frontend definition, I have:

reqidel ^X-Forwarded-For:.*

That delete X-Forwarded-For in the http request if the client try to fake and haproxy return the real header in the http response with true ip address

If you want to use X-Forwarded-For to check the ip address of http clients, you need to delete it if exists in the http request, because client that use an http proxy sometime set local ip address in X-Forwarded-For