Re: client ip address

From: Willy Tarreau <w#1wt.eu>
Date: Mon, 14 Jul 2008 07:18:58 +0200


Hello,

On Fri, Jul 11, 2008 at 03:24:10PM +0200, Benoit Plessis wrote:
> Rainer Sabelka a écrit :
> >On Friday 11 July 2008 14:17:16 Johan Duflost wrote:
> >
> >>I developped a web service that is accessed through haproxy.
> >>It works but I need to get the client ip at the web service side but
> >>instead I get the ip of haproxy. Any idea on the way I can solve this
> >>problem?
> >>
> >
> >Add "option forwardfor" to your configuration.
> >This will add an "X-Forwarded-For" request header which you can use in
> >your backend servers to obtain the original IP-address.
> >
> Be carefull though, other proxy may add this header into the
> request.
> It could be of the form: "192.168.1.145,56.82.14.97" (private IP added
> bya http proxy, then public IP of the proxy added by haproxy)
> and may be longer.
> The ease the job here with an apache reverse proxy i added a delete
> header to
> reset It before mod_proxy will set it up.
> I'm starting to study haproxy and you should look ad req[i]del to do the
> same.

Exactly. Normally, the application should only focus on last instance of the header (or last-1 or last-2 depending on the number of reverse proxies). But it looks like it is not always very easy for some applications. And you're right, simply setting a "reqidel ^X-Forwarded-For" in haproxy is normally enough to get rid of possibly existing headers.

If the configuration is split in frontend/backend, I would suggest doing this in the frontend, so that it will be easier to add more frontends later, some of which might have to keep the header.

Regards,
Willy Received on 2008/07/14 07:18

This archive was generated by hypermail 2.2.0 : 2008/07/14 07:30 CEST