I have another recommendation on how to address this issue.
If you use the mod_rpaf module, you can change the apparent source address in Apache, so that it's like HAProxy isn't in the stack and the Apache server is directly exposed.
http://stderr.net/apache/rpaf/
-JohnF
> -----Original Message-----
> From: Krzysztof Oledzki [mailto:ole#ans.pl]
> Sent: December 20, 2007 7:39 AM
> To: Jean-Baptiste Quenot
> Cc: haproxy#formilux.org
> Subject: Re: Multiple X-Forwarded-For headers
>
>
>
> On Thu, 20 Dec 2007, Jean-Baptiste Quenot wrote:
>
> > Hi there,
> Hi,
>
> > I'm using the forwardfor option so that haproxy adds the originating
> > IP in the X-Forwarded-For http request header. This works great, but
> > sometimes the request already has an X-Forwarded-For header, and ip
> > addresses get appended, like:
> >
> > X-Forwarded-For: 1.2.3.4, 2.3.4.5, 3.4.5.6
>
> As far as I know haproxy adds additional X-Forwarded-For headers, so it
> would rather look like:
> X-Forwarded-For: 1.2.3.4
> X-Forwarded-For: 1.2.3.5
> X-Forwarded-For: 3.4.5.6
>
> > As multiple values are impractical to handle in Apache and awstats, do
> > you think it makes sense to add an option in haproxy so that the
> > X-Forwarded-For header is replaced instead?
>
> I handled this by:
> option forwardfor
> reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2
>
> However, this does not work well with https connections, when it is
> stunnel, not haproxy, that adds X-Forwarded-For. I had been thinking about
> adding a possibility to rename everything except the first/last header, but as
> I got stuck with other tasks lately I haven't touched this problem yet.
>
> Best regards,
>
> Krzysztof Olędzki
>
Received on 2007/12/20 14:39
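
An added example, not part of the original thread and not mod_rpaf's or HAProxy's own code: one way a backend can resolve the client address whether X-Forwarded-For arrives as several header lines or as one comma-separated line, by walking the hops right to left and stopping at the first address that is not one of its own proxies. The trusted network 10.0.0.0/8 and the peer address are constructed assumptions; the header values are the ones used in the thread.

```python
import ipaddress

# Assumption: networks of the proxies we operate (HAProxy, stunnel). Constructed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr):
    """True if addr parses as an IP inside one of our proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def flatten_xff(headers):
    """headers: (name, value) pairs in wire order -> hops, oldest first.

    Repeated header lines and a comma-separated value are equivalent,
    so both forms collapse into the same list.
    """
    hops = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            hops.extend(p.strip() for p in value.split(",") if p.strip())
    return hops


def client_address(peer, headers):
    """Address to log or apply ACLs to for a connection from `peer`."""
    if not is_trusted(peer):
        return peer  # direct connection: the header is client-controlled
    candidate = peer
    for hop in reversed(flatten_xff(headers)):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last validated address
        candidate = hop
        if not is_trusted(hop):
            break  # everything further left was supplied by the client
    return candidate


# Constructed request: the client sent two values, our proxy appended 3.4.5.6.
SAMPLE = [("Host", "example.org"),
          ("X-Forwarded-For", "1.2.3.4"),
          ("X-Forwarded-For", "2.3.4.5"),
          ("X-Forwarded-For", "3.4.5.6")]
```

Only the right-most untrusted hop was observed by a proxy under your control; entries to its left are whatever the client chose to send.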