Re: Multiple X-Forwarded-For headers

From: Willy Tarreau <w#1wt.eu>
Date: Thu, 20 Dec 2007 22:03:29 +0100


Hi all,

On Thu, Dec 20, 2007 at 01:38:37PM +0100, Krzysztof Oledzki wrote:
> On Thu, 20 Dec 2007, Jean-Baptiste Quenot wrote:
>
> >Hi there,
> Hi,
>
> >I'm using the forwardfor option so that haproxy adds the originating
> >IP in the X-Forwarded-For http request header. This works great, but
> >sometimes the request already has an X-Forwarded-For header, and ip
> >addresses get appended, like:
> >
> >X-Forwarded-For: 1.2.3.4, 2.3.4.5, 3.4.5.6
>
> As far as I know haproxy adds additional X-Forwarded-For headers, so it
> would rather look like:
> X-Forwarded-For: 1.2.3.4
> X-Forwarded-For: 1.2.3.5
> X-Forwarded-For: 3.4.5.6

Yes, haproxy does this because it is quite dumb when adding headers. RFC2616 recommends that multiple identical headers are merged in a single one delimited by commas like Jean-Baptiste reported, but this is not mandatory, and I personally find it easier to add one line at the end than to insert at the end of an existing header (but this may change in the future).

In fact, the real problem is that apache should provide the ability to select which one you want to log (first, first+1, first+2... or last-2, last-1, last). But I will not blame apache for this, as the captures in haproxy just focus on the first occurrence as well.

> >As multiple values are impractical to handle in Apache and awstats, do
> >you think it makes sense to add an option in haproxy so that the
> >X-Forwarded-For header is replaced instead?
>
> I handled this by:
> option forwardfor
> reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2

Other people simply remove the original X-Forwarded-For headers when they come from the internet (they are caused either by internal address leaks from poorly configured proxies, or by malicious attackers who try to fool logs):

         option forwardfor
         reqidel ^X-Forwarded-For:

> However, this does not work well with https connections, when it is
> stunnel not haproxy that adds X-Forwarded-For. I had been thinking about
> adding a possibility to rename everything except first/last header but as
> I got stuck with other tasks lately I haven't touched this problem yet.

If you know that you always have stunnel before your frontend, simply don't add the header. If you have to use the same frontend for stunnel and public addresses, the solution is to use the "except" argument of the forwardfor option:

        option forwardfor except 127.0.0.0/8

(if stunnel is on the same machine).
It will add the header except if the TCP connection comes from any host in the specified network. You can only specify one network though, but generally your stunnel or apache proxies are located on a given LAN, most commonly a private one.

Best regards,
Willy

Received on 2007/12/20 22:03
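As an added example that is not part of this thread: the log-side selection Willy says Apache lacks (first, ..., last), written in Python for a downstream consumer of the headers haproxy forwards. It flattens both representations discussed above (one X-Forwarded-For per line as haproxy emits, or comma-merged as RFC 2616 prefers), then walks the chain from the right and skips addresses in the same trusted range you would hand to "except" (127.0.0.0/8 here); the sample headers and addresses are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample: a client on the internet sends a forged X-Forwarded-For,
# stunnel (on 127.0.0.1) appends the real client address, then haproxy with a
# plain "option forwardfor" appends stunnel's address as a third line.
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("X-Forwarded-For", "1.2.3.4, 2.3.4.5"),  # supplied by the remote client
    ("X-Forwarded-For", "203.0.113.7"),        # appended by stunnel
    ("X-Forwarded-For", "127.0.0.1"),          # appended by haproxy
]


def xff_chain(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Flatten every X-Forwarded-For header, whether repeated as separate lines
    or merged with commas, into one ordered list: leftmost is what the remote
    peer claimed, rightmost is what the proxy nearest to us appended."""
    chain: List[str] = []
    for name, value in headers:
        if name.lower() != "x-forwarded-for":
            continue
        chain.extend(p.strip() for p in value.split(",") if p.strip())
    return chain


def client_address(peer: str, headers: Iterable[Tuple[str, str]],
                   trusted_networks: Iterable[str]) -> Optional[str]:
    """Return the address worth logging for this request.

    peer is the TCP peer address of the connection we accepted, which cannot be
    forged by the client; trusted_networks lists our own proxies (the same
    range as forwardfor's "except"). Everything to the left of the first
    untrusted address in the chain was written by that untrusted party."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]

    def trusted(addr: ipaddress._BaseAddress) -> bool:
        return any(addr in n for n in nets)

    if not trusted(ipaddress.ip_address(peer)):
        return peer  # direct connection from outside: ignore any header it sent
    chain = xff_chain(headers)
    for item in reversed(chain):
        try:
            addr = ipaddress.ip_address(item)
        except ValueError:
            return None  # malformed entry: trust nothing to its left; log the peer instead
        if not trusted(addr):
            return str(addr)
    return chain[0] if chain else peer  # whole chain is our own proxies
```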

This archive was generated by hypermail 2.2.0 : 2007/12/20 22:15 CET