On Thu, 20 Dec 2007, Willy Tarreau wrote:
> Hi all,
>
> On Thu, Dec 20, 2007 at 01:38:37PM +0100, Krzysztof Oledzki wrote:
>> On Thu, 20 Dec 2007, Jean-Baptiste Quenot wrote:
>>
>>> Hi there,
>> Hi,
>>
>>> I'm using the forwardfor option so that haproxy adds the originating
>>> IP in the X-Forwarded-For http request header. This works great, but
>>> sometimes the request already has an X-Forwarded-For header, and ip
>>> addresses get appended, like:
>>>
>>> X-Forwarded-For: 1.2.3.4, 2.3.4.5, 3.4.5.6
>>
>> As far as I know haproxy adds additional X-Forwarded-For headers, so it
>> would rather look like:
>> X-Forwarded-For: 1.2.3.4
>> X-Forwarded-For: 1.2.3.5
>> X-Forwarded-For: 3.4.5.6
>
> Yes, haproxy does this because it is quite dumb when adding headers.
> RFC2616 recommends that multiple identical headers are merged in a
> single one delimited by commas like Jean-Baptiste reported, but this
> is not mandatory, and I personally find it easier to add one line at
> the end than to insert at the end of an existing header (but this
> may change in the future).
>
> In fact, the real problem is that apache should provide the ability
> to select which one you want to log (first, first+1, first+2... or
> last-2, last-1, last). But I will not blame apache for this, as the
> captures in haproxy just focus on the first occurrence as well.
>
>>> As multiple values are impractical to handle in Apache and awstats, do
>>> you think it makes sense to add an option in haproxy so that the
>>> X-Forwarded-For header is replaced instead?
>>
>> I handled this by:
>> option forwardfor
>> reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2
>
> Other people do simply remove the original x-forwarded-for headers when it
> comes from the internet (it's caused either by some internal address leaks
> from poorly configured proxies, or by malicious attackers who try to fool
> logs) :
>
> option forwardfor
> reqidel ^X-Forwarded-For:
Yes, this is another solution. ;)
>> However, this does not work well with https connections, when it is
>> stunnel not haproxy that adds X-Forwarded-For. I had been thinking about
>> adding a possibility to rename everything except first/last header but as
>> I get stuck with other tasks lately I haven't touched this problem yet.
>
> If you know that you always have stunnel before your frontend, simply don't
> add the header. If you have to use the same frontend for stunnel and public
> addresses, the solution is to use the "except" argument of the forwardfor
> option :
>
> option forwardfor except 127.0.0.0/8
>
> (if stunnel is on the same machine).
> It will add the header except if the TCP connection comes from any host in
> the specified network. You can only specify one network though, but generally
> your stunnel or apache proxies are located on a given LAN, most commonly a
> private one.
The problem is that X-Forwarded-For may be added before stunnel. So, it would be useful to remove _all_ X-Forwarded-For headers except the one added by stunnel.
Best regards,
Krzysztof Olędzki

Received on 2007/12/20 22:19
This archive was generated by hypermail 2.2.0 : 2007/12/20 22:30 CET
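The two problems the thread raises, repeated or comma-merged X-Forwarded-For headers and forged ones arriving from the internet, handled on the receiving side the way Krzysztof describes: keep only the hop added by a trusted proxy such as stunnel. This is an added example, not code from the thread or from haproxy; the sample header lines, the peer addresses and the trusted networks are constructed for illustration.

```python
import ipaddress

# Constructed sample: the repeated-header form haproxy emits, as shown
# in the thread, with a second header that is itself comma-merged.
SAMPLE_HEADERS = [
    "Host: example.invalid",
    "X-Forwarded-For: 1.2.3.4",
    "x-forwarded-for: 2.3.4.5, 3.4.5.6",
]
# Assumed trust: stunnel on the same box (matches "except 127.0.0.0/8")
# plus a private LAN where other proxies live.
TRUSTED_NETS = ["127.0.0.0/8", "10.0.0.0/8"]


def xff_hops(raw_headers):
    """Return every X-Forwarded-For value in wire order, whether the
    values arrived comma-merged in one header or as repeated headers."""
    hops = []
    for line in raw_headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            hops.extend(v.strip() for v in value.split(",") if v.strip())
    return hops


def client_ip(raw_headers, peer_ip, trusted_nets=TRUSTED_NETS):
    """Pick the client address without believing what the internet wrote.

    The chain is [XFF values..., TCP peer]. Walking from the right, a hop
    is believed only while it is one of our own proxies; the first hop that
    is not ours is the real client. Everything further left was written by
    an untrusted party and is ignored. Returns None if a hop we would have
    to trust is not a valid address.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    chain = xff_hops(raw_headers) + [peer_ip]
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(ip in net for net in trusted):
            return str(ip)
    return str(ipaddress.ip_address(chain[0]))  # whole chain is internal


if __name__ == "__main__":
    # Via stunnel on localhost: the value stunnel appended (3.4.5.6) wins;
    # the earlier 1.2.3.4 and 2.3.4.5 could have been forged and are ignored.
    print(client_ip(SAMPLE_HEADERS, "127.0.0.1"))    # 3.4.5.6
    # Straight from the internet with a forged header: the TCP peer wins.
    print(client_ip(SAMPLE_HEADERS, "203.0.113.9"))  # 203.0.113.9
```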