Re: option forwardfor except network issue

From: Willy Tarreau <>
Date: Fri, 26 Jun 2009 03:01:11 +0200

On Tue, Jun 16, 2009 at 04:06:36PM +0100, Sigurd Høgsbro wrote:
> Hello all,
> I'm trying to deploy haproxy as a replacement for the proxy-module in
> lighttpd 1.5svn (not yet released), and have managed to mostly configure
> it to my desires.
> I'm having problems getting haproxy to recognise all the RFC1918
> networks as exception subnets - what is the correct syntax to exclude
> all of the 10/8, 172.16/12, 192.168/16 networks from X-Forwarded-For
> header rewriting for a given frontend? Below is the start of my frontend
> stanza.
> Cheers,
> Sigurd
> listen http
> bind :80
> mode http
> option httpclose
> option forwardfor except
> option forwardfor except
> option forwardfor except

Only one network can be specified, so the last entry overrides the previous ones.

I think it would not be too hard to implement ACL-based "option forwardfor {if|unless} <rule>", which would solve your issue once and for all. Anyone interested in working on it?

In the meantime I have another solution. You can do that using two distinct backends:

frontend http

        bind                    :80
        mode                    http
        option httpclose
        acl private             src
        use_backend             http-private if private
        default_backend         http-public

backend http-public
        mode                    http
        option forwardfor

backend http-private
        mode                    http
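The following is an added example, not code from the thread or from HAProxy itself. It models the two-backend routing shown above in plain Python so the decision can be checked offline: an `acl private src` match against the three RFC1918 ranges named in the question, `use_backend http-private if private` with `default_backend http-public`, and the fact that only the public backend carries `option forwardfor` (which appends an `X-Forwarded-For` header carrying the client source address). The request headers and client addresses are constructed sample data; `ipaddress` is the Python standard library.

```python
import ipaddress

# The RFC1918 ranges the question asks to exclude; this list mirrors the
# network arguments of an "acl private src ..." line (constructed here).
RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_private(src: str) -> bool:
    """Emulates the 'private' ACL: true when src falls in any RFC1918 range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)


def select_backend(src: str) -> str:
    """Emulates 'use_backend http-private if private' / 'default_backend http-public'."""
    return "http-private" if is_private(src) else "http-public"


def forward_headers(src: str, headers):
    """Returns the header list the chosen backend would send upstream.

    http-public has 'option forwardfor', so an X-Forwarded-For header with the
    client source is appended; http-private has no forwardfor, so the headers
    pass through untouched (an internal proxy is trusted to have set it already).
    """
    out = list(headers)
    if select_backend(src) == "http-public":
        out.append(("X-Forwarded-For", src))
    return out


if __name__ == "__main__":
    # Constructed sample requests: one from an internal proxy, one from the
    # public Internet, one just outside the 172.16/12 boundary.
    samples = [
        ("10.1.2.3", [("Host", "www.example.test"),
                      ("X-Forwarded-For", "198.51.100.9")]),
        ("203.0.113.7", [("Host", "www.example.test")]),
        ("172.32.0.1", [("Host", "www.example.test")]),
    ]
    for src, hdrs in samples:
        print(src, "->", select_backend(src), forward_headers(src, hdrs))
```

Note that `172.32.0.1` is routed to `http-public`: the /12 ends at 172.31.255.255, which is the kind of boundary a prefix-based exception has to get right. Also, the private exception only suppresses HAProxy's own header; a backend reading `X-Forwarded-For` should still treat only the value added by the last trusted proxy as reliable, since earlier values in the header arrive from the client.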

