Re: X-Forwarded-For header chaining

From: Miguel Pilar Vilagran <miguel.pilar#apex.pr>
Date: Wed, 2 Sep 2009 17:06:01 -0400

On 9/2/09 4:43 PM, "Willy Tarreau" <w#1wt.eu> wrote:

On Wed, Sep 02, 2009 at 05:17:28PM +0200, Alexander Staubo wrote:
> On Wed, Sep 2, 2009 at 3:31 PM, Miguel Pilar
> Vilagran<miguel.pilar#apex.pr> wrote:
> > I am seeing (with option forwardfor) that HAProxy is replacing
> > X-Fowarded-For instead of chaining the proxy chain. I know it's not an RFC
> > but the defacto standard is to chain the proxies by appending to the header.
> > For my usage it is not necessary but thought I'd point it out (Varnish also
> > doesn't handle the header properly but there's a workaround in VCL for it).
> >
> > Is there a setting for this that I am missing?

Miguel, there might be something special in your config, because "option forwardfor" only appends a header, it does not remove it at all. If you want haproxy to remove the existing header, you have to explicitly tell it to do so using reqidel.

> The issue is that X-Forwarded-For can be spoofed by clients, and to
> prevent this, the proxy would need a list of upstream IPs for which it
> will trust the X-Forwarded-For header and chain it.
>
> We would very much like this functionality as well. We are in a
> situation where we're using HAProxy simply to bounce requests onwards
> to another HAProxy (for legacy issues related to IP address
> ownership), and we've had to modify our app since the client IPs are
> sometimes no longer available.

The problem with this header (and a few others such as Via) is that it can appear multiple times, but it must always be chained in the correct sequence. Haproxy respects this. However I've already seen some applications using any random occurrence of the header, instead of the one which corresponds to the proxy position in their architecture. For instance, if there are 2 proxies before the application, the application must use occurrence N-2 where N is the number of occurrences of the header, to find the original client's IP address.

Hoping this helps,
Willy

Willy what I meant by chaining is what Squid does, which is not append another header but if a header exists it appends the proxy IP to a comma+space separated list that may be on the header.

See here: http://en.wikipedia.org/wiki/X-forwarded-for

I guess this can be done with some req* magic in HAProxy. 

--
Miguel Pilar
Received on 2009/09/02 23:06

This archive was generated by hypermail 2.2.0 : 2009/09/02 23:15 CEST