RE: Client source IP visibility

Tue, 17 Jul 2012 07:23:27 -0700 

Hi Edison,

I think it would be doable with X-Forwarded-For as workaround in some
cases.

For Apache:
-----------------------------------------------------
<Location "/only_proxy/">
        SetEnvIf X-Forwarded-For ^10\.1\.1\. proxy_env
        Order allow,deny
        Satisfy Any
        Allow from env=proxy_env
</Location>
-----------------------------------------------------

I also found this in the CloudStack Docs:
http://wiki.cloudstack.org/display/COMM/Log+the+IP+of+the+client+in+Apache
+using+the+CloudStack+LoadBalancer

For nginx there is a HttpRealipModule for stuff like that.

But for our customers this would mean they have to adapt their
applications and they would need to test and accept this solution in the
POC.
We would definitively like to see a solution which wouldn’t require on the
application side.

Regards,
Fabrice

--
Fabrice Brazier
Apalia™
FR: +33-632-73-53-00
http://www.apalia.net
fabrice.braz...@apalia.net


-----Message d'origine-----
De : Edison Su [mailto:edison...@citrix.com]
Envoyé : lundi 16 juillet 2012 19:54
À : cloudstack; cloudstack-us...@incubator.apache.org
Objet : RE: Client source IP visibility



> -----Original Message-----
> From: Fabrice Brazier [mailto:fabrice.braz...@apalia.net]
> Sent: Monday, July 16, 2012 1:56 AM
> To: cloudstack-us...@incubator.apache.org
> Cc: cloudstack
> Subject: Client source IP visibility
>
> Hi Folks,
>
>
>
> we need a way of configuring CloudStack load balancing with the
> integrated ha-proxy load balancer without hiding the client (source)
> IP.
>
> We see TPPROXY feature as a way of doing this, see
> http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-
> full-transparent-proxy/
> .
>
>
>
> Does this functionality is already implemented ? Will be in the future?
>

It needs special kernel, not sure it works in debian squeeze kernel or
not.

>
>
> A possible workaround would be to use the "X-Forwarded-For" header for
> filtering IP addresses.

"option forwardfor" is already in haproxy configuration file, by default.
Doesn't it work for you? If not, please fire a bug.

>
>
>
> Thanks,
>
> Fabrice
>
>
>
> --
> Fabrice Brazier
> *Apalia*(tm)*
> *FR: +33-632-73-53-00
> *http://www.apalia.net
> fabrice.braz...@apalia.net*

Reply via email to