Hi Mark,
On 17-10-2018 at 23:36, Mark Holmes wrote:
> Question: We have some web apps which are behind an haproxy load
> balancer, with TLS being terminated on the server rather than at the
> balancer (so using tcp mode). The web server logs are recording the
> source IP as that of the load balancer as expected. I now have a
> requirement to pass the ‘real’ IP address through to the web
> application and also record it in the webserver logs. Currently, with
> other applications where TLS is terminated at the balancer and we are
> using http mode to connect to the backend web servers I use
> X-FORWARDED-FOR to pass through the ‘real’ IP address but obviously
> that won’t help me when using TCP mode. I read some stuff about using
> the PROXY protocol, but I’m running IIS 8.5 and as far as I can tell
> it doesn’t support PROXY. Am I correct?
>
> My other option appears to be to switch to transparent proxying. I
> have verified the kernel I’m using is compiled with TPROXY support as
> is haproxy itself. Before I go down this road – is transparent
> proxying the correct/best option here?
>
> Thanks in advance for any advice
> Mark

There are 3 options to let a webserver know the client-IP.
- forwardfor (only works with 'mode http' and needs webserver to know
  how to use that header)
- proxyprotocol (needs server to support it, and know how to use it.)
- TPROXY (needs routing for reply traffic through haproxy)

As you can see, each has its own disadvantages. And well, with the
first 2 already ruled out, the 3rd is your only option (that I know of
anyhow).

Regards,
PiBa-NL (Pieter)
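
The three options listed in the reply above, written out as haproxy configuration. This is an added example, not part of the original thread or from its authors; the section names (`fe_*`, `be_*`), the certificate path, and the 192.0.2.x backend address are placeholders chosen for illustration.

```haproxy
# --- Option 1: forwardfor -------------------------------------------
# Works only in 'mode http', so TLS has to be terminated at haproxy.
# haproxy adds an X-Forwarded-For header; the web server must be
# configured to log/use that header, and should only honour it on
# connections that arrive from the balancer.
frontend fe_https_terminated
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # placeholder path
    option forwardfor
    default_backend be_http

backend be_http
    mode http
    server web1 192.0.2.10:80 check

# --- Option 2: PROXY protocol ---------------------------------------
# Works in 'mode tcp' (TLS still terminated on the web server).
# haproxy prepends a PROXY header carrying the client address to each
# connection. The backend must support and parse the PROXY protocol;
# a server that does not will see the header as garbage ahead of the
# TLS handshake.
frontend fe_tls_passthrough_proxy
    mode tcp
    bind :8443
    default_backend be_tcp_proxy

backend be_tcp_proxy
    mode tcp
    server web1 192.0.2.10:443 send-proxy check

# --- Option 3: TPROXY (transparent proxying) ------------------------
# Works in 'mode tcp' and needs nothing from the web server: haproxy
# opens the backend connection using the client's IP as source address.
# Requires haproxy and the kernel to be built with TPROXY support, and
# the backend's reply traffic must be routed back through the haproxy
# host (for example by making it the backend's default gateway).
frontend fe_tls_passthrough_transparent
    mode tcp
    bind :9443
    default_backend be_tcp_transparent

backend be_tcp_transparent
    mode tcp
    source 0.0.0.0 usesrc clientip
    server web1 192.0.2.10:443 check
```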