Hello,
On 23/07/2020 at 14:34, Willy Tarreau wrote:
Hi Arnall,
On Tue, Jul 21, 2020 at 01:27:31PM +0200, Arnall wrote:
Hello everyone,
I remember that in the past it was strongly discouraged to use http-reuse in
combination with send-proxy, because of the client IP which is provided by
the proxy protocol.
I have this configuration:
HA-Proxy version 2.0.14-1~bpo9+1 2020/04/16 - https://haproxy.org/
defaults
    http-reuse always
backend abuse
    timeout server 60s
    balance roundrobin
    hash-balance-factor 0
    server s_abuse [email protected] send-proxy-v2 maxconn 4
listen l_abuse
    bind [email protected] accept-proxy
    http-request set-var(req.delay) int(500)
    http-request lua.add_delay
    server xxxx 192.168.000.aaa:80 maxconn 1
    server yyyy 192.168.000.bbb:80 maxconn 1
    server zzzzz 192.168.000.ccc:80 maxconn 1
Is it OK? Because I have no warning when verifying the configuration, or
should I add a "http-reuse never" in "backend abuse"?
It is now properly dealt with, by marking the connection private, which
means it will not be shared at all. So what you'll see simply is that
there is no reuse for connections employing send-proxy. So your config
is safe, but you will just not benefit from the reuse.
Anyway it's generally not a good idea to use proxy protocol over HTTP
from an HTTP-aware agent. Better use Forward/X-Forwarded-for that passes
the info per request and that nowadays everyone can consume.
Regards,
Willy
Thank you for the answers/tips!
The abuse flow is an exception; for the regular flow we do indeed use
"forwardfor" in order to be able to use http-reuse with Varnish.
Regards.
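
The following is an added example, not part of the original thread and not HAProxy code. It shows from the receiving server's side why a connection carrying a PROXY v2 header must not be shared: the header is sent once per connection, while X-Forwarded-For travels with each request. Function names, addresses (documentation ranges) and the byte stream are constructed for illustration.

```python
import ipaddress
import struct

PP2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature

def pp2_header(src, dst, sport, dport):
    """Build a PROXY v2 header for TCP over IPv4, as sent at connection start."""
    addrs = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
             + struct.pack("!HH", sport, dport))
    return PP2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs

def parse_pp2(stream):
    """Return (source IP, remaining bytes); the header occurs once per connection."""
    if len(stream) < 16 or stream[:12] != PP2_SIG:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", stream[12:16])
    if ver_cmd != 0x21 or fam_proto != 0x11 or length < 12 or len(stream) < 16 + length:
        raise ValueError("only a complete v2 PROXY header for TCP/IPv4 is handled")
    return str(ipaddress.IPv4Address(stream[16:20])), stream[16 + length:]

def request(path, xff):
    """Constructed bodiless HTTP/1.1 request carrying a per-request client address."""
    return f"GET {path} HTTP/1.1\r\nHost: example.test\r\nX-Forwarded-For: {xff}\r\n\r\n".encode()

def attribute(stream):
    """For each request on one connection, return
    (path, client IP per PROXY header, client IP per X-Forwarded-For)."""
    conn_ip, rest = parse_pp2(stream)
    results = []
    for raw in filter(None, rest.split(b"\r\n\r\n")):
        lines = raw.decode("ascii").split("\r\n")
        headers = dict(line.split(": ", 1) for line in lines[1:])
        results.append((lines[0].split(" ")[1], conn_ip, headers.get("X-Forwarded-For")))
    return results

# Constructed capture: one server-side connection opened on behalf of client
# 203.0.113.10, then reused for a request from client 198.51.100.77. This is
# the sharing that marking send-proxy connections private rules out.
SHARED = (pp2_header("203.0.113.10", "192.0.2.1", 40000, 80)
          + request("/a", "203.0.113.10") + request("/b", "198.51.100.77"))

if __name__ == "__main__":
    for path, by_conn, by_header in attribute(SHARED):
        print(path, "PROXY header:", by_conn, "| X-Forwarded-For:", by_header)
```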