Score:0

How to access X-Forwarded-For header on HAProxy behind AWS Loadbalancer

tl flag

On HAProxy instances running on K8S I need to block certain IP addresses manually on HAProxy. Currently I am already failing to log them. Per the AWS docs the load balancers set the X-Forwarded-For request header and fill in the client's IP address.

When trying to log this header (and hence the client's IP), I always get empty strings with HAProxy version 2.0.18 and 2.2.20. So I guess I misconfigured HAProxy. My config looks like:

global
    daemon
    maxconn 256
    log stdout format raw local0

defaults
    mode http

    option  httplog
    option  dontlognull

    timeout connect 15000ms
    timeout client 150000ms
    timeout server 150000ms

userlist global_auth
    user someuser insecure-password somepass

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/certs/myapp-de.pem/cert_bundle_key.pem alpn h2,http/1.1

    option  httplog
    option  dontlognull

    capture request header X-Forwarded-For len 500
    capture request header x-forwarded-for len 500

    log-format "Headers = --%hr--, --%hrl-- | Headers2: --%[capture.req.hdr(0)]--, --%[capture.req.hdr(1)]--"
    log global

    acl host_ssl_exception hdr(host) -i jobs.myapp.com

    redirect scheme https code 301 if !{ ssl_fc } !host_ssl_exception

    acl is_post method POST|OPTIONS
    acl is_get  method GET

    default_backend myapp-web

backend myapp-web
    mode http
    compression algo gzip
    compression type text/html text/plain text/css application/javascript application/json
    server web1 myapp-web.myapp-${TRACK}.svc.cluster.local:80 maxconn 32 cookie check

All but one backend removed. HTTPS and HTTP2 enabled. The capture seems to fail, but currently I do not get why.

Score:-1
kr flag

Add send-proxy to your server config line in the backend myapp-web config in order to receive the client's correct IP.

tl flag
Thank you for your recommendation. Correct me, but I guess `send-proxy` passes proxy-related headers to the backend. That's not what I need to achieve. I need to block certain IP addresses already on the HAProxy. And HAProxy gets its requests from an AWS load balancer setup. And the AWS LBs set the `X-Forwarded-For` header, which I would like to use to block certain IP addresses already, before the requests hit my backends.
cn flag
http-request set-header X-Forwarded-For %[src]
cn flag
This should work, at least in 2.2.9
tl flag
@Orphans: This forwards the `X-Forwarded-For` header to my backends, which is not what I would like to achieve. The issue is that the HAProxy, as the first machine in line after a classic AWS load balancer, cannot even capture/log the `X-Forwarded-For` header, which should be set on the ELB. I want to filter traffic already on the HAProxy, so it does not even hit my backends, and I do not get why I don't see that header.
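For reference, here is an added example configuration (not the asker's config and not from HAProxy's own documentation) that does what the question and the follow-up comments ask for: it captures and logs the client address that the AWS load balancer writes into X-Forwarded-For, and it denies requests from a blocklist in the frontend, before any backend is contacted. It assumes the ELB listener is in HTTP/HTTPS mode (a TCP listener passes the connection through without adding the header at all), that HAProxy is reachable only through that load balancer, and that the file path /etc/haproxy/blocked-ips.lst and the backend name are placeholders.

```haproxy
# Added example, not the original poster's config.
# Assumptions (not stated on the page):
#   - the AWS load balancer listener is HTTP/HTTPS, so it appends the
#     client IP to X-Forwarded-For
#   - HAProxy is reached only through that load balancer, so the
#     rightmost X-Forwarded-For entry is the one the ELB wrote
#   - /etc/haproxy/blocked-ips.lst holds one IP or CIDR per line (placeholder path)
global
    daemon
    maxconn 256
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 15000ms
    timeout client 150000ms
    timeout server 150000ms

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/certs/myapp-de.pem/cert_bundle_key.pem alpn h2,http/1.1

    # Capture the header once; HAProxy matches header names
    # case-insensitively, so a second capture of "x-forwarded-for"
    # only produces a duplicate slot.
    capture request header X-Forwarded-For len 500

    # Use the rightmost address (occurrence -1). Entries further left
    # may have been supplied by the client itself and must not be
    # trusted for a block decision.
    acl blocked_client req.hdr_ip(X-Forwarded-For,-1) -f /etc/haproxy/blocked-ips.lst

    # Log the TCP peer (the load balancer), the real client and the raw
    # captured header, so a missing header is visible in the log.
    log-format "lb=%ci client=%[req.hdr_ip(X-Forwarded-For,-1)] xff=--%[capture.req.hdr(0)]-- %HM %HU %ST"

    # Reject blocked clients here; the backend never sees the request.
    http-request deny deny_status 403 if blocked_client

    default_backend myapp-web

backend myapp-web
    server web1 myapp-web.myapp-${TRACK}.svc.cluster.local:80 maxconn 32
```

If the xff field in the log stays empty with this configuration, the header is not arriving at HAProxy at all, which points at the load balancer side (listener mode or header handling) rather than at the capture or ACL syntax.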