
On HAProxy instances running on K8s I need to block certain IP addresses manually on HAProxy. Currently I am already failing to log them. Per the AWS docs, the load balancers set the X-Forwarded-For request header and fill in the client's IP address.

When trying to log this header (and hence the client's IP), I always get empty strings with HAProxy versions 2.0.18 and 2.2.20. So I guess I misconfigured HAProxy. My config looks like:

global
    daemon
    maxconn 256
    log stdout format raw local0

defaults
    mode http

    option  httplog
    option  dontlognull

    timeout connect 15000ms
    timeout client 150000ms
    timeout server 150000ms

# Not referenced by any rule below; note that insecure-password keeps the secret in cleartext in the config file.
userlist global_auth
    user someuser insecure-password somepass

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/certs/myapp-de.pem/cert_bundle_key.pem alpn h2,http/1.1

    option  httplog
    option  dontlognull

    # HAProxy matches header names case-insensitively (HTTP/2 lowercases them on the wire),
    # so the second capture is a duplicate of the first; both are kept so that
    # capture.req.hdr(1) in the log-format below stays valid.
    capture request header X-Forwarded-For len 500
    capture request header x-forwarded-for len 500

    # %hr / %hrl print all captured request headers; capture.req.hdr(N) prints one by index.
    log-format "Headers = --%hr--, --%hrl-- | Headers2: --%[capture.req.hdr(0)]--, --%[capture.req.hdr(1)]--"
    log global

    acl host_ssl_exception hdr(host) -i jobs.myapp.com

    redirect scheme https code 301 if !{ ssl_fc } !host_ssl_exception

    # Several methods are listed space-separated; "POST|OPTIONS" is one literal that never matches.
    acl is_post method POST OPTIONS
    acl is_get  method GET

    default_backend myapp-web

backend myapp-web
    mode http
    compression algo gzip
    compression type text/html text/plain text/css application/javascript application/json
    # "check" enables health checks; "cookie check" would instead set a persistence cookie value of "check"
    # (and the backend has no cookie directive, so it would be ignored).
    server web1 myapp-web.myapp-${TRACK}.svc.cluster.local:80 maxconn 32 check

All but one backend removed. HTTPS and HTTP/2 enabled. The capture seems to fail, but currently I do not get why.

Jason Nerer

1 Answer


Add send-proxy to your server config line in the backend myapp-web config in order to receive the client's correct IP.

vautee
  • Thank you for your recommendation. Correct me, I guess `send-proxy` passes proxy-related headers to the backend. But that's not what I need to achieve. I need to block certain IP addresses already on the HAProxy. And HAProxy gets its requests from an AWS load balancer setup. And the AWS LBs set the `X-Forwarded-For` header, which I would like to use to block certain IP addresses already, before the requests hit my backends. – Jason Nerer Feb 06 '22 at 12:22
  • http-request set-header X-Forwarder-For %[src] – Orphans Feb 21 '22 at 14:49
  • This should work, atleast in 2.2.9 – Orphans Feb 21 '22 at 14:49
  • @Orphans: This forwards the `X-Forwarded-For` header to my backends, which is not what I would like to achieve. The issue is that the HAProxy, as the first machine in the line after a classic AWS load balancer, cannot even capture/log the `X-Forwarded-For` header, which should be set on the ELB. I want to filter traffic already on the HAProxy, so it does not even hit my backends, and I do not get why I don't see that header. – Jason Nerer Feb 21 '22 at 16:10
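The following is an added example, not taken from the question, the answer or the comments, of how the "log and block on the client IP behind an AWS load balancer" part can be written in HAProxy 2.x. Two facts about the AWS side matter for it: a Classic ELB or ALB adds X-Forwarded-For only on HTTP/HTTPS listeners, and a TCP listener (Classic ELB in TCP mode, or an NLB) adds no header at all but can be configured to send the PROXY protocol, which HAProxy reads with `accept-proxy` on the bind line. Which listener type sits in front of the instances in the question is not stated there, so the example handles both cases. On the HAProxy side the security point is that X-Forwarded-For is a comma-separated list that the client can pre-fill; only the rightmost entry was appended by the load balancer, so the block rule uses `req.hdr_ip(X-Forwarded-For,-1)` and never the first address. The block-list path /etc/haproxy/blocked-ips.lst, the `accept-proxy` flags and the reduced log-format are assumptions of this example, and the original redirect, userlist and compression lines are left out as unrelated to the capture.

```haproxy
# Added example (not the question's or the answer's config): HAProxy 2.x frontend
# that logs the load-balancer-supplied client IP and denies requests from a block list.
# Assumptions: the ELB/NLB in front is EITHER an HTTP/HTTPS listener (it then appends
# X-Forwarded-For) OR a TCP listener with PROXY protocol enabled (HAProxy then needs
# accept-proxy and %[src] becomes the real client). /etc/haproxy/blocked-ips.lst is a
# hypothetical file with one IP or CIDR per line.
global
    daemon
    maxconn 256
    log stdout format raw local0

defaults
    mode http
    option  httplog
    option  dontlognull
    timeout connect 15000ms
    timeout client 150000ms
    timeout server 150000ms

frontend http-in
    # accept-proxy ONLY if the load balancer listener actually sends PROXY protocol;
    # with it enabled, plain connections without the PROXY header are rejected.
    bind *:80 accept-proxy
    bind *:443 ssl crt /etc/certs/myapp-de.pem/cert_bundle_key.pem alpn h2,http/1.1 accept-proxy

    # One capture is enough: header lookups are case-insensitive, so this also
    # matches the lowercase form that HTTP/2 puts on the wire.
    capture request header X-Forwarded-For len 500

    # src      = TCP peer (the ELB, or the real client when PROXY protocol is in use)
    # xff      = the raw header as received (may be empty on a TCP listener)
    # client   = rightmost X-Forwarded-For entry, the only one the client cannot forge
    log-format "src=%[src] xff=--%[capture.req.hdr(0)]-- client=%[req.hdr_ip(X-Forwarded-For,-1)] %ST %r"
    log global

    # HTTP/HTTPS listener case: match the rightmost X-Forwarded-For address.
    acl blocked_xff req.hdr_ip(X-Forwarded-For,-1) -f /etc/haproxy/blocked-ips.lst
    # PROXY protocol case: there is no header, so match the connection source.
    acl blocked_src src -f /etc/haproxy/blocked-ips.lst
    # Deny at the edge so blocked clients never reach a backend.
    http-request deny deny_status 403 if blocked_xff || blocked_src

    default_backend myapp-web

backend myapp-web
    mode http
    server web1 myapp-web.myapp-${TRACK}.svc.cluster.local:80 maxconn 32 check
```

If the log still shows an empty xff field with this config and without `accept-proxy`, the listener in front is not adding the header (TCP mode), and the choice is between switching it to HTTP/HTTPS or enabling PROXY protocol on it and adding `accept-proxy` here; do not enable `accept-proxy` without the matching load balancer setting, since HAProxy then expects the PROXY header on every connection.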