14

I have a problem with an HAProxy server. I want to forward the client IP in a header. I have almost done it, but there is an interesting case that I can't figure out. I need to write the client IP in 2 places in the header, in the X-CLIENT-IP and X-FORWARDED-FOR tags.

The problem is: When I use

option http-server-close
option forwardfor

On the target server I see X-FORWARDED-FOR=xxx.xxx.xxx.xxx (client IP) in the header, but there is no x-client-ip header.

When I use:

option forwardfor header X-Client-IP
option http-server-close

On the target server I see the header X-CLIENT-IP=xxx.xxx.xxx (client IP) but X-FORWARDED-FOR=xxx.xxx.xxx.xxx (HAProxy IP).

On the target I need to see a header where X-CLIENT-IP and X-FORWARDED-FOR both have the value of the client IP.

I tried to mix configurations like

 option forwardfor
 option forwardfor header X-Client-IP
 option http-server-close

No effect. I also cannot install any modules. The target is IIS.

Any ideas? :(

KacproSo

6 Answers

15

You can try setting up custom header, like this:

http-request set-header X-Client-IP %[src]

Or, you can even copy it from X-Forwarded-For header, I think syntax would go something like:

http-request set-header X-Client-IP req.hdr_ip([X-Forwarded-For])
Jakov Sosic
  • Second option gives me in header x-client-ip=req.hdr_ip(%5bX-Forwarded-For%5d), so something is wrong. But I'll try the first one. – KacproSo Sep 15 '15 at 09:17
  • First resolution http-request set-header X-Client-IP %[src] works perfect. – KacproSo Sep 15 '15 at 10:21
  • Last example is wrong, the right rule is: http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)] – rfmoz Aug 19 '19 at 08:59
  • X-Client-IP and X-Forwarded-For have different purposes. It's not safe to copy X-Forwarded-For, because HAProxy can return value sent by client. – Der_Meister Sep 10 '19 at 04:45
8

If you want to use both, you'll need to add the second with an http-request keyword.

# add X-FORWARDED-FOR
option forwardfor
# add X-CLIENT-IP
http-request add-header X-CLIENT-IP %[src]
GregL
  • I think set-header is better to remove malicious headers sent from client. – Der_Meister Sep 10 '19 at 04:40
  • @Der_Meister You might be right, but I don't see how that has any relevance to this question or answer. Care to elaborate? – GregL Sep 10 '19 at 13:33
  • The purpose of X-Client-IP header is to tell backend the real IP address of the connection, not a random value from an incoming header. It's not mentioned in the question, I just want to warn future readers. – Der_Meister Sep 10 '19 at 18:29
  • Again, you might be right but in this example, the `X-CLIENT-IP` isn't being set by the client, but rather by HAProxy based on the source IP. I'd suggest leaving these comments on questions where it *is* relevant so as not to confuse readers. – GregL Sep 10 '19 at 20:47
  • `add-header` doesn't remove the `X-CLIENT-IP` that may have been set by the client. This is why @Der_Meister recommended using `set-header` instead. I suggest editing your answer to use `set-header` instead. – pistache Nov 22 '19 at 11:24
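
An added example, not part of any answer above and not HAProxy's own code: a small Python model of the difference the comments describe between `add-header` and `set-header` when the request already carries an `X-Client-IP` header. The header-list model, the helper names and the sample addresses are constructed for illustration, and a backend that trusts the first occurrence of a header is an assumption.

```python
# Toy model of proxy header rewriting (added example, not HAProxy code).
# Headers are an ordered list of (name, value) pairs because a request
# may carry the same header name more than once.

def add_header(headers, name, value):
    """Model of 'http-request add-header': append, keep what is there."""
    return headers + [(name, value)]

def set_header(headers, name, value):
    """Model of 'http-request set-header': remove every existing
    occurrence of the name first, then add exactly one value."""
    kept = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return kept + [(name, value)]

def all_values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]

def first_value(headers, name):
    # Assumption: the backend trusts the first occurrence it finds.
    values = all_values(headers, name)
    return values[0] if values else None

# Constructed sample: the TCP peer is 203.0.113.7, but the request
# already carries an X-Client-IP header chosen by the sender.
SRC = "203.0.113.7"
INCOMING = [("Host", "app.example"), ("x-client-ip", "10.0.0.1")]

def compare(incoming=INCOMING, src=SRC):
    via_add = add_header(incoming, "X-Client-IP", src)
    via_set = set_header(incoming, "X-Client-IP", src)
    return {
        "add-header": all_values(via_add, "X-Client-IP"),
        "set-header": all_values(via_set, "X-Client-IP"),
        "backend_sees_with_add": first_value(via_add, "X-Client-IP"),
        "backend_sees_with_set": first_value(via_set, "X-Client-IP"),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the append behaviour the sender's value stays in the request next to the proxy's, so what the backend logs depends on which occurrence it reads; with the replace behaviour only the connection's source address remains.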
1

Suggested answer above that did not work for KacproSo just needed to read the value by adding &[...], so this should work fine:

http-request set-header X-Client-IP %[req.hdr_ip([X-Forwarded-For])]
Thomas
user489680
  • With this one you get the last IP on the list. The client IP is the first one so, get it with their number position: `http-request set-header X-Client-IP %[req.hdr_ip([X-Forwarded-For,1])]` – rfmoz Apr 09 '21 at 10:03
1

Trying on HAProxy 1.7, this is the correct syntax that makes this work, without the square brackets around X-Forwarded-For:

   http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]
0

this one works best for me:

backend example
    mode http
    option forwardfor
    http-request set-header X-Forwarded-For %[src]
kabanus
-2

You can install a module called mod_rpaf on your backend server(s). This copies the X-FORWARDED-FOR IP to the X-CLIENT-IP. For more information see this. On Windows you should have similar modules, something like X-Forwarded-For ISAPI filters.

Jeroen