How to get IP of backend selected? - haproxy

I am using HAProxy with multiple backends and some ACLs to select a backend. I want my client (for testing purposes, etc.) to know the IP of the backend that was selected.
For example, the client sends a request to HAProxy, which load-balances between IP A and IP B. In the response header, I want the IP of A if A was selected by HAProxy, and the IP of B if B was selected. I know of %[dst], but it returns the IP of the HAProxy server instead.
Right now I'm putting http-response set-header X-Forwarded-Host %[dst]:%[dst_port] in the frontend, and it is returning the IP and port of HAProxy.

Found the answer: it's %si:%sp. See cbonte.github.io/haproxy-dconv/1.7/configuration.html#8.2.4
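The %si:%sp answer in context, as an added example that is not part of the original post. Backend and server names, all addresses, the X-Backend-Server header name and the test-network ACL are assumptions; the header is limited to an assumed test network because it discloses internal server addresses to whoever receives it.

```haproxy
# Added example: names, addresses and the header name are constructed.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_main
    bind :80
    acl is_api path_beg /api
    # Only hosts on the (assumed) test network may see backend details.
    acl from_test_net src 10.0.50.0/24

    # %[dst] is the address the client connected to (HAProxy itself),
    # so this never identifies the selected server:
    #   http-response set-header X-Forwarded-Host %[dst]:%[dst_port]

    # %si / %sp: IP and port of the server that handled the request.
    # %b / %s:   name of the selected backend and server.
    http-response set-header X-Backend-Server %b/%s=%si:%sp if from_test_net
    # For everyone else, drop any header of that name sent by the server.
    http-response del-header X-Backend-Server unless from_test_net

    use_backend be_api if is_api
    default_backend be_web

backend be_web
    balance roundrobin
    server web_a 10.0.0.11:8080 check
    server web_b 10.0.0.12:8080 check

backend be_api
    balance roundrobin
    server api_a 10.0.0.21:8080 check
    server api_b 10.0.0.22:8080 check
```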

Related

Communication fail between Zabbix-Proxy and Server at port 10051 in a k8s cluster with HAProxy

I have a communication problem between Zabbix Proxy and Zabbix Server at port 10051. I'm using HAPROXY version 2.0.13. Here is my Kubernetes scenario:
HAPROXY is working fine when I access my website zabbix.domain.com at ports 80 and 443.
Zabbix-Proxy has a parameter "Server" that I set to the IP address of worker-1, and the communication works fine, but this happens because the traffic doesn't pass through the HAPROXY server. When I try to set the Server parameter to my domain address zabbix.domain.com, which goes to my HAPROXY server, the communication doesn't work; it gives the impression that HAPROXY can't handle the request.
zabbix_proxy.conf: works with the worker-1 IP address, but doesn't work with the domain name.
The domain name, as I said, points to the HAPROXY server (10.0.0.110). I think the zabbix-proxy is trying to reach port 10051 of the HAPROXY server, and HAPROXY can't deal with the requests to forward them to my worker node.
This is my HAPROXY configuration. I tested with frontend and backend, but now I have just rewritten it with the Listen parameter.
    listen zabbix
        mode tcp
        bind :10051
        option forwardfor
        server worker-1 10.10.10.112:10051 check
        server worker-1 10.10.10.113:10051 check
        server worker-1 10.10.10.114:10051 check
Can someone help? Is there some way to point to my website zabbix.domain.com and have HAProxy handle the request and send it to my worker-1 on port 10051? Please tell me if you need more information.

HaProxy forward the source IP to the backend server

I have the following HaProxy configuration:
    frontend smtp
        bind :25 accept-proxy
        default_backend smtp_backend

    backend smtp_backend
        mode tcp
        timeout server 1m
        timeout connect 5s
        server srv1 127.0.0.1:2500 send-proxy check maxconn 500
That is behind a Load Balancer (AWS). I need to know the IP of the Load Balancer.
Looking at the logs on HaProxy, I have the following lines:
Jul 1 16:00:03 ip-172-31-1-100 haproxy[10350]: Connect from 172.31.1.5:35040 to 172.31.1.100:25 (smtp/TCP)
So HaProxy gets the proper source IP of the Load Balancer (I'm not looking for the client at that level).
But when showing the IP/Port on the destination server, I get the local IP : 127.0.0.1.
I suspect it's because of server srv1 127.0.0.1:2525 send-proxy check maxconn 500 line, but how can I get the IP of the Load Balancer on my end server?
Thank you in advance!
(note: Once the connection is established, AWS Target Group sends me a Proxy v2 command that allows me to get the client IP address, and this works, but I first need to get that 172.31.1.5 IP from the Load Balancer).
Unfortunately, HAProxy will only support IP forwarding in HTTP mode, through some headers.
In your case, you need to use a specially compiled HAProxy: TProxy.
Docs: https://www.haproxy.com/blog/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/
This will support forwarding the client IP (the AWS load balancer IP in your case) even in TCP mode.

Using haproxy to forward or redirect a URL

I am looking to perform something quite simple.
Using haproxy I would like to forward any requests from the URL http://webmail.rutest.org or https://webmail.rutest.org to https://outlook.com/rutest.org
BASICALLY:
We currently own the domain rutest.org. What I intend to do is create a DNS "A" record for "webmail" IP address 24.103.122.18. This will then go to a FortiGate Router which has 2 port forwarding rules for 80 and 443 to an internal IP address 10.1.1.18. 10.1.1.18 will be the haproxy server. Once that request gets there, I want haproxy to say ok, you want http://webmail.rockefeller.edu or https://webmail.rockefeller.edu then send the user to https://outlook.com/rutest.org
The user's browser should then reflect this URL redirection.
Can this be done? If so, what are the entries needed in the haproxy.cfg?
You can try the following, untested.
    listen webmail
        bind :80 v4v6
        # here should be your certificates
        bind :::443 v4v6 alpn h2,http/1.1 ssl crt /etc/ssl/haproxy/
        # anonymous ACLs must be wrapped in braces
        http-request redirect location https://outlook.com/rutest.org if { hdr(host) -i webmail.rockefeller.edu }
The documentation: http-request redirect

HAProxy redirect port and mask url

I have a couple of webservers that are reachable directly through the following URL:
https://abcd.example.com:8445/desktop/container/landing.jsp?locale=en_US
https://wxyz.example.com:8445/desktop/container/landing.jsp?locale=en_US
I need to use HAProxy to loadbalance between the two and use the following URLs instead when hitting the frontend:
http://1234.example.com/desktop/container/landing.jsp?locale=en_US
or
https://1234.example.com:8445/desktop/container/landing.jsp?locale=en_US
So other requirements beside the two above:
If initial traffic is port 80, convert to port 8445
Mask the URL so that on the browser while it redirected to https and port to 8445, the host remains intact, like so: https://1234.example.com:8445/desktop/container/landing.jsp?locale=en_US
Here's my config so far:
    frontend WebApp_frontend
        mode http
        bind 10.4.34.11:80
        acl is80 dst_port 80
        http-request set-uri https://%[req.hdr(Host)]:8445%[path]?%[query] if is80
        # must match the backend section name below
        default_backend WebApp_backend

    backend WebApp_backend
        description WebApp
        balance roundrobin
        mode http
        server webserver1 10.2.89.222:8445 check inter 5s fall 3 rise 5 downinter 1m ssl verify none
        server webserver2 10.4.89.223:8445 check inter 5s fall 3 rise 5 downinter 1m ssl verify none
The problem I'm facing right now is that when you access the frontend, HAProxy will redirect you to any of the webservers and force your client to hit the webserver directly instead of through the HAProxy. I need the connection to remain through the HAProxy.
If all your application is doing is redirecting to HTTPS, then you should probably just handle that directly within HAProxy. You might also want to explore whether your application supports X-Forwarded-Proto and X-Forwarded-Host.
Another option is you can have HAProxy rewrite the redirects from the backend application to the hostname you choose. Using HAProxy 2.1 you would do something like this:
http-response replace-header location https?://[^:/]*(:?[0-9]+/.*) https://1234.example.com\1 if { status 301:302 }

can we set our ip address to be used in Perl SSLeay request?

I'm modifying CGIProxy to be able to pass the client IP address to the remote/target, so the remote will identify that the request is from the client (not the proxy server). Is it possible to do this? CGIProxy uses SSLeay for sending requests to SSL servers. But I need to pass the client IP address through all protocols provided (http, https, ftp). I don't really understand either the proxy concept or network programming.
Usually a proxy is not source-transparent, e.g. it will have its own address as the client address in the connection to the target server and not the original client address. This is especially true for a CGI script working as a proxy, as in your case. This behavior is independent of using a TLS or a plain TCP connection.
But some (often misconfigured) servers check for an X-Forwarded-For request header to determine the original client IP. This header can be set from inside the proxy, but again this is independent from using TLS or plain TCP.