Hi all, I'm seeing some odd behaviour with our haproxy balancer and am
looking for some insights.
The setup:
I have a webserver that is behind two haproxy balancers (version 1.5.18 on
EL7), which are behind CloudFlare. In effect the request goes
client->CF->haproxy1->haproxy2->server.
On both haproxy balancers I have "option forwardfor" and "capture request
header X-Forwarded-For len 128" set. On the server I also capture
X-Forwarded-For
Now here is where the odd behaviour (*highlighted*) happens:
* haproxy1 logs the full X-Forwarded-For header.
* *haproxy2 only logs the IP of the CF proxy (the last address in
X-Forwarded-For)*
* server logs the full X-Forwarded-For header.
* If I turn off "option forwardfor" on haproxy1, then haproxy2 logs the
full header as received by CF.
* Changing the length of the capture request does not seem to make a
difference.
* I noticed that haproxy uses spaces after the comma between the header
entries, but CF does not. I tried replicating this issue with a direct
curl request to haproxy2 replicating the x-forwarded-for header that
haproxy1 would have sent, and I cannot reproduce the issue.
The only thing that I notice is that CF
Am I missing something obvious here? Below are the full options I'm using
on haproxy1 and haproxy2. Everything after that is ACLs
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
frontend http *:80
mode http
reqadd X-Forwarded-Proto:\ https
redirect scheme https code 301
frontend https
bind *:443 ssl crt /etc/pki/tls/certs/hacert.pem
mode http
capture request header Host len 50
looking for some insights.
The setup:
I have a webserver that is behind two haproxy balancers (version 1.5.18 on
EL7), which are behind CloudFlare. In effect the request goes
client->CF->haproxy1->haproxy2->server.
On both haproxy balancers I have "option forwardfor" and "capture request
header X-Forwarded-For len 128" set. On the server I also capture
X-Forwarded-For
Now here is where the odd behaviour (*highlighted*) happens:
* haproxy1 logs the full X-Forwarded-For header.
* *haproxy2 only logs the IP of the CF proxy (the last address in
X-Forwarded-For)*
* server logs the full X-Forwarded-For header.
* If I turn off "option forwardfor" on haproxy1, then haproxy2 logs the
full header as received by CF.
* Changing the length of the capture request does not seem to make a
difference.
* I noticed that haproxy uses spaces after the comma between the header
entries, but CF does not. I tried replicating this issue with a direct
curl request to haproxy2 replicating the x-forwarded-for header that
haproxy1 would have sent, and I cannot reproduce the issue.
The only thing that I notice is that CF
Am I missing something obvious here? Below are the full options I'm using
on haproxy1 and haproxy2. Everything after that is ACLs
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
frontend http *:80
mode http
reqadd X-Forwarded-Proto:\ https
redirect scheme https code 301
frontend https
bind *:443 ssl crt /etc/pki/tls/certs/hacert.pem
mode http
capture request header Host len 50