
Title: haproxy issue with forwarding client ip to backend - apache
Post by: aleks76 on September 17, 2023, 09:57:55 AM
Hi
I installed HAProxy with ACME and it works great; the only thing that is not working is forwarding the client IP to Apache on the backend — I see only the firewall IP as the source/client IP. Can someone help, please?
this is my config:

opnsense version: OPNsense 23.7.4-amd64
config:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

# Values inherited by every frontend/backend below unless overridden there.
defaults
    log     global
    option redispatch -1
    # 30s idle/connect/server timeouts apply to all proxies in this file.
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: HTTP_Frontend (Port 80)
# Receives the port-80 traffic relayed by SSL_Backend on the internal address
# 127.4.4.3. "accept-proxy" means the original client address arrives via the
# PROXY protocol and becomes "src" for the connection.
# NOTE(review): this port-80 bind also carries "ssl ... crt-list", so a plain
# HTTP connection relayed here would have to complete a TLS handshake; confirm
# the HTTP->HTTPS redirect below is actually reachable for cleartext clients.
frontend HTTP_Frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy ssl ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64fc8577517b08.93149937.certlist
    mode http
    option http-keep-alive
    # Adds X-Forwarded-For with the connection source, i.e. the client address
    # delivered by the PROXY protocol.
    option forwardfor

    # logging options
    # ACL: NoSSLCondition
    # True when the client connection to this frontend was itself TLS.
    acl acl_64ff73febf87d5.46667267 ssl_fc

    # ACTION: HTTP_to_HTTPS
    # Non-TLS requests are answered with a permanent redirect to https.
    http-request redirect scheme https code 301 if !acl_64ff73febf87d5.46667267

# Frontend: 0_SNI_Frontend (Listening 80 , 443)
# Public entry point. Runs in TCP mode (no TLS termination here) and hands
# every connection to SSL_Backend, which relays it to the HTTP frontends on
# 127.4.4.3 together with the client address via PROXY protocol v2.
frontend 0_SNI_Frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_Backend

    # logging options

# Frontend: HTTPS_Frontend (Port 443 SSL)
# TLS termination for the relayed port-443 traffic. "accept-proxy" makes the
# PROXY-protocol address the connection's "src", which is what "option
# forwardfor" then writes into X-Forwarded-For for the backends.
frontend HTTPS_Frontend
    # HSTS on every response: two years, subdomains included, preload-eligible.
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64ff7abb50d286.50202189.certlist
    mode http
    option http-keep-alive
    # Any X-Forwarded-For the client sent is passed through as well, so the
    # backend must trust only the value added by this proxy (right-most entry),
    # which is what a trusted-proxy list on the web server is for.
    option forwardfor

    # logging options

    # ACTION: PublicSubdomainsRules
    # NOTE: actions with no ACLs/conditions will always match
    # Backend is chosen by Host header (lower-cased) via a domain map file.
    # NOTE(review): no default_backend is set here, so a Host that is not in
    # the map presumably gets no backend (503) — confirm that is intended.
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64ff7468b93502.73063080.txt)]

# Backend: firstdomain ( firstdomain)
backend firstdomain
    # health checking is DISABLED
    mode http
    # Same client IP always reaches the same server; stickiness is kept in an
    # IP-keyed stick table for 30 minutes.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # NOTE(review): "verify none" encrypts the hop to 192.168.1.4 but does not
    # authenticate the server certificate; "verify required" with a ca-file
    # would make the backend connection tamper-resistant as well.
    server server1 192.168.1.4:443 ssl verify none

# Backend: acme_challenge_backend (Added by ACME Client plugin)
# Local ACME HTTP-01 responder on the firewall itself (loopback, port 43580).
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # Loopback target; certificate verification is skipped for this hop.
    server acme_challenge_host 127.0.0.1:43580 ssl verify none

# Backend:  seconddomain (seconddomain)
backend seconddomain
    # health checking is DISABLED
    mode http
    # Client-IP affinity via a 30-minute IP stick table.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # NOTE(review): "verify none" skips certificate verification toward
    # 192.168.1.27 — the hop is encrypted but the server is not authenticated.
    server server2 192.168.1.27:443 ssl verify none

# Backend: thirddomain (thirddomain)
# Same target host as firstdomain (192.168.1.4); only the name differs.
backend thirddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # NOTE(review): server certificate is not verified ("verify none").
    server server1 192.168.1.4:443 ssl verify none

# Backend: fourthdomain (fourthdomain)
# Same target host as firstdomain (192.168.1.4); only the name differs.
backend fourthdomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # NOTE(review): server certificate is not verified ("verify none").
    server server1 192.168.1.4:443 ssl verify none

# Backend: SSL_Backend (SSL_Backend)
# Internal relay from the public TCP frontend to the HTTP frontends bound on
# 127.4.4.3. No port is given on the server line, so each connection goes to
# the same port the client used (80 or 443).
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # send-proxy-v2 prepends a PROXY protocol v2 header carrying the real
    # client address, which the "accept-proxy" binds on 127.4.4.3 consume.
    server HA_Proxy 127.4.4.3 send-proxy-v2 check-send-proxy

on apache 2.4:

# mod_remoteip: replace the connection peer address (the HAProxy host) with
# the client address carried in X-Forwarded-For, but only when the request
# arrives from a proxy that is explicitly trusted.
<IfModule remoteip_module>
# Header populated by HAProxy's "option forwardfor".
RemoteIPHeader X-Forwarded-For
# Addresses of trusted intermediaries that were stripped are recorded here.
RemoteIPProxiesHeader X-Forwarded-By
# Trusted proxies read from a file (relative path, presumably resolved
# against ServerRoot).
# NOTE(review): the fix reported later in the thread was an explicit
# RemoteIPTrustedProxy line in the vhost, which suggests this list was not
# being applied as expected — confirm the file is loaded and that its inline
# "# ..." comment is accepted by the parser.
RemoteIPTrustedProxyList conf/trusted-proxies.lst
</IfModule>
# NOTE(review): this logs the raw X-Forwarded-For header, which can contain
# client-supplied values; %a logs the address as rewritten by mod_remoteip.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

content of trusted-proxies.lst

192.168.1.29/32 # opnsense proxy

Any help would be appreciated
Title: Re: haproxy issue with forwarding client ip to backend - apache
Post by: aleks76 on September 17, 2023, 06:21:03 PM
Meanwhile I was able to solve the problem. In case someone has the same problem: I was missing this option for remoteip_module in the Apache vhost:

# Trust X-Forwarded-For only when the request comes from the HAProxy host;
# values set by any other peer are ignored, so clients cannot spoof their IP.
RemoteIPTrustedProxy 192.168.1.29/32
Title: Re: haproxy issue with forwarding client ip to backend - apache [SOLVED]
Post by: aleks76 on September 17, 2023, 06:23:17 PM
Quote from: aleks76 on September 17, 2023, 09:57:55 AM
Hi
I installed haproxy with acme, it works great, the only thing is  forwarding the client IP to apache on backend is not working, i see only  the firewall IP as source/client ip, can someone help please?
this is my config:

opnsense version: OPNsense 23.7.4-amd64
config:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: HTTP_Frontend (Port 80)
frontend HTTP_Frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy ssl ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64fc8577517b08.93149937.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSLCondition
    acl acl_64ff73febf87d5.46667267 ssl_fc

    # ACTION: HTTP_to_HTTPS
    http-request redirect scheme https code 301 if !acl_64ff73febf87d5.46667267

# Frontend: 0_SNI_Frontend (Listening 80 , 443)
frontend 0_SNI_Frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_Backend

    # logging options

# Frontend: HTTPS_Frontend (Port 443 SSL)
frontend HTTPS_Frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64ff7abb50d286.50202189.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options

    # ACTION: PublicSubdomainsRules
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64ff7468b93502.73063080.txt)]

# Backend: firstdomain ( firstdomain)
backend firstdomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server1 192.168.1.4:443 ssl verify none

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580 ssl verify none

# Backend:  seconddomain (seconddomain)
backend seconddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server2 192.168.1.27:443 ssl verify none

# Backend: thirddomain (thirddomain)
backend thirddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server1 192.168.1.4:443 ssl verify none

# Backend: fourthdomain (fourthdomain)
backend fourthdomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server1 192.168.1.4:443 ssl verify none

# Backend: SSL_Backend (SSL_Backend)
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server HA_Proxy 127.4.4.3 send-proxy-v2 check-send-proxy

on apache 2.4:

<IfModule remoteip_module>
RemoteIPHeader X-Forwarded-For
RemoteIPProxiesHeader X-Forwarded-By
RemoteIPTrustedProxyList conf/trusted-proxies.lst
</IfModule>
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

content of trusted-proxies.lst

192.168.1.29/32 # opnsense proxy

Any help would be appreciated