
Messages - aleks76

#1
Quote from: aleks76 on September 17, 2023, 09:57:55 AM
Hi
I installed HAProxy with ACME and it works great; the only thing is that forwarding the client IP to Apache on the backend is not working — I see only the firewall IP as the source/client IP. Can someone help, please?
this is my config:

opnsense version: OPNsense 23.7.4-amd64
config:

#
# Automatically generated configuration.
# Do not edit this file manually.
#
# Traffic path as pasted: 0_SNI_Frontend takes everything on 0.0.0.0:80 and :443 in TCP mode
# and relays it through SSL_Backend to 127.4.4.3 with PROXY protocol v2; HTTP_Frontend and
# HTTPS_Frontend bind that loopback address with accept-proxy, so the client address they see
# (and write into X-Forwarded-For via "option forwardfor") is the one carried in the PROXY
# header, not 127.4.4.3.

global
    # drop privileges and chroot after startup
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    # "level admin" allows runtime state changes over this socket; who can connect is decided
    # by the socket's group/mode, so membership in group "proxy" is effectively admin access
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    # DH parameter size for the DHE-RSA suite enabled on HTTPS_Frontend
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    # a connection attempt that fails may be redispatched to another server
    option redispatch -1
    # 30 s limits for client inactivity, server connect and server response
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    # server address resolution order at startup; per-server connection cap
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: HTTP_Frontend (Port 80)
# Reached only via SSL_Backend (loopback, PROXY protocol). NOTE(review): this bind also carries
# "ssl", so a plain-HTTP request arriving on port 80 would fail the TLS handshake, and the
# ssl_fc ACL below is then always true, leaving the HTTP_to_HTTPS redirect unreachable —
# presumably unintended; confirm whether SSL offloading was meant to be enabled here.
frontend HTTP_Frontend
    # accept-proxy: the client address is taken from the PROXY header, so this bind must stay
    # reachable only by trusted senders (here: SSL_Backend on the loopback interface)
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy ssl ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64fc8577517b08.93149937.certlist
    mode http
    option http-keep-alive
    # adds X-Forwarded-For with the (PROXY-protocol) client address for the backend
    option forwardfor

    # logging options
    # ACL: NoSSLCondition
    acl acl_64ff73febf87d5.46667267 ssl_fc

    # ACTION: HTTP_to_HTTPS
    http-request redirect scheme https code 301 if !acl_64ff73febf87d5.46667267

# Frontend: 0_SNI_Frontend (Listening 80 , 443)
# Public entry point: listens on all interfaces, does not terminate TLS (mode tcp) and hands
# every connection to SSL_Backend
frontend 0_SNI_Frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_Backend

    # logging options

# Frontend: HTTPS_Frontend (Port 443 SSL)
frontend HTTPS_Frontend
    # HSTS for two years incl. subdomains and preload: browsers will refuse plain HTTP for the
    # whole domain once cached, which is hard to roll back
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    # TLS termination; accept-proxy as on HTTP_Frontend (client address from the PROXY header)
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64ff7abb50d286.50202189.certlist
    mode http
    option http-keep-alive
    # adds X-Forwarded-For with the (PROXY-protocol) client address for the backend
    option forwardfor

    # logging options

    # ACTION: PublicSubdomainsRules
    # NOTE: actions with no ACLs/conditions will always match
    # backend chosen from the lowercased Host header via the domain map; there is no
    # default_backend, so a Host not in the map gets no backend (HAProxy answers 503)
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64ff7468b93502.73063080.txt)]

# Backend: firstdomain ( firstdomain)
backend firstdomain
    # health checking is DISABLED
    mode http
    # src is the PROXY-protocol client address here, so affinity is per real client
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS to the backend without certificate verification: encrypted but not authenticated;
    # "verify required" with a ca-file would also authenticate 192.168.1.4
    server server1 192.168.1.4:443 ssl verify none

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # local challenge responder of the ACME plugin; none of the pasted frontends references
    # this backend, so how challenges are routed to it is not visible in this config
    server acme_challenge_host 127.0.0.1:43580 ssl verify none

# Backend:  seconddomain (seconddomain)
backend seconddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # backend certificate is not verified (see firstdomain)
    server server2 192.168.1.27:443 ssl verify none

# Backend: thirddomain (thirddomain)
backend thirddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # same server as firstdomain/fourthdomain; certificate is not verified
    server server1 192.168.1.4:443 ssl verify none

# Backend: fourthdomain (fourthdomain)
backend fourthdomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # same server as firstdomain/thirddomain; certificate is not verified
    server server1 192.168.1.4:443 ssl verify none

# Backend: SSL_Backend (SSL_Backend)
# Loopback hop from 0_SNI_Frontend to the HTTP/HTTPS frontends above
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # no port given: HAProxy connects to the same port the client used (80 or 443);
    # send-proxy-v2 carries the original client address to the accept-proxy binds;
    # check-send-proxy is inert while the server has no "check"
    server HA_Proxy 127.4.4.3 send-proxy-v2 check-send-proxy

on apache 2.4:

# mod_remoteip: replace the connection address (REMOTE_ADDR, %a) with the X-Forwarded-For
# value, but only for requests arriving from a trusted proxy
<IfModule remoteip_module>
RemoteIPHeader X-Forwarded-For
# header in which the intermediate proxy addresses removed from X-Forwarded-For are recorded
RemoteIPProxiesHeader X-Forwarded-By
# path is relative to ServerRoot; addresses listed there are trusted to set the header above
RemoteIPTrustedProxyList conf/trusted-proxies.lst
</IfModule>
# NOTE(review): %{X-Forwarded-For}i logs the raw request header, which a client can
# pre-populate; %a is the address mod_remoteip actually resolved and is the field to rely on
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

content of trusted-proxies.lst

192.168.1.29/32 # opnsense proxy

Any help would be appreciated
#2
Meanwhile I could solve the problem. If someone has the same problem: I was missing this option in the Apache vhost's remoteip_module configuration:

RemoteIPTrustedProxy 192.168.1.29/32
#3
Donated 20€,thanks for the great work
#4
Hi
I installed HAProxy with ACME and it works great; the only thing is that forwarding the client IP to Apache on the backend is not working — I see only the firewall IP as the source/client IP. Can someone help, please?
this is my config:

opnsense version: OPNsense 23.7.4-amd64
config:

#
# Automatically generated configuration.
# Do not edit this file manually.
#
# Traffic path as pasted: 0_SNI_Frontend takes everything on 0.0.0.0:80 and :443 in TCP mode
# and relays it through SSL_Backend to 127.4.4.3 with PROXY protocol v2; HTTP_Frontend and
# HTTPS_Frontend bind that loopback address with accept-proxy, so the client address they see
# (and write into X-Forwarded-For via "option forwardfor") is the one carried in the PROXY
# header, not 127.4.4.3.

global
    # drop privileges and chroot after startup
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    # "level admin" allows runtime state changes over this socket; who can connect is decided
    # by the socket's group/mode, so membership in group "proxy" is effectively admin access
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    # DH parameter size for the DHE-RSA suite enabled on HTTPS_Frontend
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    # a connection attempt that fails may be redispatched to another server
    option redispatch -1
    # 30 s limits for client inactivity, server connect and server response
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    # server address resolution order at startup; per-server connection cap
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: HTTP_Frontend (Port 80)
# Reached only via SSL_Backend (loopback, PROXY protocol). NOTE(review): this bind also carries
# "ssl", so a plain-HTTP request arriving on port 80 would fail the TLS handshake, and the
# ssl_fc ACL below is then always true, leaving the HTTP_to_HTTPS redirect unreachable —
# presumably unintended; confirm whether SSL offloading was meant to be enabled here.
frontend HTTP_Frontend
    # accept-proxy: the client address is taken from the PROXY header, so this bind must stay
    # reachable only by trusted senders (here: SSL_Backend on the loopback interface)
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy ssl ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64fc8577517b08.93149937.certlist
    mode http
    option http-keep-alive
    # adds X-Forwarded-For with the (PROXY-protocol) client address for the backend
    option forwardfor

    # logging options
    # ACL: NoSSLCondition
    acl acl_64ff73febf87d5.46667267 ssl_fc

    # ACTION: HTTP_to_HTTPS
    http-request redirect scheme https code 301 if !acl_64ff73febf87d5.46667267

# Frontend: 0_SNI_Frontend (Listening 80 , 443)
# Public entry point: listens on all interfaces, does not terminate TLS (mode tcp) and hands
# every connection to SSL_Backend
frontend 0_SNI_Frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_Backend

    # logging options

# Frontend: HTTPS_Frontend (Port 443 SSL)
frontend HTTPS_Frontend
    # HSTS for two years incl. subdomains and preload: browsers will refuse plain HTTP for the
    # whole domain once cached, which is hard to roll back
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    # TLS termination; accept-proxy as on HTTP_Frontend (client address from the PROXY header)
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64ff7abb50d286.50202189.certlist
    mode http
    option http-keep-alive
    # adds X-Forwarded-For with the (PROXY-protocol) client address for the backend
    option forwardfor

    # logging options

    # ACTION: PublicSubdomainsRules
    # NOTE: actions with no ACLs/conditions will always match
    # backend chosen from the lowercased Host header via the domain map; there is no
    # default_backend, so a Host not in the map gets no backend (HAProxy answers 503)
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64ff7468b93502.73063080.txt)]

# Backend: firstdomain ( firstdomain)
backend firstdomain
    # health checking is DISABLED
    mode http
    # src is the PROXY-protocol client address here, so affinity is per real client
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS to the backend without certificate verification: encrypted but not authenticated;
    # "verify required" with a ca-file would also authenticate 192.168.1.4
    server server1 192.168.1.4:443 ssl verify none

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # local challenge responder of the ACME plugin; none of the pasted frontends references
    # this backend, so how challenges are routed to it is not visible in this config
    server acme_challenge_host 127.0.0.1:43580 ssl verify none

# Backend:  seconddomain (seconddomain)
backend seconddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # backend certificate is not verified (see firstdomain)
    server server2 192.168.1.27:443 ssl verify none

# Backend: thirddomain (thirddomain)
backend thirddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # same server as firstdomain/fourthdomain; certificate is not verified
    server server1 192.168.1.4:443 ssl verify none

# Backend: fourthdomain (fourthdomain)
backend fourthdomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # same server as firstdomain/thirddomain; certificate is not verified
    server server1 192.168.1.4:443 ssl verify none

# Backend: SSL_Backend (SSL_Backend)
# Loopback hop from 0_SNI_Frontend to the HTTP/HTTPS frontends above
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # no port given: HAProxy connects to the same port the client used (80 or 443);
    # send-proxy-v2 carries the original client address to the accept-proxy binds;
    # check-send-proxy is inert while the server has no "check"
    server HA_Proxy 127.4.4.3 send-proxy-v2 check-send-proxy

on apache 2.4:

# mod_remoteip: replace the connection address (REMOTE_ADDR, %a) with the X-Forwarded-For
# value, but only for requests arriving from a trusted proxy
<IfModule remoteip_module>
RemoteIPHeader X-Forwarded-For
# header in which the intermediate proxy addresses removed from X-Forwarded-For are recorded
RemoteIPProxiesHeader X-Forwarded-By
# path is relative to ServerRoot; addresses listed there are trusted to set the header above
RemoteIPTrustedProxyList conf/trusted-proxies.lst
</IfModule>
# NOTE(review): %{X-Forwarded-For}i logs the raw request header, which a client can
# pre-populate; %a is the address mod_remoteip actually resolved and is the field to rely on
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

content of trusted-proxies.lst

192.168.1.29/32 # opnsense proxy

Any help would be appreciated
#5
Hallo
Ich habe das gleiche Problem, wurde hier eine Lösung bereits gefunden?
Danke
LG
Aleksandar