#
# Automatically generated configuration.
# Do not edit this file manually.
#
# Layout as visible in this file: 0_SNI_Frontend is the only public listener
# (0.0.0.0:80 and :443, mode tcp). It hands every connection to SSL_Backend,
# which re-injects it on the loopback address 127.4.4.3 with a PROXY v2 header;
# HTTP_Frontend / HTTPS_Frontend terminate TLS there and route on the Host
# header to the per-domain backends.
global
    uid 80
    gid 80
    chroot /var/haproxy
    daemon
    # NOTE(review): "level admin" is the highest runtime-API privilege (server
    # state changes etc.); with mode 775 every member of group "proxy" gets it —
    # confirm that group membership is deliberately narrow.
    stats socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread 4
    hard-stop-after 60s
    no strict-limits
    maxconn 10000
    tune.ssl.default-dh-param 4096
    spread-checks 2
    tune.bufsize 16384
    tune.lua.maxmem 0
    log /var/run/log local0 info
    lua-prepend-path /tmp/haproxy/lua/?.lua

defaults
    log global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: HTTP_Frontend (Port 80)
frontend HTTP_Frontend
    # NOTE(review): this port-80 listener is bound with "ssl". SSL_Backend's
    # server line names no port, so a plaintext connection accepted on
    # 0.0.0.0:80 is relayed to 127.4.4.3:80 and meets a TLS listener; if that is
    # the actual path, the handshake fails before the HTTP_to_HTTPS redirect
    # below can ever run — confirm. This cipher list also keeps two CBC suites
    # (...-AES256-SHA384, ...-AES128-SHA256) that HTTPS_Frontend omits.
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy ssl ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64fc8577517b08.93149937.certlist
    mode http
    option http-keep-alive
    # Adds X-Forwarded-For carrying "src". Because of accept-proxy on the bind
    # above, src is the client address from the PROXY header sent by
    # SSL_Backend, not the loopback peer.
    option forwardfor
    # logging options

    # ACL: NoSSLCondition
    # True when the client-facing connection on this frontend is TLS.
    acl acl_64ff73febf87d5.46667267 ssl_fc

    # ACTION: HTTP_to_HTTPS
    http-request redirect scheme https code 301 if !acl_64ff73febf87d5.46667267

# Frontend: 0_SNI_Frontend (Listening 80 , 443)
# Public entry point: raw TCP pass-through, no TLS termination here.
frontend 0_SNI_Frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_Backend
    # logging options

# Frontend: HTTPS_Frontend (Port 443 SSL)
frontend HTTPS_Frontend
    # HSTS for two years including subdomains and preload, stamped on every
    # response that leaves this frontend.
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64ff7abb50d286.50202189.certlist
    mode http
    option http-keep-alive
    # Same X-Forwarded-For insertion as HTTP_Frontend. For Apache mod_remoteip
    # to honour the header, its trusted-proxy entry must match the address this
    # HAProxy connects FROM (the peer Apache sees), not an address it listens on.
    option forwardfor
    # logging options

    # ACTION: PublicSubdomainsRules
    # NOTE: actions with no ACLs/conditions will always match
    # Routes on the lower-cased Host header through a domain-suffix map.
    # NOTE(review): a Host with no map entry selects no backend, and this
    # frontend has no default_backend, so such requests should end in a 503 —
    # confirm that is the intended behaviour for unknown hostnames.
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64ff7468b93502.73063080.txt)]

# Backend: firstdomain ( firstdomain)
backend firstdomain
    # health checking is DISABLED
    mode http
    # Hash on src (the client address carried by the PROXY header) and keep a
    # 30-minute stick table keyed on it.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    # NOTE(review): "verify none" encrypts the hop but does not authenticate the
    # upstream certificate (no ca-file). Acceptable only if 192.168.1.4 sits on
    # a trusted segment; otherwise use "verify required" with a "ca-file".
    # The same applies to every server line in the backends below.
    server server1 192.168.1.4:443 ssl verify none

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    # Loopback ACME responder; certificate not verified (see firstdomain).
    server acme_challenge_host 127.0.0.1:43580 ssl verify none

# Backend: seconddomain (seconddomain)
backend seconddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    # Certificate not verified (see firstdomain).
    server server2 192.168.1.27:443 ssl verify none

# Backend: thirddomain (thirddomain)
backend thirddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    # Same upstream as firstdomain; certificate not verified (see firstdomain).
    server server1 192.168.1.4:443 ssl verify none

# Backend: fourthdomain (fourthdomain)
backend fourthdomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    # Same upstream as firstdomain; certificate not verified (see firstdomain).
    server server1 192.168.1.4:443 ssl verify none

# Backend: SSL_Backend (SSL_Backend)
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # No port on the server address, so HAProxy reuses the port the client
    # connected to: :80 traffic lands on HTTP_Frontend, :443 on HTTPS_Frontend.
    # send-proxy-v2 forwards the original client address, which those frontends
    # read via accept-proxy. check-send-proxy only affects health checks and is
    # inert here because none are enabled.
    server HA_Proxy 127.4.4.3 send-proxy-v2 check-send-proxy
# Resolve the real client address from the X-Forwarded-For header that HAProxy
# inserts with "option forwardfor". The whole block is skipped silently when
# mod_remoteip is not loaded, so confirm the module is active (e.g. `apachectl -M`).
<IfModule remoteip_module>
    RemoteIPHeader X-Forwarded-For
    # Header into which mod_remoteip records the intermediate proxy addresses it trusted.
    RemoteIPProxiesHeader X-Forwarded-By
    # A relative path resolves against ServerRoot. Only peers listed in this file
    # may assert a client address, so the entry must be the address HAProxy
    # connects FROM, as seen by Apache.
    RemoteIPTrustedProxyList conf/trusted-proxies.lst
</IfModule>
# NOTE(review): "%{X-Forwarded-For}i" logs the raw header exactly as received,
# trusted or not; "%a" logs the client address after mod_remoteip substitution,
# which is the value to check when verifying that forwarding works.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# trusted-proxies.lst: peers whose X-Forwarded-For Apache will honour.
# This must be the source address of the proxy's connection to Apache (the peer
# address Apache sees), not an address the proxy listens on. mod_remoteip
# accepts "#" comments in this file, so the trailing note is fine.
192.168.1.29/32 # opnsense proxy
# Inline equivalent of one entry in the RemoteIPTrustedProxyList file; keep it
# inside the <IfModule remoteip_module> block (or where mod_remoteip is
# guaranteed loaded), since an unknown directive is a startup error otherwise.
RemoteIPTrustedProxy 192.168.1.29/32
Hi, I installed haproxy with acme and it works great. The only thing is that forwarding the client IP to apache on the backend is not working: I see only the firewall IP as the source/client IP. Can someone help, please?

This is my config.

opnsense version: OPNsense 23.7.4-amd64

config:

#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
    uid 80
    gid 80
    chroot /var/haproxy
    daemon
    stats socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread 4
    hard-stop-after 60s
    no strict-limits
    maxconn 10000
    tune.ssl.default-dh-param 4096
    spread-checks 2
    tune.bufsize 16384
    tune.lua.maxmem 0
    log /var/run/log local0 info
    lua-prepend-path /tmp/haproxy/lua/?.lua

defaults
    log global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: HTTP_Frontend (Port 80)
frontend HTTP_Frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy ssl ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64fc8577517b08.93149937.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # logging options

    # ACL: NoSSLCondition
    acl acl_64ff73febf87d5.46667267 ssl_fc

    # ACTION: HTTP_to_HTTPS
    http-request redirect scheme https code 301 if !acl_64ff73febf87d5.46667267

# Frontend: 0_SNI_Frontend (Listening 80 , 443)
frontend 0_SNI_Frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_Backend
    # logging options

# Frontend: HTTPS_Frontend (Port 443 SSL)
frontend HTTPS_Frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64ff7abb50d286.50202189.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # logging options

    # ACTION: PublicSubdomainsRules
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64ff7468b93502.73063080.txt)]

# Backend: firstdomain ( firstdomain)
backend firstdomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server server1 192.168.1.4:443 ssl verify none

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580 ssl verify none

# Backend: seconddomain (seconddomain)
backend seconddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server server2 192.168.1.27:443 ssl verify none

# Backend: thirddomain (thirddomain)
backend thirddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server server1 192.168.1.4:443 ssl verify none

# Backend: fourthdomain (fourthdomain)
backend fourthdomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server server1 192.168.1.4:443 ssl verify none

# Backend: SSL_Backend (SSL_Backend)
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    server HA_Proxy 127.4.4.3 send-proxy-v2 check-send-proxy

on apache 2.4:

<IfModule remoteip_module>
    RemoteIPHeader X-Forwarded-For
    RemoteIPProxiesHeader X-Forwarded-By
    RemoteIPTrustedProxyList conf/trusted-proxies.lst
</IfModule>
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

content of trusted-proxies.lst:

192.168.1.29/32 # opnsense proxy

Any help would be appreciated.