Cloudflare > HaProxy > Home Assistant - Show Client IP

[bunchofreeds]

Hi all,

I currently proxy through Cloudflare (strict/full) then to HAproxy (OPNsense plugin) then to a local instance of Home Assistant.

I'd like to keep the Client IP intact so I can see in Home Assistant what originating Client IP connected.
Currently I see the Cloudflare IP which is not 'ideal' for me

From reading I see that Cloudflare, being the first Proxy in my chain, DOES pass on the Client IP but not using the usual X-Forwarded-For but instead within the http header as CF-Connecting-IP
https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/

This means my HAproxy cannot pass this onto Home Assistant through X-Forward-For currently

From further reading, I see I could 'possibly' configure my HAproxy to pick up the CF-Connecting-IP and add to X-Forward-For when a Cloudflare IP Address is seen
https://github.com/haproxy/haproxy/issues/90#issuecomment-718286982

Can anyone help me with how I can apply this configuration to my OPNsense/HAProxy?

Thanks for any help with this

Furthermore, I have X-Forwarded-For disabled in HAProxy for my Public Service as I've read this should only be added once at the first proxy, all other proxies in the chain should add their respective IP's to this header as they are passed. Enabling this also breaks Home Assistant for me, complaining it sees two when there should only be one.

Also... I have aliases for Cloudflare IP ranges which would be good to use for this if possible, to replace what is in the linked script... 

[bunchofreeds]

hmmmm...

It looks like OPNsense 24.1 includes HAProxy 4.2 which changes and adds some X Forward stuff.

I might need to also upgrade and check this out.

Has anyone done this already... tested X Forwarding with HAProxy 4.2 plugin?

[bunchofreeds]

Upgraded to 24.1 successfully

This version has HAproxy 4.2 which is moving the x-forwarded-for to the backend pool config and adding additional options.

Still need some help/advice on how to get this working to pass on the Client IP though when passing through Cloudflare if anyone has any ideas?


Thanks

[meyergru]

Did you look at the rules? You can add and/or transform headers. It is possible to use variables like backend_source_ip, see https://docs.haproxy.org/2.6/configuration.html#8.2.4.

[bunchofreeds]

Thanks I'll check that out and see how I get on

[bunchofreeds]

@meyergru I found this link which closely relates to OPNsense

https://forum.netgate.com/topic/176777/haproxy-cloudflare-restoring-original-ip/3

Do you know how/where to set HAproxy via GUI in OPNsense for the above?

Specifically I'm stuck with the 'Source IP matches IP or Alias'
I can create the Alias for cloudflare IP's within Firewall>Aliases
But can't see where to reference this alias in HAproxy GUI
Closest is HAproxy>Conditions>Condition Type>Source IP Matches Specified IP
But this only seems to want a single IP address

Thanks for any help with this. I'm obviously learning as I'm going here

[meyergru]

No, but you can try to ask for help in the HAproxy tutorial thread.

[bunchofreeds]

@meyergru thanks for your help so far

I'll ask in that thread

[bunchofreeds]

Found some answers
https://github.com/home-assistant/core/issues/40421#issuecomment-1667019787