Cloudflare > HaProxy > Home Assistant - Show Client IP

Started by bunchofreeds, February 01, 2024, 01:46:52 AM

Hi all,

I currently proxy through Cloudflare (strict/full) then to HAproxy (OPNsense plugin) then to a local instance of Home Assistant.

I'd like to keep the Client IP intact so I can see in Home Assistant what originating Client IP connected.
Currently I see the Cloudflare IP which is not 'ideal' for me :)

From reading I see that Cloudflare, being the first Proxy in my chain, DOES pass on the Client IP, not using the usual X-Forwarded-For but instead within the HTTP header as CF-Connecting-IP
https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/

This means my HAproxy cannot pass this on to Home Assistant through X-Forwarded-For currently

From further reading, I see I could 'possibly' configure my HAproxy to pick up the CF-Connecting-IP and add it to X-Forwarded-For when a Cloudflare IP Address is seen
https://github.com/haproxy/haproxy/issues/90#issuecomment-718286982

Can anyone help me with how I can apply this configuration to my OPNsense/HAProxy?

Thanks for any help with this

Furthermore, I have X-Forwarded-For disabled in HAProxy for my Public Service as I've read this should only be added once at the first proxy, all other proxies in the chain should add their respective IPs to this header as they are passed. Enabling this also breaks Home Assistant for me, complaining it sees two when there should only be one.

Also... :) I have aliases for Cloudflare IP ranges which would be good to use for this if possible, to replace what is in the linked script... 


hmmmm...

It looks like OPNsense 24.1 includes HAProxy 4.2 which changes and adds some X Forward stuff.

I might need to also upgrade and check this out.

Has anyone done this already... tested X Forwarding with HAProxy 4.2 plugin?

Upgraded to 24.1 successfully

This version has HAproxy 4.2 which is moving the x-forwarded-for to the backend pool config and adding additional options.

Still need some help/advice on how to get this working to pass on the Client IP though when passing through Cloudflare if anyone has any ideas?


Thanks

Did you look at the rules? You can add and/or transform headers. It is possible to use variables like backend_source_ip, see https://docs.haproxy.org/2.6/configuration.html#8.2.4.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A


@meyergru I found this link which closely relates to OPNsense

https://forum.netgate.com/topic/176777/haproxy-cloudflare-restoring-original-ip/3

Do you know how/where to set HAproxy via GUI in OPNsense for the above?

Specifically I'm stuck with the 'Source IP matches IP or Alias'
I can create the Alias for Cloudflare IPs within Firewall>Aliases
But can't see where to reference this alias in HAproxy GUI
Closest is HAproxy>Conditions>Condition Type>Source IP Matches Specified IP
But this only seems to want a single IP address

Thanks for any help with this. I'm obviously learning as I'm going here :)

No, but you can try to ask for help in the HAproxy tutorial thread.

@meyergru thanks for your help so far

I'll ask in that thread
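
The approach discussed in this thread, written as raw `haproxy.cfg` syntax. This is an added example, not part of the original posts and not OPNsense GUI steps; the frontend and backend names, file paths, certificate and server address are assumptions and placeholders.

```haproxy
# Added example. All names, paths and addresses are placeholders.

frontend https_in
    mode http
    bind :443 ssl crt /usr/local/etc/haproxy/certs/site.pem    # assumed path

    # File with one CIDR per line, filled from Cloudflare's published
    # IP ranges (assumed path; keep it in sync with Cloudflare's list).
    acl from_cloudflare src -f /usr/local/etc/haproxy/cloudflare_ips.lst

    # Peer is Cloudflare: CF-Connecting-IP can be trusted, so copy it into
    # X-Forwarded-For. set-header replaces any X-Forwarded-For already
    # present, so the backend sees exactly one value.
    http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if from_cloudflare

    # Peer is NOT Cloudflare: anyone can send a CF-Connecting-IP header,
    # so drop it and record the real TCP peer address instead.
    http-request del-header CF-Connecting-IP if !from_cloudflare
    http-request set-header X-Forwarded-For %[src] if !from_cloudflare

    default_backend homeassistant

backend homeassistant
    mode http
    # No "option forwardfor" here: it would append a second
    # X-Forwarded-For entry on top of the one set in the frontend.
    server ha 192.0.2.10:8123    # placeholder address for Home Assistant
```

The source-address check is what makes this safe: without the `from_cloudflare` condition, any client that reaches HAProxy directly could choose the IP that Home Assistant logs. Home Assistant only honours the header when `use_x_forwarded_for` is enabled and the HAProxy address is listed under `trusted_proxies` in its `http:` configuration.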