Tag: haproxy

  • Enable HTTP_X_FORWARDED_FOR in Haproxy

    By default, Haproxy does not forward the visitor IP address to backend servers. To make Haproxy forward the visitor IP address to the backend servers using the HTTP_X_FORWARDED_FOR header, edit haproxy.cfg

    vi /etc/haproxy/haproxy.cfg 
    

    Add

    option forwardfor 
    

    This can be added in the defaults, frontend, backend or listen sections.

    Example

    backend be_lamp
    mode http
    log global
    option forwardfor
    server fapi 10.0.3.106:80
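
    How a backend can read the header that option forwardfor adds, as an added example that is not part of the original post: Haproxy appends the visitor address as the last X-Forwarded-For value, so anything the client sent itself sits to the left of it and is not trusted. The proxy address 10.0.3.1 and the function names are assumptions made for this sketch.

```python
import ipaddress

# Assumption: only the HAProxy host may vouch for a visitor address.
# 10.0.3.1 is a constructed proxy address, not taken from the page.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.3.1/32")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr belongs to a proxy we operate."""
    return any(addr in net for net in trusted)


def client_ip(peer, xff_lines, trusted=TRUSTED_PROXIES):
    """Return the visitor address a backend should log or rate-limit on.

    peer      -- source address of the TCP connection to the backend
    xff_lines -- every X-Forwarded-For header line, in arrival order
    """
    current = ipaddress.ip_address(peer)
    # Flatten "a, b" lists and repeated header lines into one hop list.
    hops = [v.strip() for line in xff_lines for v in line.split(",") if v.strip()]
    # Walk right to left: an entry is only as credible as the hop that added it.
    while hops and is_trusted(current, trusted):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For lines received).
    samples = [
        ("10.0.3.1", ["198.51.100.7"]),             # normal request via HAProxy
        ("10.0.3.1", ["1.2.3.4", "198.51.100.7"]),  # client sent its own header
        ("203.0.113.9", ["1.2.3.4"]),               # bypassed the proxy
    ]
    for peer, lines in samples:
        print(peer, lines, "->", client_ip(peer, lines))
```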
    
  • Enable SSL in Haproxy Docker Container

    I have a haproxy container running on port 80. This container is started with the command

    docker run -d -p 80:80 --name haproxy1 -v /home/ubuntu/haproxy:/usr/local/etc/haproxy:ro haproxy:1.7
    

    This haproxy used the following configuration file /home/ubuntu/haproxy/haproxy.cfg

    global
    
    defaults
    
    frontend sok-front-end
        bind *:80
        mode http
        default_backend sok-front-end
    
    backend sok-front-end
        mode http
        balance roundrobin
        server srv3 172.17.0.2:8000
    

    To make this haproxy work with SSL, first create an ssl.pem file with your SSL certificate contents in the following order

    1) Your Private Key
    2) Your SSL CRT
    3) CA-BUNDLE
    

    Copy and paste all of these into the ssl.pem file at /home/ubuntu/haproxy/ssl.pem

    Now modify your /home/ubuntu/haproxy/haproxy.cfg file as follows

    global
    
    defaults
    
    frontend sok-front-end
        bind *:80
        bind :::443 ssl crt /usr/local/etc/haproxy/ssl.pem
        acl https ssl_fc
        http-request set-header X-Forwarded-Proto http  if !https
        http-request set-header X-Forwarded-Proto https if https
        mode http
        default_backend sok-front-end
    
    backend sok-front-end
        mode http
        balance roundrobin
        server srv3 172.17.0.2:8000
    

    Now we need to stop the current docker container, as it only allows port 80 to be shared.

    docker container stop haproxy1
    

    Let's create a new haproxy container with port 443 forwarded.

    docker run -d -p 80:80 -p 443:443 --name haproxy2 -v /home/ubuntu/haproxy:/usr/local/etc/haproxy:ro haproxy:1.7
    

    See Haproxy

  • Haproxy Site With SSL

    To handle SSL/HTTPS traffic on haproxy, use the following config in your /etc/haproxy/haproxy.cfg file.

    frontend https-frontend-new
    	bind :::443 ssl crt domain.pem
    
    	acl https ssl_fc
    	http-request set-header X-Forwarded-Proto http  if !https
    	http-request set-header X-Forwarded-Proto https if https
    
    	option forwardfor
    
    	acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
    	http-response replace-header Set-Cookie (.*) \1;\ secure if https !secured_cookie
    	
    	default_backend https-backend-new
    
    backend https-backend-new
    	balance static-rr
    	option httpchk
    	cookie SRV insert indirect nocache maxidle 30m maxlife 8h
    	# "verify none" encrypts the connection to the backend but does not validate its certificate
    	server web1 BACKEND_SERVER_IP:443 check ssl verify none
    

    domain.pem

    The SSL certificate of your domain in PEM format. It is created by combining your SSL cert, private key and CA bundle.

    cat yourdomain.crt yourdomain.key yourdomain.ca-bundle > yourdomain.pem
    

    If you have more sites with SSL, you can specify multiple SSL certs like this

    bind :::443 ssl crt domain.pem crt domain-2.pem crt domain-3.pem
    

    BACKEND_SERVER_IP

    This is the IP of your backend server.

    Restart Haproxy with

    systemctl restart haproxy
    
  • haproxy

    To install haproxy on Ubuntu, run

    apt install haproxy

    The Haproxy config file is located at

    /etc/haproxy/haproxy.cfg

    Enable HTTP_X_FORWARDED_FOR in Haproxy
    Show X-Forwarded-For IP in Apache
    Haproxy Site With SSL
    Enable SSL in Haproxy Docker Container