Posted to users@httpd.apache.org by Rob Cluett <ro...@robcluett.com> on 2012/11/30 07:45:00 UTC

[users@httpd] FW: Stunnel + HAProxy + Apache + mod_remoteip

All, I have everything working perfectly. However, I cannot get any SSL
traffic which goes through the proxy to reveal its true IP rather than the
proxy IP. I tried mod_rpaf and then moved over to mod_remoteip and I get the
same thing, so I'm assuming it's something other than Apache, possibly?

So with HTTP traffic the client IP comes in correctly, but with any HTTPS traffic
I get the proxy IP of 10.10.10.10. The logs were modified to replace %h with
%{X-Forwarded-For}i

here are my configs:

HAPROXY.CFG:

# Process-wide HAProxy settings: syslog target, chroot directory, pidfile,
# global connection cap, and the user/group the daemon runs as.
global
    log         127.0.0.1 local2

    # The process is chrooted to /var/lib/haproxy and runs as user/group
    # "haproxy" in the background (daemon).
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    # NOTE(review): no mode/user/level is given on this line, so who may
    # connect to the socket depends on defaults and file permissions - confirm
    # that only administrators can reach it.
    stats socket /var/lib/haproxy/stats

# Defaults inherited by the proxies below: HTTP mode, HTTP-format logging,
# X-Forwarded-For insertion, retry/redispatch behaviour and timeouts.
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    # Adds an X-Forwarded-For header carrying the address of the TCP peer,
    # except when that peer is in 127.0.0.0/8.
    # NOTE(review): HAProxy appends its own value and does not remove an
    # X-Forwarded-For header sent by the client, so earlier entries in the
    # header are client-controlled and must not be trusted by the backend.
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

# Plain-HTTP frontend on port 80 (all addresses) that selects a backend by the
# Host header.
# NOTE(review): the stunnel service on this page connects to 10.10.10.10:80,
# which is presumably this frontend. For HTTPS requests the TCP peer seen here
# is then stunnel, not the browser, so the X-Forwarded-For value added below is
# the stunnel/proxy address. This frontend has no way to learn the original
# client address from a plain TCP connection - confirm against the deployment.
frontend http_proxy
  bind *:80
  option http-server-close
  # Declared again here without the "except 127.0.0.0/8" used in defaults.
  option forwardfor
  # hdr_dom matches on dot-delimited domain components of the Host header,
  # case-insensitively (-i).
  acl is_rbc-com hdr_dom(host) -i robcluett.com
  acl is_rbc-net hdr_dom(host) -i robcluett.net
  acl is_iom-com hdr_dom(host) -i iomerge.com
  acl is_blog-rbc-com hdr_dom(host) -i blog.robcluett.com
  # Rules are evaluated in order; the first match wins. No default_backend is
  # set in this frontend, so a request whose Host matches none of the ACLs has
  # no backend to go to.
  use_backend cluster1 if is_rbc-com
  use_backend cluster2 if is_rbc-net
  use_backend cluster3 if is_iom-com
  use_backend cluster1 if is_blog-rbc-com

# Three single-server backends, each forwarding to one web server on port 80.
# The proxy-to-server hop is plain HTTP, and no "check" keyword is set on the
# server lines, so no health checks are configured here.
backend cluster1
  server web2 10.10.10.51:80
backend cluster2
  server web3 10.10.10.52:80
backend cluster3
  server web4 10.10.10.53:80

STUNNEL.CONF

; stunnel configuration: terminates TLS on 10.10.10.10:443 and forwards the
; decrypted stream to 10.10.10.10:80.

; No separate "key" option is set, so the private key is expected in this same
; PEM file - keep it readable only by the account that starts stunnel.
cert = /usr/local/etc/stunnel/stunnel.pem

; NOTE(review): this pins the service to SSLv3, which is obsolete and
; prohibited by RFC 7568. Use a TLS protocol setting supported by the
; installed stunnel version instead.
sslVersion = SSLv3

; NOTE(review): the process is chrooted but keeps running as root/root. A
; chroot does not confine a root process; a dedicated unprivileged user and
; group would be the usual choice here.
chroot = /usr/local/var/lib/stunnel/
setuid = root
setgid = root
; The pid file path is interpreted inside the chroot directory.
pid = /stunnel.pid
fips=no

; Disable Nagle's algorithm on the local (l) and remote (r) sockets.
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; debug = 7 is the most verbose log level; consider lowering it once
; troubleshooting is finished.
debug = 7
output = /var/log/stunnel.log

; HTTPS service definition.
; NOTE(review): stunnel opens a new TCP connection to 10.10.10.10:80, so the
; next hop sees stunnel's address as the peer and no header is added here;
; this matches the proxy IP showing up for HTTPS requests. One way to carry
; the original address is the PROXY protocol ("protocol = proxy" here, with
; "accept-proxy" on a separate HAProxy bind used only by stunnel), if the
; installed stunnel and HAProxy versions support it - confirm before use.
[https]
accept  = 10.10.10.10:443
connect = 10.10.10.10:80
TIMEOUTclose = 0

HTTPD.CONF

#  Remote IP
# mod_remoteip: take the client address from the X-Forwarded-For request header.
# NOTE(review): no RemoteIPInternalProxy / RemoteIPTrustedProxy directive is
# visible in this excerpt. Without one of them the header is accepted from any
# peer, so a client that can reach Apache directly, or that sends its own
# X-Forwarded-For through the proxy, can influence the logged address. Limit
# trust to the proxy address(es) - confirm against the full httpd.conf.
RemoteIPHeader X-Forwarded-For