haproxy -> varnish -> backend server Hi guys Originally we had haproxy in front and connecting to backend server haproxy -> backend server and applications and backend server see the real client ip fine without any issues But we decided to try adding Varnish cache in between haproxy -> varnish -> backend server Problem now is backend server and ips are seeing the client ip of the haproxy server and not real visitor client ips. varnish has the appropriate forwarding of client ips, remove req.http.X-Forwarded-For; set req.http.X-Forwarded-For = client.ip; and works if Varnish only in front of backends. So what setting if any in haproxy would I need to add or check for, to get the proper client ip from haproxy through varnish into the backend ? Using haproxy v1.3 here with Varnish 3.0.2. thanks http://www.serverphorums.com/read.php?10,508289,508289#msg-508289 Thu, 23 May 2013 07:01:05 +0200 Phorum 5.2.18 http://www.serverphorums.com/read.php?10,508289,515997#msg-515997 Re: haproxy -> varnish -> backend server http://www.serverphorums.com/read.php?10,508289,515997#msg-515997
Thanks for your help guys..]]> p4guru HAProxy Tue, 19 Jun 2012 19:11:58 +0200 http://www.serverphorums.com/read.php?10,508289,508373#msg-508373 Re: haproxy -> varnish -> backend server http://www.serverphorums.com/read.php?10,508289,508373#msg-508373 > you might also want to look at having varnish prepend the haproxy IP to the
> X-Forwarded-For line, rather than just pass it along - Most proxies seem to
> comma delimit a list of IPs of all the devices the request has passed
> through.
>
>

Hey David,

Having a "single" line with values separated by commas or having
multiple lines, one per value are both ways allowed by RFC to write
headers in HTTP.
So any HTTP processing tool should make no difference whatever way
headers are written.

Saying that, it is usually recommended to chain proxies like this:
Varnish -> HAProxy -> server.
Now, if you can't and must let Varnish behind HAProxy, it should be
not complicated to do the X-Forwarded-For clean up (untill Varnish can
understand proxy-protocol).

cheers]]> Baptiste HAProxy Wed, 06 Jun 2012 07:40:02 +0200 http://www.serverphorums.com/read.php?10,508289,508300#msg-508300 Re: haproxy -> varnish -> backend server http://www.serverphorums.com/read.php?10,508289,508300#msg-508300 the X-Forwarded-For line, rather than just pass it along - Most proxies
seem to comma delimit a list of IPs of all the devices the request has
passed through.

On 6/5/12 9:46 PM, haproxy@serverphorums.com wrote:
> Thanks David, your suggestion helped move me closer to solution, just have to confirm whether it's working completely as some visitors still show haproxy ip within the app itself on backend, but not sure if that is a cached value by the app.
>
> Sebastien, yeah normally that would be what I'd do, just haproxy is a managed service so I have no direct control over it only from varnish downwards.
>
> ---
> posted at http://www.serverphorums.com
> http://www.serverphorums.com/read.php?10,508289,508298#msg-508298
>]]> David Coulson HAProxy Wed, 06 Jun 2012 04:00:01 +0200 http://www.serverphorums.com/read.php?10,508289,508298#msg-508298 Re: haproxy -> varnish -> backend server http://www.serverphorums.com/read.php?10,508289,508298#msg-508298
Sebastien, yeah normally that would be what I'd do, just haproxy is a managed service so I have no direct control over it only from varnish downwards.]]> p4guru HAProxy Wed, 06 Jun 2012 03:46:42 +0200 http://www.serverphorums.com/read.php?10,508289,508295#msg-508295 Re: haproxy -> varnish -> backend server http://www.serverphorums.com/read.php?10,508289,508295#msg-508295 haproxy listen on ip public 1 and localhost
varnish listen on ip public 2 and forward to localhost

so cached traffic is immediately served by varnish without hitting haproxy.

and when you don t need to cache the traffic you use ip public 1 (haproxy)

in our setup the varnish ip is s.mydomain.com serving image/css/js
and haproxy is www.mydomain.com serving dynamic content containing urls in s..mydomain.com.

as a bonus no cookie is sent to s.mydomain.com

--
Sebastien E.


Le 5 juin 2012 à 21:06, David Coulson <david@davidcoulson.net> a écrit :

> Is haproxy adding X-Forwarded-For to the request it sends varnish? If so, just don't have varnish manipulate X-Forwarded-For and your app will use the header added by HAProxy.
>
> David
>
> On 6/5/12 9:04 PM, haproxy@serverphorums.com wrote:
>> Hi guys
>>
>> Originally we had haproxy in front and connecting to backend server
>>
>> haproxy -> backend server
>>
>> and applications and backend server see the real client ip fine without any issues
>>
>> But we decided to try adding Varnish cache in between
>>
>> haproxy -> varnish -> backend server
>>
>> Problem now is backend server and ips are seeing the client ip of the haproxy server and not real visitor client ips.
>>
>> varnish has the appropriate forwarding of client ips,
>>
>> remove req.http.X-Forwarded-For;
>> set req.http.X-Forwarded-For = client.ip;
>>
>> and works if Varnish only in front of backends.
>>
>> So what setting if any in haproxy would I need to add or check for, to get the proper client ip from haproxy through varnish into the backend ?
>>
>> Using haproxy v1.3 here with Varnish 3.0.2.
>>
>> thanks
>>
>> ---
>> posted at http://www.serverphorums.com
>> http://www.serverphorums.com/read.php?10,508289,508289#msg-508289
>>
>]]> Sebastien Estienne HAProxy Wed, 06 Jun 2012 03:30:01 +0200 http://www.serverphorums.com/read.php?10,508289,508290#msg-508290 Re: haproxy -> varnish -> backend server http://www.serverphorums.com/read.php?10,508289,508290#msg-508290 so, just don't have varnish manipulate X-Forwarded-For and your app will
use the header added by HAProxy.

David

On 6/5/12 9:04 PM, haproxy@serverphorums.com wrote:
> Hi guys
>
> Originally we had haproxy in front and connecting to backend server
>
> haproxy -> backend server
>
> and applications and backend server see the real client ip fine without any issues
>
> But we decided to try adding Varnish cache in between
>
> haproxy -> varnish -> backend server
>
> Problem now is backend server and ips are seeing the client ip of the haproxy server and not real visitor client ips.
>
> varnish has the appropriate forwarding of client ips,
>
> remove req.http.X-Forwarded-For;
> set req.http.X-Forwarded-For = client.ip;
>
> and works if Varnish only in front of backends.
>
> So what setting if any in haproxy would I need to add or check for, to get the proper client ip from haproxy through varnish into the backend ?
>
> Using haproxy v1.3 here with Varnish 3.0.2.
>
> thanks
>
> ---
> posted at http://www.serverphorums.com
> http://www.serverphorums.com/read.php?10,508289,508289#msg-508289
>]]> David Coulson HAProxy Wed, 06 Jun 2012 03:10:01 +0200 http://www.serverphorums.com/read.php?10,508289,508289#msg-508289 haproxy -> varnish -> backend server http://www.serverphorums.com/read.php?10,508289,508289#msg-508289
Originally we had haproxy in front and connecting to backend server

haproxy -> backend server

and applications and backend server see the real client ip fine without any issues

But we decided to try adding Varnish cache in between

haproxy -> varnish -> backend server

Problem now is backend server and ips are seeing the client ip of the haproxy server and not real visitor client ips.

varnish has the appropriate forwarding of client ips,

remove req.http.X-Forwarded-For;
set req.http.X-Forwarded-For = client.ip;

and works if Varnish only in front of backends.

So what setting if any in haproxy would I need to add or check for, to get the proper client ip from haproxy through varnish into the backend ?

Using haproxy v1.3 here with Varnish 3.0.2.

thanks]]> p4guru HAProxy Wed, 06 Jun 2012 03:04:29 +0200