X-Forwarded-For header chaining

Miguel Pilar Vilagran
X-Forwarded-For header chaining
September 02, 2009 03:40PM
I am seeing (with option forwardfor) that HAProxy is replacing
X-Forwarded-For instead of chaining the proxy chain. I know it's not an RFC
but the de facto standard is to chain the proxies by appending to the header.
For my usage it is not necessary but thought I'd point it out (Varnish also
doesn't handle the header properly but there's a workaround in VCL for it).

Is there a setting for this that I am missing?

--
Miguel Pilar
Alexander Staubo
Re: X-Forwarded-For header chaining
September 02, 2009 05:20PM
On Wed, Sep 2, 2009 at 3:31 PM, Miguel Pilar
Vilagran<[email protected]> wrote:
> I am seeing (with option forwardfor) that HAProxy is replacing
> X-Forwarded-For instead of chaining the proxy chain. I know it's not an RFC
> but the de facto standard is to chain the proxies by appending to the header.
> For my usage it is not necessary but thought I'd point it out (Varnish also
> doesn't handle the header properly but there's a workaround in VCL for it).
>
> Is there a setting for this that I am missing?

The issue is that X-Forwarded-For can be spoofed by clients, and to
prevent this, the proxy would need a list of upstream IPs for which it
will trust the X-Forwarded-For header and chain it.

We would very much like this functionality as well. We are in a
situation where we're using HAProxy simply to bounce requests onwards
to another HAProxy (for legacy issues related to IP address
ownership), and we've had to modify our app since the client IPs are
sometimes no longer available.

A.
Miguel Pilar Vilagran
Re: X-Forwarded-For header chaining
September 02, 2009 05:30PM
On 9/2/09 11:17 AM, "Alexander Staubo" <[email protected]> wrote:
> On Wed, Sep 2, 2009 at 3:31 PM, Miguel Pilar
> Vilagran<[email protected]> wrote:
> > I am seeing (with option forwardfor) that HAProxy is replacing
> > X-Forwarded-For instead of chaining the proxy chain. I know it's not an RFC
> > but the de facto standard is to chain the proxies by appending to the header.
> > For my usage it is not necessary but thought I'd point it out (Varnish also
> > doesn't handle the header properly but there's a workaround in VCL for it).
> >
> > Is there a setting for this that I am missing?
>
> The issue is that X-Forwarded-For can be spoofed by clients, and to
> prevent this, the proxy would need a list of upstream IPs for which it
> will trust the X-Forwarded-For header and chain it.
>
> We would very much like this functionality as well. We are in a
> situation where we're using HAProxy simply to bounce requests onwards
> to another HAProxy (for legacy issues related to IP address
> ownership), and we've had to modify our app since the client IPs are
> sometimes no longer available.
>
> A.

The typical way this is managed is an option to have the chaining software wipe the header to begin with or not. Essentially the default behavior should be optional (maybe have 'option chained-forwardfor', or something to the effect). For us haproxy isn't the first hop but we'd still like it to be in the chain, mostly because if we ever have to switch haproxy to their own server we can have the functionality.

--
Miguel Pilar
Willy Tarreau
Re: X-Forwarded-For header chaining
September 02, 2009 10:50PM
On Wed, Sep 02, 2009 at 05:17:28PM +0200, Alexander Staubo wrote:
> On Wed, Sep 2, 2009 at 3:31 PM, Miguel Pilar
> Vilagran<[email protected]> wrote:
> > I am seeing (with option forwardfor) that HAProxy is replacing
> > X-Forwarded-For instead of chaining the proxy chain. I know it's not an RFC
> > but the de facto standard is to chain the proxies by appending to the header.
> > For my usage it is not necessary but thought I'd point it out (Varnish also
> > doesn't handle the header properly but there's a workaround in VCL for it).
> >
> > Is there a setting for this that I am missing?

Miguel, there might be something special in your config, because
"option forwardfor" only appends a header, it does not remove it at
all. If you want haproxy to remove the existing header, you have to
explicitly tell it to do so using reqidel.

> The issue is that X-Forwarded-For can be spoofed by clients, and to
> prevent this, the proxy would need a list of upstream IPs for which it
> will trust the X-Forwarded-For header and chain it.
>
> We would very much like this functionality as well. We are in a
> situation where we're using HAProxy simply to bounce requests onwards
> to another HAProxy (for legacy issues related to IP address
> ownership), and we've had to modify our app since the client IPs are
> sometimes no longer available.

The problem with this header (and a few others such as Via) is that it
can appear multiple times, but it must always be chained in the correct
sequence. Haproxy respects this. However, I've already seen some applications
using any random occurrence of the header, instead of the one which
corresponds to the proxy position in their architecture. For instance,
if there are 2 proxies before the application, the application must
use occurrence N-2, where N is the number of occurrences of the header,
to find the original client's IP address.

Hoping this helps,
Willy
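As an added illustration of the distinction Willy draws (not configuration posted in the thread), two frontends in the haproxy syntax of the time: one reachable directly by clients, which removes the client-supplied header with reqidel before option forwardfor appends haproxy's own entry, and one assumed to be reachable only from an upstream proxy you operate, which keeps the existing chain. Addresses and the backend name are placeholders.

```haproxy
# Added example, not from the thread.  Frontend directly reachable by
# clients: whatever arrives in X-Forwarded-For was written by the client
# and is untrusted, so delete it before haproxy appends the address it
# actually saw.  Without the reqidel line, option forwardfor would chain
# haproxy's entry behind the client-supplied value.
frontend public
    bind 0.0.0.0:80
    reqidel ^X-Forwarded-For:.*
    option forwardfor
    default_backend app

# Frontend assumed to receive traffic only from an upstream proxy we
# control (placeholder address): its chain is trusted, so keep it and
# append our own entry behind it.
frontend from_upstream_proxy
    bind 10.0.0.2:80
    option forwardfor
    default_backend app
```

reqidel was removed in HAProxy 2.1; on current versions the equivalent line is `http-request del-header X-Forwarded-For`.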
Miguel Pilar Vilagran
Re: X-Forwarded-For header chaining
September 02, 2009 11:10PM
On 9/2/09 4:43 PM, "Willy Tarreau" <[email protected]> wrote:
> On Wed, Sep 02, 2009 at 05:17:28PM +0200, Alexander Staubo wrote:
> > On Wed, Sep 2, 2009 at 3:31 PM, Miguel Pilar
> > Vilagran<[email protected]> wrote:
> > > I am seeing (with option forwardfor) that HAProxy is replacing
> > > X-Forwarded-For instead of chaining the proxy chain. I know it's not an RFC
> > > but the de facto standard is to chain the proxies by appending to the header.
> > > For my usage it is not necessary but thought I'd point it out (Varnish also
> > > doesn't handle the header properly but there's a workaround in VCL for it).
> > >
> > > Is there a setting for this that I am missing?
>
> Miguel, there might be something special in your config, because
> "option forwardfor" only appends a header, it does not remove it at
> all. If you want haproxy to remove the existing header, you have to
> explicitly tell it to do so using reqidel.
>
> > The issue is that X-Forwarded-For can be spoofed by clients, and to
> > prevent this, the proxy would need a list of upstream IPs for which it
> > will trust the X-Forwarded-For header and chain it.
> >
> > We would very much like this functionality as well. We are in a
> > situation where we're using HAProxy simply to bounce requests onwards
> > to another HAProxy (for legacy issues related to IP address
> > ownership), and we've had to modify our app since the client IPs are
> > sometimes no longer available.
>
> The problem with this header (and a few others such as Via) is that it
> can appear multiple times, but it must always be chained in the correct
> sequence. Haproxy respects this. However, I've already seen some applications
> using any random occurrence of the header, instead of the one which
> corresponds to the proxy position in their architecture. For instance,
> if there are 2 proxies before the application, the application must
> use occurrence N-2, where N is the number of occurrences of the header,
> to find the original client's IP address.
>
> Hoping this helps,
> Willy


Willy, what I meant by chaining is what Squid does, which is not to append another header but, if a header exists, to append the proxy IP to the comma+space separated list that may be in the header.

See here: http://en.wikipedia.org/wiki/X-forwarded-for

I guess this can be done with some req* magic in HAProxy.
--
Miguel Pilar
Willy Tarreau
Re: X-Forwarded-For header chaining
September 02, 2009 11:30PM
On Wed, Sep 02, 2009 at 05:06:01PM -0400, Miguel Pilar Vilagran wrote:
> The problem with this header (and a few others such as Via) is that it
> can appear multiple times, but it must always be chained in the correct
> sequence. Haproxy respects this. However I've already seen some applications
> using any random occurrence of the header, instead of the one which
> corresponds to the proxy position in their architecture. For instance,
> if there are 2 proxies before the application, the application must
> use occurrence N-2 where N is the number of occurrences of the header,
> to find the original client's IP address.
>
> Hoping this helps,
> Willy
>
>
> Willy, what I meant by chaining is what Squid does, which is not to append another header but, if a header exists, to append the proxy IP to the comma+space separated list that may be in the header.

There is no difference, it is 100% equivalent.

> See here: http://en.wikipedia.org/wiki/X-forwarded-for

Better read the original doc, isn't it?

RFC2616 - Hypertext Transfer Protocol -- HTTP/1.1

Page 32, section 4.2 - Message headers

Multiple message-header fields with the same field-name MAY be
present in a message if and only if the entire field-value for that
header field is defined as a comma-separated list [i.e., #(values)].
It MUST be possible to combine the multiple header fields into one
"field-name: field-value" pair, without changing the semantics of the
message, by appending each subsequent field-value to the first, each
separated by a comma. The order in which header fields with the same
field-name are received is therefore significant to the
interpretation of the combined field value, and thus a proxy MUST NOT
change the order of these field values when a message is forwarded.

It is exactly what is done here.

Willy
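As an added example (not code from the thread or from HAProxy), the Python below puts Willy's two points together: repeated X-Forwarded-For fields are combined in the order received (RFC 2616 section 4.2, so haproxy's separate field and Squid's comma-appended value form the same chain), and an application behind a known number of trusted proxies must read the entry at position N-2 (for two proxies) rather than the first one. The proxy addresses and sample values are constructed.

```python
"""Added example (not HAProxy code): client address from a chained X-Forwarded-For header."""
import ipaddress
from typing import List, Optional

# Constructed deployment: client -> proxy 1 (10.0.0.1) -> proxy 2 -> app.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1"),
                   ipaddress.ip_address("10.0.0.2")}


def combine_xff(occurrences: List[str]) -> List[str]:
    """Flatten repeated X-Forwarded-For fields into one ordered list.

    RFC 2616 4.2: fields "a, b" then "c" mean the same as one field
    "a, b, c", so haproxy adding a field and Squid appending to the
    existing value yield the same chain.
    """
    entries = []
    for value in occurrences:
        entries.extend(p.strip() for p in value.split(",") if p.strip())
    return entries


def first_entry(occurrences: List[str]) -> Optional[str]:
    """The common mistake: use the leftmost address, which is whatever
    the client chose to send."""
    entries = combine_xff(occurrences)
    return entries[0] if entries else None


def client_ip(occurrences: List[str], hops: int,
              trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Client address as seen by the first of `hops` trusted proxies.

    Each proxy appends the peer it accepted the connection from, so the
    last hops-1 entries were written by proxies 2..hops and must name
    trusted proxies; the one before them, index N-hops (Willy's N-2 for
    two proxies), is the client.  Anything further left is attacker-controlled.
    """
    entries = combine_xff(occurrences)
    n = len(entries)
    if hops < 1 or n < hops:
        return None  # chain shorter than the known topology: do not guess
    try:
        for addr in entries[n - hops + 1:]:
            if ipaddress.ip_address(addr) not in trusted:
                return None  # chain does not match the deployment
        return str(ipaddress.ip_address(entries[n - hops]))
    except ValueError:
        return None  # not an IP address where one was expected
```

The TCP peer address the application sees is proxy 2 itself, which is why it never appears in the header and why the chain must be checked against the known proxies rather than taken on faith.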