haproxy -> varnish -> backend server

Posted by p4guru 
haproxy -> varnish -> backend server
June 06, 2012 03:04AM
Hi guys

Originally we had haproxy in front and connecting to backend server

haproxy -> backend server

and applications and backend server see the real client ip fine without any issues

But we decided to try adding Varnish cache in between

haproxy -> varnish -> backend server

Problem now is backend server and ips are seeing the client ip of the haproxy server and not real visitor client ips.

varnish has the appropriate forwarding of client ips,

remove req.http.X-Forwarded-For;
set req.http.X-Forwarded-For = client.ip;

and works if Varnish only in front of backends.

So what setting if any in haproxy would I need to add or check for, to get the proper client ip from haproxy through varnish into the backend ?

Using haproxy v1.3 here with Varnish 3.0.2.

thanks
David Coulson
Re: haproxy -> varnish -> backend server
June 06, 2012 03:10AM
Is haproxy adding X-Forwarded-For to the request it sends varnish? If
so, just don't have varnish manipulate X-Forwarded-For and your app will
use the header added by HAProxy.

David

On 6/5/12 9:04 PM, haproxy@serverphorums.com wrote:
> Hi guys
>
> Originally we had haproxy in front and connecting to backend server
>
> haproxy -> backend server
>
> and applications and backend server see the real client ip fine without any issues
>
> But we decided to try adding Varnish cache in between
>
> haproxy -> varnish -> backend server
>
> Problem now is backend server and ips are seeing the client ip of the haproxy server and not real visitor client ips.
>
> varnish has the appropriate forwarding of client ips,
>
> remove req.http.X-Forwarded-For;
> set req.http.X-Forwarded-For = client.ip;
>
> and works if Varnish only in front of backends.
>
> So what setting if any in haproxy would I need to add or check for, to get the proper client ip from haproxy through varnish into the backend ?
>
> Using haproxy v1.3 here with Varnish 3.0.2.
>
> thanks
>
> ---
> posted at http://www.serverphorums.com
> http://www.serverphorums.com/read.php?10,508289,508289#msg-508289
>
Sebastien Estienne
Re: haproxy -> varnish -> backend server
June 06, 2012 03:30AM
why not put varnish in front of haproxy like this:
haproxy listen on ip public 1 and localhost
varnish listen on ip public 2 and forward to localhost

so cached traffic is immediately served by varnish without hitting haproxy.

and when you don't need to cache the traffic you use ip public 1 (haproxy)

in our setup the varnish ip is s.mydomain.com serving image/css/js
and haproxy is www.mydomain.com serving dynamic content containing urls in s.mydomain.com.

as a bonus no cookie is sent to s.mydomain.com

--
Sebastien E.


On 5 June 2012 at 21:06, David Coulson <[email protected]> wrote:

> Is haproxy adding X-Forwarded-For to the request it sends varnish? If so, just don't have varnish manipulate X-Forwarded-For and your app will use the header added by HAProxy.
>
> David
>
> On 6/5/12 9:04 PM, haproxy@serverphorums.com wrote:
>> Hi guys
>>
>> Originally we had haproxy in front and connecting to backend server
>>
>> haproxy -> backend server
>>
>> and applications and backend server see the real client ip fine without any issues
>>
>> But we decided to try adding Varnish cache in between
>>
>> haproxy -> varnish -> backend server
>>
>> Problem now is backend server and ips are seeing the client ip of the haproxy server and not real visitor client ips.
>>
>> varnish has the appropriate forwarding of client ips,
>>
>> remove req.http.X-Forwarded-For;
>> set req.http.X-Forwarded-For = client.ip;
>>
>> and works if Varnish only in front of backends.
>>
>> So what setting if any in haproxy would I need to add or check for, to get the proper client ip from haproxy through varnish into the backend ?
>>
>> Using haproxy v1.3 here with Varnish 3.0.2.
>>
>> thanks
>>
>> ---
>> posted at http://www.serverphorums.com
>> http://www.serverphorums.com/read.php?10,508289,508289#msg-508289
>>
>
Re: haproxy -> varnish -> backend server
June 06, 2012 03:46AM
Thanks David, your suggestion helped move me closer to solution, just have to confirm whether it's working completely as some visitors still show haproxy ip within the app itself on backend, but not sure if that is a cached value by the app.

Sebastien, yeah normally that would be what I'd do, just haproxy is a managed service so I have no direct control over it only from varnish downwards.
David Coulson
Re: haproxy -> varnish -> backend server
June 06, 2012 04:00AM
you might also want to look at having varnish prepend the haproxy IP to
the X-Forwarded-For line, rather than just pass it along - Most proxies
seem to comma delimit a list of IPs of all the devices the request has
passed through.

On 6/5/12 9:46 PM, haproxy@serverphorums.com wrote:
> Thanks David, your suggestion helped move me closer to solution, just have to confirm whether it's working completely as some visitors still show haproxy ip within the app itself on backend, but not sure if that is a cached value by the app.
>
> Sebastien, yeah normally that would be what I'd do, just haproxy is a managed service so I have no direct control over it only from varnish downwards.
>
> ---
> posted at http://www.serverphorums.com
> http://www.serverphorums.com/read.php?10,508289,508298#msg-508298
>
Baptiste
Re: haproxy -> varnish -> backend server
June 06, 2012 07:40AM
On Wed, Jun 6, 2012 at 3:50 AM, David Coulson <[email protected]> wrote:
> you might also want to look at having varnish prepend the haproxy IP to the
> X-Forwarded-For line, rather than just pass it along - Most proxies seem to
> comma delimit a list of IPs of all the devices the request has passed
> through.
>
>

Hey David,

Having a "single" line with values separated by commas or having
multiple lines, one per value are both ways allowed by RFC to write
headers in HTTP.
So any HTTP processing tool should make no difference whatever way
headers are written.

Saying that, it is usually recommended to chain proxies like this:
Varnish -> HAProxy -> server.
Now, if you can't and must leave Varnish behind HAProxy, it should
not be complicated to do the X-Forwarded-For clean up (until Varnish can
understand proxy-protocol).

cheers
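
The header handling discussed in this thread, as an added example that is not part of any post: a backend-side resolver that treats repeated X-Forwarded-For lines and a comma-separated line identically, and walks the chain from the nearest hop outwards, stopping at the first address that is not one of its own proxies. The function names and all addresses (documentation ranges standing in for haproxy and varnish) are constructed for illustration.

```python
import ipaddress

# Constructed sample addresses: 192.0.2.10 stands in for haproxy,
# 192.0.2.20 for varnish. Neither value comes from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.20/32")]


def split_xff(header_lines):
    """Flatten X-Forwarded-For values: repeated header lines and one
    comma-separated line are equivalent, so both end up as one list."""
    hops = []
    for line in header_lines:
        hops.extend(part.strip() for part in line.split(",") if part.strip())
    return hops


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, header_lines):
    """Return the address the backend should record as the client.

    Start from the TCP peer and move left through the header only while
    the current hop is one of our own proxies. Entries further left were
    supplied by the client side and are never consulted.
    """
    candidate = ipaddress.ip_address(peer_ip)
    if not is_trusted(candidate):
        return str(candidate)      # direct connection: ignore the header
    for hop in reversed(split_xff(header_lines)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                  # malformed entry: keep the last good hop
        candidate = addr
        if not is_trusted(addr):
            break
    return str(candidate)
```

When varnish overwrites the header with `client.ip`, the only entry left is the haproxy address, so this resolver returns the haproxy IP, which is the symptom described in the first post.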
Re: haproxy -> varnish -> backend server
June 19, 2012 07:11PM
Just coming back to update you all on the solution. It was as David suggested just not letting varnish manipulate X-Forwarded-For, allowed haproxy -> varnish configuration to work for the app :D

Thanks for your help guys..