[Resolved] HAProxy Client IP

bradford

Hi there,

I am using HAProxy as a reverse proxy to a docker container running apache2 and php to serve osTicket. I cannot get the forwardfor option in HAProxy to reflect client IP in osTicket. Currently in all logs I see HAProxy as the client IP.

I have also tried adding the X-Real-IP header but at this point I am just shooting in the dark. Can someone tell me how to get client IP information to feed through properly?

Thanks!
-Bradford

KevinTheJedi

@bradford

Have you added the proxy to TRUSTED_PROXIES in the Config File (include/ost-config.php)?

Cheers.

bradford

KevinTheJedi

Yes, line reads exactly:
define('TRUSTED_PROXIES', '192.168.0.0/24');

The IP address of HAProxy is currently 192.168.0.13 so this should match, right?

Thanks!

KevinTheJedi

@bradford

Set it to the actual IP address instead of an IP range, restart Apache, and retest.

Cheers .

bradford

KevinTheJedi

Set to:
define('TRUSTED_PROXIES', '192.168.0.13');

Same result. I am checking from apache2 access logs, not sure if that matters.

KevinTheJedi

@bradford

Do you have the X-Forwarded-For header set? If not this is the issue. We use get_client_ip which attempts to grabe the IP from the aforementioned header. If not it defaults to the request IP which is HAProxy’s IP in your case.

Cheers.

bradford

KevinTheJedi

In HAProxy frontend i have option forwardfor which should add this header. I don't think I need to add this also to backend, but I had moved the option around to see if that was the issue, it doesn't seem to make a difference. Other applications behind this proxy do have client IP's though, just not this instance of osTicket.

Does Apache2 typically need to be configured to allow this? I did try loading mod_remoteip but unless configuration is required that didn't seem to help either.

KevinTheJedi

@bradford

Look at the request in the browser and see if it has the X-Forwarded-For header set and ensure it’s set to the correct IP.

Cheers.

bradford

KevinTheJedi

Both the proxy and the webserver are in containers so I'll need to find a way to get tpcdump in between. I'll get back to you when I can get you that information.

Thanks for your help so far.

bradford

KevinTheJedi

I do have X-Forwarded-For with my client IP address listed in the GET coming from the proxy (192.168.0.13) to the webserver (192.168.0.14).

X-Forwarded-Proto: https\r\n X-Forwarded-Port: 443\r\n X-Forwarded-For: 10.18.1.45\n\n

KevinTheJedi

@bradford

Let me ask you this (should’ve asked at the beginning) where exactly is the IP showing incorrectly?

Cheers.

bradford

KevinTheJedi

Well, previously under scp/logs.php but it looks like this is working now...

I did set the TRUSTED_PROXIES back to CIDR range and it's still working as expected. Not sure where the kink was worked out but I appreciate your help.

KevinTheJedi

@bradford

Dude awesome! I have no idea why or what either. Maybe there was some weird caching going on or something and eventually expired? Who knows. I’m glad it’s working correctly now!

Cheers.