Forward IP headers in HAProxy to get the real IP of the client
TL;DR - option forwardfor and http-request set-header X-Real-IP %[src] are not working.
My setup is slightly complicated. I have a homeserver with HAProxy installed and some Docker containers. My homeserver is, then, connected to a VPS via WireGuard, which also has HAProxy installed. HAProxy on the homeserver forwards the Docker containers with an SSL certificate to the VPS. The VPS, then, just does TLS passthrough to the clients.
The issue is, if I do not use option forwardfor in either of the two HAProxy configurations, I get the internal IP address of the Docker container (172.XX.XX.1). If I add option forwardfor to the homeserver's HAProxy config, I get the internal WireGuard IP of the homeserver (10.0.0.2). And if I add option forwardfor to the HAProxy config of the VPS as well, I get the internal IP of the WireGuard tunnel (10.0.0.1). And as far as I know, http-request set-header X-Real-IP %[src] has no impact. I have also tried using send-proxy and send-proxy-v2, but then the whole setup stops working.
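For reference, here is an added example configuration (not the poster's own config) showing the two-hop layout described above with the client address carried over the PROXY protocol: the VPS stays in TCP mode and does TLS passthrough, so it cannot add HTTP headers, but it can prepend a PROXY protocol v2 header with send-proxy-v2; the homeserver bind must then be told to expect that header with accept-proxy, otherwise the connection is rejected as garbage, which is the usual reason send-proxy "breaks everything". The WireGuard addresses, ports, certificate path and container address are assumptions.

```haproxy
# --- VPS side (assumed path /etc/haproxy/haproxy.cfg) ---
global
    log stdout format raw local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend public_https
    bind *:443
    mode tcp
    # TLS is not terminated here; the raw bytes go to the homeserver.
    default_backend homeserver_tls

backend homeserver_tls
    mode tcp
    # send-proxy-v2 prepends a PROXY protocol v2 header carrying the
    # real client address. The peer MUST bind with accept-proxy.
    server home 10.0.0.2:8443 check send-proxy-v2

# --- homeserver side (assumed path /etc/haproxy/haproxy.cfg) ---
global
    log stdout format raw local0

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend tunnel_https
    # Bind ONLY on the WireGuard address: accept-proxy trusts whatever
    # source address the PROXY header claims, so this socket must be
    # reachable from nothing but the VPS over the tunnel.
    bind 10.0.0.2:8443 ssl crt /etc/haproxy/certs/example.pem accept-proxy
    mode http
    # Any X-Forwarded-For / X-Real-IP sent by the client is untrusted
    # input; drop it before HAProxy appends its own value.
    http-request del-header X-Forwarded-For
    http-request del-header X-Real-IP
    # With accept-proxy, %[src] is the real client address from the
    # PROXY header rather than the tunnel endpoint.
    option forwardfor
    http-request set-header X-Real-IP %[src]
    default_backend app

backend app
    mode http
    # assumed: the container is reachable on the Docker bridge network
    server app1 172.17.0.2:8080 check
```

Check both files with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading. The point worth keeping in mind is that accept-proxy turns the homeserver socket into something that believes any source address it is handed, so it must never be exposed beyond the tunnel; the same reasoning is why the client-supplied X-Forwarded-For is deleted before option forwardfor appends the value HAProxy actually saw.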
You don't need HAProxy on the VPS at all, unless I'm misunderstanding you. Just route the traffic using iptables hooks in your WireGuard config. This is exactly how I manage my email server and it's entirely transparent.
I have heard about this, but they all sounded complicated. Yours sounds very simple. I have even considered creating a personal NAT over WireGuard at one point, lol.
Why are you running two HAProxy instances? You should be able to forward the traffic on your VPS to your homeserver with a firewall rule.
If that's not an option, this should still be doable using the X-Forwarded-For header. Instead of setting it to a single value, you need to append to it: