Forward IP headers in HAProxy to get the real IP of the client
TL;DR - option forwardfor and http-request set-header X-Real-IP %[src] are not working.
My setup is slightly complicated. I have a homeserver, with HAProxy installed and some docker containers. My homeserver is, then, connected to a VPS via WireGuard which also has HAProxy installed. HAProxy on homeserver forwards the docker containers with an SSL certificate to the VPS. The VPS, then, just does TLS pass through to the clients.
The issue is, if I do not use option forwardfor in either of the 2 HAProxy configurations, I get the internal IP address of the docker container (172.XX.XX.1). If I add option forwardfor on the homeserver's HAProxy config, I get the internal IP of the WireGuard of the home server (10.0.0.2). And if I add option forwardfor to the HAProxy config of the VPS as well, I get the internal IP of the WireGuard tunnel (10.0.0.1). And as far as I know, http-request set-header X-Real-IP %[src] has no impact. I have also tried using send-proxy and send-proxy-v2, but then the whole setup stops working.
Why are you running two HAProxy instances? You should be able to forward the traffic on your VPS to your homeserver with a firewall rule.
If that's not an option, this should still be doable using the X-Forwarded-For header. Instead of setting it to a single value, you need to append to it:
If I understand this correctly, this solution might not work for me. The person who answered said,
Assuming you're doing port forwarding with the firewall on your VPS instead of using a reverse proxy like Nginx or HAProxy etc (which won't preserve original client addresses at the IP layer),
I am using HAProxy on the VPS and not doing any port forwarding using firewall rules. And that is the question, how do I forward the traffic?
Should I just paste these 3 lines:
Table = 123
PreUp = ip rule add from 10.0.0.2 table 123 priority 456
PostDown = ip rule del from 10.0.0.2 table 123 priority 456
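
An added example, not part of the thread or any poster's configuration: one way the two-HAProxy layout described above can carry the client address is the PROXY protocol, where send-proxy-v2 on the VPS only works if the receiving bind on the homeserver has accept-proxy; without it the PROXY header arrives ahead of the TLS handshake and the connection fails. Only 10.0.0.2 is taken from the thread; the section names, certificate path and application address are placeholders.

```haproxy
# ---- VPS: haproxy.cfg (TLS pass-through, constructed example) ----
frontend tls_in
    mode tcp
    bind :443
    default_backend homeserver

backend homeserver
    mode tcp
    # Prepend a PROXY v2 header carrying the real client address.
    # The receiver MUST expect it (accept-proxy below).
    server home 10.0.0.2:443 send-proxy-v2

# ---- Homeserver: haproxy.cfg (terminates TLS, constructed example) ----
frontend https_in
    mode http
    # Bind on the WireGuard address only: anyone who can reach an
    # accept-proxy listener can claim any source address.
    # The certificate path is a placeholder.
    bind 10.0.0.2:443 ssl crt /etc/haproxy/certs/site.pem accept-proxy

    # With accept-proxy, %[src] is the address from the PROXY header,
    # not the tunnel peer. set-header overwrites whatever the client
    # sent, so a forged X-Forwarded-For does not reach the application.
    http-request set-header X-Real-IP %[src]
    http-request set-header X-Forwarded-For %[src]
    default_backend app

backend app
    mode http
    # Placeholder for the published port of the docker container.
    server app1 127.0.0.1:8080
```

The application behind the homeserver HAProxy should trust these headers only when the request arrives from that proxy's address.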