Haproxy and Discourse IP issue


(Michael) #1

We are using Haproxy in front of Discourse. haproxy.cfg has “option forwardfor” under “defaults”. But Discourse is logging/receiving server ip, not user ip. We also tried with “http-request set-header X-Real-IP %[src]” in frontend and backend. But no help. We’re unable to block IPs now. Please suggest/help.

haproxy -vv output:

HA-Proxy version 1.7.8 2017/07/07
Copyright 2000-2017 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1 USE_PCRE_JIT=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [COMP] compression
        [TRACE] trace
        [SPOE] spoe

(Sam Saffron) #2

This is nothing to do with HAProxy misbehaving you need to teach NGINX in the Discourse container to respect the header.

Example here: Last IP address and action_dispatch.trusted_proxies


(Jay Pfaffman) #3

Aha! I’ve been trying to figure this out (on and, mostly, off) since April. And the post you linked to didn’t include “haproxy” in it, making it harder find. Thanks for this.


Troubleshooting a 429 (rate limit)