Reverse Proxy Configuration - HAProxy
-
- step 5, you get access to XO.
- step 6 (I did a curl on
http://X.X.X.X:PORT/signin)
Request sent by HAProxy:
09:34:03.294200 IP 127.0.0.1.34134 > 127.0.0.1.8080: Flags [P.], seq 1:266, ack 1, win 512, options [nop,nop,TS val 2919287515 ecr 2919287515], length 265: HTTP: GET /signin HTTP/1.1 E..=^.@.@............V.PR,.5.........1..... ........GET /signin HTTP/1.1 host: xoau.ivy1.aquaray.com:8080 user-agent: curl/7.74.0 accept: */* haproxy: yes x-unique-id: AC1014F0:BCD6_AC1014F0:1F90_6576C97B_000A:1783DC forwarded: proto=http;for=X.X.X.X x-forwarded-for: X.XX.X connection: closeResponse from XO:
09:34:03.296545 IP 127.0.0.1.8080 > 127.0.0.1.34134: Flags [P.], seq 1:2009, ack 266, win 512, options [nop,nop,TS val 2919287517 ecr 2919287515], length 2008: HTTP: HTTP/1.1 200 OK E...t.@.@..`.........P.V....R,.>........... ........HTTP/1.1 200 OK X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Content-Type: text/html; charset=utf-8 Content-Length: 1464 ETag: W/"5b8-OqUsZViW2KwDMOq1IfmEYkCzkN0" Set-Cookie: connect.sid=s%3A3imvxT96Uq9L224R8NpArAHuW5Ho7jOS.ArGj0Ms2cIXEalxqdYSk95JS7J0ihftv%2FcURH53p07A; Path=/; HttpOnly Vary: Accept-Encoding Date: Mon, 11 Dec 2023 08:34:03 GMT Connection: close -
Does it ring a bell @julien-f ?
-
@delaf Can you test the PR https://github.com/vatesfr/xen-orchestra/pull/7233?
You will need to set
http.useForwardedHeaderstotruein your xo-server's config.Let me know if that helps
closed feat(xo-server): http.useForwardedHeaders #7233
-
@julien-f it works
As it is said in the doc, relying on
x-forwarded-*should be done carefuly in a controlled network.
@julien-f FYI, some software (like mod_remoteip for apache) use another variable to know from which proxy it is safe to usex-forwarded-*(https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#remoteiptrustedproxy).BWT thank you!
-
@delaf We could add the support for an array of IP addresses for
useForwardedHeadersif necessary in the future.Do you think it's required to do this now?
-
@delaf I've added the support for trusted addresses, if you can test it that would be great
-
@julien-f I have both case with a forwarding proxy on 127.0.0.1:
useForwardedHeaders = ['127.0.0.1']anduseForwardedHeaders = ['10.0.0.0/8']and all seems OK -
@delaf Great! Thank you so much!
-
O olivierlambert marked this topic as a question on
-
O olivierlambert has marked this topic as solved on
-
@julien-f I think we should add this in the reverse proxy documentaion (https://xen-orchestra.com/docs/configuration.html#reverse-proxy). I have created https://github.com/vatesfr/xen-orchestra/pull/7289
closed docs(configuration): useForwardedHeaders #7289
-
@delaf Thank you!
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login