Feature #12465
Add forwardfor advanced use cases
Status: New
Priority: Normal
Assignee: -
Category: haproxy
Target version: -
% Done: 0%
Description
By default, haproxy creates a new x-forwarded-for header and does not touch the existing one. This can be found in the documentation and in issue 44 on GitHub.
The pfSense UI has a checkbox for the forwardfor option, but it does not allow customizing the behavior of this option.
I think it could be implemented:
- default use case - add a new x-forwarded-for even if the header already exists. This is OK in terms of HTTP, but some backends have problems parsing such stuff
- force - remove x-forwarded-for if it exists in the client request and add just the haproxy client IP. Actually this is usually the flow most desired by sysadmins, at least in my opinion.
- append - modify the existing x-forwarded-for header by writing the client IP to the end of the existing header, or just add this header if it does not exist.
- name parameter is missing in pfSense
- force if srcip !trusted_proxy
- append if srcip trusted_proxy
The haproxy config syntax is as follows (a condition can be added with if):
# forwardfor default, but with x-client header name
option forwardfor header X-Client
# forwardfor force
http-request del-header x-forwarded-for
http-request set-header x-forwarded-for "%[src]"
# forwardfor append
#http-request replace-header x-forwarded-for ^ "%[req.fhdr(x-forwarded-for)], %[src]"
- HAproxy docs https://cbonte.github.io/haproxy-dconv/2.4/configuration.html#option%20forwardfor
- Github issue with discussion about usage https://github.com/haproxy/haproxy/issues/44
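
The conditional variant from the list above (force unless the peer is a trusted proxy, append when it is), written out as an added example; it is not from the original report or from the pfSense package. The section names, the ACL names and the addresses (documentation ranges) are constructed placeholders.

```haproxy
# Added example. Names and addresses are constructed placeholders.
frontend fe_web
    mode http
    bind :80

    # Peers allowed to supply X-Forwarded-For (e.g. an upstream load balancer).
    acl trusted_proxy src 192.0.2.10 198.51.100.0/24
    acl has_xff req.hdr(X-Forwarded-For) -m found

    # force: drop whatever an untrusted client sent, so a client-supplied
    # value never reaches the backend as if it were a proxy-recorded address.
    http-request del-header X-Forwarded-For unless trusted_proxy

    # append: keep a trusted peer's chain and add the peer address to it.
    # req.fhdr returns only the last occurrence and set-header collapses the
    # header to a single line, so earlier duplicate lines are not carried over.
    http-request set-header X-Forwarded-For "%[req.fhdr(X-Forwarded-For)], %[src]" if trusted_proxy has_xff

    # No header present at this point (untrusted client, or a trusted peer
    # that sent none): write the connecting address only.
    http-request set-header X-Forwarded-For "%[src]" unless has_xff

    default_backend be_app

backend be_app
    mode http
    server app1 203.0.113.20:8080
```

Leave `option forwardfor` off in these sections when using the rules above, since it would add its own header line in addition to the one written here.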