Last active
August 2, 2024 06:40
haproxy + traefik docker get real ip from options xforwardedfor
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # Log to the local syslog socket, facility local0.
    log /dev/log local0
    # Disabled alternative from the stock example: log over the network to
    # a syslogd on 127.0.0.1, facility local2. For those messages to end up
    # in /var/log/haproxy.log you would need to:
    #   1) let syslog accept network log events by adding the '-r' option
    #      to SYSLOGD_OPTIONS in /etc/sysconfig/syslog
    #   2) route local2 events to the file by adding a line such as
    #          local2.*    /var/log/haproxy.log
    #      to /etc/sysconfig/syslog
    # log 127.0.0.1 local2

    # Process-wide connection ceiling.
    maxconn 4000

    # Run as the unprivileged haproxy account, in the background.
    user haproxy
    group haproxy
    daemon
    # NOTE(review): chroot is disabled here, so the process is not confined
    # to /var/lib/haproxy - confirm whether that is intentional.
    # chroot /var/lib/haproxy
    # pidfile /var/run/haproxy.pid

    # Base directories for relative 'ca-file' and 'crt' paths.
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # turn on stats unix socket
    # NOTE(review): no 'mode', 'user'/'group' or 'level' is given on this
    # line, so who can reach the socket depends on defaults and on the
    # permissions of /var/lib/haproxy - confirm and restrict explicitly.
    stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    # Values inherited by every proxy section that does not set its own.
    mode http
    log global
    maxconn 3000
    retries 3

    option httplog
    option dontlognull
    option http-server-close
    option redispatch
    # Adds X-Forwarded-For except for connections coming from loopback.
    # The frontend and backend in this file declare their own
    # 'option forwardfor' without that exception.
    option forwardfor except 127.0.0.0/8

    # Timeouts. 'http-request' bounds how long a client may take to send a
    # complete request; 'client'/'server' bound idle time on each side.
    timeout http-request 10s
    timeout http-keep-alive 10s
    timeout connect 10s
    timeout check 10s
    timeout queue 1m
    timeout client 1m
    timeout server 1m
#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
#frontend main *:5000
# acl url_static path_beg -i /static /images /javascript /stylesheets
# acl url_static path_end -i .jpg .gif .png .css .js
#
# use_backend static if url_static
# default_backend app
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
#backend static
# balance roundrobin
# server static 127.0.0.1:4331 check
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
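frontend swarm_traefik_frontend
    # Client-facing entry point: terminates TLS and passes every request to
    # the Traefik backend.
    mode http

    # Plain HTTP on :80 is accepted only so it can be redirected below.
    # The PEM given to 'crt' normally carries the private key as well as
    # the certificate, so keep it readable by root only.
    # NOTE(review): no minimum TLS version or cipher list is set on this
    # bind or in 'global', so the build defaults apply - confirm they meet
    # your policy (e.g. 'ssl-min-ver TLSv1.2' on HAProxy 1.8+).
    bind *:80
    bind *:443 ssl crt /home/mycert/2023/certificate.pem

    # Move cleartext clients to HTTPS before any other request processing.
    http-request redirect scheme https unless { ssl_fc }
    #redirect scheme https code 301 if !{ ssl_fc }

    # 'option forwardfor' only appends the peer address; it does not remove
    # an X-Forwarded-For header the client sent itself. Drop the incoming
    # header first so the backend sees only the address HAProxy observed.
    # Remove the del-header line if a trusted proxy or CDN in front of
    # HAProxy legitimately sets this header.
    http-request del-header X-Forwarded-For
    option forwardfor

    default_backend swarm_traefik_backend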
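backend swarm_traefik_backend
    # Traefik nodes of the swarm, reached over TLS, least-connections first.
    mode http
    balance leastconn
    option forwardfor

    # Use set-header for both values: 'add-header' appends, which would
    # leave a client-supplied X-Forwarded-Proto in place next to ours.
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # NOTE(review): 'verify none' encrypts the hop to Traefik but does not
    # check the server certificate, so the backend is not authenticated.
    # To authenticate it, replace with
    #   verify required ca-file <CA_BUNDLE_PLACEHOLDER>
    # using the CA that issued Traefik's certificate.
    # NOTE(review): Traefik should accept X-Forwarded-* only from this
    # proxy's address (its forwarded-headers trusted-IP setting) - that
    # configuration is not shown here, confirm it.
    server swarm01 192.168.0.15:443 ssl check verify none
    server swarm02 192.168.0.16:443 ssl check verify none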
Author
efenfauzi
commented
Feb 15, 2024
- SSL termination is done on haproxy
- traefik (docker): don't set the HTTPS redirect, and don't use mode=host
- sample for getting the real IP: an httpbin (httpbin.org) container exposed through a traefik frontend rule