pfSense IP appears in my X-Forwarded-For header field instead of the real IP
by dr-ing from LinuxQuestions.org on (#5C8NQ)
Hey,
my server environment looks similar to this:
Code:
 ----------        -----------        -----------        ------------
 | Client | -----> | HAproxy | -----> | pfSense | -----> | Server A |
 ----------        -----------        -----------        ------------
                        |
                        |                                 ------------
                        |-------------------------------> | Server B |
                                                          ------------
The HAproxy runs on a different server, and the reason why there is a pfSense before server A but not before server B is that server A is a fairly old server that existed before the HAproxy and has grown over time. In the future I will revise the whole architecture, but for now I don't want to make any big changes, so I have to work with that.
My HAproxy passes through all SSL requests and so SSL termination is done directly on the web servers.
The problem is that now the IP from my HAproxy shows up in the server logs, which is a big problem because I have fail2ban running on both servers, which of course now blocks the HAproxy IP instead of the malicious one. So I know I have to work with the X-Forwarded-For IP, which is not a problem on server B, where the X-Forwarded-For IP seems to be the real client IP.
But on Server A, the X-Forwarded-For IP is instead the LAN IP from my pfSense, but only over SSL. When I visit Server A's website over HTTP, the real user IP seems to be in the logs, but with HTTPS I get the IP from the pfSense in the X-Forwarded-For field.
My pfSense has a very simple configuration: all it does is a 1:1 NAT (so public IP -> local IP of my VM) and it acts as a firewall and DHCP server for my VMs, which also include the web server.
Does anyone know this problem? Basically, I need the client IP in the X-Forwarded-For header field, but instead the LAN IP of my pfSense (which is the next node seen by web server A) appears in the logs.


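An added example, not from the post and not code belonging to HAProxy, pfSense or fail2ban, showing how a log consumer such as a ban filter should attribute a request to a client address when a chain of known proxies sits in front of the web server: starting from the TCP peer, every address that belongs to a trusted proxy is skipped, the first untrusted hop read from the right of X-Forwarded-For is taken as the client, and a header presented by an untrusted peer is ignored entirely, so a remote user cannot write an arbitrary address into the header and get it banned. All proxy and client addresses, the log format and the sample log lines are constructed for the example; the post names none of them. The second sample line reproduces the symptom described above (only proxy addresses in the chain): the function can then only return a proxy address, and the ban logic skips it instead of blocking the proxy.

```python
import ipaddress
import re

# Constructed addresses for this example (the post gives no real ones).
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.10/32"),  # hypothetical HAProxy host
    ipaddress.ip_network("192.168.1.1/32"),   # hypothetical pfSense LAN address
]

# Hypothetical access-log format: '%h "%{X-Forwarded-For}i" "%r" %>s'
LOG_RE = re.compile(
    r'^(?P<peer>\S+) "(?P<xff>[^"]*)" "(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def is_trusted(addr: str) -> bool:
    """True if addr is one of our own proxy hops, which must never be banned."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(peer: str, xff: str) -> str:
    """Attribute a request to a client address.

    Walk the chain from the TCP peer leftwards through X-Forwarded-For.
    Every trusted proxy is skipped; the first untrusted address wins.
    Nothing to the left of an untrusted hop is considered, because that
    hop could have written anything into the header.  If the peer itself
    is not a trusted proxy the header is ignored altogether.
    """
    if not is_trusted(peer):
        return peer
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    candidate = peer
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop at the last valid (trusted) hop
        candidate = hop
        if not is_trusted(hop):
            break
    return candidate


def parse_line(line: str):
    """Split one constructed log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ban_candidates(lines):
    """Addresses a fail2ban-style rule may act on: 401 responses attributed to an untrusted client.

    When the whole chain consists of our own proxies (the symptom from the
    post) there is no safe address to ban, so the line is skipped rather
    than banning the proxy.
    """
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "401":
            continue
        ip = real_client_ip(rec["peer"], rec["xff"])
        if is_trusted(ip):
            continue
        out.append(ip)
    return out


# Constructed sample log lines (peer address, X-Forwarded-For, request, status).
SAMPLE_LOGS = [
    # pfSense peer, HAProxy in the header, real client further left
    '192.168.1.1 "198.51.100.7, 203.0.113.10" "POST /login HTTP/1.1" 401',
    # the symptom from the post: only the pfSense address in the header
    '192.168.1.1 "192.168.1.1" "POST /login HTTP/1.1" 401',
    # direct connection with a forged header: header must be ignored
    '198.51.100.7 "10.0.0.5" "POST /login HTTP/1.1" 401',
    # client sends a forged entry through HAProxy: the forged part is discarded
    '203.0.113.10 "127.0.0.1, 198.51.100.9" "POST /login HTTP/1.1" 401',
    # successful request: not a ban candidate regardless of address
    '203.0.113.10 "198.51.100.9" "GET / HTTP/1.1" 200',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_line(line)
        print(rec["status"], "->", real_client_ip(rec["peer"], rec["xff"]))
    print("ban:", ban_candidates(SAMPLE_LOGS))
```

The trusted list should contain only hops you control; listing a whole LAN range is only safe when nothing on that range can reach the server with a crafted header.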