HAProxy Enterprise Documentation 1.9r1

Add an X-Forwarded-For header

When HAProxy Enterprise proxies a TCP connection, it overwrites the client's source IP address with its own when communicating with the backend server. However, when relaying HTTP messages, it can store the client's address in the HTTP header X-Forwarded-For. The backend server can then be configured to read the value from that header to retrieve the client's IP address.

To configure HAProxy Enterprise to add an X-Forwarded-For header to an incoming request, set the option forwardfor directive in a defaults, frontend, listen, or backend section.

Adds an X-Forwarded-For header containing the client's source IP address.

backend webservers
  balance roundrobin
  option forwardfor
  server s1 192.168.56.20:3000 check
  server s2 192.168.56.21:3000 check

Optionally, disable the header for an IP address (or CIDR) by adding the except parameter.

Adds an X-Forwarded-For header except when the source IP is the address of a known proxy.

backend webservers
  balance roundrobin
  option forwardfor except 192.168.56.10
  server s1 192.168.56.20:3000 check
  server s2 192.168.56.21:3000 check

Add the if-none parameter to add the header only when it is not present.

Adds an X-Forwarded-For header unless it already exists.

backend webservers
  balance roundrobin
  option forwardfor if-none
  server s1 192.168.56.20:3000 check
  server s2 192.168.56.21:3000 check

Next up

Enable the Proxy Protocol