Client IP preservation
Add an X-Forwarded-For header
When the load balancer proxies a TCP connection, it overwrites the client’s source IP address with its own when communicating with the backend server. However, when relaying HTTP messages, it can store the client’s address in a nonstandard HTTP header used for this purpose, such as X-Forwarded-For. The backend server can then be configured to read the value from that header to retrieve the client’s IP address.
To configure the load balancer to add an X-Forwarded-For header to an incoming request:
- Set the `option forwardfor` directive in a `defaults`, `frontend`, `listen`, or `backend` section:

  ```haproxy
  backend webservers
    balance roundrobin
    option forwardfor
    server s1 192.168.56.20:3000 check
    server s2 192.168.56.21:3000 check
  ```

- Optional: Disable the header for an IP address or IP range by adding the `except` argument:

  ```haproxy
  backend webservers
    balance roundrobin
    option forwardfor except 192.168.56.10
    server s1 192.168.56.20:3000 check
    server s2 192.168.56.21:3000 check
  ```

- Optional: Add the `if-none` argument to add the header only when it isn’t already present:

  ```haproxy
  backend webservers
    balance roundrobin
    option forwardfor if-none
    server s1 192.168.56.20:3000 check
    server s2 192.168.56.21:3000 check
  ```
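On the backend side, the header is only trustworthy when the request arrived from the load balancer, and because `option forwardfor` appends the address it saw after any X-Forwarded-For value the client already sent, the entry to trust is the last one. The following sketch of that check is an added example, not part of the HAProxy documentation. The load balancer address `192.168.56.5`, the function names, and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the load balancer reaches the backends from 192.168.56.5.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.56.5/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_values):
    """Pick the client address from the TCP peer and X-Forwarded-For lines.

    peer       -- source address of the connection to the backend
    xff_values -- every X-Forwarded-For header line, in the order received
    """
    current = ipaddress.ip_address(peer)
    if not _is_trusted(current):
        # Not from the load balancer: anyone can write this header.
        return str(current)
    # Flatten all header lines into one hop list, oldest entry first.
    hops = [h.strip() for line in xff_values for h in line.split(",") if h.strip()]
    # Walk from the newest entry and stop at the first hop we do not control.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        current = addr
        if not _is_trusted(addr):
            break
    return str(current)


if __name__ == "__main__":
    lb = "192.168.56.5"
    # Constructed requests: (TCP peer, X-Forwarded-For lines seen by the backend)
    samples = {
        "normal request": (lb, ["203.0.113.7"]),
        "client sent its own header": (lb, ["10.0.0.1", "198.51.100.23"]),
        "backend reached directly": ("198.51.100.99", ["127.0.0.1"]),
        # With if-none the client's header is passed through untouched, so
        # the backend has nothing to distinguish it from a real value.
        "if-none, client-supplied header": (lb, ["10.0.0.1"]),
    }
    for name, (peer, xff) in samples.items():
        print(f"{name:32} -> {client_ip(peer, xff)}")
```

The last sample is why `if-none` suits only deployments where every upstream that can set the header is itself trusted.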
See also
- Store the client’s address in the HTTP `X-Forwarded-For` header: `option forwardfor`