Can I use HAProxy's new 'capture' feature to save the remote address in a TCP frontend, and use it as the `X-Forwarded-For` header in an HTTP backend?
To answer my own question, this does not seem possible, as the traffic 'leaves' HAProxy here:
```
TCP                             HTTP
frontend->backend (->leaving->) frontend->backend
```
So the context is lost and the capture cannot be preserved. Instead, as "PiBa-NL" suggested on IRC at #haproxy on Freenode yesterday:
```
[5:29pm] PiBa-NL: kvz, use proxy-protocol between back and front
[5:54pm] kvz: PiBa-NL: Thanks, does this mean my app also needs to understand
              the proxy protocol, or will it be 'stripped' once it reaches the
              backend. I don't think my node.js server could handle it without
              significant changes to its stack
[6:07pm] kvz: Or let me rephrase: could I enable the proxy protocol on the first
              frontend, then 'unwrap' it in the second frontend, taking the client ip
              and putting it into the http header - so that my app would not have to
              be proxy protocol compatible, and it would just be means to carry the
              client ip from first frontend to the second?
[6:49pm] PiBa-NL: kvz, the last part you can still use the x-forwarded-for header
[6:50pm] PiBa-NL: but between haproxy backend and frontend you would use the
                  proxyprotocol to make the second frontend 'know' the original client ip
[6:50pm] PiBa-NL: server https_strong 127.0.0.1:1665 send-proxy
[6:50pm] PiBa-NL: bind 127.0.0.1:1665 ssl crt .... accept-proxy
[6:52pm] PiBa-NL: the second frontend can then still use the
                  'option forwardfor', and it should insert the wanted header
[6:53pm] PiBa-NL: so basically 'yes'
```
This means the PROXY protocol is only used to glue the two frontends together, encapsulating the Client IP, but the second frontend unwraps it and saves it in the `X-Forwarded-For` header via `option forwardfor`, so that its backend can send a PROXY-protocol-less request to my app server, meaning I do not have to worry about compatibility issues up/downstream.
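
The chain described in this answer, written out as one HAProxy configuration. This is an added example, not part of the original post: only the `server ... send-proxy` and `bind ... accept-proxy` lines come from the IRC log, while the section names, the public port, the timeouts, the certificate path placeholder, the `del-header` rule and the app server address are assumptions.

```haproxy
# Added example. Everything except the send-proxy / accept-proxy lines is assumed.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Hop 1: plain TCP. This is the only place the real client address is visible.
frontend ft_tcp_in
    mode tcp
    bind :443                      # assumed public listener
    default_backend bk_tcp_to_local

backend bk_tcp_to_local
    mode tcp
    # send-proxy prepends a PROXY protocol header carrying the client IP and
    # port to the connection, so the address survives "leaving" HAProxy.
    server https_strong 127.0.0.1:1665 send-proxy

# Hop 2: terminates TLS and speaks HTTP.
frontend ft_http_local
    mode http
    # accept-proxy believes whatever source address the PROXY header states.
    # Keep this listener on loopback so only the backend above can reach it;
    # anything else that can connect here can claim an arbitrary client IP.
    # /path/to/cert.pem is a placeholder (the path is elided in the log).
    bind 127.0.0.1:1665 ssl crt /path/to/cert.pem accept-proxy
    # Assumed hardening: discard any X-Forwarded-For the client sent itself,
    # so the app only ever sees the value HAProxy derived from the PROXY header.
    http-request del-header X-Forwarded-For
    # Writes the connection's source address (taken from the PROXY header)
    # into X-Forwarded-For.
    option forwardfor
    default_backend bk_app

backend bk_app
    mode http
    # No send-proxy here: the app receives ordinary HTTP and needs no
    # PROXY protocol support.
    server app1 127.0.0.1:8080     # assumed node.js app address
```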