Proxing to Perlbal and keeping the X-Forward-For header

121 views
Skip to first unread message

Frankie

unread,
Nov 10, 2011, 11:49:02 AM11/10/11
to perlbal
Hi there,

We have two separate proxies - Pound and Perlbal. Pound is used for
https and Perlbal for http connections. We have various backend
servers which are in a private network. Both Pound and Perlbal are
used as load balancers and proxy to these backend servers.

http: Perlbal -> Backend -> Perlbal
https: Pound -> Backend ->Pound

We now want to change this setup (for various reasons), so Pound still
serves https but proxies to Perlbal instead of the backend servers.

http: Perlbal -> Backend -> Perlbal
https: Pound -> Perlbal -> Backend -> Perlbal -> Pound

I get Pound's ip address in the backend logs instead of the client's
ip address. If I enable "always_trusted" in Perlbal, I can then get
the client's ip address in the backend server logs.

Is there a way to enable Pound's ip address as trusted instead of
enabling "always_trusted". Or is there any other parameter I can set
so that Perlbal can pass on Pound's X-Forward-For header to the
backend?

Many thanks.

Francoise

Ask Bjørn Hansen

unread,
Nov 10, 2011, 12:03:27 PM11/10/11
to per...@googlegroups.com

On Nov 10, 2011, at 8:49, Frankie wrote:

> Is there a way to enable Pound's ip address as trusted instead of
> enabling "always_trusted". Or is there any other parameter I can set
> so that Perlbal can pass on Pound's X-Forward-For header to the
> backend?

Look for the 'blind_proxy' (I think it is) setting.


Ask

Frankie

unread,
Nov 10, 2011, 12:21:42 PM11/10/11
to perlbal
Yes I have tried that but it makes no difference. This is the config
below. I tried "SET blind_proxy = on" and "SET
trusted_upstream_proxies = 127.0.0.1" (ip for pound as they are on the
same server). Only blind_proxy works which we cannot have.

CREATE SERVICE backend_proxy
SET role = reverse_proxy
SET pool = foxtons_backends
SET persist_client = on
SET persist_backend = off
SET verify_backend = on
SET enable_error_retries = off
SET enable_reproxy = on
ENABLE backend_proxy
>  smime.p7s
> 6KViewDownload

Abe Hassan

unread,
Nov 10, 2011, 7:55:28 PM11/10/11
to per...@googlegroups.com
The configuration we use is:

    SET trusted_upstream_proxies = 10.0.0.0/8

Afaik you can only list one upstream network though. In this case you could whitelist the IP(s) of the pound server so that its XFF header is trusted, and any other traffic is treated as coming directly from the outside.

-- Abe

Ask Bjørn Hansen

unread,
Nov 10, 2011, 11:01:49 PM11/10/11
to per...@googlegroups.com

On Nov 10, 2011, at 16:55, Abe Hassan wrote:

> The configuration we use is:
>
> SET trusted_upstream_proxies = 10.0.0.0/8
>
> Afaik you can only list one upstream network though.

I changed that a few months ago, so in the next release that limitation will be gone.

> In this case you could whitelist the IP(s) of the pound server so that its XFF header is trusted, and any other traffic is treated as coming directly from the outside.

The TrustHeader plugin handles the task a little more generically. You can tell it any header name and it'll pass it through if the IP is in the trusted range or remove it if it's not.

http://search.cpan.org/~gbarr/Perlbal-Plugin-TrustHeader-0.02/lib/Perlbal/Plugin/TrustHeader.pm


- ask

Frankie

unread,
Nov 11, 2011, 8:03:55 AM11/11/11
to perlbal
Thanks for your response.

In order to use Perlbal::Plugin::TrustHeader, I have to change role
from reverse_proxy to web_server. As we use perlbal for load
balancing, I would not be able to use this plugin.

If you have any more ideas, I would really appreciate it. Otherwise,
perhaps our approach is wrong and needs to be changed. But if you
think of anything, please let me know.
> http://search.cpan.org/~gbarr/Perlbal-Plugin-TrustHeader-0.02/lib/Per...
>
>  - ask
>
>  smime.p7s
> 6KViewDownload

Ask Bjørn Hansen

unread,
Nov 11, 2011, 12:31:12 PM11/11/11
to per...@googlegroups.com

On Nov 11, 2011, at 5:03, Frankie wrote:

> In order to use Perlbal::Plugin::TrustHeader, I have to change role
> from reverse_proxy to web_server. As we use perlbal for load
> balancing, I would not be able to use this plugin.

TrustHeader works fine with reverse_proxy.


Ask

Frankie

unread,
Nov 14, 2011, 11:46:28 AM11/14/11
to perlbal
Thanks again. I just cannot get this to work!

Here is a shortened version of my config:

LOAD vhosts
LOAD Stats
LOAD TrustHeader

TrustHeader backend_proxy X-Forward-For 127.0.0.0/8

CREATE POOL site_backends
SET nodefile = /etc/perlbal.dat

CREATE SERVICE backend_proxy
SET role = reverse_proxy
SET pool = site_backends
SET persist_client = off
SET persist_backend = off
SET verify_backend = on
SET enable_error_retries = off
SET enable_reproxy = on
ENABLE backend_proxy

CREATE SERVICE public
SET listen = 0.0.0.0:80
SET role = selector
SET plugins = stats, vhosts, TrustHeader
SET persist_client = off

VHOST www.mywebsite.com = backend_proxy

ENABLE public

# always good to keep an internal management port open:
CREATE SERVICE mgmt
SET role = management
SET listen = 127.0.0.1:8183
ENABLE mgmt

XS enable headers
SERVER aio_mode = ioaio
SERVER aio_threads = 2
SERVER crash_backtrace = 1

I even added SET plugins = TrustHeader to the "backend_proxy" service
section with no luck. I have Perlbal 1.76 currently installed on
Debian Lenny, 2.6.26-2-xen-686.

I still get pound's ip address instead of the client's ip in my
backend server logs. It only has the correct behaviour if I enable
blind_proxy.

Can you see anything wrong with my config above?
>  smime.p7s
> 6KViewDownload

Ask Bjørn Hansen

unread,
Nov 14, 2011, 11:51:01 AM11/14/11
to per...@googlegroups.com

On Nov 14, 2011, at 8:46, Frankie wrote:

> TrustHeader backend_proxy X-Forward-For 127.0.0.0/8

Try putting it on your selector (the service the requests come in on):

TrustHeader public X-Forward-For 127.0.0.0/8


- ask

Frankie

unread,
Nov 15, 2011, 5:45:00 AM11/15/11
to perlbal
That worked a treat. Thanks for spotting that.

Much appreciated
>  smime.p7s
> 6KViewDownload

Frankie

unread,
Nov 15, 2011, 7:35:47 AM11/15/11
to perlbal
> > TrustHeader backend_proxy X-Forward-For 127.0.0.0/8
>
> Try putting it on your selector (the service the requests come in on):
>
> TrustHeader public X-Forward-For 127.0.0.0/8

Still getting pound's ip address in the backend logs after changing
backend_proxy to public!
Reply all
Reply to author
Forward
0 new messages