Proxing to Perlbal and keeping the X-Forward-For header

[Frankie]

Hi there,

We have two separate proxies - Pound and Perlbal. Pound is used for
https and Perlbal for http connections. We have various backend
servers which are in a private network. Both Pound and Perlbal are
used as load balancers and proxy to these backend servers.

http: Perlbal -> Backend -> Perlbal
https: Pound -> Backend ->Pound

We now want to change this setup (for various reasons), so Pound still
serves https but proxies to Perlbal instead of the backend servers.

http: Perlbal -> Backend -> Perlbal
https: Pound -> Perlbal -> Backend -> Perlbal -> Pound

I get Pound's ip address in the backend logs instead of the client's
ip address. If I enable "always_trusted" in Perlbal, I can then get
the client's ip address in the backend server logs.

Is there a way to enable Pound's ip address as trusted instead of
enabling "always_trusted". Or is there any other parameter I can set
so that Perlbal can pass on Pound's X-Forward-For header to the
backend?

Many thanks.

Francoise

[Ask Bjørn Hansen]

On Nov 10, 2011, at 8:49, Frankie wrote:

> Is there a way to enable Pound's ip address as trusted instead of
> enabling "always_trusted". Or is there any other parameter I can set
> so that Perlbal can pass on Pound's X-Forward-For header to the
> backend?

Look for the 'blind_proxy' (I think it is) setting.

Ask

[Frankie]

Yes I have tried that but it makes no difference. This is the config
below. I tried "SET blind_proxy = on" and "SET
trusted_upstream_proxies = 127.0.0.1" (ip for pound as they are on the
same server). Only blind_proxy works which we cannot have.

CREATE SERVICE backend_proxy
SET role = reverse_proxy
SET pool = foxtons_backends
SET persist_client = on
SET persist_backend = off
SET verify_backend = on
SET enable_error_retries = off
SET enable_reproxy = on
ENABLE backend_proxy

>  smime.p7s
> 6KViewDownload

[Abe Hassan]

The configuration we use is:

    SET trusted_upstream_proxies = 10.0.0.0/8

Afaik you can only list one upstream network though. In this case you could whitelist the IP(s) of the pound server so that its XFF header is trusted, and any other traffic is treated as coming directly from the outside.

-- Abe

[Ask Bjørn Hansen]

On Nov 10, 2011, at 16:55, Abe Hassan wrote:

> The configuration we use is:
>
> SET trusted_upstream_proxies = 10.0.0.0/8
>
> Afaik you can only list one upstream network though.

I changed that a few months ago, so in the next release that limitation will be gone.

> In this case you could whitelist the IP(s) of the pound server so that its XFF header is trusted, and any other traffic is treated as coming directly from the outside.

The TrustHeader plugin handles the task a little more generically. You can tell it any header name and it'll pass it through if the IP is in the trusted range or remove it if it's not.

http://search.cpan.org/~gbarr/Perlbal-Plugin-TrustHeader-0.02/lib/Perlbal/Plugin/TrustHeader.pm

- ask

[Frankie]

Thanks for your response.

In order to use Perlbal::Plugin::TrustHeader, I have to change role
from reverse_proxy to web_server. As we use perlbal for load
balancing, I would not be able to use this plugin.

If you have any more ideas, I would really appreciate it. Otherwise,
perhaps our approach is wrong and needs to be changed. But if you
think of anything, please let me know.

> http://search.cpan.org/~gbarr/Perlbal-Plugin-TrustHeader-0.02/lib/Per...
>
>  - ask
>
>  smime.p7s
> 6KViewDownload

[Ask Bjørn Hansen]

On Nov 11, 2011, at 5:03, Frankie wrote:

> In order to use Perlbal::Plugin::TrustHeader, I have to change role
> from reverse_proxy to web_server. As we use perlbal for load
> balancing, I would not be able to use this plugin.

TrustHeader works fine with reverse_proxy.

Ask

[Frankie]

Thanks again. I just cannot get this to work!

Here is a shortened version of my config:

LOAD vhosts
LOAD Stats
LOAD TrustHeader

TrustHeader backend_proxy X-Forward-For 127.0.0.0/8

CREATE POOL site_backends
SET nodefile = /etc/perlbal.dat

CREATE SERVICE backend_proxy
SET role = reverse_proxy

SET pool = site_backends
SET persist_client = off

SET persist_backend = off
SET verify_backend = on
SET enable_error_retries = off
SET enable_reproxy = on
ENABLE backend_proxy

CREATE SERVICE public
SET listen = 0.0.0.0:80
SET role = selector
SET plugins = stats, vhosts, TrustHeader
SET persist_client = off

VHOST www.mywebsite.com = backend_proxy

ENABLE public

# always good to keep an internal management port open:
CREATE SERVICE mgmt
SET role = management
SET listen = 127.0.0.1:8183
ENABLE mgmt

XS enable headers
SERVER aio_mode = ioaio
SERVER aio_threads = 2
SERVER crash_backtrace = 1

I even added SET plugins = TrustHeader to the "backend_proxy" service
section with no luck. I have Perlbal 1.76 currently installed on
Debian Lenny, 2.6.26-2-xen-686.

I still get pound's ip address instead of the client's ip in my
backend server logs. It only has the correct behaviour if I enable
blind_proxy.

Can you see anything wrong with my config above?

>  smime.p7s
> 6KViewDownload

[Ask Bjørn Hansen]

On Nov 14, 2011, at 8:46, Frankie wrote:

> TrustHeader backend_proxy X-Forward-For 127.0.0.0/8

Try putting it on your selector (the service the requests come in on):

TrustHeader public X-Forward-For 127.0.0.0/8

- ask

[Frankie]

That worked a treat. Thanks for spotting that.

Much appreciated

>  smime.p7s
> 6KViewDownload

[Frankie]

> > TrustHeader backend_proxy X-Forward-For 127.0.0.0/8
>
> Try putting it on your selector (the service the requests come in on):
>
> TrustHeader public X-Forward-For 127.0.0.0/8

Still getting pound's ip address in the backend logs after changing
backend_proxy to public!