Monthly Archives: February 2016


Cloudflare and HAProxy Loadbalancer

We are currently trying out the Cloudflare service to protect one of our company's services. In front of this service we are using HAProxy as SSL endpoint and loadbalancer. Cloudflare adds a number of custom headers (see http://www.linuxorz.com/2014/10/cloudflare-haproxy-get-real-ip/):

 _SERVER["HTTP_CF_IPCOUNTRY"]      CN
 _SERVER["HTTP_CF_RAY"]            17da8155355b0520-SEA
 _SERVER["HTTP_CF_VISITOR"]        {"scheme":"http"}
 _SERVER["HTTP_CF_CONNECTING_IP"]  XX.YY.ZZ.00

In order to place the original client IP in the X-Forwarded-For header, you need to use the following configuration (see http://permalink.gmane.org/gmane.comp.web.haproxy/12019) in HAProxy:

  # LOCALHOST is referenced below but was not defined in the snippet; assumed definition
  acl  LOCALHOST src 127.0.0.1
  # requests whose TCP source is in the Cloudflare ranges listed in the file
  acl  FROM_CLOUDFLARE src -f /etc/haproxy/cf-ips-v4
  # drop any client-supplied X-Forwarded-For unless the request comes from localhost
  reqidel  ^X-Forwarded-For:.* if ! LOCALHOST
  # rename CF-Connecting-IP to X-Forwarded-For, but only for requests from Cloudflare
  reqirep  ^CF-Connecting-IP:(.*)$ X-Forwarded-For:\1 if FROM_CLOUDFLARE
  # for everything else, add X-Forwarded-For with the TCP source address
  option  forwardfor if-none

Additionally you need to have the Cloudflare IPs in the file /etc/haproxy/cf-ips-v4. You can retrieve their IP ranges from: https://www.cloudflare.com/ips/ The order of the rules matters: because any incoming X-Forwarded-For is deleted first and CF-Connecting-IP is only honoured when the connection actually comes from a Cloudflare range, a client that reaches HAProxy directly cannot choose its own reported address by sending those headers itself.
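To see what the four rules above actually do to a request, here is a small added example that models them in plain Python; it is not part of the original post and does not run HAProxy, it just applies the same decisions (is the TCP source in the Cloudflare list, is it localhost, which headers survive) to a few constructed requests. The CIDR ranges and addresses in it are constructed documentation ranges, not real Cloudflare ranges, so a real deployment must load the file fetched from https://www.cloudflare.com/ips/ instead. Note also that `reqidel` and `reqirep` were removed in HAProxy 2.1; on current versions the same effect is obtained with `http-request del-header` and `http-request set-header` guarded by the same ACLs.

```python
"""Model of the HAProxy rules (reqidel / reqirep / option forwardfor if-none)
that decide which address ends up in X-Forwarded-For.  Added example: it
imitates the rule logic in Python and is not HAProxy code."""
import ipaddress

# Constructed stand-in for /etc/haproxy/cf-ips-v4 (documentation ranges,
# NOT real Cloudflare ranges; load the list from cloudflare.com/ips in practice).
CF_IPS_V4_FILE = """\
# cf-ips-v4 (constructed sample)
198.51.100.0/24
203.0.113.0/24
"""
# Matches the assumed 'acl LOCALHOST src 127.0.0.1'.
LOCALHOST_FILE = "127.0.0.1\n"


def load_ip_list(text):
    """Parse a one-CIDR-per-line file as HAProxy's 'src -f FILE' would;
    '#' comments and blank lines are ignored, bare addresses become /32."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def src_matches(src, nets):
    """Equivalent of an 'acl NAME src -f FILE' evaluating to true."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in nets)


def apply_rules(src, headers, cf_nets, local_nets):
    """Apply the rules in configuration order and return the resulting
    headers.  'src' is the TCP peer address HAProxy sees; header names are
    compared case-insensitively, as the 'i' in reqidel/reqirep implies."""
    hdrs = {name.lower(): value for name, value in headers.items()}
    from_cloudflare = src_matches(src, cf_nets)
    from_localhost = src_matches(src, local_nets)

    # reqidel ^X-Forwarded-For:.* if ! LOCALHOST
    if not from_localhost:
        hdrs.pop("x-forwarded-for", None)

    # reqirep ^CF-Connecting-IP:(.*)$ X-Forwarded-For:\1 if FROM_CLOUDFLARE
    # (the header line is renamed, so CF-Connecting-IP disappears)
    if from_cloudflare and "cf-connecting-ip" in hdrs:
        hdrs["x-forwarded-for"] = hdrs.pop("cf-connecting-ip")

    # option forwardfor if-none: add the TCP source only if no XFF remains
    if "x-forwarded-for" not in hdrs:
        hdrs["x-forwarded-for"] = src
    return hdrs


def client_ip(src, headers):
    """Address the backend will read from X-Forwarded-For for this request."""
    cf_nets = load_ip_list(CF_IPS_V4_FILE)
    local_nets = load_ip_list(LOCALHOST_FILE)
    return apply_rules(src, headers, cf_nets, local_nets)["x-forwarded-for"]


if __name__ == "__main__":
    # Constructed requests: one via Cloudflare, one direct with spoofed headers,
    # one from a local process (e.g. a health check or stunnel on the same box).
    samples = [
        ("203.0.113.7", {"CF-Connecting-IP": "192.0.2.10",
                         "X-Forwarded-For": "192.0.2.10"}),
        ("192.0.2.99", {"CF-Connecting-IP": "10.0.0.1",
                        "X-Forwarded-For": "10.0.0.1"}),
        ("127.0.0.1", {"X-Forwarded-For": "192.0.2.5"}),
    ]
    for src, headers in samples:
        print(f"src={src:<13} -> X-Forwarded-For: {client_ip(src, headers)}")
```

The second sample is the case the rule order protects against: a client connecting directly to HAProxy with its own CF-Connecting-IP and X-Forwarded-For headers ends up logged under its real TCP source address, while the first sample (a connection from a listed Cloudflare range) yields the visitor address Cloudflare reported.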

Some additional links:

  • https://martensson.io/cloudflare-universal-ssl-with-haproxy/
  • https://github.com/analytically/haproxy-ddos
  • http://fsfe.soup.io/post/244661656/Alexandre-De-Dommelin-weblog-CloudFlare-HAProxy-and