'HAproxy within Pfsense, how to set header like in NGINX (Host, X-Real, X-Forwarded...)

could anyone help me please how I can set the following headers within a frontend(?) configuration via HAproxy in Pfsense for the following rules like I used them in NGINX?

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;

Think the following header I can set easily via the Checkbox "Use "forwardfor" option":

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Think that is been done in Advanced pass thru via:

http-request set-header Host ???
http-request set-header X-Real-IP ???
http-request set-header X-Forwarded-Proto ???

But how do I get the correct variables?

Thank you very much in advance.

Regards

reverse-proxyhaproxypfsense


Solution 1:[1]

I'm not an expert at all, but I recently needed to set the X-Forwarded-Proto header from the CloudFront-Forwarded-Proto header. This is how I did it:

  1. Go to the frontend and scroll down to Actions
  2. From the Action dropdown select http-request header set
  3. For Name set X-Forwarded-Proto
  4. For Fmt set %[req.hdr(CloudFront-Forwarded-Proto)]
  5. Under Condition acl names select the ACL representing your backend

But adding them as lines in Advanced pass thru will probably work too. To answer your question specifically, from what I can find in section 7.3.3 of the official docs, I think you can do something like this:

  • http-request set-header Host ??? -> http-request set-header Host %[bc_src] (bc_src)
  • http-request set-header X-Real-IP ??? -> http-request set-header X-Real-IP %[src] (src)
  • http-request set-header X-Forwarded-Proto ??? -> http-request set-header X-Forwarded-Proto %[dst_port] (dst_port)

I used the pfSence GUI as described above and used Openresty to log the result:

2022/03/10 15:24:12 [crit] 8#8: *2 [lua] request_logger.lua:35: {"response":{"time":1646925852.22,"body":"GET \/abc x=2&y=z\n","headers":{"connection":"close","content-type":"text\/html","transfer-encoding":"chunked"},"status":200,"duration":"0.000"},"request":{"host":"jpl-pfsense.local.lan","uri":"\/abc","post_args":{},"method":"GET","headers":{"host":"jpl-pfSense.local.lan","user-agent":"curl\/7.79.1","accept":"*\/*","x-forwarded-proto":"80","x-real-ip":"10.33.20.127"},"get_args":{"y":"z","x":"2"},"time":1646925852.22}} while logging request, client: 10.33.30.1, server: _, request: "GET /abc?x=2&y=z HTTP/1.1", upstream: "http://127.0.0.1:8081/abc?x=2&y=z", host: "jpl-pfSense.local.lan"

Specifically:

"request": {
    ...
    "headers": {
        "host": "jpl-pfSense.local.lan",
        ...
        "x-forwarded-proto": "80",
        "x-real-ip": "10.33.20.127"
    },
    ...
}

I know I'm late, but hope this helps.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 joeplaa

Related Questions

How would you create a reverse proxy using a Firebase function?

Apache HTTPS Reverse Proxy URL Redirection

Nginx reverse proxy issue long request

Golang gin gonic web framework proxy route to another backend

How to setup apache 2 reverse proxy to forward different domain and pretend as that domain name?

Nginx follow redirect and reverse proxy last location

nginx 431 Request Header Fields Too Large

Unable to access Kibana behind NginX reverse proxy on Docker

Can a response from an http request alter the base address in the next client request?

Traefik V2 docker provider path /ws routing to external websocket server

Can traefik rewrite the location header of redirect responses (302)

Use Nginx as reverse proxy, mount server at subfolder and add all links with the subfolder

403.7 forbidden access denied on exchange server 2019 error with reverse proxy when certificate based authentication enabled

Proxy pass to a sub directory using nginx

Reverse Proxy and Akamai