ProxyProtocol get Source IP
Get real visitor IP using OVH Load Balancer with ProxyProtocol
Introduction
In this case, we want to get sourceIP, scheme trouth OVH API LoadBalancing, without install our SSL Certitificate on it. This is helpfull if you have many domains with many SSL certificates.
Requirements
We assume you have already an OVH Load Balancer HTTP configured, if not follow ..refs:fr/fr/cloud/iplb/configure-iplb
You have :
- An OVH Load Balancer service
- Nginx (or Apache with mod_proxyprotocol) on an OVH backend
- A domain (option)
- A SSL certificiate (option)
Nginx Configuration
For this example we use this minimal nginx configuration on each backend.
log_format proxyprotocol '$proxy_protocol_addr - $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$request_time"';
server {
listen 80;
listen [::]:80;
server_name domain.tld www.domain.tld;
root /var/www/domain.tld/htdocs;
access_log /var/www/domain.tld/logs/access.log;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name domain.tld www.domain.tld;
root /var/www/domain.tld/htdocs;
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
access_log /var/www/domain.tld/logs/access.log;
}
server {
listen 8080 proxyprotocol;
listen [::]:8080 proxyprotocol;
server_name domain.tld www.domain.tld;
root /var/www/domain.tld/htdocs;
access_log /var/www/domain.tld/logs/access.log proxyprotocol;
}
server {
listen 4443 ssl proxyprotocol;
listen [::]:4443 ssl proxyprotocol;
server_name domain.tld www.domain.tld;
root /var/www/domain.tld/htdocs;
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
access_log /var/www/domain.tld/logs/access.log proxyprotocol;
}
- Port 80 / 443 are used for direct connexion to backend (for test, management, ...)
- Port 8080 / 4443 are used with LoadBalancer
You can't use ProxyProtocol and HTTP on the same port, and theses protocols aren't cross-compatible.
Infrastructure
| Backend# | Public IP | Zone |
|---|---|---|
| backend_1 | 213.186.0.1 | rbx |
| backend_2 | 213.186.0.2 | rbx |
Configuration
Add backends
Create a new farm for each port on backend.
| Parameter | Return 1 | Return 2 |
|---|---|---|
| id | 1000 | 10001 |
| Parameter | Return 1 | Return 2 | Return 3 | Return 4 |
|---|---|---|---|---|
| id | 2000 | 20001 | 20002 | 20003 |
Add frontend
Apply changes
Firewall
Don't forget to allow IPLoadbalancing trafic to your backends:
iptables -A INPUT -s 10.108.0.0/16 -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -s 10.108.0.0/16 -p tcp --dport 4443 -j ACCEPT
Did you find this guide useful?
Please feel free to give any suggestions in order to improve this documentation.
Whether your feedback is about images, content, or structure, please share it, so that we can improve it together.
Your support requests will not be processed via this form. To do this, please use the "Create a ticket" form.
Thank you. Your feedback has been received.