OVH Guide

ProxyProtocol get Source IP

Get real visitor IP using OVH Load Balancer with ProxyProtocol

Introduction

In this case, we want to get the source IP and scheme through the OVH Load Balancing API, without installing our SSL certificate on it. This is helpful if you have many domains with many SSL certificates.

Requirements

We assume you already have an OVH Load Balancer HTTP service configured; if not, follow ..refs:fr/fr/cloud/iplb/configure-iplb

You have:

  • An OVH Load Balancer service
  • Nginx (or Apache with mod_proxyprotocol) on an OVH backend
  • A domain (optional)
  • An SSL certificate (optional)

Nginx Configuration

For this example we use this minimal nginx configuration on each backend.

log_format proxyprotocol '$proxy_protocol_addr - $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent  "$http_referer" "$http_user_agent" "$request_time"';
server {
    listen 80;
    listen [::]:80;

    server_name domain.tld www.domain.tld;
    root /var/www/domain.tld/htdocs;
    access_log    /var/www/domain.tld/logs/access.log;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name domain.tld www.domain.tld;
    root /var/www/domain.tld/htdocs;

    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
    access_log    /var/www/domain.tld/logs/access.log;
}
server {
    # PROXY protocol listener (plain HTTP payload), reached through the load balancer
    listen 8080 proxy_protocol;
    listen [::]:8080 proxy_protocol;

    server_name domain.tld www.domain.tld;
    root /var/www/domain.tld/htdocs;
    access_log    /var/www/domain.tld/logs/access.log proxyprotocol;
}
server {
    # PROXY protocol listener (TLS payload), reached through the load balancer
    listen 4443 ssl proxy_protocol;
    listen [::]:4443 ssl proxy_protocol;

    server_name domain.tld www.domain.tld;
    root /var/www/domain.tld/htdocs;

    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
    access_log    /var/www/domain.tld/logs/access.log proxyprotocol;
}
  • Ports 80 / 443 are used for direct connections to the backend (for tests, management, ...)
  • Ports 8080 / 4443 are used with the Load Balancer

You can't use ProxyProtocol and HTTP on the same port, and these protocols aren't cross-compatible.

Infrastructure

Backend#    Public IP      Zone
backend_1   213.186.0.1    rbx
backend_2   213.186.0.2    rbx

Configuration

Add backends

Create a new farm for each port on the backend.

Parameter   Return 1   Return 2
id          1000       10001

Parameter   Return 1   Return 2   Return 3   Return 4
id          2000       20001      20002      20003

Add frontend

Apply changes

Firewall

Don't forget to allow IP Load Balancing traffic to your backends:

iptables -A INPUT -s 10.108.0.0/16 -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -s 10.108.0.0/16 -p tcp --dport 4443 -j ACCEPT
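
Added example (not part of the original guide and not nginx's own code): a small Python parser for the text form (version 1) of the PROXY protocol header. It shows why plain HTTP fails on the ProxyProtocol ports and why those ports must only be reachable from the load balancer range. The function name client_ip, the peer address 10.108.0.7 and the sample bytes are constructed for illustration; the trusted range is the one used in the firewall rules above.

```python
import ipaddress

# Assumption: load balancer source range, taken from the firewall rules on this page.
TRUSTED_LB_NET = ipaddress.ip_network("10.108.0.0/16")
MAX_V1_HEADER = 107  # longest PROXY v1 line the protocol allows, CRLF included

# Constructed sample: what a backend reads first on port 8080.
SAMPLE = b"PROXY TCP4 203.0.113.9 213.186.0.1 51234 8080\r\nGET / HTTP/1.1\r\n\r\n"


def client_ip(peer_ip, data):
    """Return (client_ip, remaining_bytes) for one accepted connection.

    peer_ip is the TCP peer address (what nginx logs as $remote_addr); data is
    the first bytes read from the socket. Raises ValueError when the header
    comes from an untrusted peer or is malformed.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_LB_NET:
        # Whoever can reach the port can write any address into the header.
        raise ValueError("PROXY header from untrusted peer " + peer_ip)
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        # Plain HTTP sent to a ProxyProtocol port ends up here.
        raise ValueError("no PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return peer_ip, rest  # no client address carried in the header
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    if (src.version, dst.version) != ((4, 4) if fields[1] == "TCP4" else (6, 6)):
        raise ValueError("address family mismatch")
    for port in fields[4:6]:
        if not port.isdigit() or not 0 <= int(port) <= 65535:
            raise ValueError("bad port")
    return str(src), rest


if __name__ == "__main__":
    print(client_ip("10.108.0.7", SAMPLE))
```

The ACCEPT rules above restrict nothing by themselves: ports 8080 and 4443 are limited to the load balancer only if traffic from other sources to those ports is dropped (default DROP policy or an explicit rule). Without that, any host that can reach a ProxyProtocol port can choose the address that appears as $proxy_protocol_addr in the access log.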