Haproxy and docker: how to forward original client IP?

Hi all,

I am using haproxy as a reverse proxy inside a docker container on a Synology NAS. I’m using the official haproxy image, v1.5.14. Depending on the URL, haproxy forwards the connection to web services hosted by the same NAS. This works pretty well.

The NAS has a “blocking IP” feature, which allows blocking certain IPs that try to connect too often to certain backends. The problem is, the original client IP is lost between the container and the backend. For haproxy (inside its container), the client IP seems to be the docker bridge IP, and not the actual client IP. As a consequence, the docker bridge is sometimes blocked, since everyone trying to connect to the backends appears with the same docker bridge IP.

Is there any way to avoid this, i.e. to propagate the original client IP to the backend, so as to allow the system to block the correct IP?
FYI, the docker version used by Synology is pretty old:

    root:~ # docker -v
    Docker version 1.6.2, build a263667

Thank you very much for your help.

2 Likes

Hi @sylar ,

Did you manage to find a solution to your problem? I am also facing the same issue.

Hi @surenderthakran,

I think I have found a way to forward the original IP, yes.
First, I have in the frontend the following directives:

    # add X-FORWARDED-FOR & X-CLIENT-IP
    option forwardfor
    http-request add-header X-CLIENT-IP %[src]

Next, you must launch your haproxy container with --net=host so as to use the same network stack as your host. For instance, I use the following command to launch the container:

    docker run -d --net=host \
      -v /volume1/docker/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro \
      -v /volume1/docker/haproxy/default.pem:/usr/local/etc/haproxy/default.pem:ro \
      --name=Haproxy haproxy:1.5

You will not be able to use such a command from the DSM web interface; you will have to log in with SSH.

Hope it helps!

1 Like
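
Added example, not part of the original posts: a backend-side sketch of picking the address to feed into IP blocking once the proxy forwards it. `option forwardfor` appends its X-Forwarded-For line after any the client already sent, so only the last untrusted hop, and only on connections coming from the proxy itself, is reliable. `TRUSTED_PROXIES`, `client_ip` and the addresses are hypothetical names and constructed values.

```python
import ipaddress

# Assumption: with --net=host the proxy reaches the backends from the NAS
# itself, so only these peers may supply forwarding headers.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("192.0.2.10/32")]  # constructed host IP


def _is_trusted(addr):
    """True if addr parses as an IP and belongs to a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers):
    """Return the address the blocking logic should count.

    peer_addr: source address of the TCP connection seen by the backend.
    headers:   list of (name, value) tuples in the order received.
    """
    if not _is_trusted(peer_addr):
        # Direct connection: any forwarding header is client-controlled.
        return peer_addr
    # Flatten every X-Forwarded-For line into one ordered hop list.
    hops = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            hops.extend(h.strip() for h in value.split(","))
    # Walk from the right: the last entry is the one our proxy appended.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed chain: fall back to the peer
        if not _is_trusted(hop):
            return hop
    return peer_addr
```
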