
HAproxy and client IP

Posted: Sunday 07 July 2024 15:36
by Varazir
Hello,

I have HAProxy in front of Domoticz for SSL offloading.
I can't get Domoticz to see the client IP.

I did a tcpdump and checked the output in Wireshark.

I can see this.
Image

Re: HAproxy and client IP

Posted: Monday 08 July 2024 8:50
by gizmocuz
Did you add your HAproxy IP Address in the "Trusted Networks" under Settings?

Re: HAproxy and client IP

Posted: Friday 12 July 2024 18:56
by Varazir
gizmocuz wrote: Monday 08 July 2024 8:50 Did you add your HAproxy IP Address in the "Trusted Networks" under Settings?
No, I don't want that at the moment, as even if you access Domoticz externally you will get the HAProxy IP.

Re: HAproxy and client IP

Posted: Monday 22 July 2024 11:41
by viralkuinfo7
thanks very much

Re: HAproxy and client IP

Posted: Thursday 01 August 2024 22:55
by Varazir
Anyone that can help out here?

Re: HAproxy and client IP

Posted: Thursday 15 August 2024 22:07
by kiddigital
Varazir wrote:
gizmocuz wrote: Monday 08 July 2024 8:50 Did you add your HAproxy IP Address in the "Trusted Networks" under Settings?
No, I don't want that at the moment, as even if you access Domoticz externally you will get the HAProxy IP.
I think you want that.
Domoticz needs to know if it can trust proxy headers it receives. Otherwise anyone can pretend to be a proxy.
So when you add the proxy IP address to the trusted network, Domoticz will process the proxy headers. And with the proper proxy headers it will also see the real client IP and act accordingly.

Re: HAproxy and client IP

Posted: Thursday 15 August 2024 22:10
by Varazir
kiddigital wrote: Thursday 15 August 2024 22:07
Varazir wrote:
gizmocuz wrote: Monday 08 July 2024 8:50 Did you add your HAproxy IP Address in the "Trusted Networks" under Settings?
No, I don't want that at the moment, as even if you access Domoticz externally you will get the HAProxy IP.
I think you want that.
Domoticz needs to know if it can trust proxy headers it receives. Otherwise anyone can pretend to be a proxy.
So when you add the proxy IP address to the trusted network, Domoticz will process the proxy headers. And with the proper proxy headers it will also see the real client IP and act accordingly.
You are talking about "Trusted Networks (no username/password):" I don't want to set my proxy address, then everyone just bypasses logon...

Re: HAproxy and client IP

Posted: Thursday 15 August 2024 22:25
by janpep
Varazir wrote: Thursday 15 August 2024 22:10 You are talking about "Trusted Networks (no username/password):" I don't want to set my proxy address, then everyone just bypasses logon...
Did you test that or do you think that?
Domoticz is connected by the IP address of the proxy, but it should see the remote address (that is forwarded by the proxy if headers are set right), so that should not be the case.

Re: HAproxy and client IP

Posted: Thursday 15 August 2024 22:27
by kiddigital
Varazir wrote:
kiddigital wrote: Thursday 15 August 2024 22:07
Varazir wrote: No, I don't want that at the moment, as even if you access Domoticz externally you will get the HAProxy IP.
I think you want that.
Domoticz needs to know if it can trust proxy headers it receives. Otherwise anyone can pretend to be a proxy.
So when you add the proxy IP address to the trusted network, Domoticz will process the proxy headers. And with the proper proxy headers it will also see the real client IP and act accordingly.
You are talking about "Trusted Networks (no username/password):" I don't want to set my proxy address, then everyone just bypasses logon...
When you add the proxy IP to the Trusted list, it does NOT mean everyone will bypass the login. Give it a try and test it (I assume you are using a recent version of Domoticz).
The users that want to access Domoticz through your proxy will be checked against their real IP address and NOT the proxy IP.
Try and test!
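
Added example, not part of the thread and not Domoticz's own code: a Python model of the behaviour described in the replies above, where one trusted list decides both whose proxy header is honoured and who may skip the login. The `X-Forwarded-For` header name, the addresses and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed value: the single list plays the role of the "Trusted Networks"
# setting discussed in the thread; 192.168.1.10 stands in for the HAProxy host.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.1.10/32")]


def is_trusted(addr):
    """True if addr parses as an IP address inside a trusted network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def effective_client_ip(peer_ip, headers):
    """Address to treat as the client; headers has lower-case names."""
    # A peer outside the trusted list gets no say: its header is ignored,
    # so nobody can pretend to be a proxy.
    if not is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    # Walk from the right: the last entry was appended by the trusted proxy,
    # entries further left may have been supplied by the client itself.
    for hop in reversed([h for h in hops if h]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed header: fall back to the peer
        if not is_trusted(hop):
            return hop
    return peer_ip  # no usable header: the proxy itself looks like the client


def login_required(peer_ip, headers):
    """Login is skipped only when the effective client address is trusted."""
    return not is_trusted(effective_client_ip(peer_ip, headers))
```

In this model a trusted proxy that sends no forwarding header is itself treated as the client, so the check only holds when the proxy sets the header on every request.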