PiBa-NL / pfsense-haproxy-package-doc


Consider using send-proxy and accept-proxy in SNI + offloading docs. #3

Closed ryanjaeb closed 8 years ago

ryanjaeb commented 8 years ago

When following the docs here I had a bit of trouble getting original client IPs into the X-Forwarded-For header when doing SSL offloading. I always ended up with X-Forwarded-For: 127.0.0.1.

The PROXY protocol seems to be a good fit for the configuration. Using your docs as an example:

On the backend named frontend3-offloading, use:

Per server pass thru: send-proxy

On the frontend named Frontend3-offloading use:

Bind pass thru: accept-proxy

Here's another doc I found useful.

PiBa-NL commented 8 years ago

Are you sure you configured it 'exactly' as is shown on the picture? (leaving address and port empty) [https://raw.githubusercontent.com/wiki/PiBa-NL/pfsense-haproxy-package-doc/pfsense_2_3_haproxy_sni_plus_offloading_backends/backend-offloading.png]

The resulting config looks like this:

    bind /tmp/haproxy_chroot/testSecond.socket name unixsocket accept-proxy

and:

    server frontend3-srv /testSecond.socket send-proxy-v2-ssl-cn check inter 1000

ryanjaeb commented 8 years ago

@PiBa-NL You are correct. I was using Address+Port rather than selecting the front end directly in the Forwardto field. Your example configuration is already better than what I suggested. Sorry for not double checking before starting an issue.