dlundquist / sniproxy

Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session.
BSD 2-Clause "Simplified" License

How to configure "X-Forwarded-For" Header? #124

Closed KidFeng closed 9 years ago

KidFeng commented 9 years ago

Hello,

I need to log the IP address at the backend, so I need to add the "X-Forwarded-For" header.

But it seems to be unable to add a header to an HTTPS request, right?

dlundquist commented 9 years ago

@KidFeng Good question! SNIProxy operates at the TCP session layer, not the HTTP protocol layer. While it does have a limited HTTP/TLS parser to extract the hostname, it does not proxy HTTP requests but merely patches through TCP sessions. A (poor) telephone analogy: rather than a customer service representative listening to each customer question and then asking an engineer and replying to the customer, sniproxy simply listens to the customer's initial greeting and transfers the call to that department. As such SNIProxy cannot insert/modify any data in the TLS/HTTPS stream; this is due to not having the private key for each backend server. There has been a long standing TODO item to make the original client source address available to the backend server out of band via a simple HTTP API. If you're looking for more full featured HTTP header manipulation and have access to the backend server private keys, I would recommend you use Nginx or HAProxy; if you don't want to distribute those cryptographic secrets you will need to make do with the limitations of SNIProxy.
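To illustrate the point above: a TCP-layer proxy sees only the plaintext hostname in the TLS ClientHello. This added Python example (not sniproxy's own code) builds a constructed ClientHello and extracts its server_name extension (RFC 6066), which is all such a proxy can route on before the encrypted handshake continues; a truncated record or a non-TLS request yields None.

```python
import struct

# Constructed sample: a minimal TLS 1.2 ClientHello record carrying the SNI
# extension (RFC 6066). The hostname is the only application-identifying field
# sent in plaintext; everything after the handshake is encrypted.
def build_client_hello(hostname: str) -> bytes:
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext     # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                   # client version, random (zeros)
            + b"\x00"                                 # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
            + b"\x01\x00"                             # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data: bytes):
    """Return the SNI hostname from the first bytes of a TLS session, or None
    if the record is not a complete ClientHello carrying server_name."""
    try:
        if data[0] != 0x16:                           # not a handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:        # truncated or not a ClientHello
            return None
        pos = 4 + 2 + 32                              # handshake header, version, random
        pos += 1 + hs[pos]                            # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                            # compression methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                p = pos + 2                           # skip server_name_list length
                while p + 3 <= pos + elen:
                    ntype, nlen = hs[p], struct.unpack("!H", hs[p + 1:p + 3])[0]
                    if ntype == 0:
                        return hs[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None
```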

KidFeng commented 9 years ago

Thank you @dlundquist, sniproxy is light and fast :) I deploy ocserv behind sniproxy; it seems faster and more stable than nginx (why?) except for "x-forwarded-for". I have to use different ports to isolate ngx and ocserv, what a pity.

dlundquist commented 9 years ago

@KidFeng I haven't used ocserv myself, but I would venture a guess that SNIProxy performs faster than nginx for ocserv because it doesn't follow the HTTP protocol but forwards data from the client or server as soon as it is received and the corresponding socket is available for writing.