docker-archive / dockercloud-haproxy

HAproxy image that autoreconfigures itself when used in Docker Cloud
https://cloud.docker.com/

Is there a way to get real client ip address from services that run through dockercloud-haproxy in swarm mode? #144

Closed virtuman closed 7 years ago

virtuman commented 7 years ago

I noticed there's another ticket somewhat relevant but not about this:

We have a bunch of websites running on nginx in docker swarm (1.13) and dockercloud-haproxy as the ssl termination + load balancing.

I can't figure out if there's a way to get the real client's IP address from the nginx containers. I think I may have found some information that because of MESH networking it's not at all possible, unless the haproxy was running in --net=host mode, but then I'm not able to have all our website's containers communicate with haproxy's swarm service, since --net=host is exclusive and won't allow additional networks for this container.

Maybe I'm looking at this whole thing from the wrong perspective, and any input is super highly appreciated.

here's one option that I found in default haproxy's config that is generated by dockercloud-haproxy:

defaults
  balance roundrobin
  log global
  mode http
  option redispatch
  option httplog
  option dontlognull
  option forwardfor
  timeout connect 5000
  timeout client 50000
  timeout server 50000

I think that option forwardfor is responsible for sending the X-Forwarded-For header to containers.

Then in the nginx containers, I have nginx configured with the real-ip module enabled and specified:

set_real_ip_from 10.0.0.0/8;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

When I dump headers with PHP, I notice that the X-Forwarded-For variable has the value of haproxy's network of 10.255.0.14 and not my client's IP address.

Thank you.

tifayuki commented 7 years ago

According to the manual here: http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-option%20forwardfor

option forwardfor is the one that is responsible for setting up the X-Forwarded-For header. Can you check directly if the haproxy appends the correct IP address in the header?
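The header check tifayuki asks for, and the trust question behind virtuman's nginx real_ip settings, can both be worked through with a small resolver. The script below is an added example, not code from dockercloud-haproxy or from either commenter. It assumes the topology described in the thread: the swarm ingress mesh is a layer-4 NAT hop that rewrites the source address and adds no header, and HAProxy (option forwardfor) is the only proxy under your control that appends to X-Forwarded-For, so exactly one trailing entry of that header is trustworthy. Instead of walking the header right-to-left and skipping every address inside 10.0.0.0/8 (what real_ip_recursive does), it takes the entry at a fixed depth, which means anything a client placed in the header before HAProxy's entry is ignored rather than promoted to "real IP". The sample addresses are constructed; 10.255.0.14 is the value reported in the issue.

```python
"""Resolve the client address from X-Forwarded-For using a fixed proxy depth,
and report whether the result is a real client or one of our own hops.

Added example for the dockercloud-haproxy issue thread; not project code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Address space used by our own infrastructure. The nginx config in the issue
# trusts 10.0.0.0/8, which also covers the swarm ingress range (10.255.0.0/16).
INFRA_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Number of proxies we control that append an X-Forwarded-For entry.
# Assumption for this example: only HAProxy does; the swarm ingress mesh is a
# layer-4 NAT hop and writes no HTTP header.
PROXIES_APPENDING_XFF = 1


@dataclass
class Resolution:
    client_ip: str
    recovered: bool  # True when the address is not one of our own hops
    note: str


def _parse_xff(header: Optional[str]) -> List[str]:
    """Split a comma-separated X-Forwarded-For value into trimmed entries."""
    if not header:
        return []
    return [h.strip() for h in header.split(",") if h.strip()]


def _is_infra(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INFRA_NETS)


def resolve_client_ip(peer_addr: str, xff_header: Optional[str],
                      proxies: int = PROXIES_APPENDING_XFF) -> Resolution:
    """Pick the client address written by the last `proxies` trusted hops.

    Entries to the left of those were already present when the request
    reached our first proxy, i.e. they are client-supplied and are dropped.
    """
    hops = _parse_xff(xff_header)
    if len(hops) < proxies:
        # Header missing or shorter than our proxy chain would produce:
        # fall back to the TCP peer rather than trusting a partial header.
        candidate, note = peer_addr, "header missing or short; using TCP peer"
    else:
        candidate = hops[len(hops) - proxies]
        dropped = len(hops) - proxies
        note = (f"ignored {dropped} client-supplied entr{'y' if dropped == 1 else 'ies'}"
                if dropped else "taken from proxy-appended entry")

    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return Resolution(peer_addr, False, "unparseable address; using TCP peer")

    if _is_infra(candidate):
        # This is what the issue reports: HAProxy honestly appended the
        # address it saw, but that address is the ingress NAT, not the client.
        return Resolution(candidate, False,
                          note + "; address is inside our own network, "
                                 "the real client was hidden by an earlier NAT hop")
    return Resolution(candidate, True, note)


if __name__ == "__main__":
    # Constructed samples: nginx sees HAProxy (10.0.1.5) as its TCP peer.
    cases = [
        ("10.0.1.5", "10.255.0.14"),                 # value seen in the issue
        ("10.0.1.5", "203.0.113.9, 10.255.0.14"),    # extra client-supplied entry
        ("10.0.1.5", "198.51.100.7"),                # HAProxy saw the real client
        ("10.0.1.5", None),                          # header absent
    ]
    for peer, xff in cases:
        print(f"{xff!r:40} -> {resolve_client_ip(peer, xff)}")
```

Run against the value from the thread, the resolver returns 10.255.0.14 with recovered=False: the header is being set correctly by HAProxy, but the address it records is the ingress mesh, so no amount of real_ip configuration in nginx can recover the client from it. The second case shows why the fixed-depth rule matters: with real_ip_recursive on and set_real_ip_from 10.0.0.0/8, every proxy-written hop is trusted, so the walk would continue into the client-supplied entry, whereas here that entry is dropped.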