haproxy spoa bouncer

HI all, I am trying to use haproxy spoa bouncer but the issue I am seeing is that my webiste is behind cloudflare, I've managed to pass the real IPs to both haproxy logs and down the line to nginx but the bouncer is still only seeing cloudflare's IPs. I've tried a few things using ai unfortunately nothing really helped
My crowdsec.cfg:

[crowdsec]
spoe-agent crowdsec-agent
    messages    crowdsec-ip crowdsec-http
    option      var-prefix      crowdsec
    option      set-on-error    error
    timeout     hello           100ms
    timeout     idle            30s
    timeout     processing      500ms
    use-backend crowdsec-spoa
    log         global

## Minimal test - just pass src directly
spoe-message crowdsec-ip
    args src-ip=src
    event on-frontend-http-request

spoe-message crowdsec-http
    args remediation=var(txn.crowdsec.remediation) host=hdr(Host) method=method path=path
    event on-frontend-http-request

[crowdsec]
spoe-agent crowdsec-agent
    messages    crowdsec-ip crowdsec-http
    option      var-prefix      crowdsec
    option      set-on-error    error
    timeout     hello           100ms
    timeout     idle            30s
    timeout     processing      500ms
    use-backend crowdsec-spoa
    log         global

## Minimal test - just pass src directly
spoe-message crowdsec-ip
    args src-ip=src
    event on-frontend-http-request

spoe-message crowdsec-http
    args remediation=var(txn.crowdsec.remediation) host=hdr(Host) method=method path=path
    event on-frontend-http-request

My haproxy.cfg frontend: ```frontend web_traffic_in
mode http
bind 10...:443 ssl crt /etc/ssl/ alpn h2,http/1.1

# ACL to identify Cloudflare traffic (needs to be tcp-request compatible)
acl from_cf src -f /etc/haproxy/CF_ips.list

# FIRST: Replace source IP with real client IP
http-request set-src req.hdr(CF-Connecting-IP) if from_cf

# Also set the header for other components
http-request set-header CF-Connecting-IP %[var(sess.real_ip)]

# Set source for logging
http-request set-src var(sess.real_ip)

# CrowdSec SPOE filter
filter spoe engine crowdsec config /etc/haproxy/crowdsec.cfg

http-request set-header X-CrowdSec-Remediation %[var(txn.crowdsec.remediation)]
http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m found }

# Add headers
option forwardfor
http-request add-header X-Forwarded-Proto https if { ssl_fc }

# ACLs for routing
acl ** hdr(host) -i **

# Use ACLs to route requests
use_backend

[crowdsec]
spoe-agent crowdsec-agent
    messages    crowdsec-ip crowdsec-http
    option      var-prefix      crowdsec
    option      set-on-error    error
    timeout     hello           100ms
    timeout     idle            30s
    timeout     processing      500ms
    use-backend crowdsec-spoa
    log         global

## Minimal test - just pass src directly
spoe-message crowdsec-ip
    args src-ip=src
    event on-frontend-http-request

spoe-message crowdsec-http
    args remediation=var(txn.crowdsec.remediation) host=hdr(Host) method=method path=path
    event on-frontend-http-request

[crowdsec]
spoe-agent crowdsec-agent
    messages    crowdsec-ip crowdsec-http
    option      var-prefix      crowdsec
    option      set-on-error    error
    timeout     hello           100ms
    timeout     idle            30s
    timeout     processing      500ms
    use-backend crowdsec-spoa
    log         global

## Minimal test - just pass src directly
spoe-message crowdsec-ip
    args src-ip=src
    event on-frontend-http-request

spoe-message crowdsec-http
    args remediation=var(txn.crowdsec.remediation) host=hdr(Host) method=method path=path
    event on-frontend-http-request

haproxy spoa bouncer

Similar Threads

haproxy spoa bouncer

Similar Threads

Similar Threads

Similar Threads