From 220b28f0c4777acf4c9c4efc0c3d39cf7318fbbe Mon Sep 17 00:00:00 2001
From: Josh Knapp
Date: Thu, 14 May 2026 08:57:05 -0700
Subject: [PATCH] haproxy: use req.hdr_ip for real-IP resolution (string-IP crashed Coraza SPOA)

---
 templates/hap_listener.tpl | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/templates/hap_listener.tpl b/templates/hap_listener.tpl
index 3a714cd..0ce73b8 100644
--- a/templates/hap_listener.tpl
+++ b/templates/hap_listener.tpl
@@ -13,10 +13,14 @@ frontend web
 acl has_x_real_ip req.hdr(X-Real-IP) -m found
 acl has_x_forwarded_for req.hdr(X-Forwarded-For) -m found
 
- # Set the real IP based on available headers
- http-request set-var(txn.real_ip) req.hdr(CF-Connecting-IP) if has_cf_connecting_ip
- http-request set-var(txn.real_ip) req.hdr(X-Real-IP) if !has_cf_connecting_ip has_x_real_ip
- http-request set-var(txn.real_ip) req.hdr(X-Forwarded-For) if !has_cf_connecting_ip !has_x_real_ip has_x_forwarded_for
+ # Set the real IP based on available headers. Use hdr_ip (not hdr) so the
+ # variable is typed as IP — required by the Coraza SPOE arg `src-ip` which
+ # decodes binary IP bytes (passing a string IP panics the SPOA goroutine).
+ # `hdr_ip(X-Forwarded-For,1)` extracts the FIRST address from a possibly
+ # comma-separated chain (original client, not intermediate proxies).
+ http-request set-var(txn.real_ip) req.hdr_ip(CF-Connecting-IP) if has_cf_connecting_ip
+ http-request set-var(txn.real_ip) req.hdr_ip(X-Real-IP) if !has_cf_connecting_ip has_x_real_ip
+ http-request set-var(txn.real_ip) req.hdr_ip(X-Forwarded-For,1) if !has_cf_connecting_ip !has_x_real_ip has_x_forwarded_for
 http-request set-var(txn.real_ip) src if !has_cf_connecting_ip !has_x_real_ip !has_x_forwarded_for
 
 # --- Connection & rate tracking ---
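Review bot: The three header-based branches honour CF-Connecting-IP, X-Real-IP and X-Forwarded-For from any peer — there is no `src` test that the request came through a trusted proxy — so if this frontend is reachable directly (its `bind` line is outside the hunk) a client can send its own `CF-Connecting-IP` and choose the address that Coraza's `src-ip` and the rate tracking below act on; taking element 1 of X-Forwarded-For compounds this, since the first element is the one a client controls while the last (`-1`) is the one the nearest proxy appended. A second gap: the ACLs only test header presence (`-m found` on `req.hdr`), whereas `hdr_ip` yields nothing for a value that is not a valid IP, and as far as I recall `set-var` then leaves the variable untouched, so a malformed `X-Real-IP` produces no `txn.real_ip` at all and the `src` fallback never fires because its condition is still false. Both are closed by setting `src` first as the default and applying the typed overrides afterwards, gated on a trusted-proxy ACL, in reverse order so the original CF > X-Real-IP > XFF precedence survives as last-write-wins. The `has_cf_connecting_ip` ACL and the rest of `frontend web` are defined outside the hunk.
```haproxy
# … unchanged: acl has_cf_connecting_ip / has_x_real_ip / has_x_forwarded_for …
# Only honour client-IP headers set by our own proxies; <trusted-proxy-cidrs>
# is a placeholder for the Cloudflare / load-balancer ranges in front of us.
acl from_trusted_proxy src -f <trusted-proxy-cidrs>

# Default to the TCP peer, then let typed overrides replace it. hdr_ip yields
# nothing for a non-IP value, so a malformed header keeps the default instead
# of leaving txn.real_ip unset. Last write wins: XFF < X-Real-IP < CF.
http-request set-var(txn.real_ip) src
http-request set-var(txn.real_ip) req.hdr_ip(X-Forwarded-For,-1) if from_trusted_proxy has_x_forwarded_for
http-request set-var(txn.real_ip) req.hdr_ip(X-Real-IP) if from_trusted_proxy has_x_real_ip
http-request set-var(txn.real_ip) req.hdr_ip(CF-Connecting-IP) if from_trusted_proxy has_cf_connecting_ip
```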