Recently configuredHaproxyI found a very interesting thing when I was acting as an agent：HaproxyOn behalf ofhttpThe request will be mindlessX-Forwarded-For（Hereinafter referred to asXFF），Instead of putting your ownIPAdd address to existingXFFAfter list，WTF！And this divine operation？

After confirmation，I'm hereHaproxyofgithubOpened oneissueFeedback on thisBUG（issueaddress），I finally learnedHaproxyThat's how it was designed，And get the solution，And thisissue's reply was very interesting，Special blog to share。

at first，myissuementionHaproxyNot turning itselfIPaddressappendTo existingXFFAfter list，But mindless added another，This should be aBUG：

Official developmentGGReply to let me upgrade to the latest stable version，I said the same thing when I upgraded，But they repliedHaproxyIt was designed like this：

I repliedHaproxyThis design will lead many open source programs to obtain realIPabnormal，such asTwistedandpacketbeat，But officials sayHaproxy Design of100%accord withHTTPProtocol Standardsbalabala....Since that's what they say，What can I say？We have to use the official suggestionsif noneTo refuseHaproxyadd toXFF，First solve my program to get the sourceIPWrong question。

I thought it was over，The upsurge came！

A cool French beard launched a warm support：

His general idea is that，sinceHaproxy 100% accord withHTTPstandard，Why didn't you follow XFF Standard convention of，Put your ownIPAdd address to existingXFFEnd of list？？Also mentioned severalXFFMany programs cannot be read，such astomcat-8.5。Why not add one option to select multipleXFFOr use oneXFFwaitbalabalaSay at once...

Then the officialHTTPInitiate a rebuttal explanation on the standard（A lot of content，Not shown here），And in the end, it is stated that this is to improveHaproxyperformance，If it exists firstXFFThe performance may decrease under high concurrency2-3times（UnspecifiedHaproxy）。

of course，The official finally gave a solution，Can makeHaproxyAlso likeNginxThat wayIPAdd address to existingXFFafter，Just use theHaproxyAdd the following configurations：

http-request replace-value x-forwarded-for ^ "%[hdr(x-forwarded-for)], %[sr]"

Although the official reply can solve the problem，However, I think the last paragraph of the reply from French Beard is very good：

It roughly means，I already know how to solve the problem through configuration，But why option forwardfor This option is not designed and developed as most people expect，And it's very complicated？

Then directly give the development design that he thinks is better，For example, use option forwardfor force replace：

http-request del-header x-forwarded-foroption forwardfor

Implement mandatory coverageXFF，Another example is to use option forwardfor append To replace：

http-request replace-value x-forwarded-for ^ "%[hdr(x-forwarded-for)], %[src]"

The implementation willIPAdd address to existingXFFafter。Obviously，This design is more readable，Better understanding！He finally mentioned，Apache/Nginx/Tomcat/Jetty/F5And so on are all aboutIPAdd address toXFFafter，Are youHaproxyThink that the utilization rate of these software is not high enough？？It's very exciting，Once again, praise the French beard！

in short，It's really an interesting oneissue，It also solves the problem，Friends who find the same problem can refer to the solution！