Using HAProxy in docker with host network


When running HAProxy in a docker container, we can only see (and forward) the original client's IP when running the container with the --net=host option as described here.

Our question: Is this advisable from a security standpoint? Will this make it easier for attackers to exploit HAProxy vulnerabilities? Or is it common practice?


There are 2 best solutions below

lion.vollnhals (accepted answer)

If you are running docker swarm then you will get an IP from swarm ingress network in your X-Forwarded-For header.

You can work around this by using --network=host, but then you cannot connect the container to other overlay networks, which might cause issues in your setup, for example if you want to connect HAProxy to other containers.

Fortunately you can use --publish mode=host,... instead of the default --publish mode=ingress to directly bind to the external ip.

Then HAProxy will see the real client IP. Also see https://github.com/docker-archive/dockercloud-haproxy/issues/134#issuecomment-288485710
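As an added illustration of the two publish modes the answer contrasts (this is example configuration written for this page, not from the answerer or from any HAProxy or Docker project), here is a Swarm stack file with the default ingress publish left commented beside the host-mode publish. The service name `app`, the image tag, the overlay network name and the `haproxy.cfg` path are assumptions chosen for the example:

```yaml
# docker-compose.yml for `docker stack deploy -c docker-compose.yml edge` (example, not from the page)
version: "3.8"

services:
  haproxy:
    image: haproxy:2.8            # assumed image tag
    # Default ingress publish: the routing mesh SNATs the connection, so HAProxy
    # sees an IP from the swarm ingress network instead of the client address.
    # ports:
    #   - target: 80
    #     published: 80
    #     protocol: tcp
    #     mode: ingress
    #
    # Host-mode publish: the port is bound directly on the node's interface,
    # bypassing the routing mesh, so HAProxy sees the real client IP. Unlike
    # --network=host the container keeps its own network namespace and can
    # still join overlay networks to reach backends.
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
    networks:
      - app_net                   # overlay network shared with backends (assumed name)
    configs:
      - source: haproxy_cfg
        target: /usr/local/etc/haproxy/haproxy.cfg
    deploy:
      # Host-mode publishing cannot place two replicas on one node (the host
      # port would conflict), so run one task per node instead of N replicas.
      mode: global

  app:
    image: example/app:latest     # assumed backend image
    networks:
      - app_net

networks:
  app_net:
    driver: overlay

configs:
  haproxy_cfg:
    file: ./haproxy.cfg           # assumed local path to the HAProxy config
```

In the referenced `haproxy.cfg`, `option forwardfor` in the frontend is what puts the now-correct client address into the X-Forwarded-For header that the answer mentions; without host-mode publishing that header would carry the ingress network address regardless. Because only the published port is bound on the host, the rest of the container's network stack stays isolated, which is the property the question is asking about.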

Aleksandar

Well, --net=host is a common practice to expose a container to the public interface. If you don't set --net=host, HAProxy will not be reachable outside of the docker network.