net/haproxy: add forwardfor option to backend settings

net/haproxy/pkg-descr

@@ -9,6 +9,7 @@ Plugin Changelog
 Added:
 * add support for built-in OCSP update feature
 * add support for forwarded header (RFC7239)
+* add option "X-Forwarded-For Header" to backend settings
 
 Fixed:
 * fix typo in cert sync script
@@ -17,6 +18,9 @@ Changed:
 * move OCSP settings from "Service" to "Global" section
 * replace bundled haproxyctl library with haproxy-cli
 
+Deprecated:
+* frontend option "X-Forwarded-For Header" (the backend option should be used)
+
 Removed:
 * remove OSCP update cron job
 

net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml

@@ -188,6 +188,12 @@
         <sortable>true</sortable>
         <help><![CDATA[This may be used to add more information to the forwarded header. Default behavior enables proto parameter and injects original client IP. See he <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#option forwarded">HAProxy documentation</a> for a full description.]]></help>
     </field>
+    <field>
+        <id>backend.forwardFor</id>
+        <label>X-Forwarded-For header</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable insertion of the X-Forwarded-For header to requests sent to servers.]]></help>
+    </field>
     <field>
         <label>Persistence</label>
         <type>header</type>

net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml

@@ -207,9 +207,9 @@
     </field>
     <field>
         <id>frontend.forwardFor</id>
-        <label>X-Forwarded-For header</label>
+        <label>X-Forwarded-For (DEPRECATED)</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable insertion of the X-Forwarded-For header to requests sent to servers.]]></help>
+        <help><![CDATA[This option is DEPRECATED and should no longer be used. A new option is available in backend pool settings.]]></help>
     </field>
     <field>
         <id>frontend.prometheus_enabled</id>

net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml

@@ -814,6 +814,7 @@
                         <http10>HTTP/1.0</http10>
                     </OptionValues>
                 </advertised_protocols>
+                <!-- XXX: deprecated option (scheduled removal in os-haproxy 5.0) -->
                 <forwardFor type="BooleanField">
                     <default>0</default>
                     <Required>Y</Required>
@@ -1053,6 +1054,10 @@
                         <http10>HTTP/1.0</http10>
                     </OptionValues>
                 </ba_advertised_protocols>
+                <forwardFor type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </forwardFor>
                 <forwardedHeader type="BooleanField">
                     <default>0</default>
                     <Required>N</Required>

net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf

@@ -1695,6 +1695,9 @@ backend {{backend.name}}
 {%         endif %}
     option forwarded {{forwarded_params|join(' ')}}
 {%       endif %}
+{%       if backend.forwardFor == '1' and backend.mode == 'http' %}
+    option forwardfor
+{%       endif %}
 {%       if helpers.exists('OPNsense.HAProxy.general.cache') and OPNsense.HAProxy.general.cache.enabled|default("") == "1" and backend.tuning_caching|default("") == "1" and backend.mode == "http" %}
     http-request cache-use opnsense-haproxy-cache
     http-response cache-store opnsense-haproxy-cache