That makes some sense... but if
> not all connections are coming through haproxy
wouldn't that mean that a client could provide an X-Forwarded-For header themselves, bypassing the IP restriction? I'm not opposed to adding the config option, I just want to make sure that it would actually be suitable for your use-case.
Another option for you may be to run multiple proxy-server instances -- one that haproxy talks to which has require_proxy_protocol = true and is only bound to localhost, and another for general traffic...
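The header-trust concern raised in the comment above, as an added example that is not part of the original comment and is not Swift's own code: it compares an IP restriction that believes X-Forwarded-For from any peer with one that honors it only when the TCP peer is the trusted proxy. The function names, `TRUSTED_PROXIES`, `ALLOWED_CLIENTS` and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: haproxy runs on the same host, so only loopback peers are trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]
# Constructed allow-list standing in for the IP restriction under discussion.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]


def _in_networks(addr, networks):
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage input
    return any(ip in net for net in networks)


def client_ip_naive(peer_ip, headers):
    """Believe X-Forwarded-For no matter who sent the request."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_checked(peer_ip, headers):
    """Honor X-Forwarded-For only when the TCP peer is a trusted proxy."""
    xff = headers.get("X-Forwarded-For")
    if not xff or not _in_networks(peer_ip, TRUSTED_PROXIES):
        return peer_ip
    # The rightmost entry is the one the trusted proxy appended itself;
    # anything to its left was supplied by the client and proves nothing.
    return xff.split(",")[-1].strip()


def is_allowed(client_ip):
    """Apply the allow-list; an unparsable address is rejected."""
    try:
        return _in_networks(client_ip, ALLOWED_CLIENTS)
    except ValueError:
        return False


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "10.1.2.3"}
    # Direct connection from outside that sets the header itself.
    print(is_allowed(client_ip_naive("203.0.113.7", spoofed)))
    print(is_allowed(client_ip_checked("203.0.113.7", spoofed)))
```
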