What are the different modes for HA-IP?

HA-IP is a ‘highly-available’ IPv4 and IPv6 address that allows you to forward TCP traffic to a single VPS. Besides plain TCP forwarding, HA-IP also offers several other modes for forwarding traffic.

You can choose between the following modes:

TCP

This is the default mode. While active, all TCP traffic for a specific port is forwarded via the HA-IP load balancers to the same port on the connected VPS. For this to work, you must set up this port in the control panel. Otherwise this traffic will be dropped by HA-IP.

  • All TCP traffic will be forwarded to your VPS without it requiring any modification or configuration on your VPS.
  • The 'remote' IP headers will not be forwarded, so your server has no way of knowing which IP address belongs to the original visitor.

HTTP

When using the HTTP mode the X-Forwarded-For and X-Forwarded-Proto headers are added to the traffic.


 

X-Forwarded-For

As long as support for the remote headers is enabled in the configuration of your webserver, you can read the original visitor IP from, for example, $_SERVER['REMOTE_ADDR'].

  • Are you using Nginx? Add the following information to the configuration of Nginx:
    set_real_ip_from 136.144.151.0/24;
    set_real_ip_from 89.41.168.0/26;  
    set_real_ip_from 2a01:7c8:ba1a::/48;
    set_real_ip_from 2a01:7c8:e000::/48;
    real_ip_header   X-Forwarded-For;
    
  • Are you using Apache? In that case you use the mod_remoteip module (documentation). Its configuration could look like the following:
    RemoteIPHeader X-Forwarded-For 
    RemoteIPTrustedProxy 136.144.151.0/24 
    RemoteIPTrustedProxy 89.41.168.0/26
    RemoteIPTrustedProxy 2a01:7c8:ba1a::/48 
    RemoteIPTrustedProxy 2a01:7c8:e000::/48
    
  • Are you using IIS? For enabling remote headers multiple changes are required, for which you can find a detailed guide on docs.microsoft.com.
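
The trust decision behind set_real_ip_from and RemoteIPTrustedProxy, as an added Python example (not TransIP's code), generalised to a chain of trusted proxies: X-Forwarded-For is honoured only when the connecting peer is inside the HA-IP ranges listed above, and entries are read right to left so a value the visitor placed in the header is never used. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Load balancer ranges exactly as listed in the Nginx/Apache configuration above.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "136.144.151.0/24",
    "89.41.168.0/26",
    "2a01:7c8:ba1a::/48",
    "2a01:7c8:e000::/48",
)]

def is_trusted(addr):
    """True when addr belongs to one of the trusted load balancer ranges."""
    return any(addr.version == net.version and addr in net
               for net in TRUSTED_PROXIES)

def client_ip(peer, x_forwarded_for):
    """Resolve the visitor address for one request.

    peer            -- address of the TCP connection as seen by the VPS
    x_forwarded_for -- raw X-Forwarded-For header value, or None
    """
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    # Step back through the header only while the hop we are looking at is a
    # trusted proxy; the first untrusted address is the visitor.
    while hops and is_trusted(current):
        try:
            candidate = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        current = candidate
    return str(current)

if __name__ == "__main__":
    # Constructed samples: via HA-IP, direct to the VPS, and a forged prefix.
    print(client_ip("136.144.151.10", "203.0.113.7"))
    print(client_ip("198.51.100.20", "10.0.0.1"))
    print(client_ip("136.144.151.10", "1.2.3.4, 203.0.113.7"))
```
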

 

X-Forwarded-Proto

The X-Forwarded-Proto header is useful, for example, to redirect HTTP traffic, so that people who visit your domains over HTTP are redirected to HTTPS:

  • Are you using Nginx? You can then set up an HTTP to HTTPS redirect, for example, with:
    # Redirect only when the load balancer reports the original request as plain HTTP
    if ($http_x_forwarded_proto = "http") {
        return 301 https://$server_name$request_uri;
    }
  • Are you using Apache? Then set up a redirect in a .htaccess file with the following syntax:
    RewriteEngine On
    # Redirect when neither the forwarded protocol nor the local connection is HTTPS
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
  • Are you using IIS? You can set up a redirect in the <system.webServer> section of web.config with:
    <rewrite>
      <rules>
        <clear />
        <rule name="Force HTTPS" enabled="true">
          <match url="(.*)" ignoreCase="false" />
          <conditions>
            <!-- Server variables are referenced with curly braces in condition input -->
            <add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" negate="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>

HTTPS

When using the HTTPS mode, so-called 'SSL termination' is already performed on our HA-IP platform. This is possible because an SSL certificate is installed for your domain / application. Via this mode HTTPS traffic can be forwarded to the connected VPS including the remote IP headers.

In order for this to work, it is required that you also have an SSL certificate installed on your VPS for the domains you want routed via HA-IP. This does not necessarily need to be a validated SSL certificate, so a 'self-signed' certificate may be used as well. Furthermore, the 'X-Forwarded-For' option needs to be enabled in the configuration of your webserver (same as with the HTTP mode).

More information on how to install a Let's Encrypt SSL certificate for HA-IP can be found here.


HTTP/2

HTTP/2 is the successor of HTTP and uses, in addition to various improvements to existing protocols, compression and full request & response multiplexing. This allows HTTP/2 to utilize a single TCP connection to process multiple streams in parallel (unlike HTTP). As a result, HTTP/2 sessions can be re-used so fewer TLS handshakes are required (usually just the one per session). This allows you to start multiple downloads over a single connection and in general will give you a better network performance.

The HTTP/2 mode uses SSL termination, like the HTTPS mode. This allows the HTTP/2 traffic to be sent to the VPS with the inclusion of the original 'remote IP'; see the 'HTTPS' section for more information. For more information on HTTP/2, see for example this article.


PROXY

When using the PROXY mode, all traffic including the original headers is forwarded to your server. This sounds ideal, but it does require that the software listening on that port supports the PROXY protocol.

Furthermore, use of the PROXY mode causes the specific service on that port to only be reachable via HA-IP. Direct connections to the IP address of your VPS are no longer possible (for that port / service). Detailed information on the PROXY mode can be found on HAProxy's website.

This offers the option to forward traffic 'transparently' to services other than HTTP (such as mail). Furthermore, the PROXY mode offers the option to 'terminate' SSL on your own VPS. This ensures that management of your SSL certificates remains under your own control.


 

Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.
