What are the different modes for HA-IP?

HA-IP is a ‘highly-available’ IPv4 and IPv6 address that allows you to forward TCP traffic to a single BladeVPS. Besides TCP, HA-IP also offers three other modes that can be used for forwarding traffic.

You can choose between the following modes:

The different forwarding modes of HA-IP

TCP

This is the default mode. While active, all TCP traffic for a specific port will be forwarded via the HA-IP load balancers to the same port on the connected VPS. For this to work, it's important that you set up this port in the control panel. Otherwise, this traffic will be dropped by HA-IP.

- Pro: All TCP traffic will be forwarded to your VPS without it requiring any modification or configuration on your VPS.
- Con: The 'remote' IP headers will not be forwarded, so your server has no way of knowing the IP address of the original visitor.


HTTP

In HTTP mode, the X-Forwarded-For header is added to the traffic. As long as support for the remote headers is enabled in the configuration of your web server, you can use, for example, $_SERVER['REMOTE_ADDR'] to see the original IP.

  • Are you using NGINX?
    Add the following information to the configuration of Nginx:
    set_real_ip_from 136.144.151.0/24;
    set_real_ip_from 89.41.168.0/26;  
    set_real_ip_from 2a01:7c8:ba1a::/48;
    set_real_ip_from 2a01:7c8:e000::/48;
    real_ip_header   X-Forwarded-For;
    
  • Are you using Apache?
    In that case, use the mod_remoteip module (documentation). Its configuration could look like the following:
    RemoteIPHeader X-Forwarded-For 
    RemoteIPTrustedProxy 136.144.151.0/24 
    RemoteIPTrustedProxy 89.41.168.0/26
    RemoteIPTrustedProxy 2a01:7c8:ba1a::/48 
    RemoteIPTrustedProxy 2a01:7c8:e000::/48
    
  • Are you using IIS?
    Enabling remote headers requires multiple changes; a detailed guide is available on docs.microsoft.com.

- Pro: When enabled in the configuration, the remote IP will be visible / logged in your visitor logs.
- Con: This option is not enabled by default in webserver software and only works for HTTP traffic, not for HTTPS (without installing an SSL certificate) and / or other TCP traffic.
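
An added example (not part of the original article and not TransIP's code) of the trust decision the configurations above encode: X-Forwarded-For is honoured only when the connection itself comes from one of the listed HA-IP ranges. The function names and sample addresses are constructed for illustration, and walking the header from right to left mirrors nginx's real_ip_recursive behaviour, which the snippet above does not enable.

```python
import ipaddress

# HA-IP load balancer ranges, copied from the configuration in the article.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "136.144.151.0/24",
    "89.41.168.0/26",
    "2a01:7c8:ba1a::/48",
    "2a01:7c8:e000::/48",
)]


def is_trusted(addr):
    """True when addr (a string) parses and lies inside an HA-IP range."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address that should be logged as the visitor.

    peer_addr:  source address of the TCP connection.
    xff_header: raw X-Forwarded-For value, or None when absent.
    """
    # A connection that did not come through HA-IP can put anything in the
    # header, so the header is ignored and the peer address is used.
    if not is_trusted(peer_addr) or not xff_header:
        return peer_addr
    # Walk right to left: entries on the left may be supplied by the client.
    for hop in reversed(xff_header.split(",")):
        hop = hop.strip()
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the peer
        if not is_trusted(hop):
            return hop
    return peer_addr  # every hop was a load balancer


if __name__ == "__main__":
    # Constructed samples: (peer address, X-Forwarded-For value).
    for peer, xff in [("136.144.151.10", "203.0.113.7"),
                      ("198.51.100.20", "203.0.113.7"),
                      ("136.144.151.10", "10.0.0.1, 203.0.113.7")]:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```

The second sample shows why the trusted ranges matter: a direct connection to the VPS carrying a forged header is still logged under its real source address.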


HTTPS

When using the HTTPS mode, so-called 'SSL termination' is performed on our HA-IP platform. This is possible because an SSL certificate is installed there for your domain / application. In this mode, HTTPS traffic can be forwarded to the connected VPS including the remote IP headers.

For this to work, you also need to have an SSL certificate installed on your VPS for the domains you want routed via HA-IP. This does not necessarily need to be a validated SSL certificate, so a 'self-signed' (or 'snakeoil') certificate may be used as well. Furthermore, the 'X-Forwarded-For' option needs to be enabled in the configuration of your web server (same as with the HTTP mode).

More information on how to install an SSL certificate for HA-IP can be found here.

- Pro: When enabled in the configuration, the remote IP will be visible / logged in your visitor logs.
- Con: You will need to install an SSL certificate on both our HA-IP platform and your VPS, and need to enable 'X-Forwarded-For' in your web server configuration.
- Con: To use an SSL-certificate with HA-IP (Pro), you can only use our Comodo SSL-certificates, or generate Let's Encrypt certificates, for domains that are in the same TransIP-account that also contains HA-IP (Pro).


PROXY

In PROXY mode, all traffic, including the original headers, is forwarded to your server. This sounds ideal, but it does require that the software listening on that port supports the PROXY protocol. Furthermore, using the PROXY mode causes the specific service on that port to be reachable only via HA-IP. Direct connections to the IP address of your VPS are no longer possible (for that port / service). Detailed information on the PROXY mode can be found on HAProxy's website.

- Pro: This offers the option to forward traffic 'transparently' to services other than HTTP (such as mail). Furthermore, the PROXY mode offers the option to 'terminate' SSL on your own VPS. This ensures that management of your SSL certificates remains under your own control.
- Con: Not much software supports this protocol, and it causes the specific port to be reachable only via HA-IP.
