HAproxy advised configuration sends IPv4-mapped address on X-Forwarded-For #12124
Description
I decided to try out HAproxy as a Synapse reverse proxy. It looks like the advised configuration sends an incorrect IP with X-Forwarded-For, at least if your server supports both IPv4 and IPv6. It seems to "append" a v6 address to your v4 address. I'm assuming this will cause problems with black-/whitelisting and such.
Also visible on HAproxy logs
Steps to reproduce
- Install Synapse
- Install HAproxy 2.5.4
- Follow the reverse proxy instructions here
- Start up Synapse and connect.
Expected behavior: Client and server being reported with a correct IP address, not this "v4 + v6 hybrid".
Fix
I just followed the instructions here instead: LINK
Instead of:
    frontend https
      bind :::443 v4v6 ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1
      [...]
...use this:
    frontend https
      bind *:443,:::443 v6only ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1
      [...]
(and do the same for the federation port if needed)
Reverse proxy now forwards the correct IPv4 and IPv6 addresses to Synapse.
Perhaps the guide should be updated?
Version information
- Homeserver: Synapse
- Version: 1.53.0
- Install method: pip (python 3.9)
- Platform: Slackware Linux.
(My first post here. Hope I got this right :)
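
Added example, not part of the original issue or of Synapse/HAProxy code: a small Python check showing why an IPv4-mapped address such as `::ffff:203.0.113.7` in X-Forwarded-For slips past an IPv4 allow/block list, and how normalizing it first restores the match. The function names, the sample networks and the header values are constructed for illustration, and it assumes the trusted proxy appends the client address as the last X-Forwarded-For entry.

```python
import ipaddress

# Constructed sample list (documentation address ranges), not from the issue.
BLOCKLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def normalize_client_ip(value):
    """Parse one address; collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(value.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def in_any(addr, networks):
    # A network never contains an address of the other IP version,
    # so an unnormalized ::ffff: address cannot match an IPv4 rule.
    return any(addr in net for net in networks)


def check_forwarded_for(header, networks):
    """Return (raw_match, normalized_match, normalized_ip) for the last hop.

    Assumption: the last comma-separated entry is the one the trusted
    reverse proxy appended.
    """
    last = header.split(",")[-1].strip()
    raw = ipaddress.ip_address(last)
    norm = normalize_client_ip(last)
    return in_any(raw, networks), in_any(norm, networks), str(norm)


if __name__ == "__main__":
    # Constructed header values covering the dual-stack cases in the issue.
    samples = [
        "::ffff:203.0.113.7",               # v4 client seen via a v4v6 socket
        "203.0.113.7",                      # same client via a plain v4 bind
        "2001:db8::1",                      # native IPv6 client
        "198.51.100.5, ::ffff:203.0.113.9", # earlier hop plus mapped last hop
    ]
    for header in samples:
        raw, norm, ip = check_forwarded_for(header, BLOCKLIST)
        print(f"{header!r:40} raw_match={raw!s:5} normalized_match={norm!s:5} ip={ip}")
```

Anything that compares X-Forwarded-For values against IP rules or groups log entries by client can apply the same normalization, whichever bind form the proxy uses.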