Troubleshooting Digital experience monitoring (DEM) geolocation failure

Sometimes you might not get the correct geolocation information. To troubleshoot this problem, follow this procedure.

Symptom

Only the IP address of the HAProxy can be captured, instead of the IP addresses of real client hosts. As a result, the geolocation information can't be retrieved correctly.

Root cause

Some private cloud platforms have an HAProxy in front of the OCP cluster. The source.ip is the IP of the kube-proxy, not the source IP of the real client host. In this case, DEM can't detect the correct geolocation information.

Solution for HTTP protocol

If the geolocation information can't be retrieved correctly for HTTP, follow these steps.

The X-Forwarded-For header is used to capture client IP addresses to enrich geolocation information. You need to turn on option forwardfor and ensure that mode http is used for ingress-http in the file /etc/haproxy/haproxy.cfg.

  1. Ensure option forwardfor is set in the defaults section as follows.

     global
         log         127.0.0.1 local2
         chroot      /var/lib/haproxy
         ... ...
    
     defaults
         mode                    http
         log                     global
         option                  httplog
         option                  dontlognull
         option http-server-close
         option forwardfor       except 127.0.0.0/8
         ... ...
    
  2. Ensure both frontend and backend ingress-http use mode http as follows. By default, it's mode tcp.

     frontend ingress-http
         bind *:80
         default_backend ingress-http
         mode http
         option tcplog
     backend ingress-http
         balance source
         mode http
         server worker0 10.16.18.53:80 check
         server worker1 10.16.18.54:80 check
         server worker2 10.16.18.107:80 check
    
  3. Restart HAProxy for the changes to take effect.

  4. Ensure that HAProxy is restarted successfully.

Then, you can get correct client IP addresses from X-Forwarded-For.
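
A check for steps 1 and 2 that can be run before the restart, added here as an example and not part of the original page or the product: it resolves the effective mode and option forwardfor for frontend and backend ingress-http, including values inherited from defaults. The names effective_settings and check_ingress are hypothetical, the sample configuration is constructed, and the parser assumes HAProxy's built-in mode is tcp and handles only the directives named on this page.

```python
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

def effective_settings(cfg_text):
    """Map (kind, name) -> effective mode / forwardfor for each proxy section."""
    defaults = {"mode": "tcp", "forwardfor": False}  # assumed built-in default: tcp
    proxies, current = {}, None
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if words and words[0] in SECTIONS:
            if words[0] == "defaults":  # a new defaults section starts clean
                current = defaults = {"mode": "tcp", "forwardfor": False}
            elif words[0] == "global" or len(words) < 2:
                current = None
            else:  # a proxy section starts from the preceding defaults
                current = proxies[(words[0], words[1])] = dict(defaults)
        elif words and current is not None:
            if words[0] == "mode" and len(words) > 1:
                current["mode"] = words[1]
            elif words[:2] == ["option", "forwardfor"]:
                current["forwardfor"] = True
            elif words[:3] == ["no", "option", "forwardfor"]:
                current["forwardfor"] = False
    return proxies

def check_ingress(cfg_text, name="ingress-http"):
    """Return the findings that keep X-Forwarded-For from being added."""
    proxies, problems, forwardfor = effective_settings(cfg_text), [], False
    for kind in ("frontend", "backend"):
        proxy = proxies.get((kind, name))
        if proxy is None:
            problems.append(f"{kind} {name}: section not found")
        elif proxy["mode"] != "http":
            problems.append(f"{kind} {name}: mode {proxy['mode']}, expected http")
        # HAProxy adds the header if either the frontend or the backend enables it
        forwardfor = forwardfor or bool(proxy and proxy["forwardfor"])
    if not forwardfor:
        problems.append(f"{name}: option forwardfor not enabled")
    return problems

# Constructed sample: forwardfor is in defaults, but ingress-http is still mode tcp.
SAMPLE_TCP = """
defaults
    mode http
    option forwardfor except 127.0.0.0/8
frontend ingress-http
    mode tcp
backend ingress-http
    mode tcp
"""

print("\n".join(check_ingress(SAMPLE_TCP)) or "ok")
```

Pass the contents of /etc/haproxy/haproxy.cfg to check_ingress before step 3; an empty list means both settings are in effect. Running haproxy -c -f /etc/haproxy/haproxy.cfg separately validates the file's syntax.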

Solution for HTTPS protocol

If the geolocation information can't be retrieved correctly for HTTPS, you need to check whether both HAProxy and OpenShift are configured to support Proxy Protocol. For more information, see Proxy Protocol and Configuring the HAProxy Router to Use the PROXY Protocol.

If you need help configuring OpenShift to support HAProxy, you can engage OpenShift support.