Haproxy problem - HTTP POST file uploads to webserver behind fw fail
-
I'm running PF 2.1 with the only extra package installed being haproxy-devel 1.5-dev19 pkg v 0.6
EVERYTHING works great but one single thing:
When doing an HTTP file upload with a FORM multipart/form-data POST to any server behind the firewall, it only works with very small files, approx. max 60 KB. With slightly larger files I get a timeout page after a while, and with even larger files I get nothing at all.
With no haproxy installed all this works as it should. I'm not doing any SSL, just simple HTTP.
I've really really searched for answers but haven't been able to find anything. Would deeply appreciate any help!
-
I've done some more testing and it seems that when "Transparent ClientIP" is enabled and set to DMZ, the large file uploads fail. With "Transparent ClientIP" disabled all seems okay. But I need the transparent mode to be on to have the real source IP numbers available to functions on the webserver :-[ :P
-
(This solution was confirmed by magnust on the haproxy mailinglist. I want to document it here for others that might find this post with the same issue)
Hi magnust,
To get 'transparent' traffic working, it was needed to also load and configure part of "ipfw" in the background (this is also done for the captive portal). This is so HAProxy gets to see the TCP reply traffic, and to prevent replies from being routed out the WAN interface. This makes pf break the connection after a few packets, as it doesn't see/process all the traffic.
The solution is to configure a "floating rule" like this:
Action: Pass
Quick: YES
Interface: DMZ (the one pointing to your server..)
Direction: Out
Protocol: TCP
Source: ANY
Destination: Server-IP
Destination: Server-PORT
State Type: sloppy state
I'm currently in the process of automating the creation of this rule. It needs a little more testing, and together with some other new features I think it will be ready in a week or so; it will be part of the package version "1.5-dev21 pkg v 0.7".
Greets PiBa-NL
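Editor's added example (not part of PiBa-NL's post): the same floating rule written in pf.conf syntax, for readers who want to see what the GUI fields above translate to. The interface name and the server address/port are assumed placeholders; the thread does not give the real values. On pfSense the ruleset is generated from the GUI, so this fragment is for reading and verification rather than hand-editing.

```pf
# Added example: pf.conf equivalent of the floating rule described above.
# Interface name, server address and port are ASSUMED placeholders, not values from the thread.
dmz_if   = "em1"          # interface pointing at the backend server (GUI: Interface: DMZ)
srv_ip   = "192.0.2.10"   # backend web server (GUI: Destination: Server-IP)
srv_port = "80"           # backend port (GUI: Destination: Server-PORT)

# GUI fields: Action: Pass, Quick: YES, Interface: DMZ, Direction: Out, Protocol: TCP,
# Source: ANY, Destination: server IP + port, State Type: sloppy state.
# "sloppy" tells pf to skip TCP sequence-number checking for this state, which is what
# keeps the connection alive when pf does not see every packet of the conversation
# (here the reply side is handled by ipfw/HAProxy in transparent mode).
pass out quick on $dmz_if proto tcp from any to $srv_ip port $srv_port keep state (sloppy)
```

Caveat for anyone copying this: a sloppy state disables pf's sequence-number checks, which is exactly what makes it tolerate asymmetric traffic but also weakens protection against packet insertion and spoofed teardown on that flow. Keep the destination pinned to the one backend IP and port rather than widening it to a whole subnet. To confirm the rule is loaded and is actually matching, check `pfctl -sr` for the rule and watch `pfctl -ss` for a state on the server IP/port while an upload is in progress.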
-
Million thanks for the awesome help PiBa!
/Magnus
-
I use Squid proxy and I face the same problem.
Can I use this way?
Action: Pass
Quick: YES
Interface:LAN
Direction: Out
Protocol: TCP
Source: ANY
Destination: squid server ip
Destination: 3128
State Type: sloppy state
-
Hi finalcut,
If the problem and cause really is the same the same solution could be applicable..
Does the pfSense firewall log currently show blocked packets? Also, I'm not fully understanding your setup: are you running Squid on a server different from pfSense? Are you reverse-proxying incoming web requests to a website you host? Or proxying outbound requests from workstations on the LAN?
Would probably be best to start a new thread with squid in the subject for this issue if adding a rule didn't resolve it.
Greets PiBa-NL
-
Thank you for your response.
I use pfSense and squid3-dev on the same server.
Actually I came from Juniper to pfSense and I'm not that good at identifying the problem.
I need a way to track the problem.
From the system log there is almost nothing wrong. From >>> chrome://net-internals/#events:
t=26735 [st=25497] SOCKET_READ_ERROR
--> net_error = -101 (ERR_CONNECTION_RESET)
--> os_error = 10054
t=26737 [st=25499] -SOCKET_IN_USE
t=26738 [st=25500] -SOCKET_IN_USE
t=26738 [st=25500] -SOCKET_IN_USE
t=26738 [st=25500] -SOCKET_ALIVE
-
I've found you did start another thread a while before.. https://forum.pfsense.org/index.php?topic=74085
That you never got a reply is likely due to the very small amount of fragmented information you have given. "uploading file failed" is not a very descriptive title for someone to look at. As it has nothing to do with HAProxy, and is unlikely to be related to floating rules, I'm not going to continue the discussion here.