HAPROXY issue - Transparent ClientIP breaks my ssl



Hello all,

I have an HAProxy that is serving an HTTPS/TCP SSL connection between 5 servers: it switches between servers based on the "req.ssl_sni -i domain.com" flag.
It had always worked with Transparent ClientIP set.

Recently, after the previous update (pfSense version), it started closing connections on the SSL ports after 49152 bytes.
The message on the app is: {"Message":"HTTP\/1.1 400 expected filesize 165084 got 49152

The stick tables are set for a large volume of traffic and number of connections. I've even stopped all but one of the backends to see if it would help, but it does not.
I've tried to change the configuration around, but nothing works besides disabling Transparent ClientIP.

What am I missing? Is there something that I need to pass to the ipfw engine itself to allow the flow of this traffic?

My config file is:

frontend https-vpnssl
    bind 192.168.1.1:4443 name 192.168.1.1:4443
    mode tcp
    log global
    option dontlognull
    option dontlog-normal
    option log-separate-errors
    # timeouts given without a unit are milliseconds: 30000 = 30s
    timeout client 30000
    # hold the connection for up to 5s until a TLS ClientHello (hello type 1)
    # has arrived, so the SNI can be read before a backend is chosen
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl proto_tls req.ssl_hello_type 1
    acl ocserv req.ssl_sni -i host.domain.com
    use_backend b_ocserv_tcp_ipvANY if ocserv
    use_backend b_https_tcp_ipvANY if proto_tls
    default_backend b_https_tcp_ipvANY

backend b_ocserv_tcp_ipvANY
    mode tcp
    log global
    # pin each client source IP to the server it first landed on
    stick-table type ip size 50k expire 8h
    stick on src
    balance roundrobin
    timeout connect 30000
    timeout server 30000
    retries 3
    option tcplog
    server b_ocserv_lxcVpar24 172.16.3.150:443 check inter 1000 weight 20
    server b_ocserv_lxcVpar20 172.16.3.149:443 check inter 1000 weight 10
    server b_ocserv_lxcVpar30 172.16.3.148:443 check inter 1000 weight 50

backend b_https_tcp_ipvANY
    mode tcp
    log global
    stick-table type ip size 512k expire 30m
    stick on src
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    # health check that sends an SSL ClientHello and expects a ServerHello back
    option ssl-hello-chk
    option tcplog
    server lxcVpar39 172.16.3.161:443 check inter 1000
    server lxcVpar40 172.16.3.162:443 check inter 1000

Thanks for your help!


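Both backends in the post carry `option tcplog`, so every session HAProxy closes leaves a TCP log record whose two-letter termination state says which side ended it (client, server, proxy, or a timeout) and how many bytes reached the client. The script below is an added example, not code from the original post or from the pfSense HAProxy package: it parses such records, groups them per backend/server and termination state, and reports whether the abnormal sessions keep stopping at one exact byte count, which is the quickest way to tell a fixed ceiling from random loss. It assumes HAProxy's default `option tcplog` format (client:port, accept date, frontend, backend/server, Tw/Tc/Tt, bytes_read, termination_state, connection counters, queue counters) and the standard termination-code meanings from the HAProxy log documentation. The sample log lines are constructed here for illustration; only the backend and server names are taken from the posted config, and the byte counts and termination codes in them are invented, not observed on the poster's system.

```python
"""Summarise HAProxy `option tcplog` records by server and termination state.

Added example (not from the original post). Assumes the default TCP log format:
  <client>:<port> [<accept_date>] <frontend> <backend>/<server> <Tw>/<Tc>/<Tt>
  <bytes_read> <termination_state> <actconn>/<feconn>/<beconn>/<srv_conn>/<retries>
  <srv_queue>/<backend_queue>
bytes_read is what HAProxy sent to the client for that session.
"""
import re
from collections import Counter, defaultdict

# A syslog prefix may precede the record, so the pattern is searched, not anchored.
TCPLOG_RE = re.compile(
    r"(?P<client>[\d.:a-fA-F]+):(?P<cport>\d+) \[(?P<ts>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>\S+)/(?P<server>\S+) "
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>-?\d+) (?P<bytes>\d+) (?P<term>\S\S) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\d+) "
    r"(?P<srvq>\d+)/(?P<beq>\d+)"
)

# First character of the termination state: who ended the session.
SESSION_STATE = {
    "-": "normal completion", "C": "client aborted", "S": "server aborted or refused",
    "P": "proxy aborted (policy/limit)", "R": "proxy resource exhausted",
    "I": "proxy internal error", "D": "killed because server went down",
    "U": "killed because active server came up", "K": "killed by admin",
    "c": "client-side timeout", "s": "server-side timeout",
}
# Second character: what the session was doing at that moment.
SESSION_PHASE = {
    "-": "after data transfer", "Q": "queued", "C": "connecting to server",
    "D": "data phase", "L": "sending last data to client", "T": "tarpitted",
    "R": "waiting for request", "H": "waiting for response headers",
}

# Constructed sample input; names come from the posted config, values are invented.
SAMPLE_LOG = """\
Jun 10 12:00:01 fw haproxy[1234]: 203.0.113.5:51234 [10/Jun/2024:12:00:00.123] https-vpnssl b_ocserv_tcp_ipvANY/b_ocserv_lxcVpar24 1/0/5023 49152 SD 5/5/3/1/0 0/0
Jun 10 12:00:02 fw haproxy[1234]: 203.0.113.5:51240 [10/Jun/2024:12:00:01.456] https-vpnssl b_ocserv_tcp_ipvANY/b_ocserv_lxcVpar24 1/0/4871 49152 SD 5/5/3/1/0 0/0
Jun 10 12:00:03 fw haproxy[1234]: 198.51.100.9:40022 [10/Jun/2024:12:00:02.001] https-vpnssl b_https_tcp_ipvANY/lxcVpar39 1/1/812 165084 -- 4/4/1/1/0 0/0
Jun 10 12:00:04 fw haproxy[1234]: 198.51.100.9:40030 [10/Jun/2024:12:00:03.300] https-vpnssl b_https_tcp_ipvANY/lxcVpar40 1/0/30021 1200 sD 4/4/1/1/0 0/0
Jun 10 12:00:05 fw haproxy[1234]: 192.0.2.77:55555 [10/Jun/2024:12:00:04.900] https-vpnssl b_ocserv_tcp_ipvANY/b_ocserv_lxcVpar30 1/0/6104 49152 CD 5/5/3/1/0 0/0
this line is not an haproxy record and is skipped
"""


def parse_tcplog(line):
    """Return a dict of fields for one tcplog line, or None if it is not one."""
    m = TCPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("cport", "tw", "tc", "tt", "bytes", "actconn", "feconn",
                "beconn", "srvconn", "retries", "srvq", "beq"):
        rec[key] = int(rec[key])
    return rec


def describe_termination(term):
    """Expand a two-letter termination state such as 'SD' into words."""
    return (f"{SESSION_STATE.get(term[0], 'unknown')} / "
            f"{SESSION_PHASE.get(term[1], 'unknown')}")


def summarize(lines):
    """Count termination states per (backend, server) and collect abnormal sessions."""
    per_server = defaultdict(Counter)
    abnormal = []
    for line in lines:
        rec = parse_tcplog(line)
        if rec is None:
            continue
        per_server[(rec["backend"], rec["server"])][rec["term"]] += 1
        if rec["term"] != "--":
            abnormal.append(rec)
    return per_server, abnormal


def recurring_byte_ceiling(abnormal, min_count=2):
    """Most common bytes_read among abnormal sessions as (value, count), or None.

    The same exact value recurring points at a fixed limit (buffer, policy,
    middlebox) rather than random network loss, and is what to search for next.
    """
    counts = Counter(r["bytes"] for r in abnormal)
    if not counts:
        return None
    value, n = counts.most_common(1)[0]
    return (value, n) if n >= min_count else None


if __name__ == "__main__":
    per_server, abnormal = summarize(SAMPLE_LOG.splitlines())
    for (backend, server), states in sorted(per_server.items()):
        print(f"{backend}/{server}: {dict(states)}")
    for rec in abnormal:
        print(f"  {rec['client']}:{rec['cport']} -> {rec['server']} {rec['bytes']} bytes, "
              f"{rec['term']} = {describe_termination(rec['term'])}")
    print("recurring byte ceiling among abnormal sessions:", recurring_byte_ceiling(abnormal))
```

Feed it the real log with something like `python3 tcplog_summary.py < /var/log/haproxy.log` after replacing the sample with `sys.stdin`; on pfSense the HAProxy package writes through syslog, so the prefix before the client address is skipped by the search. Because `option dontlog-normal` is set in the posted frontend, only abnormal sessions will appear in that log, which is exactly the population this script groups.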