HAPROXY issue - Transparent ClientIP breaks my ssl
Hello all,
I have a haproxy that is serving an https/tcp ssl connection between 5 servers: It switches between servers based on the "req.ssl_sni -i domain.com" flag.
It had always worked with the Transparent ClientIP set. Since recently, and after the previous update (pfsense version), it started closing connections on the ssl ports after 49152 bytes.
The message on the app is: {"Message":"HTTP\/1.1 400 expected filesize 165084 got 49152
The sticky tables are set for a large volume of traffic and number of connections. I've even stopped all but one of the backends to see if it would help, but it does not.
I've tried to change the configuration around, but nothing works besides disabling Transparent ClientIP. What am I missing? Is there something that I need to pass to the ipfw engine itself to allow the flow of this traffic?
My config file is:
frontend https-vpnssl
    bind 192.168.1.1:4443 name 192.168.1.1:4443
    mode tcp
    log global
    option dontlognull
    option dontlog-normal
    option log-separate-errors
    timeout client 30000
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl proto_tls req.ssl_hello_type 1
    acl ocserv req.ssl_sni -i host.domain.com
    use_backend b_ocserv_tcp_ipvANY if ocserv
    use_backend b_https_tcp_ipvANY if proto_tls
    default_backend b_https_tcp_ipvANY

backend b_ocserv_tcp_ipvANY
    mode tcp
    log global
    stick-table type ip size 50k expire 8h
    stick on src
    balance roundrobin
    timeout connect 30000
    timeout server 30000
    retries 3
    option tcplog
    server b_ocserv_lxcVpar24 172.16.3.150:443 check inter 1000 weight 20
    server b_ocserv_lxcVpar20 172.16.3.149:443 check inter 1000 weight 10
    server b_ocserv_lxcVpar30 172.16.3.148:443 check inter 1000 weight 50

backend b_https_tcp_ipvANY
    mode tcp
    log global
    stick-table type ip size 512k expire 30m
    stick on src
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option ssl-hello-chk
    option tcplog
    server lxcVpar39 172.16.3.161:443 check inter 1000
    server lxcVpar40 172.16.3.162:443 check inter 1000

Thanks for your help!