Netgate Discussion Forum
    HAPROXY issue - Transparent ClientIP breaks my ssl

    Cache/Proxy
    nuno:

      Hello all,

      I have an HAProxy that is serving HTTPS/TCP SSL connections between 5 servers: it switches between servers based on the "req.ssl_sni -i domain.com" flag.
      It had always worked with the Transparent ClientIP set.

      Since recently and after the previous update (pfsense version), it started closing connections on the ssl ports after 49152 bytes.
      The message on the app is: {"Message":"HTTP\/1.1 400 expected filesize 165084 got 49152

      The sticky tables are set for a large volume of traffic and number of connections. I've even stopped all but one of the backends to see if it would help but it does not.
      I've tried to change the configuration around, but nothing works besides disabling Transparent ClientIP.

      What am I missing? Is there something that I need to pass to the ipfw engine itself to allow the flow of this traffic?

      My config file is:

      frontend https-vpnssl
      bind 192.168.1.1:4443 name 192.168.1.1:4443 
      mode tcp
      log global
      option dontlognull
      option dontlog-normal
      option log-separate-errors
      timeout client 30000
      tcp-request inspect-delay 5s
      tcp-request content accept if { req.ssl_hello_type 1 }
      acl proto_tls req.ssl_hello_type 1
      acl ocserv req.ssl_sni -i host.domain.com
      use_backend b_ocserv_tcp_ipvANY  if  ocserv
      use_backend b_https_tcp_ipvANY  if  proto_tls
      default_backend b_https_tcp_ipvANY

      backend b_ocserv_tcp_ipvANY
      mode tcp
      log global
      stick-table type ip size 50k expire 8h
      stick on src
      balance roundrobin
      timeout connect 30000
      timeout server 30000
      retries 3
      option tcplog
      server b_ocserv_lxcVpar24 172.16.3.150:443 check inter 1000  weight 20
      server b_ocserv_lxcVpar20 172.16.3.149:443 check inter 1000  weight 10
      server b_ocserv_lxcVpar30 172.16.3.148:443 check inter 1000  weight 50

      backend b_https_tcp_ipvANY
      mode tcp
      log global
      stick-table type ip size 512k expire 30m
      stick on src
      balance leastconn
      timeout connect 30000
      timeout server 30000
      retries 3
      option ssl-hello-chk
      option tcplog
      server lxcVpar39 172.16.3.161:443 check inter 1000 
      server lxcVpar40 172.16.3.162:443 check inter 1000

      Thanks for your help!
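The frontend above decides the backend from the TLS ClientHello only (req.ssl_hello_type and req.ssl_sni), which is why the tcp-request inspect-delay is needed: until the whole hello record has been buffered, neither fetch has a value. The following is an added example, not code from the poster or from HAProxy, that implements the same inspection on raw bytes: it builds a constructed ClientHello, pulls the SNI out of it, and applies the use_backend/default_backend order from the posted config. It does not model the transparent client IP setting or the truncation the poster sees.

```python
import struct
from typing import Optional

# Backend and ACL values copied from the frontend/backend config in the post.
B_OCSERV = "b_ocserv_tcp_ipvANY"
B_HTTPS = "b_https_tcp_ipvANY"
OCSERV_SNI = "host.domain.com"   # acl ocserv req.ssl_sni -i host.domain.com


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello record, optionally
    carrying a server_name extension. Not captured traffic."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + bytes(32)                 # client_version + random
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
        + b"\x01\x00"                           # one compression method (null)
        + struct.pack("!H", len(exts)) + exts   # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ssl_hello_type(buf: bytes) -> Optional[int]:
    """Equivalent of req.ssl_hello_type: handshake type of the first TLS record,
    or None while the record is incomplete (HAProxy keeps waiting up to inspect-delay)."""
    if len(buf) < 6 or buf[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", buf[3:5])[0]
    if len(buf) < 5 + rec_len:
        return None
    return buf[5]


def extract_sni(buf: bytes) -> Optional[str]:
    """Equivalent of req.ssl_sni: walk the ClientHello to the server_name extension."""
    if ssl_hello_type(buf) != 1:
        return None
    rec_len = struct.unpack("!H", buf[3:5])[0]
    hs = buf[5:5 + rec_len]
    try:
        hs_len = int.from_bytes(hs[1:4], "big")
        if len(hs) < 4 + hs_len:
            return None
        p = 4 + 2 + 32                                   # skip header, version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000:                          # server_name
                lst_len = struct.unpack("!H", hs[p:p + 2])[0]
                q = p + 2
                while q + 3 <= p + 2 + lst_len:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:                       # host_name
                        return hs[q:q + nlen].decode("ascii", "replace")
                    q += nlen
            p += elen
    except (IndexError, struct.error):
        return None                                      # malformed or truncated hello
    return None


def choose_backend(buf: bytes) -> str:
    """Apply the frontend's rules in order: ocserv ACL, then proto_tls ACL, then default."""
    sni = extract_sni(buf)
    if sni is not None and sni.lower() == OCSERV_SNI:    # use_backend b_ocserv if ocserv
        return B_OCSERV
    if ssl_hello_type(buf) == 1:                         # use_backend b_https if proto_tls
        return B_HTTPS
    return B_HTTPS                                       # default_backend b_https


if __name__ == "__main__":
    for label, data in [("ocserv", build_client_hello("HOST.domain.com")),
                        ("other", build_client_hello("other.example")),
                        ("no sni", build_client_hello(None)),
                        ("truncated", build_client_hello("host.domain.com")[:20])]:
        print(f"{label:10s} sni={extract_sni(data)!r:20s} -> {choose_backend(data)}")
```

The truncated case is the one worth keeping in mind when reading the posted config: a hello that has not fully arrived yields no SNI, so the routing decision can only be made once the inspect-delay has let the whole record in.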

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.