HA PROXY + Inline Snort -> Blocks HAPROXY IP



  • Hello.
    This is my scenario:

    PFSENSE-HAPROXY -> PFSENSE-SNORT -> WEBSERVER

    Snort is Blocking Offenders.

    If I attack the public IP from the webserver, Snort sees the attack and adds the HAPROXY internal IP to the block lists.
    I added enable_xff in the Snort configuration; X-Forwarded-For is captured in the pcap, but not in the logs, and it is still blocking the HAPROXY internal IP.

    Can someone help me?

    Thank you.
    Regards.



  • Well,
    I have been able to block real offenders instead of the internal IP of the HAPROXY by configuring it in transparent mode.
    I don't like it too much, but it is a solution for now; I hope it will be a workaround.

    kr