HAProxy "Use Client-IP to connect to backend servers." & OpenVPN



  • Hello,

    I've got a couple of Web Server sat behind HAProxy so that I can use the same port with a different domain name for both on https & also for the ACMA package.

    All this is working fine but I noticed if a device is connected over OpenVPN and attempts to access the backend server directly it times out if using port 80 or port 443 (other ports all work fine) the connection just times out.

    I worked out that I could see in a Packet capture on the OpenVPN interface the Syn part of the handshake but if i run a capture on the LAN interface I can see the Syn & Syn Ack parts of the handshake but SynAck seems to disappear after it hits my pfSense and never gets to the OpenVPN Interface

    after a while enabling/disabling rules I ran the "pfctl -vvsr" command and looked for anything doing anything with those ports and i noticed this rule.
    "pass out quick on re0_vlan10 inet proto tcp from any to 10.10.0.11 port = http flags S/SA keep state (sloppy) label "HAPROXY_transparent_rule_EXCHANGE" which is added if I enable "Use Client-IP to connect to backend servers" in HAProxy's backend server configuration, if I disable that connections via OpenVPN work again.

    I've disabled it as a work around but would like that enabled, the only other way I could think would be an additional VLAN exclusively for haproxy to communicate with these servers on but I am not sure if this is a bug in HAProxy or if its something in my configuration that would be causing it.


Log in to reply