4. Unable to connect to backend if Transparent ip is enabled in HAProxy

Unable to connect to backend if Transparent ip is enabled in HAProxy

  • J

    Hi ,
    I have HAProxy installed with frontend serving at 443. i have a backend serving with ssl enabled. When i enable Transparent IP, i am not able to connect to the backend.
    What i really want is to connect to the backend with HTTPS mode Frontend and get the source/client ip from the traffic.

    Regards,
    Justin X.

    0
    P
     1 Reply
  • P

    @justinxa

    • Does the (web)server use pfSense machine as its default route?
    • Is the client on a different subnet as the (web)server?

    If these criteria are not met, then it will not work due to asynchronous routing and the fact that haproxy is a full proxy that terminates the client connections.

    0
  • J

    @PiBa

    • Does the (web)server use pfSense machine as its default route? - Yes.
    • Is the client on a different subnet as the (web)server? - No. Pfsense has two NiCs attached which are on two subnet i.e. External subnet and Internal Subnet. the webserver is on the internal subnet.

    Are you suggesting i keep pfsense and webserver on the same subnet.

    Regards,
    Justin X.

    0
    P
     1 Reply
  • P

    @justinxa
    For using transparent-client-ip i suggest moving the webserver to a different lan / vlan / OPT1 network than from where the clients are connecting from. So traffic to/from it will always pass through pfSense.

    As for your question about pfSense being on the same subnet, 'yes too all'..

    • pfSense and the webserver will be on the same subnet
    • also pfSense and the ISP should be on the same subnet
    • AND also client and pfSense would be on the same subnet...

    pfSense would have 3 nic's one for each network.. (those could be vlan's which are effectively treated as additional nic's) But well needs a managed switch that can be configured to trunk and tag certain ports with vlan traffic..

    .

    Or, use a different solution like X-Forward-For header or proxyprotocol. Either of which would also need to be configured / supported by the (web)-server.. So the chance of these being possible are low if traffic it isn't send to a regular webserver.. And even then might need some extra plugin to support the proxyprotocol. Personally i think transparent-client-ip is the 'most compatible' option.. but well it does require separated client<>server networks....

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy