Unable to connect to backend if Transparent ip is enabled in HAProxy

Firewalling
Log in to reply
  • J

    Hi ,
    I have HAProxy installed with frontend serving at 443. i have a backend serving with ssl enabled. When i enable Transparent IP, i am not able to connect to the backend.
    What i really want is to connect to the backend with HTTPS mode Frontend and get the source/client ip from the traffic.

    Regards,
    Justin X.

    P 1 Reply 0
  • P

    @justinxa

    • Does the (web)server use pfSense machine as its default route?
    • Is the client on a different subnet as the (web)server?

    If these criteria are not met, then it will not work due to asynchronous routing and the fact that haproxy is a full proxy that terminates the client connections.

    0
  • J

    @PiBa

    • Does the (web)server use pfSense machine as its default route? - Yes.
    • Is the client on a different subnet as the (web)server? - No. Pfsense has two NiCs attached which are on two subnet i.e. External subnet and Internal Subnet. the webserver is on the internal subnet.

    Are you suggesting i keep pfsense and webserver on the same subnet.

    Regards,
    Justin X.

    P 1 Reply 0
  • P

    @justinxa
    For using transparent-client-ip i suggest moving the webserver to a different lan / vlan / OPT1 network than from where the clients are connecting from. So traffic to/from it will always pass through pfSense.

    As for your question about pfSense being on the same subnet, 'yes too all'..

    • pfSense and the webserver will be on the same subnet
    • also pfSense and the ISP should be on the same subnet
    • AND also client and pfSense would be on the same subnet...

    pfSense would have 3 nic's one for each network.. (those could be vlan's which are effectively treated as additional nic's) But well needs a managed switch that can be configured to trunk and tag certain ports with vlan traffic..

    .

    Or, use a different solution like X-Forward-For header or proxyprotocol. Either of which would also need to be configured / supported by the (web)-server.. So the chance of these being possible are low if traffic it isn't send to a regular webserver.. And even then might need some extra plugin to support the proxyprotocol. Personally i think transparent-client-ip is the 'most compatible' option.. but well it does require separated client<>server networks....

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy