Unable to connect to backend if Transparent IP is enabled in HAProxy
I have HAProxy installed with a frontend serving at 443. I have a backend serving with SSL enabled. When I enable Transparent IP, I am not able to connect to the backend.
What I really want is to connect to the backend with an HTTPS-mode frontend and get the source/client IP from the traffic.
- Does the (web)server use pfSense machine as its default route?
- Is the client on a different subnet than the (web)server?
If these criteria are not met, then it will not work due to asynchronous routing and the fact that haproxy is a full proxy that terminates the client connections.
- Does the (web)server use pfSense machine as its default route? - Yes.
- Is the client on a different subnet than the (web)server? - No. pfSense has two NICs attached which are on two subnets, i.e. an external subnet and an internal subnet. The webserver is on the internal subnet.
Are you suggesting I keep pfSense and the webserver on the same subnet?
For using transparent-client-ip I suggest moving the webserver to a different LAN / VLAN / OPT1 network from the one the clients are connecting from, so traffic to/from it will always pass through pfSense.
As for your question about pfSense being on the same subnet, 'yes to all'.
- pfSense and the webserver will be on the same subnet
- also pfSense and the ISP should be on the same subnet
- AND also client and pfSense would be on the same subnet...
pfSense would have 3 NICs, one for each network (those could be VLANs, which are effectively treated as additional NICs), but that needs a managed switch that can be configured to trunk and tag certain ports with VLAN traffic.
Or, use a different solution like the X-Forwarded-For header or the PROXY protocol. Either of which would also need to be configured / supported by the (web)server, so the chance of these being possible is low if traffic isn't sent to a regular webserver, and even then it might need some extra plugin to support the PROXY protocol. Personally I think transparent-client-ip is the 'most compatible' option, but it does require separated client<>server networks.
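The three approaches the reply contrasts, written out as an added HAProxy configuration example (not from the thread or the pfSense package); the backend address, certificate paths and backend names are placeholders:

```haproxy
frontend https_in
    mode http
    # placeholder certificate path
    bind :443 ssl crt /etc/haproxy/certs/placeholder.pem
    # only one backend is wired up; change this line to try the others
    default_backend web_transparent

# Option 1: transparent client IP. HAProxy opens the backend connection
# from the client's own address, so the webserver's replies must come back
# through pfSense: webserver default gateway = pfSense, clients on another
# subnet. Otherwise the replies bypass the proxy and the connection hangs.
backend web_transparent
    mode http
    source 0.0.0.0 usesrc clientip
    server web1 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/certs/placeholder-ca.pem

# Option 2: X-Forwarded-For. No routing requirement, but the webserver has
# to read the header, and should trust it only when it comes from HAProxy.
backend web_xff
    mode http
    option forwardfor
    server web1 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/certs/placeholder-ca.pem

# Option 3: PROXY protocol. The client address is sent in a header before
# the TLS handshake; the webserver listener must be configured to expect
# it, or the handshake fails.
backend web_proxyproto
    mode http
    server web1 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/certs/placeholder-ca.pem send-proxy
```

Only web_transparent depends on the routing criteria asked about earlier in the thread; web_xff and web_proxyproto work on any topology but need matching configuration on the webserver side.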