Unable to connect to backend if Transparent ip is enabled in HAProxy

  • Hi ,
    I have HAProxy installed with frontend serving at 443. i have a backend serving with ssl enabled. When i enable Transparent IP, i am not able to connect to the backend.
    What i really want is to connect to the backend with HTTPS mode Frontend and get the source/client ip from the traffic.

    Justin X.

  • @justinxa

    • Does the (web)server use pfSense machine as its default route?
    • Is the client on a different subnet as the (web)server?

    If these criteria are not met, then it will not work due to asynchronous routing and the fact that haproxy is a full proxy that terminates the client connections.

  • @PiBa

    • Does the (web)server use pfSense machine as its default route? - Yes.
    • Is the client on a different subnet as the (web)server? - No. Pfsense has two NiCs attached which are on two subnet i.e. External subnet and Internal Subnet. the webserver is on the internal subnet.

    Are you suggesting i keep pfsense and webserver on the same subnet.

    Justin X.

  • @justinxa
    For using transparent-client-ip i suggest moving the webserver to a different lan / vlan / OPT1 network than from where the clients are connecting from. So traffic to/from it will always pass through pfSense.

    As for your question about pfSense being on the same subnet, 'yes too all'..

    • pfSense and the webserver will be on the same subnet
    • also pfSense and the ISP should be on the same subnet
    • AND also client and pfSense would be on the same subnet...

    pfSense would have 3 nic's one for each network.. (those could be vlan's which are effectively treated as additional nic's) But well needs a managed switch that can be configured to trunk and tag certain ports with vlan traffic..


    Or, use a different solution like X-Forward-For header or proxyprotocol. Either of which would also need to be configured / supported by the (web)-server.. So the chance of these being possible are low if traffic it isn't send to a regular webserver.. And even then might need some extra plugin to support the proxyprotocol. Personally i think transparent-client-ip is the 'most compatible' option.. but well it does require separated client<>server networks....