HAProxy causing issues with port 443



  • I have port 80 through HAProxy working perfectly.
    Currently I have a NAT forward rule for port 443 to my mail server. I want to remove this and use HAProxy to forward any mail requests to my mail server.
    So I set up two backends, with one being a default and the other looking for /owa. All good so far.
    Then I set up a frontend and set it to disabled so that I can continue to get email until I am ready to test.

    At this point the NAT Port forward stops working and my email won't go through. I can delete the frontend and backend but still can't get forwarding to port 443 happening. Only way is to restore from a backup config from just before I started doing the backend.

    Any idea what is going on?



  • Okay, just adding the backends causes the NAT forward rule to stop working with no way to recover. Even stopping the HAProxy service does not fix it. These backends are not even linked to a frontend.

    I have one set as a default to 192.168.0.3 port 443 and the only option set is the IPFor.

    Save it and boom, my email stops working.



  • @veldthui
    You have probably configured the 'transparent client ip' feature on the backend. This adds a special firewall rule to intercept reply traffic coming from the backend and send it to localhost (haproxy).

    To disable the haproxy service and all of its background things that might interfere, disable the 'enabled' checkbox and save/apply that setting. That should make rules and other things return to as if haproxy wasn't installed.



  • @PiBa said in HAProxy causing issues with port 443:

    @veldthui
    You have probably configured the 'transparent client ip' feature on the backend. This adds a special firewall rule to intercept reply traffic coming from the backend and send it to localhost (haproxy).

    To disable the haproxy service and all of its background things that might interfere, disable the 'enabled' checkbox and save/apply that setting. That should make rules and other things return to as if haproxy wasn't installed.

    Yes, I did set the transparent client ip. Do I not need this? I just want to pass traffic straight through to the mail server if it matches a few Exchange things like /owa and /oab, etc., and to a web site if the host matches a name.

    Shouldn't deleting the backend in question remove the rule? I deleted all the 443 backend and frontend stuff and still could not get access to port 443 or rather get my emails unless I was on the LAN network.
    I did try disabling HAProxy on the settings tab and same result. Still no emails.

    I have been reading quite a few setups from searches for setting up HTTPS forwarding with HAProxy but details are missing on most.



  • @veldthui
    Deleting the backend would prevent the rule from being applied when rules get loaded again. Maybe reloading rules is not triggered when applying settings for a disabled haproxy. You could 'force' a reload of the rules from the status/filterreload page (if I remember the name of that menu correctly). That would load the new ruleset without haproxy adding its rules at that time if the backend was deleted.

    As for 'needing' transparent client ip: to get traffic going it's not needed. If you want to make rules based on the client IP on the server, then it might be required if proxy-protocol and http-headers are out of the question.
    It does come with these disadvantages though: it needs to be in the reply path, and will 'block' other direct requests...

    It might be possible to open a second port or add a second private IP on the webserver for the purpose of haproxy connecting to it with client IPs, thus 'avoiding' blocking the regular direct traffic and your NAT port forward.
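The two ways of passing the client address that PiBa contrasts, written out as a raw haproxy.cfg. This is an added illustration, not the poster's pfSense-generated config: it keeps the mail server at 192.168.0.3 from the thread, and assumes a hypothetical web server at 192.168.0.10, a hypothetical frontend certificate at /etc/haproxy/certs/frontend.pem, a hypothetical internal CA bundle, and a few common Exchange virtual directories beyond the /owa and /oab named above.

```haproxy
# Added example (not from the thread). Hypothetical paths and the web server
# address are assumptions; 192.168.0.3 is the mail server from the thread.
frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/frontend.pem
    mode http
    # Header-based client IP: the backend reads X-Forwarded-For, no firewall trick needed
    option forwardfor

    # Exchange virtual directories (the /owa and /oab from the thread plus common siblings)
    acl is_exchange path_beg -i /owa /oab /ecp /ews /mapi /autodiscover
    # A named site is routed by Host header
    acl is_site     hdr(host) -i www.example.com

    use_backend web_site if is_site
    use_backend mail_srv if is_exchange
    default_backend mail_srv

# Header-based backend: HAProxy connects from its own address, so replies come
# straight back to HAProxy and a direct NAT port forward to the same server
# keeps working alongside it.
backend mail_srv
    mode http
    # Re-encrypt to Exchange and verify its certificate against the internal CA
    server exchange 192.168.0.3:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem

backend web_site
    mode http
    server www 192.168.0.10:80 check

# Transparent alternative (the 'transparent client ip' setting discussed above).
# HAProxy opens the backend connection with the real client address as source,
# so the server's replies are addressed to the client, not to HAProxy. They
# only reach HAProxy if the firewall intercepts them on the way out, and that
# interception rule also catches replies belonging to a direct NAT forward to
# the same server, which is the breakage seen in this thread.
backend mail_srv_transparent
    mode http
    source 0.0.0.0 usesrc clientip
    server exchange 192.168.0.3:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem
```

If the mail server must see the original address without headers, PiBa's suggestion of a second port or second private IP dedicated to the transparent backend keeps the interception rule off the path used by the direct port forward.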

