haproxy-devel (2.0.14) bug: automagic additional server entries for each backend



  • I think this is a bug, but I'd like to discuss it here first.

    Running 2.4.5-RELEASE-p1 on an XCP-ng virtual machine. haproxy-devel (2.0.14) has been working well in my IPv4 environment for some time without fault.

    I've recently gone dual-stack and added a listener to my frontend on the WAN IPv6 address. At this point, pfSense seems to have added an additional server entry to each backend:

    backend grafana_ipvANY
    	mode			http
    	id			124
    	log			global
    	timeout connect		60000
    	timeout server		60000
    	retries			3
    	option			httpchk GET /api/health 
    	server			grafana_0 172.16.4.7:8087 check inter 1000  
    	server			grafana_1 2403:5800:5000:db:561:3810:3941:1c03:8087 check inter 1000  
    

    In this example, the server grafana_1 was not specified by me in the GUI. The address is the pfSense machine's address.

    Obviously, this creates a server that is constantly down for haproxy.

    I can't see an obvious GUI configuration option that would cause this.

    Interestingly, if I disable IPv6 entirely on the pfSense box (remove it from the interfaces, remove the listeners in haproxy) so that it doesn't show up at all in the GUI, the haproxy.cfg still has the "loopback" server pointing at it's no longer used IPv6 address.

    Am I missing something, or does this need a bug report?


  • LAYER 8

    tested it on my pfsense but i don't have this behavior
    i'm using he.net tunnel and on mine the ipv6 wan interface does not show up so i can only test with custom address or localhost ipv6
    in any case i don't have any automagic addition

    frontend any-merged
    	bind			151.3.xxx.xxx:443 name 151.3.xxx.xxx:443   ssl crt-list /var/etc/haproxy/any.crt_list  
    	bind			2001:470:xx:xxx::x:443 name 2001:470:xx:xx::x:443   ssl crt-list /var/etc/haproxy/any.crt_list  
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	acl			src_is_ipv4	src 0.0.0.0/0
    	acl			aclcrt_any	var(txn.txnhost) -m reg -i ^pfSense-5bf30ab89ffdf(:([0-9]){1,5})?$
    	acl			test1	var(txn.txnhost) -m beg -i test
    	http-request set-var(txn.txnhost) hdr(host)
    	use_backend test_ipv4  if  test1 src_is_ipv4
    	use_backend test_ipv6  if  test1 !src_is_ipv4
    
    backend test_ipv4
    	mode			http
    	id			10100
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / 
    	server			server 172.16.0.100:443 id 10101 ssl check inter 1000  verify none 
    
    backend test_ipv6
    	mode			http
    	id			20100
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv6@ usesrc clientip
    	option			httpchk OPTIONS /
    


  • I've uninstalled haproxy-devel, manually removed any haproxy config from config.xml and set things up again: same problem. I'm getting an additional server line added with the IPv6 address of the pfSense box (not the server) being added. I think I'll report a bug – something's not doing the right thing here.



  • Jti I also never had such bug while I had many pfsense with haproxy in various setups


Log in to reply