Netgate Discussion Forum

haproxy-devel (2.0.14) bug: automagic additional server entries for each backend

    ndrew
    last edited by Sep 30, 2020, 9:44 PM

    I think this is a bug, but I'd like to discuss it here first.

    Running 2.4.5-RELEASE-p1 on an XCP-ng virtual machine. haproxy-devel (2.0.14) has been working well in my IPv4 environment for some time without fault.

    I've recently gone dual-stack and added a listener to my frontend on the WAN IPv6 address. At this point, pfSense seems to have added an additional server entry to each backend:

    backend grafana_ipvANY
    	mode			http
    	id			124
    	log			global
    	timeout connect		60000
    	timeout server		60000
    	retries			3
    	option			httpchk GET /api/health 
    	server			grafana_0 172.16.4.7:8087 check inter 1000  
    	server			grafana_1 2403:5800:5000:db:561:3810:3941:1c03:8087 check inter 1000  
    

    In this example, the server grafana_1 was not specified by me in the GUI. The address is the pfSense machine's address.

    Obviously, this creates a server that is constantly down for haproxy.

    I can't see an obvious GUI configuration option that would cause this.

    Interestingly, if I disable IPv6 entirely on the pfSense box (remove it from the interfaces, remove the listeners in haproxy) so that it doesn't show up at all in the GUI, the haproxy.cfg still has the "loopback" server pointing at its no-longer-used IPv6 address.

    Am I missing something, or does this need a bug report?

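A check for the symptom described in the post above, as an added example that is not from any poster or from the pfSense HAProxy package: it parses a generated haproxy.cfg and reports backend `server` lines whose address is one of the firewall's own addresses. The sample text is the backend quoted in that post; the function names and the approach of passing in the firewall's addresses are assumptions.

```python
import ipaddress

def split_host_port(addr):
    """Split 'address:port'. For an unbracketed IPv6 literal the LAST colon
    separates the port, which is how the grafana_1 line above must be read."""
    if addr.startswith("["):                       # bracketed form: [v6]:port
        host, _, rest = addr[1:].partition("]")
        return host, rest.lstrip(":") or None
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return addr, None

def servers_by_backend(cfg_text):
    """Yield (backend, server_name, host, port) for each server line."""
    section = None
    for raw in cfg_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] in ("global", "defaults", "frontend", "backend", "listen"):
            is_backend = fields[0] in ("backend", "listen") and len(fields) > 1
            section = fields[1] if is_backend else None
        elif fields[0] == "server" and section and len(fields) >= 3:
            yield (section, fields[1], *split_host_port(fields[2]))

def self_pointing_servers(cfg_text, local_addrs):
    """Return server entries whose literal IP is one of the box's own addresses."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    hits = []
    for backend, name, host, port in servers_by_backend(cfg_text):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                               # hostname, not an IP literal
        if ip in local:
            hits.append((backend, name, str(ip), port))
    return hits

# Backend copied from the first post; the local address list is supplied by the operator.
SAMPLE_CFG = """backend grafana_ipvANY
\tmode\t\t\thttp
\toption\t\t\thttpchk GET /api/health
\tserver\t\t\tgrafana_0 172.16.4.7:8087 check inter 1000
\tserver\t\t\tgrafana_1 2403:5800:5000:db:561:3810:3941:1c03:8087 check inter 1000
"""
LOCAL_ADDRS = ["2403:5800:5000:db:561:3810:3941:1c03"]

if __name__ == "__main__":
    for hit in self_pointing_servers(SAMPLE_CFG, LOCAL_ADDRS):
        print("unexpected self-pointing server:", hit)
```
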
      kiokoman LAYER 8
      last edited by kiokoman Oct 1, 2020, 9:12 AM Oct 1, 2020, 9:08 AM

      Tested it on my pfSense but I don't have this behavior.
      I'm using a he.net tunnel, and on mine the IPv6 WAN interface does not show up, so I can only test with a custom address or localhost IPv6.
      In any case I don't have any automagic addition.

      frontend any-merged
      	bind			151.3.xxx.xxx:443 name 151.3.xxx.xxx:443   ssl crt-list /var/etc/haproxy/any.crt_list  
      	bind			2001:470:xx:xxx::x:443 name 2001:470:xx:xx::x:443   ssl crt-list /var/etc/haproxy/any.crt_list  
      	mode			http
      	log			global
      	option			http-keep-alive
      	timeout client		30000
      	acl			src_is_ipv4	src 0.0.0.0/0
      	acl			aclcrt_any	var(txn.txnhost) -m reg -i ^pfSense-5bf30ab89ffdf(:([0-9]){1,5})?$
      	acl			test1	var(txn.txnhost) -m beg -i test
      	http-request set-var(txn.txnhost) hdr(host)
      	use_backend test_ipv4  if  test1 src_is_ipv4
      	use_backend test_ipv6  if  test1 !src_is_ipv4
      
      backend test_ipv4
      	mode			http
      	id			10100
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	source ipv4@ usesrc clientip
      	option			httpchk OPTIONS / 
      	server			server 172.16.0.100:443 id 10101 ssl check inter 1000  verify none 
      
      backend test_ipv6
      	mode			http
      	id			20100
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	source ipv6@ usesrc clientip
      	option			httpchk OPTIONS /
      

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        ndrew
        last edited by Oct 2, 2020, 1:44 AM

        I've uninstalled haproxy-devel, manually removed any haproxy config from config.xml and set things up again: same problem. I'm getting an additional server line added with the IPv6 address of the pfSense box (not the server) being added. I think I'll report a bug – something's not doing the right thing here.

          dragoangel
          last edited by Oct 26, 2020, 12:09 AM

          Jti I also never had such a bug, while I had many pfSense with haproxy in various setups

          Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running multiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
          Unifi AP-AC-LR with EAP RADIUS, US-24

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.