
HAproxy issue with Transparent ClientIP

    killmasta93
    last edited by Mar 27, 2022, 5:05 PM

    Hi, I was wondering if someone else has had this issue before.

    Currently I have HAProxy using TLS pass-through, which is working with no issue, to my VLAN network 192.168.3.0/24
    and my LAN is 192.168.7.0/24

    The issue is that when I check the Transparent ClientIP box, I cannot
    access the site when I'm in my LAN.

    I believe it's

    source ipv4@ usesrc clientip
    

    that makes the real IP go to the backend.

    Thank you

    
    
    # Automatically generated, don't edit manually.
    # Generated on: 2022-03-27 11:50
    # Process-wide settings for this pfSense-managed HAProxy instance.
    global
    	maxconn			500
    	# Runtime API socket. "level admin" gives full runtime control (enable/disable
    	# servers, change weights, etc.) to anything that can open the socket, and
    	# "expose-fd listeners" lets a reloading process inherit the listening sockets.
    	# Access is limited only by the socket file's permissions, which are not shown here.
    	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
    	# Only the group is dropped; no "uid" directive appears in this excerpt, so the
    	# process presumably keeps the user it was started as — transparent source
    	# binding ("usesrc clientip" in the backends) generally needs that privilege.
    	gid			80
    	nbproc			1
    	nbthread			1
    	hard-stop-after		15m
    	chroot				/tmp/haproxy_chroot
    	daemon
    	server-state-file /tmp/haproxy_server_state
    
    # Local stats listener; the .php stats uri suggests it is proxied by the pfSense
    # GUI rather than visited directly — verify.
    listen HAProxyLocalStats
    	# Loopback only: not reachable from any interface network.
    	bind 127.0.0.1:2200 name localstats
    	mode http
    	stats enable
    	# "admin if TRUE" unconditionally enables the admin actions (server enable/disable)
    	# for every client of this listener; acceptable only because the bind is loopback.
    	stats admin if TRUE
    	stats show-legends
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    # TLS pass-through frontend: mode tcp, no termination. The ClientHello's SNI is the
    # only thing inspected, and it selects the backend.
    frontend SharedFrontend-merged
    	bind			186.97.xxx.xxx:443 name 186.97.xxx.xxx:443   
    	mode			tcp
    	log			global
    	timeout client		30000
    	# Clients from the two local subnets get their source address rewritten to the
    	# .254 of their own subnet before the transparent backend connection is opened
    	# (see "usesrc clientip" in the backends). Presumably .254 are this firewall's own
    	# interface addresses, so that server replies come back through HAProxy instead of
    	# straight to a client on the same segment. The poster's failing case (LAN clients)
    	# goes through the 192.168.7.0/24 rule; whether replies addressed to 192.168.7.254
    	# are actually delivered back to this proxy depends on routing/pf rules not shown.
    	tcp-request connection set-src str(192.168.3.254) if { src 192.168.3.0/24 }
    	tcp-request connection set-src str(192.168.7.254) if { src 192.168.7.0/24 }
    	# Hold the connection up to 5s for a ClientHello so req.ssl_sni is available.
    	tcp-request inspect-delay	5s
    	acl			cloud	req.ssl_sni -i cloud.domain.com
    	acl			web	req.ssl_sni -i domain.com
    	# NOTE(review): unlike every other rule here this matches on the connection's
    	# *source address* (a hostname, resolved when the configuration is parsed, if at
    	# all), not on SNI. ACLs sharing a name are OR'ed, so any connection coming *from*
    	# that address is routed to Backend1_ipv4 regardless of SNI, and a client asking
    	# for SNI www.domain.com is NOT matched by "web" at all. Probably meant
    	# "req.ssl_sni -i www.domain.com" — confirm.
    	acl			web	src www.domain.com
    	acl			chat	req.ssl_sni -i chat.domain.com
    	acl			intranet	req.ssl_sni -i intranet.domain.com
    	acl			inventory	req.ssl_sni -i inventory.domain.com
    	acl			ng	req.ssl_sni -i ng.domain.com
    	acl			gitlab	req.ssl_sni -i gitlab.domain.com
    	acl			remote	req.ssl_sni -i remote.domain.com
    	acl			monitor	req.ssl_sni -i monitor.domain.com
    	# NOTE(review): ".com.co" here, while the HTTP->HTTPS frontend matches
    	# "mail.domain.com" — one of the two is likely a typo.
    	acl			mail	req.ssl_sni -i mail.domain.com.co
    	acl			crm	req.ssl_sni -i crm.domain.com
    	acl			office	req.ssl_sni -i office.domain.com
    	acl			sistema	req.ssl_sni -i sistema.domain.com
    	acl			ids	req.ssl_sni -i ids.domain.com
    	acl			capacitaciones	req.ssl_sni -i capacitaciones.domain.com
    	acl			wiki	req.ssl_sni -i wiki.domain.com
    	acl			deep	req.ssl_sni -i domain2.com.com
    	acl			deep	req.ssl_sni -i www.domain2.com.com
    	acl			contable	req.ssl_sni -i contable.domain.com
    	# Accept as soon as a ClientHello (hello type 1) has been seen; anything else
    	# waits out the inspect-delay first.
    	tcp-request content accept if { req.ssl_hello_type 1 }
    	# First matching use_backend wins. No default_backend is defined, so a connection
    	# whose SNI matches none of the ACLs is not forwarded anywhere.
    	use_backend Backend2_ipv4  if  cloud 
    	use_backend Backend1_ipv4  if  web 
    	use_backend Backend19_ipv4  if  chat 
    	use_backend Backend29_ipv4  if  intranet 
    	use_backend Backend9_ipv4  if  inventory 
    	use_backend Backend10_ipv4  if  ng 
    	use_backend Backend13_ipv4  if  gitlab 
    	use_backend Backend14_ipv4  if  remote 
    	use_backend Backend17_ipv4  if  monitor 
    	use_backend Backend18_ipv4  if  mail 
    	use_backend Backend7_ipv4  if  crm 
    	use_backend Backend20_ipv4  if  office 
    	# The two *_ipvANY backends below are generated without the transparent
    	# "source ... usesrc clientip" line; see their sections.
    	use_backend Backend22_ipvANY  if  sistema 
    	use_backend Backend24_ipv4  if  ids 
    	use_backend Backend25_ipv4  if  capacitaciones 
    	use_backend Backend26_ipvANY  if  wiki 
    	use_backend Backend27_ipv4  if  deep 
    	use_backend Backend28_ipv4  if  contable 
    
    # Plain-HTTP frontend whose only job is to redirect known hosts to HTTPS.
    # No default_backend is defined, so a request for any other Host gets no backend.
    frontend HTTPTOHTTPS
    	bind			186.97.xxx.xxx:80 name 186.97.xxx.xxx:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	# Same source rewrite as the TLS frontend. This frontend never opens a backend
    	# connection, so presumably the rewrite only changes what is logged as the
    	# client address here.
    	tcp-request connection set-src str(192.168.3.254) if { src 192.168.3.0/24 }
    	tcp-request connection set-src str(192.168.7.254) if { src 192.168.7.0/24 }
    	# Host matching is exact ("-m str") against the raw Host header, so a Host value
    	# carrying an explicit port would not match any of these.
    	acl			cloud	var(txn.txnhost) -m str -i cloud.domain.com
    	acl			web	var(txn.txnhost) -m str -i web.domain.com
    	acl			inventory	var(txn.txnhost) -m str -i inventory.domain.com
    	acl			ng	var(txn.txnhost) -m str -i ng.domain.com
    	acl			gitlab	var(txn.txnhost) -m str -i gitlab.domain.com
    	acl			remote	var(txn.txnhost) -m str -i remote.domain.com
    	acl			contable	var(txn.txnhost) -m str -i contable.domain.com
    	acl			monitor	var(txn.txnhost) -m str -i monitor.domain.com
    	acl			mail	var(txn.txnhost) -m str -i mail.domain.com
    	acl			crm	var(txn.txnhost) -m str -i crm.domain.com
    	acl			chat	var(txn.txnhost) -m str -i chat.domain.com
    	acl			office	var(txn.txnhost) -m str -i office.domain.com
    	acl			sistema	var(txn.txnhost) -m str -i sistema.domain.com
    	acl			ids	var(txn.txnhost) -m str -i ids.domain.com
    	acl			capacitaciones	var(txn.txnhost) -m str -i capacitaciones.domain.com
    	acl			wiki	var(txn.txnhost) -m str -i wiki.domain.com
    	acl			deep	var(txn.txnhost) -m str -i domain2.com.com
    	acl			deep	var(txn.txnhost) -m str -i www.domain2.com.com
    	acl			web	var(txn.txnhost) -m str -i www.domain.com
    	acl			intranet	var(txn.txnhost) -m str -i intranet.domain.com
    	# Populates txn.txnhost before any redirect rule evaluates the ACLs above
    	# (acl lines are declarations; only the order of http-request rules matters).
    	http-request set-var(txn.txnhost) hdr(host)
    	# The first matching redirect ends processing of the request.
    	http-request redirect scheme https  if  cloud 
    	# NOTE(review): this rule fires for "web" (web.domain.com / www.domain.com), so the
    	# "redirect prefix https://domain.com if web" rule near the end of this frontend is
    	# unreachable. Net effect: http://www.domain.com is sent to https://www.domain.com,
    	# and in the TLS frontend "web" only matches SNI domain.com (its www entry is a
    	# "src" rule), so that hostname ends up with no backend — confirm intent.
    	http-request redirect scheme https  if  web 
    	http-request redirect prefix https://domain2.com.com  if  deep 
    	http-request redirect scheme https  if  mail 
    	http-request redirect scheme https  if  inventory 
    	http-request redirect scheme https  if  ng 
    	http-request redirect scheme https  if  gitlab 
    	http-request redirect scheme https  if  remote 
    	http-request redirect scheme https  if  contable 
    	http-request redirect scheme https  if  monitor 
    	http-request redirect scheme https  if  crm 
    	http-request redirect scheme https  if  chat 
    	http-request redirect scheme https  if  office 
    	http-request redirect scheme https  if  sistema 
    	http-request redirect scheme https  if  ids 
    	http-request redirect scheme https  if  capacitaciones 
    	http-request redirect scheme https  if  wiki 
    	# Unreachable: "deep" was already redirected by the prefix rule above (harmless).
    	http-request redirect scheme https  if  deep 
    	# Unreachable: "web" was already redirected by "redirect scheme https if web" above.
    	http-request redirect prefix https://domain.com  if  web 
    	http-request redirect scheme https  if  intranet 
    
    # cloud.domain.com -> 192.168.3.244, TLS passed through untouched (mode tcp).
    backend Backend2_ipv4
    	mode			tcp
    	# Numeric ids appear to be assigned by the pfSense package; presumably they must stay unique.
    	id			10102
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: the server connection is opened from the client's
    	# (possibly frontend-rewritten) address instead of this host's, so the server
    	# sees the real client IP. This only works if the server's replies to that
    	# address are routed back through this proxy; that is the part the poster is
    	# debugging for LAN (192.168.7.0/24) clients.
    	source ipv4@ usesrc clientip
    	# "check" with no httpchk option in tcp mode is a plain TCP connect check every 1000 ms.
    	server			cloud 192.168.3.244:443 id 10103 check inter 1000  
    
    # domain.com -> 192.168.3.201 (shared with the chat backend). Same shape as Backend2_ipv4.
    backend Backend1_ipv4
    	mode			tcp
    	id			10100
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			website 192.168.3.201:443 id 10101 check inter 1000  
    
    # chat.domain.com -> 192.168.3.201 (same host as the website backend; SNI-based vhosting there, presumably).
    backend Backend19_ipv4
    	mode			tcp
    	id			10118
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			chat 192.168.3.201:443 id 10119 check inter 1000  
    
    # intranet.domain.com -> 192.168.3.189. Same shape as Backend2_ipv4.
    backend Backend29_ipv4
    	mode			tcp
    	id			10134
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			intranet 192.168.3.189:443 id 10135 check inter 1000  
    
    # inventory.domain.com -> 192.168.3.223. Same shape as Backend2_ipv4.
    backend Backend9_ipv4
    	mode			tcp
    	id			10106
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			inventory 192.168.3.223:443 id 10107 check inter 1000  
    
    # ng.domain.com -> 192.168.3.222. Same shape as Backend2_ipv4.
    backend Backend10_ipv4
    	mode			tcp
    	id			10108
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			ng 192.168.3.222:443 id 10109 check inter 1000  
    
    # gitlab.domain.com -> 192.168.3.121. Same shape as Backend2_ipv4.
    backend Backend13_ipv4
    	mode			tcp
    	id			10110
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			gitlab 192.168.3.121:443 id 10111 check inter 1000  
    
    # remote.domain.com -> 192.168.3.245. Same shape as Backend2_ipv4.
    backend Backend14_ipv4
    	mode			tcp
    	id			10112
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			remote 192.168.3.245:443 id 10113 check inter 1000  
    
    # monitor.domain.com -> 192.168.3.132. Same shape as Backend2_ipv4.
    backend Backend17_ipv4
    	mode			tcp
    	id			10114
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			monitor 192.168.3.132:443 id 10115 check inter 1000  
    
    # mail (SNI mail.domain.com.co in the TLS frontend) -> 192.168.3.140. Same shape as Backend2_ipv4.
    backend Backend18_ipv4
    	mode			tcp
    	id			10116
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			mail 192.168.3.140:443 id 10117 check inter 1000  
    
    # crm.domain.com -> 192.168.3.155. Same shape as Backend2_ipv4.
    backend Backend7_ipv4
    	mode			tcp
    	id			10104
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			crm 192.168.3.155:443 id 10105 check inter 1000  
    
    # office.domain.com -> 192.168.3.253. Same shape as Backend2_ipv4.
    backend Backend20_ipv4
    	mode			tcp
    	id			10120
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			office 192.168.3.253:443 id 10121 check inter 1000  
    
    # sistema.domain.com -> 192.168.3.169.
    # NOTE(review): unlike the *_ipv4 backends this one has no "source ... usesrc clientip"
    # line, so connections to this server are made from this host's own address and the
    # server sees the proxy, not the client. Its id (122) also breaks the 101xx pattern.
    # Probably generated without the transparent option — confirm whether that is intended.
    backend Backend22_ipvANY
    	mode			tcp
    	id			122
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			sistema 192.168.3.169:443 id 123 check inter 1000  
    
    # ids.domain.com -> 192.168.3.157. Same shape as Backend2_ipv4.
    backend Backend24_ipv4
    	mode			tcp
    	id			10124
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			ids 192.168.3.157:443 id 10125 check inter 1000  
    
    # capacitaciones.domain.com -> 192.168.3.192. Same shape as Backend2_ipv4.
    backend Backend25_ipv4
    	mode			tcp
    	id			10126
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			capacitaciones 192.168.3.192:443 id 10127 check inter 1000  
    
    # wiki.domain.com -> 192.168.3.190.
    # NOTE(review): like Backend22_ipvANY, no "source ... usesrc clientip" line — this
    # server sees connections from the proxy's own address, not the client's, and the
    # id (128) does not follow the 101xx pattern of the transparent backends. Confirm intent.
    backend Backend26_ipvANY
    	mode			tcp
    	id			128
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			wiki 192.168.3.190:443 id 129 check inter 1000  
    
    # domain2.com.com / www.domain2.com.com -> 192.168.3.193. Same shape as Backend2_ipv4.
    backend Backend27_ipv4
    	mode			tcp
    	id			10130
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			deep 192.168.3.193:443 id 10131 check inter 1000  
    
    # contable.domain.com -> 192.168.3.180. Same shape as Backend2_ipv4.
    backend Backend28_ipv4
    	mode			tcp
    	id			10132
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Transparent ClientIP: connect from the client's address; needs the return path to pass through this host.
    	source ipv4@ usesrc clientip
    	server			contable 192.168.3.180:443 id 10133 check inter 1000
    
    
    

    Tutorials:

    https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials
