Haproxy problem - HTTP POST file uploads to webserver behind fw fail

  • I'm running PF 2.1 with the only extra package installed being haproxy-devel 1.5-dev19 pkg v 0.6

    EVERYTHING works great but one single thing:

    When doing an HTTP file upload with a FORM multipart/form-data POST to any server behind the firewall, it only works with very small files, approx. max 60 kbyte. With slightly larger files I get a timeout page after a while, and with even larger files I get nothing at all.

    With no haproxy installed all this works as it should. I'm not doing any SSL, just simple HTTP.

    I've really really searched for answers but haven't been able to find anything. Would deeply appreciate any help!

  • I've done some more testing and it seems that when "Transparent ClientIP" is enabled and set to DMZ, the large file uploads fail. With "Transparent ClientIP" disabled all seems okay. But I need the transparent to be on to have the real source IP numbers available to functions on the webserver  :-[ :P

  • (This solution was confirmed by magnust on the haproxy mailing list. I want to document it here for others that might find this post with the same issue.)
    Hi magnust,

    To get 'transparent' traffic working, it was needed to also load and configure part of "ipfw" in the background (this is also done for the captive portal). This is so HAProxy gets to see the TCP reply traffic, and to prevent replies from being routed out the WAN interface. This makes pf break the connection after a few packets as it doesn't see/process all the traffic.

    The solution is to configure a "floating rule" like this:
    Action: Pass
    Quick: YES
    Interface: DMZ (the one pointing to your server..)
    Direction: Out
    Protocol: TCP
    Source: ANY
    Destination: Server-IP
    Destination Port: Server-PORT
    State Type: sloppy state

    I'm currently in the process of automating the creation of this rule. It needs a little more testing, and together with some other new features I think it will be ready in a week or so; it will be part of the package version "1.5-dev21 pkg v 0.7".

    Greets PiBa-NL
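    The same floating rule expressed as a pf.conf rule, as an added example that is not part of PiBa-NL's post or the pfSense package. The interface name, server IP and port are placeholders; the rule shape (pass out, quick, TCP, sloppy state) follows the GUI fields listed above:

```pf
# Added example, not from the thread: PiBa-NL's floating rule written as an
# equivalent pf.conf rule. Interface, server IP and port are placeholders.
dmz_if   = "em1"          # assumption: the interface pointing at the web server
srv_ip   = "192.0.2.10"   # placeholder: the backend server behind HAProxy
srv_port = "80"           # placeholder: the backend HTTP port

# Pass outbound TCP to the backend on the DMZ interface as a quick rule and
# track it with a sloppy state, so pf does not tear the connection down when
# it only sees one direction of the traffic. "flags any" lets state be
# created from a mid-stream packet; with pf's default S/SA flags only a
# SYN would create state, which never arrives on this path.
pass out quick on $dmz_if proto tcp from any to $srv_ip port $srv_port \
    flags any keep state (sloppy)
```

    Before loading it, `pfctl -nf /etc/pf.conf` parses the file without applying it, and after the fix `pfctl -ss | grep <srv_ip>` should show states for the backend with the upload traffic no longer appearing as blocked in the firewall log.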

  • Million thanks for the awesome help PiBa!


  • I use Squid proxy and I face the same problem.

    Can I use this way?

    Action: Pass
    Quick: YES
    Direction: Out
    Protocol: TCP
    Source: ANY
    Destination: squid server ip
    Destination Port: 3128
    State Type: sloppy state

  • Hi finalcut,
    If the problem and cause really are the same, the same solution could be applicable.
    Does the pfSense firewall log currently show blocked packets?

    Also, I'm not fully understanding your setup: you're running Squid on a server different from pfSense? Are you reverse-proxying incoming web requests to a website you host, or proxying outbound requests from workstations on the LAN?

    Would probably be best to start a new thread with squid in the subject for this issue if adding a rule didn't resolve it.
    Greets PiBa-NL

  • Thank you for your response.

    I use pfSense and squid3-dev on the same server.

    Actually I came from Juniper to pfSense and I'm not that good at identifying the problem.

    I need a way to track the problem.
    From the system log there is almost nothing wrong.

    From chrome://net-internals/#events:

    t=26735 [st=25497]  SOCKET_READ_ERROR
                        --> net_error = -101 (ERR_CONNECTION_RESET)
                        --> os_error = 10054
    t=26737 [st=25499] -SOCKET_IN_USE
    t=26738 [st=25500] -SOCKET_IN_USE
    t=26738 [st=25500] -SOCKET_IN_USE
    t=26738 [st=25500] -SOCKET_ALIVE

  • I've found you did start another thread a while before: https://forum.pfsense.org/index.php?topic=74085
    That you never got a reply is likely due to the very small amount of fragmented information you have given. "uploading file failed" is not a very descriptive title for someone to look at.

    As it has nothing to do with HAProxy, and is unlikely to be related to floating rules, I'm not going to continue the discussion here.

