* Haproxy's "send-proxy-v2" doesn’t work when conntrack is disabled
@ 2021-09-14 13:40 InterNetX - Marc Reymann
From: InterNetX - Marc Reymann @ 2021-09-14 13:40 UTC (permalink / raw)
To: netfilter
Hello netfilter team,
We have the following (working) setup:
Haproxy and our Proxy app are running on the same server. Haproxy sends
requests to the Proxy app via the proxy protocol:
listen web_proxy_app
bind *:443 ssl crt /etc/ssl/our-certs no-sslv3
server proxy-app /tmp/proxy.sock send-proxy-v2
As soon as we exclude port 443 from the conntrack table via nft like this:
chain PREROUTING_NOTRACK {
type filter hook prerouting priority -300 policy accept
iif VLAN1012 tcp dport { 80, 443 } notrack
the proxy app doesn’t receive the correct IP values:
- Proxy 2 123.123.129.3 57893 234.236.46.5 443 <--- before, good
- Proxy 2 123.123.129.3 58217 123.123.129.3 58217 <--- after, bad
Somehow the destination IP and port information gets lost.
I've asked the Haproxy community if their software uses information from
the conntrack table in any way which is apparently not the case:
https://discourse.haproxy.org/t/send-proxy-v2-doesnt-work-when-conntrack-is-disabled/6891
Could this have something to do with netfilter?
Marc Reymann
System Engineer
Team Technical Projects & Solutions
* Re: Haproxy's "send-proxy-v2" doesn’t work when conntrack is disabled
From: Florian Westphal @ 2021-09-14 14:30 UTC (permalink / raw)
To: InterNetX - Marc Reymann; +Cc: netfilter
InterNetX - Marc Reymann <marc.reymann@internetx.com> wrote:
> Haproxy and our Proxy app are running on the same server. Haproxy sends
> requests to the Proxy app via the proxy protocol:
>
> listen web_proxy_app
> bind *:443 ssl crt /etc/ssl/our-certs no-sslv3
> server proxy-app /tmp/proxy.sock send-proxy-v2
>
> As soon as we exclude port 443 from the conntrack table via nft like this:
>
> chain PREROUTING_NOTRACK {
> type filter hook prerouting priority -300 policy accept
> iif VLAN1012 tcp dport { 80, 443 } notrack
>
> the proxy app doesn’t receive the correct IP values:
>
> - Proxy 2 123.123.129.3 57893 234.236.46.5 443 <--- before, good
> - Proxy 2 123.123.129.3 58217 123.123.129.3 58217 <--- after, bad
>
> Somehow the destination IP and port information gets lost.
<wild guess> "app" uses getsockopt SO_ORIGINAL_DST to fetch the
destination address and has no error handling for this.
Really, no idea. How does the application obtain those addresses?
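As an added example (not code from the thread, haproxy or the proxy app), the following Python encodes and decodes the TCP-over-IPv4 form of the binary PROXY protocol v2 header that send-proxy-v2 emits, and adds a consistency check that flags the degenerate header seen in the "after, bad" line, where the destination is a copy of the source. The byte layout follows the published PROXY protocol specification; the check itself is an assumption about what a receiving app should do instead of trusting the header blindly.

```python
import ipaddress
import socket
import struct

# PROXY protocol v2 constants, per the published proxy-protocol specification
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VER_CMD_PROXY = 0x21   # high nibble: version 2, low nibble: command PROXY
PP2_FAM_TCP4 = 0x11        # high nibble: AF_INET, low nibble: STREAM (TCP)


def build_pp2_tcp4(src_ip, src_port, dst_ip, dst_port):
    """Encode a v2 header for one TCP-over-IPv4 connection (used to construct test input)."""
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    return (PP2_SIGNATURE + bytes([PP2_VER_CMD_PROXY, PP2_FAM_TCP4])
            + struct.pack("!H", len(addrs)) + addrs)


def parse_pp2_tcp4(data):
    """Decode a TCP4 v2 header and sanity-check the addresses it carries.

    Returns (fields, findings): fields mirrors the app's log line
    ("Proxy 2 <src> <sport> <dst> <dport>"); findings lists anomalies a
    receiving app should log rather than silently accept.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != PP2_VER_CMD_PROXY or fam_proto != PP2_FAM_TCP4:
        raise ValueError(f"unsupported header type {ver_cmd:#x}/{fam_proto:#x}")
    if length < 12 or len(data) < 16 + length:
        raise ValueError("truncated or short address block")
    src, dst, sport, dport = struct.unpack("!4s4sHH", data[16:28])
    fields = {"src": str(ipaddress.IPv4Address(src)), "sport": sport,
              "dst": str(ipaddress.IPv4Address(dst)), "dport": dport}
    findings = []
    # The "after, bad" line in the thread: dst is a copy of src. A real client
    # does not connect to its own ephemeral port, so treat this as a failed
    # address lookup on the sending side, not as a genuine destination.
    if fields["src"] == fields["dst"] and sport == dport:
        findings.append("destination equals source: upstream address lookup likely failed")
    if sport == 0 or dport == 0:
        findings.append("zero port in header")
    return fields, findings
```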