Connection reset, but connection to frontend is logged

Help!
1

I am trying to create an IPv4 to IPv6 proxy of sorts.

I have a VPS that has both IPv4 and IPv6 connectivity, and a backend that has IPv6 only.

Hosts replaced with example.org because I don’t feel like adding more background noise to my VPS or my other hosts.

docker compose on VPS:

services:
  haproxy:
    image: haproxytech/haproxy-alpine:latest
    volumes:
      - ./config:/usr/local/etc/haproxy/
    network_mode: host
    restart: unless-stopped

haproxy config:

global

defaults
  log global
  option  redispatch
  timeout client 30s
  timeout connect 4s
  timeout server 30s

frontend listener
  bind 10.0.0.156:443 #Internal VPS v4 address, maps to public v4 address
  mode tcp
  log stdout format raw daemon debug
  tcp-request inspect-delay 1s
  use_backend my_v6_host if { req_ssl_sni -i v6.example.org }

backend my_v6_host
  mode tcp
  server my_v6 v6.example.org:443 #/etc/hosts entry so I get the correct IP
  option ssl-hello-chk
  log stdout format raw daemon debug

Testing from another machine - I had this working, I am wondering if it’s an issue of ordering in the config

curl.exe  --resolve example.org:443:<public ipv4 of VPS> -k -vv -H "Host: example.org" https://example.org

18:20:18.236000 [0-0] * [HTTPS-CONNECT] connect, init
18:20:18.236000 [0-0] *   Trying <v4 address of VPS>:443...
18:20:18.236000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:20:18.236000 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
18:20:18.268000 [0-0] * ALPN: curl offers http/1.1
18:20:18.268000 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
18:20:18.268000 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
18:20:18.274000 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
18:20:18.280000 [0-0] * TLS connect error: error:00000000:lib(0):func(0):reason(0)
18:20:18.282000 [0-0] * LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to home.baxter.works:443
18:20:18.284000 [0-0] * [HTTPS-CONNECT] connect, all failed
18:20:18.286000 [0-0] * [HTTPS-CONNECT] connect -> 35, done=0
18:20:18.286000 [0-0] * closing connection #0
18:20:18.286000 [0-0] * [HTTPS-CONNECT] close
18:20:18.286000 [0-0] * [SETUP] close
18:20:18.286000 [0-0] * [SETUP] destroy
18:20:18.286000 [0-0] * [HTTPS-CONNECT] destroy
curl: (35) TLS connect error: error:00000000:lib(0):func(0):reason(0)
2

What’s the haproxy log output? Also put option tcplog in your defaults section.

3

Now we’re getting somehere

haproxy-1  | <my v4 address>:65313 [19/Feb/2026:09:29:38.567] listener listener/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0
4

A few suggestions:

In the curl command you are using example.org while haproxy expects v6.example.org, confirm that this is actually matching (and only due to redaction), or use a default_backend rule instead of SNI matching.

Remove the option ssl-hello-chk, this will only create problems if check is enabled (but you should enable healthchecks in this configuration anyway).

Make sure you can actually reach port 443 of the destination IPv6 server.