HAproxy TLS passthough

Help!
1

Hi
I was wondering if someone could shed some light on the issue im having,
Currently have 2 sites on my backend a wordpress and zimbra email server,
they both have the SSL on each server, the idea is to passthough to those servers

but on the log i keep seeing

SharedFrontend-merged Backend1_ipv4/ -1/-1/6 0 SC 1/1/0/0/0 0/0

Thank you

root@bunker:/var/log# cat /etc/haproxy/haproxy.cfg
global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
#	user haproxy
#	group haproxy
	daemon

	# Default SSL material locations
	#ca-base /etc/ssl/certs
	#crt-base /etc/ssl/private

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        #ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        #ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        #ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend SharedFrontend-merged
        bind			*:443
	mode			tcp
	log			global
      timeout client		30000
      tcp-request inspect-delay	 5s
	acl			wordpress	req.ssl_sni -i wordpress.domain.co
	acl			zimbra	       req.ssl_sni -i mail.domain.co
        tcp-request content accept if { req.ssl_hello_type 1 }
       tcp-request connection set-src str(192.168.7.123) if { src 192.168.7.0/24 }
	use_backend Backend2_ipv4  if  zimbra
	use_backend Backend1_ipv4  if  wordpress



frontend HTTPTOHTTPS
	bind			*:80
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
         tcp-request connection set-src str(192.168.7.123) if { src 192.168.7.0/24 }
       acl			wordpress     var(txn.txnhost) -m str -i wordpress.domain.co
	acl			zimbra	      var(txn.txnhost) -m str -i mail.domain.co
        http-request set-var(txn.txnhost) hdr(host)
	http-request redirect scheme https  if  wordpress
	http-request redirect scheme https  if  zimbra


backend Backend2_ipv4
	mode			tcp
	id			10103
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	server			zimbra 192.168.7.245:443 id 10104 check inter 1000

backend Backend1_ipv4
	mode			tcp
	id			10101
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	server			wordpress 192.168.7.35:443 id 10102 check inter 1000
2

Unless the haproxy box is properly configured and the default gateway of those backend servers, this is probably wrong.

Try removing it.

3

Thank you for the reply,
Forgot to mention this config comes from my pfSense, which i wanted to migrate the HAproxy to a Ubuntu VM rather to have on pfSense, which was working with no issue
now it seems to work, but i thought that part would send the real IP to the backend?

4

Correct, you can only spoof source IPs if you are the default gateway.