Haproxy using backend tcp

Hi community! \o/

After upgrading from HAProxy 2.3.7 to 3.1.7, I’ve encountered an issue that did not occur with the previous version. Here’s our setup:

  • A VPN client connects to an AWS NLB listening on port 10443.
  • The NLB forwards traffic to an HAProxy server (target group) on port 10443, using a specific IP, 192.168.1.1.
  • HAProxy is configured as follows:

global
    log         127.0.0.1:514 local0
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     10000
    daemon
    quiet
    tune.ssl.default-dh-param 2048
    tune.lua.bool-sample-conversion normal
    lua-load /etc/haproxy/mailers.lua

defaults main
    mode          http
    log           global
    option        httplog
    option        http-server-close
    option        forwardfor    except 127.0.0.0/8
    option        redispatch
    option        contstats
    retries       3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          5m
    timeout server          5m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 10000

frontend vpn
    mode tcp
    bind 192.168.1.1:10443
    default_backend vpn_backend

backend vpn_backend
    mode tcp
    server vpnserver 192.168.1.10:443

The HAProxy server has two IP addresses:

  • 192.168.1.1
  • 192.168.1.2 (used for another frontend)

The issue:

After the upgrade, the VPN backend server started detecting a potential DoS attack. It logs messages like:

A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 192.168.1.2, port number is 52442. This connection will be forcefully disconnected now.

This is likely because HAProxy was sending backend traffic using the 192.168.1.2 IP, which caused the VPN server to start blocking those connections.

Workaround so far:

I updated the backend line to explicitly set the source IP:

server vpnserver 192.168.1.10:443 source 192.168.1.1

That partially fixed the issue — after restarting HAProxy, VPN connections started working again. But eventually, I noticed that some health checks also started coming from 192.168.1.1, which the VPN server still interprets as a threat and closes the connection.

In the HAProxy statistics page, the backend for the VPN (vpn_backend) shows "no check" — so health checks are disabled.
I wouldn’t expect HAProxy to perform any checks, yet the VPN server continues receiving connections that look like health checks, coming from the NLB to HAProxy’s IP (192.168.1.1).
It feels as if something is bypassing HAProxy and hitting the VPN server directly, but using HAProxy’s IP.

Any idea how I can ensure that HAProxy uses only the correct source IP (192.168.1.1) to prevent these unwanted checks or connections from reaching the VPN server?

Any help or clarification would be greatly appreciated!

Thanks in advance,
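One way to check the poster's suspicion (that some connections reach the VPN server from an address HAProxy is not configured to use) is to correlate the VPN server's DoS log lines with the `source` addresses declared on the HAProxy backend. The script below is an added example and not part of the original post or of HAProxy itself; the log-line format is assumed from the single message quoted above, and the configuration fragment is constructed to show both a per-server `source` and a `default-server source`, which are real HAProxy keywords.

```python
"""Correlate VPN-server DoS log lines with the source IPs an HAProxy backend
is configured to use, and report connections from unexpected addresses."""
import re
from collections import Counter

# Constructed sample log lines in the format quoted in the post (not real data).
SAMPLE_LOG = """\
A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 192.168.1.2, port number is 52442. This connection will be forcefully disconnected now.
A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 192.168.1.2, port number is 52450. This connection will be forcefully disconnected now.
A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 192.168.1.1, port number is 40001. This connection will be forcefully disconnected now.
"""

# Constructed HAProxy config fragment (assumed, not the poster's full file).
# other_backend is hypothetical and only exercises the default-server path.
SAMPLE_CFG = """\
frontend vpn
    mode tcp
    bind 192.168.1.1:10443
    default_backend vpn_backend

backend vpn_backend
    mode tcp
    server vpnserver 192.168.1.10:443 source 192.168.1.1

backend other_backend
    mode tcp
    default-server source 192.168.1.2
    server app1 192.168.1.20:8080
    server app2 192.168.1.21:8080 source 192.168.1.1
"""

DOS_RE = re.compile(
    r"TCP Listener \(port (?P<port>\d+)\).*?"
    r"source IP address is (?P<src_ip>[\d.]+), port number is (?P<src_port>\d+)"
)


def parse_dos_events(text):
    """Return one dict per DoS log line: listener port, source IP, source port."""
    events = []
    for line in text.splitlines():
        m = DOS_RE.search(line)
        if m:
            events.append({"port": int(m["port"]), "src_ip": m["src_ip"],
                           "src_port": int(m["src_port"])})
    return events


def _source_of(tokens):
    """Extract the address after the 'source' keyword on a server line, if any."""
    if "source" in tokens:
        i = tokens.index("source")
        if i + 1 < len(tokens):
            return tokens[i + 1].split(":")[0]  # drop an optional :port suffix
    return None


def configured_sources(cfg_text):
    """Map backend -> {server name: source IP or None}.

    Handles 'server ... source <ip>' and a backend-level 'default-server source <ip>';
    every other server option is ignored. 'listen' sections are treated like backends."""
    backends, current, default_src = {}, None, None
    for raw in cfg_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] in ("backend", "listen"):
            current, default_src = tokens[1], None
            backends[current] = {}
        elif tokens[0] in ("frontend", "defaults", "global"):
            current = None
        elif current and tokens[0] == "default-server":
            default_src = _source_of(tokens)
        elif current and tokens[0] == "server":
            backends[current][tokens[1]] = _source_of(tokens) or default_src
    return backends


def audit(log_text, cfg_text, backend, allowed_extra=()):
    """Count DoS events per source IP and flag IPs the backend is not configured to use.

    A flagged IP means the VPN server saw traffic that did not originate from the
    backend's declared source address, i.e. something other than this backend."""
    expected = {ip for ip in configured_sources(cfg_text).get(backend, {}).values() if ip}
    expected |= set(allowed_extra)
    counts = Counter(e["src_ip"] for e in parse_dos_events(log_text))
    unexpected = {ip: n for ip, n in counts.items() if ip not in expected}
    return {"counts": dict(counts), "expected": expected, "unexpected": unexpected}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, SAMPLE_CFG, "vpn_backend")
    print("events per source IP:", report["counts"])
    print("configured sources:  ", sorted(report["expected"]))
    print("unexpected sources:  ", report["unexpected"])
```

Run it against the real VPN log and `/etc/haproxy/haproxy.cfg` by replacing the two constructed strings with file contents. A non-empty `unexpected` set points at traffic arriving from an address HAProxy does not bind for that backend; events from the expected address still need the VPN server's own rate thresholds compared against the connection rate HAProxy legitimately produces.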