Hi,
I’ve been trying a couple of things and either I am missing something in the docs or there seems to be a bug.
I downsized my configuration as much as possible:
global
ssl-default-bind-options ssl-min-ver TLSv1.2
log 127.0.0.1 local0 info
log 127.0.0.1 local0
daemon
nbthread 2
stats timeout 30
log-send-hostname
chroot /var/empty
#############
defaults
timeout connect 10s
timeout http-request 10s
timeout client 900s
timeout server 900s
mode http
log global
option httplog
#############
###############################
backend backend1
mode http
no log
http-reuse always
# source 0.0.0.0 usesrc clientip
balance source
server server1 192.168.2.10:80 enabled
frontend frontend1
no log
mode http
bind 192.168.1.10:80 interface eth1 transparent
default_backend backend1
This seems to be working absolutely fine as long as I don’t enable usesrc clientip in the backend:
user@testclient:~$ for a in {1..90}; do curl --interface 12.12.12.12 http://192.168.1.10 -m2 -H "Connection: keep-alive"; done
root@haproxy:/opt/haproxy# tcpdump -i any 'host 192.168.2.10 or host 12.12.12.12' and tcp[13]=2 -nnn
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
12:06:41.636383 eth1 In IP 12.12.12.12.55549 > 192.168.1.10.80: Flags [S]
12:06:41.637004 eth2 Out IP 192.168.2.1.51544 > 192.168.2.10.80: Flags [S]
12:06:41.645423 eth1 In IP 12.12.12.12.59131 > 192.168.1.10.80: Flags [S]
12:06:41.653970 eth1 In IP 12.12.12.12.49811 > 192.168.1.10.80: Flags [S]
12:06:41.662192 eth1 In IP 12.12.12.12.41853 > 192.168.1.10.80: Flags [S]
12:06:41.670344 eth1 In IP 12.12.12.12.37247 > 192.168.1.10.80: Flags [S]
12:06:41.678518 eth1 In IP 12.12.12.12.36007 > 192.168.1.10.80: Flags [S]
12:06:41.686688 eth1 In IP 12.12.12.12.55457 > 192.168.1.10.80: Flags [S]
12:06:41.694942 eth1 In IP 12.12.12.12.44871 > 192.168.1.10.80: Flags [S]
12:06:41.703217 eth1 In IP 12.12.12.12.57151 > 192.168.1.10.80: Flags [S]
12:06:41.711506 eth1 In IP 12.12.12.12.37281 > 192.168.1.10.80: Flags [S]
[...]
91 packets captured
91 packets received by filter
0 packets dropped by kernel
root@haproxy:/opt/haproxy#
I can see exactly one SYN sent out towards the server and that’s it. Exactly as per the expectation.
As soon as I change the backend configuration to use the original client IP for the serverside connection, when I start the loop on the client again, the tcpdump looks like this:
root@haproxy:/opt/haproxy# tcpdump -i any 'host 192.168.2.10 or host 12.12.12.12' and tcp[13]=2 -nnn
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
12:12:09.627302 eth1 In IP 12.12.12.12.54739 > 192.168.1.10.80: Flags [S]
12:12:09.628353 eth2 Out IP 12.12.12.12.53362 > 192.168.2.10.80: Flags [S]
12:12:09.636901 eth1 In IP 12.12.12.12.42743 > 192.168.1.10.80: Flags [S]
12:12:09.637324 eth2 Out IP 12.12.12.12.53368 > 192.168.2.10.80: Flags [S]
12:12:09.645450 eth1 In IP 12.12.12.12.58641 > 192.168.1.10.80: Flags [S]
12:12:09.645687 eth2 Out IP 12.12.12.12.53370 > 192.168.2.10.80: Flags [S]
12:12:09.653742 eth1 In IP 12.12.12.12.37701 > 192.168.1.10.80: Flags [S]
12:12:09.654009 eth2 Out IP 12.12.12.12.53372 > 192.168.2.10.80: Flags [S]
12:12:09.662045 eth1 In IP 12.12.12.12.43733 > 192.168.1.10.80: Flags [S]
12:12:09.662410 eth2 Out IP 12.12.12.12.53374 > 192.168.2.10.80: Flags [S]
12:12:09.670386 eth1 In IP 12.12.12.12.57391 > 192.168.1.10.80: Flags [S]
12:12:09.670668 eth2 Out IP 12.12.12.12.53386 > 192.168.2.10.80: Flags [S]
12:12:09.678750 eth1 In IP 12.12.12.12.38029 > 192.168.1.10.80: Flags [S]
12:12:09.679158 eth2 Out IP 12.12.12.12.53388 > 192.168.2.10.80: Flags [S]
12:12:09.687070 eth1 In IP 12.12.12.12.40609 > 192.168.1.10.80: Flags [S]
12:12:09.687529 eth2 Out IP 12.12.12.12.53390 > 192.168.2.10.80: Flags [S]
12:12:09.695557 eth1 In IP 12.12.12.12.60707 > 192.168.1.10.80: Flags [S]
12:12:09.695865 eth2 Out IP 12.12.12.12.53392 > 192.168.2.10.80: Flags [S]
12:12:09.703892 eth1 In IP 12.12.12.12.41257 > 192.168.1.10.80: Flags [S]
12:12:09.704217 eth2 Out IP 12.12.12.12.53394 > 192.168.2.10.80: Flags [S]
12:12:09.712266 eth1 In IP 12.12.12.12.44583 > 192.168.1.10.80: Flags [S]
12:12:09.712590 eth2 Out IP 12.12.12.12.53396 > 192.168.2.10.80: Flags [S]
12:12:09.720537 eth1 In IP 12.12.12.12.54489 > 192.168.1.10.80: Flags [S]
12:12:09.720809 eth2 Out IP 12.12.12.12.53398 > 192.168.2.10.80: Flags [S]
12:12:09.728792 eth1 In IP 12.12.12.12.45777 > 192.168.1.10.80: Flags [S]
12:12:09.729108 eth2 Out IP 12.12.12.12.53400 > 192.168.2.10.80: Flags [S]
12:12:09.737403 eth1 In IP 12.12.12.12.41671 > 192.168.1.10.80: Flags [S]
[...]
180 packets captured
180 packets received by filter
0 packets dropped by kernel
root@haproxy:/opt/haproxy#
The client gets correct responses, but there is one serverside connection per clientside connection, which was what I wanted to avoid using http-reuse always.
Can anybody else reproduce this? Am I misreading the documentation? Or is there some other parameter I have to add in order to make this work also for transparent mode?
EDIT:
sorry, forgot to mention the haproxy version used:
root@haproxy:/opt/haproxy# /opt/haproxy/haproxy.bin -v
HAProxy version 2.6.0-a1efc04 2022/05/31 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-2.6.0.html
Running on: Linux 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64
I also reproduced with other versions, but to be sure, I eventually tried 2.6.
Many thanks in advance,
Matt