Inconsistent HAProxy packet

Hello,

I have set up an HAProxy service (version 2.8) on OPNsense and I'm struggling to make it work consistently.
I followed a guide from the OPNsense forum as the base for my setup.

Here is my current HAProxy configuration:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # Process-wide settings. HAProxy drops to uid/gid 80 and chroots to
    # /var/haproxy after binding its listeners.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    # Runtime API socket at "level admin": any member of group "proxy" can
    # change server state, drain traffic or dump stick tables through it.
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.ocsp-update.mindelay 300
    tune.ssl.ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    # Inherited by every frontend/backend below unless overridden.
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 60s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend (DISABLED): Frontend_HTTP ()

# Frontend: 0_SNI_frontend ()
# Public entry point: accepts raw TCP on :80 and :443 and hands every
# connection to SSL_backend. Despite the name, no SNI inspection
# (tcp-request inspect-delay / req_ssl_sni) is configured here, so routing
# is purely by default_backend.
frontend 0_SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80 
    bind 0.0.0.0:443 name 0.0.0.0:443 
    mode tcp
    default_backend SSL_backend

    # logging options
    option log-separate-errors
    option tcplog

# Frontend: 1_HTTP_frontend ()
# Internal HTTP listener, reached only via SSL_backend. accept-proxy means
# every connection MUST start with a PROXY protocol header and the client
# address it carries is trusted; a connection arriving on 127.10.10.2:80
# without that header is rejected with the "does not look like a PROXY
# protocol header" log entry.
frontend 1_HTTP_frontend
    bind 127.10.10.2:80 name 127.10.10.2:80 accept-proxy 
    mode http
    option http-keep-alive

    # logging options
    option log-separate-errors
    option httplog
    # ACL: no-ssl
    # This bind has no "ssl" keyword, so ssl_fc is always false here and the
    # redirect below applies to every request.
    acl acl_606b47270c87a3.09968459 ssl_fc

    # ACTION: HTTPRedirect
    http-request redirect scheme https code 301 if !acl_606b47270c87a3.09968459

# Frontend: 1_HTTPS_frontend ()
# Internal TLS-terminating listener, reached only via SSL_backend (PROXY
# header required, see accept-proxy below).
frontend 1_HTTPS_frontend
    # HSTS on every response: browsers refuse plain HTTP for this host for
    # 15768000 s (about six months).
    http-response set-header Strict-Transport-Security "max-age=15768000"
    # SSLv3/TLS1.0/TLS1.1 disabled, session tickets off; strict-sni rejects
    # handshakes whose SNI matches no certificate in the crt-list.
    bind 127.10.10.2:443 name 127.10.10.2:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets strict-sni ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/66a957c77230c2.86454741.certlist 
    mode http
    option http-keep-alive

    # logging options
    option log-separate-errors
    option httplog
    # ACL: nc-host
    # hdr_sub is a substring match: any Host header containing
    # "nc.roxblic.xyz" matches. hdr(host) -i (exact match) is stricter.
    acl acl_606b4708173456.71367641 hdr_sub(host) -i nc.roxblic.xyz

    # ACTION: NC_rule
    use_backend NC_backend if acl_606b4708173456.71367641

# Backend: SSL_backend ()
# Loops the public TCP connection back into the internal HTTP/HTTPS
# frontends on 127.10.10.2.
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # No port on the server line: HAProxy connects to 127.10.10.2 on the same
    # port the client used (80 or 443). send-proxy-v2 prepends a PROXY v2
    # header with the original client address, which the accept-proxy binds
    # above depend on. check-send-proxy only affects health checks, which are
    # disabled here (no "check" keyword).
    server SSL_server 127.10.10.2 send-proxy-v2 check-send-proxy

# Backend: NC_backend ()
backend NC_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    # Adds X-Forwarded-For with the client address taken from the PROXY header.
    option forwardfor
    # "verify none": the hop to 10.1.1.2:443 is encrypted but the backend
    # certificate is not checked, so an impersonated server on that path is
    # not detected. "verify required ca-file <CA_BUNDLE_PATH>" (placeholder)
    # would pin it.
    server NC_server 10.1.1.2:443 ssl verify none


# statistics are DISABLED

First of all, why do the frontends need to be prefixed with 0_ / 1_? Without these prefixes I consistently got the error below when accessing the HTTP port. After adding the 0_ prefix to SNI_frontend, the error now occurs only about once in every four attempts.

$ curl -vv http://domain.tld/
* Host domain.tld:80 was resolved.
* IPv6: (none)
* IPv4: 10.1.1.2
*   Trying 10.1.1.2:80...
* Connected to domain.tld (10.1.1.2) port 80
> GET / HTTP/1.1
> Host: domain.tld
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
* Empty reply from server
* Closing connection
curl: (52) Empty reply from server

Corresponding HAProxy log:

2024-08-02T13:23:47	Informational	10.2.2.1:41028 [02/Aug/2024:13:23:47.399] SNI_frontend SSL_backend/SSL_server 1/0/22 0 -- 1/1/0/0/0 0/0	
2024-08-02T13:23:47	Error	127.10.10.2:19006 [02/Aug/2024:13:23:47.399] 1_HTTP_frontend/127.10.10.2:80: Received something which does not look like a PROXY protocol header

Also, for HTTPS requests I get an SSL_ERROR_SYSCALL error (or PR_END_OF_FILE_ERROR in Chrome/Firefox) on roughly one out of every 2–3 attempts.

$ curl -vv https://domain.tld/
* Host domain.tld:443 was resolved.
* IPv6: (none)
* IPv4: 10.1.1.2
*   Trying 10.1.1.2:443...
* Connected to domain.tld (10.1.1.2) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to domain.tld:443
* Closing connection
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to domain.tld:443

Corresponding HAProxy log:

2024-08-02T13:21:24	Informational	10.2.2.1:60118 [02/Aug/2024:13:21:24.339] SNI_frontend SSL_backend/SSL_server 1/0/19 0 -- 1/1/0/0/0 0/0	
2024-08-02T13:21:24	Error	127.10.10.2:15595 [02/Aug/2024:13:21:24.339] 2_HTTPS_frontend/127.10.10.2:443: Received something which does not look like a PROXY protocol header

I ran a tcpdump, and it seems that sometimes the PROXY protocol header is not received at all: the first packet is the TLS "Client Hello".