HAProxy community

Netscaler CIP magic number in tcp-request

I am struggling with setting up HAProxy with Netscaler CIP support.
Netscaler is configured with CIP and magicnumber 1234.
As I would like to only require CIP from requests arriving through the Netscaler LB, I tried implementing an ACL and a tcp-request connection rule; unfortunately it does not work (HAProxy closes the connection with a FIN immediately on receiving the SSL Client Hello).
See specific configuration snippet below.
Configuring HAProxy to require Netscaler CIP on all requests (using the bind setting “accept-netscaler-cip 1234”) works fine, but is not usable, as all requests arriving from clients other than Netscaler are rejected.
I seem to be missing an option to add the magic number (1234) when using the tcp-request connection rule; not sure if this is the problem?!
Anyone tried this or can help… I would appreciate it!

HAProxy version 1.8.14-52e4d43

HAProxy accepts requests from Netscaler and works with this configuration:
frontend public_ssl
    bind :443 accept-netscaler-cip 1234
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

HAProxy rejects requests from Netscaler with this configuration: (NS source address 1.1.1.1)
frontend public_ssl
    bind :443
    tcp-request inspect-delay 5s
    acl netscaler_with_cip src 1.1.1.1
    tcp-request connection expect-netscaler-cip layer4 if netscaler_with_cip
    tcp-request content accept if { req_ssl_hello_type 1 }

Brgds, Lars
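If, as the post suspects, the magic number can only be attached to a bind line, one way to keep CIP mandatory for the Netscaler while not imposing it on other clients is a second listener. The configuration below is an added example; it is not part of the original post and not taken from HAProxy's own documentation. The port 8443, the "mode tcp" lines, the backend name and the server address are assumptions. It keeps "accept-netscaler-cip 1234" (which the post confirms works) on a dedicated socket, and uses a tcp-request connection rule, which for a CIP-enabled listener sees the real peer address rather than the inserted one, to reject every source except the Netscaler address from the post (1.1.1.1). That source restriction is the security-relevant part: a client-IP insertion header accepted from an unknown source lets any client choose the client address HAProxy logs and evaluates in ACLs.

```haproxy
# Constructed example (not from the original post): one public listener for
# ordinary clients and a separate, source-restricted listener for the Netscaler,
# where CIP with magic number 1234 is enforced on the bind line.

frontend public_ssl
    # Ordinary clients: no CIP expected, plain SSL passthrough.
    bind :443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend app_ssl

frontend netscaler_ssl
    # Port 8443 is an assumption; the Netscaler would have to be pointed at it.
    bind :8443 accept-netscaler-cip 1234
    mode tcp
    # Only the known Netscaler address (1.1.1.1 from the post) may use this
    # listener. tcp-request connection rules see the real peer address, not the
    # address carried in the CIP header, so this cannot be satisfied by a
    # forged header.
    tcp-request connection reject unless { src 1.1.1.1 }
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend app_ssl

backend app_ssl
    # Backend name and server address are assumptions for the example.
    mode tcp
    server app1 10.0.0.10:443
```

With this layout the public socket never accepts a CIP header at all, so nothing a client sends on :443 can change the address HAProxy sees; on :8443 the header is mandatory, and only the Netscaler source can reach that rule. The two frontends share one backend, so the application sees the same pool either way.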