I am using haproxy behind a load balancer to bridge a public and a private (k8) network. The load balancer runs the PROXY protocol. I have included the configuration I wrote below. I have confirmed that everything is speaking, and that the LB is using the proxy protocol correctly. The whitelisting of the underlying client is working fine (tested that it both blocks incorrect traffic and allows correct traffic). However, the commented-out line is not working. The intention of the commented-out line (which uses connection rather than content) is to FIRST filter out anything that does not come from a valid load balancer, since I would assume that without this, impersonation would be possible. I have confirmed that the IPs line up, but still no connection is being made when that line is in place. I can turn OFF accept-proxy and block on it, but then I cannot firewall the client traffic, which is the original intent. I am trying to block first on valid proxy, and second on valid proxied client.
    frontend ingress
        bind *:9977 accept-proxy
        mode tcp
        acl is_valid_proxy src -f /usr/local/etc/haproxy/proxies.acl
        # tcp-request connection reject if !is_valid_proxy
        acl is_whitelisted src -f /usr/local/etc/haproxy/whitelist.acl
        tcp-request content reject if !is_whitelisted
        use_backend egress
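As an added illustration, not part of the question above and not HAProxy's own code, here is a small Python model of the two-stage policy the configuration is aiming for: first check the real TCP peer against the trusted-proxy list, and only then parse the PROXY protocol v1 header and check the address it carries against the client whitelist. The ACL networks, peer addresses and header lines are constructed sample values standing in for proxies.acl and whitelist.acl; the point it shows is why the order matters: a PROXY header is plain text that any peer can send, so the client address in it is only meaningful once the peer itself has been verified as a load balancer.

```python
import ipaddress

# Constructed sample ACLs standing in for proxies.acl and whitelist.acl.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]    # the load balancers
CLIENT_WHITELIST = [ipaddress.ip_network("203.0.113.0/24")]  # allowed real clients

ACCEPT = "accept"
REJECT_UNTRUSTED_PROXY = "reject: peer is not a trusted proxy"
REJECT_BAD_HEADER = "reject: malformed or UNKNOWN PROXY header"
REJECT_CLIENT = "reject: proxied client not whitelisted"


def in_acl(addr, acl):
    """True if addr falls inside any network of the ACL."""
    return any(addr in net for net in acl)


def parse_proxy_v1(line: bytes):
    """Parse a PROXY protocol v1 line: b'PROXY TCP4 src dst sport dport\\r\\n'.

    Returns (src, dst, sport, dport) or None for the UNKNOWN family.
    Raises ValueError on anything that does not match the v1 grammar.
    """
    if not line.endswith(b"\r\n") or len(line) > 107:
        raise ValueError("bad PROXY v1 line terminator or length")
    fields = line[:-2].decode("ascii").split(" ")
    if fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported family or wrong field count")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    expected_version = 4 if fields[1] == "TCP4" else 6
    if src.version != expected_version or dst.version != expected_version:
        raise ValueError("address family does not match declared protocol")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return src, dst, sport, dport


def decide(peer_ip: str, header: bytes) -> str:
    """Apply the two-stage policy to one accepted connection.

    peer_ip is the real TCP peer (what a connection-level rule sees);
    header is the first line the peer sent.
    """
    # Stage 1 (connection level): only load balancers may speak PROXY to us.
    # Without this, anyone reaching the port could forge a whitelisted client.
    peer = ipaddress.ip_address(peer_ip)
    if not in_acl(peer, TRUSTED_PROXIES):
        return REJECT_UNTRUSTED_PROXY

    # Stage 2 (content level): trust the header only now, then check the client.
    try:
        parsed = parse_proxy_v1(header)
    except ValueError:
        return REJECT_BAD_HEADER
    if parsed is None:
        return REJECT_BAD_HEADER
    client = parsed[0]
    if not in_acl(client, CLIENT_WHITELIST):
        return REJECT_CLIENT
    return ACCEPT


if __name__ == "__main__":
    # Constructed sample connections.
    good = b"PROXY TCP4 203.0.113.10 10.0.0.7 40000 9977\r\n"
    spoof = b"PROXY TCP4 203.0.113.10 10.0.0.7 40000 9977\r\n"  # same header, wrong peer
    print(decide("10.0.0.5", good))        # from a real LB, whitelisted client
    print(decide("198.51.100.9", spoof))   # forged header from an untrusted peer
    print(decide("10.0.0.5", b"PROXY TCP4 198.51.100.1 10.0.0.7 1 9977\r\n"))
```

The stage-1 check uses the peer address and never the header, which is the property the commented-out connection-level rule in the question is meant to enforce; the stage-2 check is the equivalent of the content-level whitelist rule that already works.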