Properly/Selectively Blocking PROXY PROTOCOL connections

Hello,

I am using haproxy behind a load balancer to bridge a public and a private (k8) network. The load balancer runs the PROXY protocol. I have included the configuration I wrote below. I have confirmed that everything is speaking, and that the LB is using the PROXY protocol correctly. The whitelisting of the underlying client is working fine (tested that it both blocks incorrect traffic and allows correct traffic). However, the commented-out line is not working. The intention of the commented-out line (which uses connection rather than content) is to FIRST filter out anything that does not come from a valid load balancer, since I would assume that without this, impersonation would be possible. I have confirmed that the IPs line up, but still no connection is being made when that line is in place. I can turn OFF accept-proxy and block on it, but then I cannot firewall the client traffic, which is the original intent. I am trying to block first on valid proxy, and second on valid proxied client.

frontend ingress
        bind *:9977 accept-proxy
        mode tcp
        acl is_valid_proxy src -f /usr/local/etc/haproxy/proxies.acl
        # tcp-request connection reject if !is_valid_proxy
        acl is_whitelisted src -f /usr/local/etc/haproxy/whitelist.acl
        tcp-request content reject if !is_whitelisted
        use_backend egress

Hi,
From the documentation, it looks like you are missing the “expect-proxy layer4” option.

tcp-request connection expect-proxy layer4 if { src -f proxies.lst }

https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#tcp-request%20connection

Right, you need to remove the accept-proxy configuration and use expect-proxy layer4 instead, which is here for this exact use-case.

Thanks for the help, guys. A variation of that got it working. Weirdly, I could NOT get it to work without accept-proxy though (everything was unreachable). Here is what I have, and it's working, but if I remove the accept-proxy as suggested, should I be using expect-proxy on the content as well instead?

frontend ingress
        bind *:9977 accept-proxy
        mode tcp
        tcp-request connection expect-proxy layer4 if { src -f /usr/local/etc/haproxy/proxies.acl }
        acl is_whitelisted src -f /usr/local/etc/haproxy/whitelist.acl
        tcp-request content reject if !is_whitelisted
        use_backend egress

Either it’s a bug or a documentation error.

No, most likely this keyword isn’t even recognized with tcp-request content.
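Putting the advice in this thread together (drop accept-proxy from the bind line, use a conditional expect-proxy layer4 at the connection stage, keep the client whitelist at the content stage), as an added example that is not from any poster here. It reuses the port, ACL file paths and backend name from the question; the extra connection-stage reject and the comments on which address each stage sees are based on the HAProxy documentation for accept-proxy and tcp-request connection, not on anything tested in this thread.

```haproxy
frontend ingress
        # No accept-proxy here: whether a PROXY header is expected is decided
        # per connection by the tcp-request connection rule below.
        bind *:9977
        mode tcp

        # Stage 1: layer-4 rules run before any byte is read, so "src" is the
        # real TCP peer, i.e. the load balancer's own address.
        # proxies.acl holds one address or CIDR per line, e.g. 10.0.0.0/24
        # (constructed sample; use your LB addresses).
        acl is_valid_proxy src -f /usr/local/etc/haproxy/proxies.acl

        # Anything not coming from a known load balancer is dropped first,
        # before a PROXY header could ever be parsed from it.
        tcp-request connection reject if !is_valid_proxy

        # Only trusted load balancers are allowed to supply a PROXY header
        # that rewrites the connection's source address.
        tcp-request connection expect-proxy layer4 if is_valid_proxy

        # Stage 2: content rules run after the PROXY header has been read, so
        # "src" is now the original client address reported by the LB.
        # whitelist.acl: one client address or CIDR per line.
        acl is_whitelisted src -f /usr/local/etc/haproxy/whitelist.acl
        tcp-request content reject if !is_whitelisted

        use_backend egress
```

If the same src list is used in both stages it will match different addresses (LB at stage 1, client at stage 2), which is the behaviour the question was looking for.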