Proxy protocol causes SSL handshake failure


I have two servers with HAProxy, let’s call them “Passthrough” and “App”.

Passthrough dispatches the requests to our different preproduction servers.
App is a preproduction server.

I need the client address IP in App (for authentication purposes), but with my current configuration it is Passthrough’s IP which is forwarded, so I get a 500 Internal Server Error (which is normal).

When I try to use the PROXY protocol and add the send-proxy and expect-proxy, I get SSL Handshake failures. I have no additional information on this error and I can’t find the Alert packet describing the SSL error.

Could someone help me by at least telling me where to look? I’m confused by not having found anything in my capture.

Thanks for any help you could provide!

Passthrough (simplified) faulty configuration, HAProxy 2.6:

defaults base
  log global
  mode tcp
  timeout connect 5000
  timeout client 120000
  timeout server 110000

frontend lb from base
  tcp-request content accept if { req.ssl_hello_type 1 }

use_backend app if { req_ssl_sni -i }
default_backend deny

backend app from base
  server app send-proxy
backend deny from base
  mode http
  http-request deny

App (simplified) faulty configuration, HAProxy 2.0:

  log global
  mode http
  option httplog
  option donglognull
  option forwardfor
  timeout connect 5000
  timeout client 50000
  timeout server 50000

frontend https
  bind *:443 ssl crt [...]
  tcp-request connection expect-proxy layer4 if { src }
  use_backend interop

backend interop
  http-check expect status 200
  option httpchk GET /isup
  server local localhost:5042 check inter 10000 fastinter 2000
  http-response set-header Content-Security-Policy [...]

Packet capture: