Send-proxy-v2 doesn't work when conntrack is disabled

We have the following (working) setup:

Haproxy and our Proxy app are running on the same server. Haproxy sends requests to the Proxy app via the proxy protocol:

listen web_proxy_app
        bind *:443 ssl crt /etc/ssl/our-certs no-sslv3
        server proxy-app /tmp/proxy.sock send-proxy-v2

As soon as we exclude port 443 from the conntrack table via nft like this:

chain PREROUTING_NOTRACK {
        type filter hook prerouting priority -300; policy accept;
        iif VLAN1012 tcp dport { 80, 443 } notrack
}

the proxy app doesn’t receive the correct IP values:

-   Proxy          2 123.123.129.3 57893 234.236.46.5 443   <--- before, good
-   Proxy          2 123.123.129.3 58217 123.123.129.3  58217  <--- after, bad

We’d like to keep our conntrack table as small as possible. Is there a way to achieve this?
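To make the two log lines above concrete, here is an added example (not code from the thread or from HAProxy) that encodes and decodes a PROXY protocol v2 header as send-proxy-v2 emits it for TCP over IPv4, plus a constructed sanity check that flags the "after" symptom, where the destination tuple mirrors the source tuple:

```python
import socket
import struct

# PROXY protocol v2 wire constants (the format HAProxy's send-proxy-v2 uses)
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION_PROXY = 0x21    # high nibble: version 2, low nibble: command PROXY
PP2_AF_INET_STREAM = 0x11   # high nibble: AF_INET, low nibble: STREAM (TCP/IPv4)


def build_pp2_header(src_ip, src_port, dst_ip, dst_port):
    """Encode a PROXY v2 header for one TCP-over-IPv4 connection."""
    addrs = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    addrs += struct.pack("!HH", src_port, dst_port)
    fixed = struct.pack("!BBH", PP2_VERSION_PROXY, PP2_AF_INET_STREAM, len(addrs))
    return PP2_SIGNATURE + fixed + addrs


def parse_pp2_header(data):
    """Decode a PROXY v2 header; returns (src_ip, src_port, dst_ip, dst_port)."""
    if not data.startswith(PP2_SIGNATURE):
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if fam_proto != PP2_AF_INET_STREAM:
        raise ValueError("this example only decodes TCP over IPv4")
    body = data[16:16 + length]
    if len(body) < 12:
        raise ValueError("truncated address block")
    src_ip = socket.inet_ntoa(body[0:4])
    dst_ip = socket.inet_ntoa(body[4:8])
    src_port, dst_port = struct.unpack("!HH", body[8:12])
    return src_ip, src_port, dst_ip, dst_port


def tuple_looks_wrong(src_ip, src_port, dst_ip, dst_port):
    """Constructed heuristic for the symptom in the thread: a header whose
    destination equals its source cannot describe a real client-to-server
    connection, so the original tuple was lost before HAProxy saw it."""
    return (src_ip, src_port) == (dst_ip, dst_port)
```

Feeding the "before" and "after" values from the log lines through `build_pp2_header` and `parse_pp2_header` shows that only the "after" header trips the check.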

This has nothing to do with haproxy at all.

When you disable conntrack and applications stop working, you’ll have to look at the firewall configuration altogether, not at the application.

Ok, are you 100% sure that the conntrack table is not used by haproxy in any way? If so, I’ll direct my question to the netfilter folks.

I’m sure, yes.