Send-proxy-v2 doesn't work when conntrack is disabled

We have the following (working) setup:

Haproxy and our Proxy app are running on the same server. Haproxy sends requests to the Proxy app via the proxy protocol:

listen web_proxy_app
        bind *:443 ssl crt /etc/ssl/our-certs no-sslv3
        server proxy-app /tmp/proxy.sock send-proxy-v2

As soon as we exclude port 443 from the conntrack table via nft like this:

chain PREROUTING_NOTRACK {
        type filter hook prerouting priority -300; policy accept;
        iif "VLAN1012" tcp dport { 80, 443 } notrack
}

the proxy app doesn’t receive the correct IP values:

-   Proxy          2 123.123.129.3 57893 234.236.46.5 443   <--- before, good
-   Proxy          2 123.123.129.3 58217 123.123.129.3  58217  <--- after, bad

We’d like to keep our conntrack table as small as possible. Is there a way to achieve this?

This has nothing to do with haproxy at all.

When you disable conntrack and applications stop working, you’ll have to look at the firewall configuration altogether, not at the application.

OK, are you 100 % sure that the conntrack table is not used by haproxy in any way? If so, I’ll direct my question to the netfilter folks.

I’m sure, yes.

For anyone running into the same problem: You also need to add a notrack rule for outgoing connections like this:

chain OUTPUT_NOTRACK {
        type filter hook output priority raw; policy accept;
        oif "VLAN1012" tcp sport { 80, 443 } counter notrack
}

Afterwards, everything works as desired.
Strangely enough, this issue was only present for port 443. Port 80 seems to be handled differently by haproxy and didn’t need this rule to work.
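Added example, not from the thread itself: the two notrack rules from this discussion combined into one complete nftables ruleset that can be loaded with `nft -f`. The table name `notrack_web` and the `inet` family are assumptions; `VLAN1012` is the interface name used above.

```nft
# Added example (not the original poster's ruleset). Table name and the
# "inet" family are assumptions; VLAN1012 is the interface from the thread.
table inet notrack_web {
    # Inbound packets from clients: skip conntrack at raw priority (-300),
    # so no entry is created for the client -> HAProxy direction.
    chain prerouting_notrack {
        type filter hook prerouting priority raw; policy accept;
        iif "VLAN1012" tcp dport { 80, 443 } counter notrack
    }

    # Locally generated replies from HAProxy: without this chain the
    # outbound half of the flow is still tracked, which is the situation
    # that produced the wrong PROXY v2 addresses for port 443 above.
    chain output_notrack {
        type filter hook output priority raw; policy accept;
        oif "VLAN1012" tcp sport { 80, 443 } counter notrack
    }
}
```

`nft -c -f notrack_web.nft` checks the file without loading it; once loaded, `conntrack -L -p tcp | grep -c 'dport=443'` should stop growing for new connections on the excluded ports.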

Haproxy works with sockets in a straightforward way, there is no special handling for specific ports or anything like that.

iptables/nftables can be complex beasts, but this has nothing to do with haproxy.