I ignored your question because I believe it would be a mistake to use either “tcp content” or “tcp connection” reject, for the reason mentioned.
I’m not sure I understand … you are trying to block requests based on the IP address information from the PROXY protocol. Is that not true? What’s my assumption that is untrue here?
I assumed you are blocking requests/connections in nginx in a similar manner to how you are trying to do it on the intermediate haproxy instance here, which would lead to exactly the problems explained in this thread.