Hello netfilter team,

We have the following (working) setup: HAProxy and our Proxy app are running on the same server. HAProxy sends requests to the Proxy app via the proxy protocol:

    listen web_proxy_app
        bind *:443 ssl crt /etc/ssl/our-certs no-sslv3
        server proxy-app /tmp/proxy.sock send-proxy-v2

As soon as we exclude port 443 from the conntrack table via nft like this:

    chain PREROUTING_NOTRACK {
        type filter hook prerouting priority -300; policy accept;
        iif VLAN1012 tcp dport { 80, 443 } notrack
    }

the Proxy app doesn't receive the correct IP values:

    Proxy 2 123.123.129.3 57893 234.236.46.5 443      <--- before, good
    Proxy 2 123.123.129.3 58217 123.123.129.3 58217   <--- after, bad

Somehow the destination IP and port information gets lost. I've asked the HAProxy community if their software uses information from the conntrack table in any way, which is apparently not the case:

https://discourse.haproxy.org/t/send-proxy-v2-doesnt-work-when-conntrack-is-disabled/6891

Could this have something to do with netfilter?

Marc Reymann
System Engineer
Team Technical Projects & Solutions

--
InterNetX GmbH
Johanna-Dachs-Str. 55
93055 Regensburg
Germany
Tel. +49 941 59559-489
Fax +49 941 59579-55
www.internetx.com
www.facebook.com/InterNetX
www.twitter.com/InterNetX
Geschäftsführer: Thomas Mörz (CEO), Hakan Ali
Amtsgericht Regensburg, HRB 7142
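The two "Proxy 2 ..." lines above are what the receiving application prints after decoding the binary PROXY protocol v2 header that HAProxy's `send-proxy-v2` emits. The following is an added example (not code from the mail, from HAProxy or from InterNetX) showing how such a header is laid out and parsed, plus the sanity check a receiving app can apply so that a destination tuple which merely echoes the source tuple is logged as suspect instead of being trusted for access decisions. The two headers it feeds in are constructed from the addresses quoted in the mail; `build_pp2_header`, `parse_pp2_header` and `address_tuple_looks_bogus` are names chosen here and do not exist in any of those projects.

```python
import socket
import struct

# PROXY protocol v2 constants, taken from the published PROXY protocol spec.
PP2_SIGNATURE = b"\x0d\x0a\x0d\x0a\x00\x0d\x0a\x51\x55\x49\x54\x0a"
PP2_VERSION = 0x20        # high nibble of byte 13
PP2_CMD_PROXY = 0x01      # low nibble of byte 13 (0x00 = LOCAL)
PP2_FAM_INET = 0x10       # high nibble of byte 14
PP2_FAM_INET6 = 0x20
PP2_TRANS_STREAM = 0x01   # low nibble of byte 14 (TCP)


def build_pp2_header(src_ip, src_port, dst_ip, dst_port):
    """Encode a PROXY v2 header for a TCP/IPv4 connection.
    Used here only to construct sample input; a real sender is HAProxy."""
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    return (PP2_SIGNATURE
            + bytes([PP2_VERSION | PP2_CMD_PROXY, PP2_FAM_INET | PP2_TRANS_STREAM])
            + struct.pack("!H", len(addrs))   # length of everything after byte 16
            + addrs)


def parse_pp2_header(data):
    """Decode the PROXY v2 header at the start of `data`.
    Returns (info, remaining_bytes); raises ValueError on malformed input."""
    if len(data) < 16:
        raise ValueError("need at least 16 bytes for a PROXY v2 header")
    if data[:12] != PP2_SIGNATURE:
        raise ValueError("bad PROXY v2 signature")
    ver_cmd, fam_trans = data[12], data[13]
    if ver_cmd & 0xF0 != PP2_VERSION:
        raise ValueError("unsupported PROXY protocol version")
    length = struct.unpack("!H", data[14:16])[0]
    body = data[16:16 + length]
    if len(body) != length:
        raise ValueError("truncated PROXY v2 header")
    info = {"command": "PROXY" if ver_cmd & 0x0F == PP2_CMD_PROXY else "LOCAL"}
    family = fam_trans & 0xF0
    if info["command"] == "PROXY" and family == PP2_FAM_INET:
        if length < 12:
            raise ValueError("IPv4 address block too short")
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        info.update(src_ip=socket.inet_ntoa(src), src_port=sport,
                    dst_ip=socket.inet_ntoa(dst), dst_port=dport)
    elif info["command"] == "PROXY" and family == PP2_FAM_INET6:
        if length < 36:
            raise ValueError("IPv6 address block too short")
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
        info.update(src_ip=socket.inet_ntop(socket.AF_INET6, src), src_port=sport,
                    dst_ip=socket.inet_ntop(socket.AF_INET6, dst), dst_port=dport)
    # LOCAL commands and UNSPEC families carry no usable address tuple.
    return info, data[16 + length:]


def address_tuple_looks_bogus(info):
    """Heuristic for the symptom in the mail: the destination tuple is a copy of
    the source tuple. No real client connects to its own address and port, so a
    receiving app should log and refuse to rely on such a header rather than
    feed it into allow-lists or audit records."""
    if "src_ip" not in info:
        return False
    return info["src_ip"] == info["dst_ip"] and info["src_port"] == info["dst_port"]


def format_like_app_log(info):
    """Render the tuple the way the mail's application log does."""
    return "Proxy 2 %s %d %s %d" % (info["src_ip"], info["src_port"],
                                    info["dst_ip"], info["dst_port"])


# Constructed samples reproducing the "good" and "bad" lines from the mail.
SAMPLE_GOOD = build_pp2_header("123.123.129.3", 57893, "234.236.46.5", 443)
SAMPLE_BAD = build_pp2_header("123.123.129.3", 58217, "123.123.129.3", 58217)

if __name__ == "__main__":
    for hdr in (SAMPLE_GOOD, SAMPLE_BAD):
        info, rest = parse_pp2_header(hdr + b"GET / HTTP/1.1\r\n")
        flag = "  <-- suspect: dst echoes src" if address_tuple_looks_bogus(info) else ""
        print(format_like_app_log(info) + flag)
```

The check is deliberately narrow: it catches the exact failure shape reported here (destination equal to source) without guessing at the cause, which the mail leaves open. In production the same hook is the place to compare the header's destination against the listener's actual bound address and to reject PROXY headers from any peer other than the local HAProxy socket.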