InterNetX - Marc Reymann <marc.reymann@xxxxxxxxxxxxx> wrote:

> Haproxy and our Proxy app are running on the same server. Haproxy sends
> requests to the Proxy app via the proxy protocol:
>
> listen web_proxy_app
>     bind *:443 ssl crt /etc/ssl/our-certs no-sslv3
>     server proxy-app /tmp/proxy.sock send-proxy-v2
>
> As soon as we exclude port 443 from the conntrack table via nft like this:
>
> chain PREROUTING_NOTRACK {
>     type filter hook prerouting priority -300; policy accept;
>     iif VLAN1012 tcp dport { 80, 443 } notrack
> }
>
> the proxy app doesn't receive the correct IP values:
>
> - Proxy 2 123.123.129.3 57893 234.236.46.5 443     <--- before, good
> - Proxy 2 123.123.129.3 58217 123.123.129.3 58217  <--- after, bad
>
> Somehow the destination IP and port information gets lost.

<wild guess>
"app" uses getsockopt SO_ORIGINAL_DST to fetch the destination address and has no error handling for this.

Really, no idea. How does the application obtain those addresses?
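Added example (C, written for this page, not code from the thread or from the proxy app) of the lookup the guess refers to: SO_ORIGINAL_DST is answered from the conntrack table, so an untracked flow gets ENOENT (or ENOPROTOOPT when conntrack is not loaded) and a caller that checks the return value can fall back to getsockname(). The helper names and the loopback self-check are assumptions; Linux headers are required.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/netfilter_ipv4.h>   /* SO_ORIGINAL_DST */

enum dst_kind { DST_NONE = 0, DST_CONNTRACK, DST_LOCAL };

/* Fill *dst with the address the client connected to and say where the answer
 * came from (helper name chosen for this example, not from the thread). */
enum dst_kind original_dst(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    *dst = (struct sockaddr_in){0};
    /* SO_ORIGINAL_DST asks nf_conntrack for the pre-NAT destination; it fails with
     * ENOENT when the flow was never tracked ("notrack") and ENOPROTOOPT when conntrack
     * is not loaded. A caller ignoring that keeps whatever *dst held before. */
    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, dst, &len) == 0 &&
        len == sizeof(*dst) && dst->sin_family == AF_INET)
        return DST_CONNTRACK;
    /* Untracked flow: without DNAT the locally bound address is still the one
     * the client reached (HAProxy on :443 above). Bad descriptors fail here. */
    len = sizeof(*dst);
    if (getsockname(fd, (struct sockaddr *)dst, &len) == 0 &&
        dst->sin_family == AF_INET)
        return DST_LOCAL;
    return DST_NONE;
}

/* Self-check over a loopback TCP connection: 1 if the destination obtained for
 * the accepted socket carries the listener's port, 0 if the lookup failed or
 * disagreed, -1 if setting up the loopback connection itself failed. */
int demo_loopback(void)
{
    struct sockaddr_in a = { .sin_family = AF_INET,
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) }, got;
    socklen_t alen = sizeof(a);
    int ls = socket(AF_INET, SOCK_STREAM, 0), cs, as, ok = -1;
    if (ls < 0 || bind(ls, (struct sockaddr *)&a, sizeof(a)) < 0 ||
        listen(ls, 1) < 0 || getsockname(ls, (struct sockaddr *)&a, &alen) < 0)
        goto out_ls;
    if ((cs = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out_ls;
    if (connect(cs, (struct sockaddr *)&a, sizeof(a)) < 0) goto out_cs;
    if ((as = accept(ls, NULL, NULL)) < 0) goto out_cs;
    ok = original_dst(as, &got) != DST_NONE && got.sin_port == a.sin_port;
    close(as);
out_cs: close(cs);
out_ls: if (ls >= 0) close(ls);
    return ok;
}
```

On a host where port 443 is marked notrack, the first getsockopt() call fails and only the fallback yields the real local address; an app that skips the check is left with whatever the buffer contained, which matches the "after, bad" line above.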