Re: Haproxy's "send-proxy-v2" doesn’t work when conntrack is disabled

InterNetX - Marc Reymann <marc.reymann@xxxxxxxxxxxxx> wrote:
> Haproxy and our Proxy app are running on the same server. Haproxy sends
> requests to the Proxy app via the proxy protocol:
> 
> listen web_proxy_app
>         bind *:443 ssl crt /etc/ssl/our-certs no-sslv3
>         server proxy-app /tmp/proxy.sock send-proxy-v2
> 
> As soon as we exclude port 443 from the conntrack table via nft like this:
> 
> chain PREROUTING_NOTRACK {
>         type filter hook prerouting priority -300 policy accept
>         iif VLAN1012 tcp dport { 80, 443 } notrack
> }
> 
> the proxy app doesn’t receive the correct IP values:
> 
> -   Proxy          2 123.123.129.3 57893 234.236.46.5 443   <--- before, good
> -   Proxy          2 123.123.129.3 58217 123.123.129.3 58217  <--- after, bad
> 
> Somehow the destination IP and port information gets lost.

<wild guess> "app" uses getsockopt SO_ORIGINAL_DST to fetch the
destination address and has no error handling for this.

Really, no idea.  How does the application obtain those addresses?
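Added example, not part of the thread or of haproxy's code: if the app really does take its addresses from a conntrack-backed getsockopt lookup, as the reply guesses, then excluding port 443 from conntrack leaves that lookup with nothing to return. The PROXY protocol v2 header that `send-proxy-v2` writes at the start of the connection already carries both the client and the original destination address, independent of conntrack. The parser below reads the IPv4/TCP form of that header; the sample bytes are constructed to match the "before, good" line above (123.123.129.3:57893 -> 234.236.46.5:443). Function and struct names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Result of parsing a PROXY protocol v2 header (IPv4/TCP handled here). */
struct pp2_addr {
    int ok;             /* 1 if a PROXY command with IPv4/TCP addresses was parsed */
    int local;          /* 1 if the command was LOCAL (e.g. health check); use socket addresses */
    char src_ip[INET_ADDRSTRLEN];
    char dst_ip[INET_ADDRSTRLEN];
    uint16_t src_port;
    uint16_t dst_port;
    size_t header_len;  /* bytes consumed by the header; the payload starts here */
};

/* Fixed 12-byte signature that opens every v2 header. */
static const uint8_t PP2_SIG[12] = {
    0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A
};

/* Returns 0 on success, -1 if buf is too short to hold the whole header
 * (caller should read more) or is not a usable v2 header at all. */
int pp2_parse(const uint8_t *buf, size_t len, struct pp2_addr *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 16) return -1;                      /* fixed part not complete */
    if (memcmp(buf, PP2_SIG, 12) != 0) return -1; /* not PROXY v2 */
    uint8_t ver_cmd = buf[12];
    uint8_t fam_proto = buf[13];
    uint16_t rest = (uint16_t)((buf[14] << 8) | buf[15]);
    if ((ver_cmd >> 4) != 2) return -1;           /* only version 2 */
    if (len < 16u + rest) return -1;              /* address block / TLVs not all read yet */
    out->header_len = 16u + rest;

    if ((ver_cmd & 0x0F) == 0x00) {               /* LOCAL command: no proxied addresses */
        out->local = 1;
        return 0;
    }
    if ((ver_cmd & 0x0F) != 0x01) return -1;      /* unknown command */
    if (fam_proto != 0x11) return -1;             /* this example handles AF_INET + STREAM only */
    if (rest < 12) return -1;                     /* IPv4 block is exactly 12 bytes */

    struct in_addr src, dst;
    memcpy(&src, buf + 16, 4);
    memcpy(&dst, buf + 20, 4);
    inet_ntop(AF_INET, &src, out->src_ip, sizeof(out->src_ip));
    inet_ntop(AF_INET, &dst, out->dst_ip, sizeof(out->dst_ip));
    out->src_port = (uint16_t)((buf[24] << 8) | buf[25]);
    out->dst_port = (uint16_t)((buf[26] << 8) | buf[27]);
    out->ok = 1;
    return 0;
}

/* Constructed sample: the header haproxy would emit for the thread's "good"
 * line, client 123.123.129.3:57893 -> 234.236.46.5:443. Returns bytes written. */
size_t pp2_sample_header(uint8_t *buf, size_t cap)
{
    static const uint8_t hdr[28] = {
        0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A,
        0x21,                   /* version 2, PROXY command */
        0x11,                   /* AF_INET, STREAM (TCP) */
        0x00, 0x0C,             /* 12 address bytes follow */
        0x7B, 0x7B, 0x81, 0x03, /* src 123.123.129.3 */
        0xEA, 0xEC, 0x2E, 0x05, /* dst 234.236.46.5 */
        0xE2, 0x25,             /* src port 57893 */
        0x01, 0xBB              /* dst port 443 */
    };
    if (cap < sizeof hdr) return 0;
    memcpy(buf, hdr, sizeof hdr);
    return sizeof hdr;
}

int main(void)
{
    uint8_t buf[64];
    struct pp2_addr a;
    size_t n = pp2_sample_header(buf, sizeof buf);
    if (pp2_parse(buf, n, &a) != 0 || !a.ok) {
        fprintf(stderr, "no usable PROXY v2 header\n");
        return 1;
    }
    printf("client %s:%u -> original dst %s:%u (payload at byte %zu)\n",
           a.src_ip, a.src_port, a.dst_ip, a.dst_port, a.header_len);
    return 0;
}
```

The two failure paths matter in practice: a short read must make the app read more bytes rather than interpret a half-received header, and a connection that arrives without the signature should be rejected when the listener is configured to expect the header, since an unexpected header-less client would otherwise be able to supply arbitrary "original" addresses.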


