We have the following (working) setup:
Haproxy and our Proxy app are running on the same server. Haproxy sends requests to the Proxy app via the proxy protocol:

    listen web_proxy_app
        bind *:443 ssl crt /etc/ssl/our-certs no-sslv3
        server proxy-app /tmp/proxy.sock send-proxy-v2
As soon as we exclude port 443 from the conntrack table via nft like this:
    chain PREROUTING_NOTRACK {
        type filter hook prerouting priority -300; policy accept;
        iif VLAN1012 tcp dport { 80, 443 } notrack
    }
the proxy app doesn’t receive the correct IP values:
- Proxy 2 123.123.129.3 57893 234.236.46.5 443 <--- before, good
- Proxy 2 123.123.129.3 58217 123.123.129.3 58217 <--- after, bad
We’d like to keep our conntrack table as small as possible. Is there a way to achieve this?
1 post - 1 participant
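To make the two "Proxy 2 ..." lines above concrete, here is an added, stand-alone PROXY protocol v2 decoder of the kind the proxy app behind /tmp/proxy.sock has to run on every new connection (this is example code written for this page, not the poster's app or HAProxy's own code). It decodes the header HAProxy's send-proxy-v2 emits, hands back the remaining payload, and includes a plausibility check for the exact symptom reported, a destination tuple identical to the source tuple; the header bytes it feeds itself are constructed from the two address lines in the post.

```python
import socket
import struct
from typing import NamedTuple, Optional, Tuple

# Constants from the PROXY protocol v2 specification (what send-proxy-v2 sends).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION, PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x20, 0x00, 0x01
PP2_FAMILIES = {0x1: (socket.AF_INET, 4), 0x2: (socket.AF_INET6, 16)}  # family nibble -> (af, addr len)

class ProxyInfo(NamedTuple):
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int

def parse_proxy_v2(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Decode the v2 header at the start of a connection; return (info, payload).
    info is None for a LOCAL command (e.g. health checks), which carries no addresses."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY v2 signature: peer is not speaking send-proxy-v2")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd & 0xF0 != PP2_VERSION or len(data) < 16 + length:
        raise ValueError("bad version or truncated header")
    body, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == PP2_CMD_LOCAL:
        return None, payload
    if ver_cmd & 0x0F != PP2_CMD_PROXY or fam_proto >> 4 not in PP2_FAMILIES:
        raise ValueError("unsupported command or address family")
    af, n = PP2_FAMILIES[fam_proto >> 4]
    if len(body) < 2 * n + 4:
        raise ValueError("address block shorter than the family requires")
    src, dst, sport, dport = struct.unpack(f"!{n}s{n}sHH", body[:2 * n + 4])
    return ProxyInfo(socket.inet_ntop(af, src), sport, socket.inet_ntop(af, dst), dport), payload

def header_is_plausible(info: ProxyInfo) -> bool:
    """The symptom in the post: destination tuple equals source tuple. No real client
    connects to its own address and port, so such a header should not be trusted."""
    return (info.src_addr, info.src_port) != (info.dst_addr, info.dst_port)

def build_proxy_v2(src: str, sport: int, dst: str, dport: int) -> bytes:
    """Encode an IPv4/TCP PROXY v2 header; used only to construct sample input here."""
    body = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HH", sport, dport)
    return PP2_SIGNATURE + struct.pack("!BBH", PP2_VERSION | PP2_CMD_PROXY, 0x11, len(body)) + body

if __name__ == "__main__":
    # Constructed from the "before, good" and "after, bad" lines of the post.
    good = build_proxy_v2("123.123.129.3", 57893, "234.236.46.5", 443) + b"GET / HTTP/1.1\r\n"
    bad = build_proxy_v2("123.123.129.3", 58217, "123.123.129.3", 58217)
    for raw in (good, bad):
        info, _ = parse_proxy_v2(raw)
        print(info, "plausible" if header_is_plausible(info) else "SUSPECT")
```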