OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: bitgh0st on March 17, 2021, 04:11:22 am

Title: [HAProxy] Unable To Transparently Proxy TCP Application Data
Post by: bitgh0st on March 17, 2021, 04:11:22 am
I've recently migrated from pfSense to OPNsense and thus far I've absolutely loved the changes made and have been really enjoying my time with it. Thus far I've been able to translate everything I used to have over to OPNsense, with the exception of one very important thing...

I have multiple instances of an application which does not support the PROXY protocol nor does it support any HTTP headers. In order to proxy traffic to said application without losing the original source IP (important), I have to do so transparently. I use HAProxy as a means to direct clients to the appropriate server in addition to the usual load-balancing.

In pfSense, I would simply toggle the "Use Client-IP to connect to backend servers" option and it'd load an IPFW rule, a sloppy state pf rule, and it'd add "source ipv4@ usesrc clientip" to the relevant backend block's portion of the HAProxy config file and everything would work as expected. No added fuss.

(https://i.imgur.com/Py7XzMf.png)

With OPNsense, however, there is no such option and I haven't been able to find a usable solution to this problem. I can forward & proxy the traffic normally just fine, but that results in a loss of the client IP. The application requires this information to function properly, so that's not an option.

I've done some digging and I've found a possible workaround, which boils down to manually doing what the HAProxy plugin does in pfSense, and several threads asking if we'd ever see a similar feature added into OPNsense core or even just the plugin (e.g. https://forum.opnsense.org/index.php?topic=2214 & https://github.com/opnsense/core/issues/1883). There seems to be some pushback on this though, and I get the impression that this isn't really the "OPNsense way" of handling it. So I'm left asking, what would be the preferable way to handle it?

I have tried to use the transparent proxy rules built into OPNsense, but that fails to address my needs. It creates a transparent NAT, but, once proxied, the application still logs the connection as though it came directly from the gateway instead of from an actual client.

It's totally possible I'm just missing something obvious with all this, so any help/input would be greatly appreciated. I really want to migrate to OPNsense, but sadly this has been a major blocker for me.
Title: Re: [HAProxy] Unable To Transparently Proxy TCP Application Data
Post by: guest28530 on April 06, 2021, 01:22:50 am
I also have this problem, and I'm hoping for a solution as well.
Title: Re: [HAProxy] Unable To Transparently Proxy TCP Application Data
Post by: PetervdS on June 16, 2021, 04:04:32 pm
Count me in too!!

I have been breaking my head over this one for a few days now, without good result. I also found that adding Proxy Protocol versions 1 or 2 on the back-end and 'source 0.0.0.0 usesrc clientip' on the Option pass-through field of the back-end should do it, but no cigar so far.
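For reference, here is what the `source ... usesrc clientip` directive that the pfSense plugin adds (and that the post above tries in the pass-through field) looks like in a plain HAProxy TCP-mode configuration. This is an added example, not from the thread or from either firewall's plugin; the addresses and port are constructed, and the comments on build support and return routing are my assumptions about why the directive alone is not enough.

```haproxy
global
    log /dev/log local0
    # Binding outgoing connections to a foreign (client) source address needs
    # HAProxy built with transparent-proxy support (IP_BINDANY on FreeBSD).
    # Assumption: verify with "haproxy -vv" that TPROXY support is listed.

defaults
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  1h
    timeout server  1h

frontend app_in
    # Constructed listener address; the application speaks raw TCP, so no
    # HTTP headers (X-Forwarded-For) are available to carry the client IP.
    bind 203.0.113.10:25565
    default_backend app_pool

backend app_pool
    balance leastconn
    # Connect to the servers from the client's own IP instead of HAProxy's.
    # Do NOT add send-proxy here: the application cannot parse PROXY protocol.
    source 0.0.0.0 usesrc clientip
    server app1 192.0.2.11:25565 check
    server app2 192.0.2.12:25565 check
```

Because the servers now see the real client IP, their replies are addressed to that client and must be routed back through the HAProxy host and redirected into HAProxy's socket; that return path is what the pfSense plugin's IPFW forward rule and sloppy-state pf rule provide, and without an equivalent on OPNsense the TCP handshake never completes even though this config is accepted.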