
HAProxy blocking more TCP requests than expected


In short, HAProxy is blocking my TCP requests when I expect it not to, and I found nothing in the logs.

Here is the interesting part of my haproxy file:

global
        log /dev/log    local0 debug
        log /dev/log    local1 debug
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        tune.ssl.default-dh-param 2048
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.1 no-tls-tickets

defaults
        log     global
        option  dontlognull
        timeout connect 50000
        timeout client  500000
        timeout server  500000

listen bck_mssql
        bind *:1433
        acl network_allowed src 10.123.0.0/16 10.8.0.0/16 192.168.0.0/16 172.20.0.0/16
        tcp-request connection reject if !network_allowed
        mode tcp
        option tcplog
        server my-server 192.168.1.2:1433 check

Once OpenVPN is activated, here is my ipconfig on Win10:

Unknown adapter OpenVPN Data Channel Offload:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : <ipv6 here>
   IPv4 Address. . . . . . . . . . . : 10.8.0.4
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : <ipv6 here>
   Temporary IPv6 Address. . . . . . : <ipv6 here>
   Link-local IPv6 Address . . . . . : <ipv6 here>
   IPv4 Address. . . . . . . . . . . : 172.20.10.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Default Gateway . . . . . . . . . : <ipv6 here>
                                       172.20.10.1

Any advice on how I can configure this to pass with my current IP configuration? Of course, if I comment out "tcp-request connection reject if !network_allowed" I get through, but that's not the final target.

When I grep for "SC " or "mssql" in the HAProxy logs I get absolutely nothing, while forcing SSMS to use TCP/IP connections (connections are NOT encrypted).

Thanks for helping.
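The following is an added example written for this page, not code from the question or from HAProxy itself. It models HAProxy's "src" ACL matching (a client address matches if it lies inside any listed network; an IPv6 source never matches an IPv4 prefix) and the "tcp-request connection reject if !ACL" rule from the listen section above, then evaluates the two client addresses shown in the ipconfig output together with a few control addresses. The config fragment is a constructed copy of the question's listen section; the parser only understands "acl NAME src ..." lines with plain IP/CIDR tokens and connection-level reject rules, nothing else in the HAProxy grammar. Running it shows that both 10.8.0.4 and 172.20.10.2 are inside the allowed ranges as written, so if the connection is still rejected, the source address HAProxy actually sees on the accepted socket is worth checking (for instance with a temporary "tcp-request connection accept" plus "log-format" of %ci, or a packet capture on the HAProxy host) rather than the ACL itself.

```python
"""Model HAProxy `src` ACLs and connection-level reject rules (added example).

This is a stand-in for HAProxy's own matcher, written to reason about the
configuration in the question; it is not HAProxy code and handles only
`acl NAME src <ip|cidr> ...` and `tcp-request connection reject if [!]NAME`.
"""
import ipaddress
import re

# Constructed copy of the listen section from the question.
LISTEN_BCK_MSSQL = """
listen bck_mssql
        bind *:1433
        acl network_allowed src 10.123.0.0/16 10.8.0.0/16 192.168.0.0/16 172.20.0.0/16
        tcp-request connection reject if !network_allowed
        mode tcp
        option tcplog
        server my-server 192.168.1.2:1433 check
"""

ACL_RE = re.compile(r"^\s*acl\s+(\S+)\s+src\s+(.+?)\s*$")
REJECT_RE = re.compile(r"^\s*tcp-request\s+connection\s+reject\s+if\s+(!?)(\S+)\s*$")


def parse_src_acls(config):
    """Return {acl_name: [networks]} for every `acl NAME src ...` line.

    A bare address such as 10.1.2.3 becomes a /32 (or /128) network, which
    is how HAProxy treats an exact address in a `src` ACL.
    """
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            nets = [ipaddress.ip_network(tok, strict=False) for tok in m.group(2).split()]
            acls.setdefault(m.group(1), []).extend(nets)
    return acls


def parse_reject_rules(config):
    """Return [(negated, acl_name)] for each `tcp-request connection reject if` rule."""
    rules = []
    for line in config.splitlines():
        m = REJECT_RE.match(line)
        if m:
            rules.append((m.group(1) == "!", m.group(2)))
    return rules


def src_matches(acl_nets, addr):
    """`src` semantics: true if the client address is inside any listed network.

    Address families must agree: an IPv6 client never matches an IPv4 prefix.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in acl_nets)


def connection_verdict(config, addr):
    """Return 'reject' if any reject rule's condition holds for this source, else 'accept'.

    Rules are evaluated in order, as HAProxy does; the first rule whose
    condition is true decides the verdict.
    """
    acls = parse_src_acls(config)
    for negated, name in parse_reject_rules(config):
        matched = src_matches(acls.get(name, []), addr)
        condition_true = matched != negated  # `!NAME` is true when NAME does not match
        if condition_true:
            return "reject"
    return "accept"


def evaluate(config, addrs):
    """Map each candidate source address to its verdict under the config."""
    return {a: connection_verdict(config, a) for a in addrs}


if __name__ == "__main__":
    # The two addresses from the ipconfig output, plus controls that should be rejected:
    # 10.9.0.4 is just outside 10.8.0.0/16, 8.8.8.8 is in no listed range,
    # and fe80::1 is IPv6 (no IPv6 prefix is listed).
    candidates = ["10.8.0.4", "172.20.10.2", "10.9.0.4", "8.8.8.8", "fe80::1"]
    for addr, verdict in evaluate(LISTEN_BCK_MSSQL, candidates).items():
        print(f"{addr:>14} -> {verdict}")
```

The useful result is the negative one: with these four prefixes, neither client address is rejected by the ACL as written, so a rejection at this stage means the peer address on the accepted connection is something else (for example after source NAT on the VPN path) or that a different rule is firing. Because the reject happens at the connection stage, before any session or request exists, grepping the access log for the backend name will not show these connections; log what HAProxy sees as the source before deciding the ACL is wrong.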
