Re: Stick tables and stunnel

From: Willy Tarreau <w#1wt.eu>
Date: Mon, 9 May 2011 23:40:18 +0200


Hello,

On Mon, May 09, 2011 at 05:40:44PM +0200, bartavelle wrote:
> Hello,
>
> This doesn't seem to work with 1.5-dev6 with accept-proxy bindings:
> http://tehlose.wordpress.com/2010/12/15/fun-stuff-with-latest-haproxy-version/
>
> The stick table only contains a single key, 127.0.0.1:
>
> # table: distribution, type: ip, size:512000, used:1
> 0x125e114: key=127.0.0.1 use=3 exp=299990 conn_cur=3

If you copied the conf from the link above, I'm not surprised, because the config tracks the IP immediately from the connection:

    tcp-request connection track-sc1 src if ! source_is_abuser

When the connection comes in, the real IP is seen. Once data comes on it and the proxy protocol is parsed, the transported IP is seen and can be used. From that point, internal IPs are changed. BTW this exception is explained in the doc for the accept-proxy keyword. If you want to achieve the same thing at this point, you'll have to use "tcp-request content" instead of "tcp-request connection", so that the filtering happens at the content inspection hook instead of the accept hook. And this makes sense since there's no point filtering on accept() since the connection initiator is known and trusted.

Regards,
Willy

Received on 2011/05/09 23:40
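The two hooks side by side, as an added configuration example that is not from this thread or from the blog post it links to. It assumes stunnel runs on the same host, terminates TLS and forwards to 127.0.0.1:8443 while sending the PROXY protocol header; the frontend and backend names, ports, table size and the connection threshold are illustrative values, and the ACL and fetch names follow current HAProxy syntax rather than 1.5-dev6 specifically.

```haproxy
# Added example, not from the thread. Assumes stunnel -> 127.0.0.1:8443 with
# the PROXY protocol enabled on the stunnel side; all names and numbers below
# are illustrative.

frontend ft_behind_stunnel
    bind 127.0.0.1:8443 accept-proxy
    mode http
    default_backend bk_app

    # One entry per client address, expiring after 5 minutes of inactivity,
    # tracking the number of concurrent connections.
    stick-table type ip size 512k expire 5m store conn_cur

    # WRONG on an accept-proxy listener: the connection hook runs at accept(),
    # before the PROXY header has been read, so "src" is stunnel's own
    # 127.0.0.1 and every client collapses into the single key seen in the
    # table dump above. Left commented out to show what not to do.
    # tcp-request connection track-sc1 src

    # RIGHT: content rules run once data has arrived and the PROXY header has
    # been parsed, so "src" is the client address stunnel forwarded.
    # inspect-delay gives the header up to 5s to arrive before rules fire.
    tcp-request inspect-delay 5s
    tcp-request content track-sc1 src

    # Deny a client that already holds 20 concurrent connections (threshold
    # is illustrative). sc1_conn_cur reads the counter tracked just above.
    acl abuser sc1_conn_cur ge 20
    tcp-request content reject if abuser

backend bk_app
    mode http
    server app1 127.0.0.1:8080
```

With this in place, "show table ft_behind_stunnel" on the stats socket should list one key per real client address instead of a single 127.0.0.1 entry; if it still shows only the loopback address, the stunnel side is not emitting the PROXY header, and the listener will be rejecting or misreading the first bytes of each connection.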

This archive was generated by hypermail 2.2.0 : 2011/05/09 23:45 CEST