Valerio Cicero

Reputation: 347

HAProxy PROXY protocol and Varnish not responding

I have an HAProxy that accepts accept-proxy connections

frontend f1
    bind *:443 accept-proxy
    default_backend http_varnish

and, in the same instance, I have varnish

backend http_varnish
   mode http
   balance roundrobin
   server varnish *:6081 check

The problem is that Varnish is unresponsive and times out. I tried to open another port in Varnish

#varnish
..... -a :6088,PROXY -T .......

I can't understand why it works correctly if I send requests directly to Apache as a backend, while Varnish is not responding.

Obviously, if I remove the accept-proxy and don't use the PROXY protocol, Varnish works fine.

Upvotes: 1

Views: 331

Answers (1)

Thijs Feryn

Reputation: 4818

The way you configured your HAProxy allows incoming connections to use the PROXY protocol.

What you need to do is configure HAProxy to connect to the backend over the PROXY protocol.

It's just a matter of adding send-proxy-v2 to your server definition as illustrated below:

backend http_varnish
   mode http
   balance roundrobin
   server varnish 192.168.1.100:6088 check send-proxy-v2

You also have to update the endpoint where your Varnish is located. In this case I turned it into 192.168.1.100:6088. Please fix this accordingly and make sure the right hostname and port are used.

Once you've successfully done that, you can start benefiting from PROXY awareness in Varnish. The vmod_proxy module in Varnish allows you to get information about the client connection. See http://varnish-cache.org/docs/6.0/reference/vmod_generated.html#vmod-proxy

In the end you can check whether or not a connection was made over TLS, as illustrated below:

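// vmod_proxy must be imported before proxy.is_ssl() can be called
import proxy;

sub vcl_recv {
    if (proxy.is_ssl()) {
        // Connection arrived over TLS: do stuff
    } else {
        // Plain-text connection: do other stuff
    }
}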

The X-Forwarded-For header will also contain the IP of the original client.

Long story short: many benefits.

Upvotes: 1
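To see what `send-proxy-v2` puts on the wire and why a `-a :6088,PROXY` listener cannot make sense of a connection that opens with a bare HTTP request, here is a small PROXY protocol v2 builder and parser. It is an added example, not code from the question, the answer, HAProxy or Varnish; the names `build_v2` and `parse_v2` are hypothetical, and it handles TCP over IPv4 only.

```python
import ipaddress
import struct

# Constants from the PROXY protocol v2 specification.
SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte preamble
PP2_TYPE_SSL = 0x20                      # TLV carrying TLS information
PP2_CLIENT_SSL = 0x01                    # bit in the TLV's first byte


def build_v2(src, sport, dst, dport, tlvs=()):
    """Build a v2 header for a proxied TCP/IPv4 connection."""
    body = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    body += struct.pack("!HH", sport, dport)
    for tlv_type, value in tlvs:
        body += struct.pack("!BH", tlv_type, len(value)) + value
    # 0x21 = version 2 + PROXY command, 0x11 = AF_INET + STREAM
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


def parse_v2(data):
    """Parse the start of a stream the way a PROXY listener has to.

    Returns (info, remaining_bytes); raises ValueError when the peer did
    not open with a v2 header, e.g. it sent a bare HTTP request.
    """
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("no PROXY v2 signature at start of stream")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or len(data) < 16 + length:
        raise ValueError("bad version or truncated PROXY header")
    body, rest = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0:              # LOCAL command, no addresses
        return {"local": True}, rest
    if fam_proto != 0x11 or len(body) < 12:
        raise ValueError("only TCP over IPv4 is handled in this example")
    sport, dport = struct.unpack("!HH", body[8:12])
    info = {"local": False, "ssl": False,
            "src": (str(ipaddress.IPv4Address(body[0:4])), sport),
            "dst": (str(ipaddress.IPv4Address(body[4:8])), dport)}
    pos = 12
    while pos + 3 <= len(body):          # walk the optional TLVs
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        if pos + 3 + tlv_len > len(body):
            raise ValueError("TLV overruns header")
        if tlv_type == PP2_TYPE_SSL and tlv_len >= 1:
            info["ssl"] = bool(body[pos + 3] & PP2_CLIENT_SSL)
        pos += 3 + tlv_len
    return info, rest
```

The TLS flag lives in the optional SSL TLV, which HAProxy adds only when the server line asks for it (`send-proxy-v2-ssl` or `proxy-v2-options ssl`), so with plain `send-proxy-v2` the `ssl` field here stays false.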
