Bug #11937

open

HAproxy "Use Client-IP" option breaks Captive Portal

Added by David Quinn almost 3 years ago. Updated almost 3 years ago.

Status: Feedback
Priority: Normal
Assignee: Viktor Gurov
Category: haproxy
Target version: -
Start date: 05/19/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture: amd64

Description

Devices can access HTTPS sites without authenticating via Captive Portal.
Enabling 'Use Client-IP to connect to backend servers.' in HAproxy appears to add rules in ipfw and prevents 3 of the rules from /etc/inc/captiveportal.inc from being created.

Rules from captive portal which failed to get created in ipfw were:

01000 0 0 skipto tablearg ip from any to any via table(cp_ifaces)
01100 315443004 123076915775 allow ip from any to any
65534 0 0 deny ip from any to any

Without the deny rule, all traffic was allowed through except access to port 80, which would still be redirected to the captive portal login page.
Problem not fixed after reboot.
To get it working, I had to remove the option 'Use Client-IP to connect to backend servers.', then delete the rules which haproxy created and add back in the rules from the captiveportal.inc file.
Everything works if I do not re-enable the mentioned haproxy option.
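
Added example (not part of the original report and not pfSense code): a check that reads an ipfw ruleset listing, such as the output of `ipfw show`, and reports which of the three captive portal rules quoted above are absent, so a missing final deny rule is caught before clients bypass the portal. The helper name missing_cp_rules and both sample listings are constructed for illustration; the listing format is assumed to match the lines quoted in the report.

```shell
#!/bin/sh
# The three captive portal rules the report lists as missing, as "NUMBER body".
# Packet/byte counters are left out so the match does not depend on traffic.
EXPECTED='01000 skipto tablearg ip from any to any via table(cp_ifaces);01100 allow ip from any to any;65534 deny ip from any to any'

# missing_cp_rules (hypothetical helper): reads an ipfw ruleset listing on stdin,
# with or without counter columns, prints every expected rule that is absent,
# and returns non-zero if any is missing.
missing_cp_rules() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, want, ";") }
        $1 ~ /^[0-9]+$/ {
            # Skip the two counter columns when present ("NUM PKTS BYTES body").
            start = ($2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/) ? 4 : 2
            rule = $1
            for (i = start; i <= NF; i++) rule = rule " " $i
            seen[rule] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print want[i]; miss = 1 }
            exit (miss ? 1 : 0)
        }'
}

# Constructed sample listings (not captured from a real firewall).
SAMPLE_OK='01000 0 0 skipto tablearg ip from any to any via table(cp_ifaces)
01100 315443004 123076915775 allow ip from any to any
65534 0 0 deny ip from any to any'
SAMPLE_NO_DENY='01000 0 0 skipto tablearg ip from any to any via table(cp_ifaces)
01100 42 4200 allow ip from any to any'

for name in SAMPLE_OK SAMPLE_NO_DENY; do
    eval "listing=\$$name"
    if missing=$(printf '%s\n' "$listing" | missing_cp_rules); then
        echo "$name: all captive portal rules present"
    else
        echo "$name: MISSING -> $missing"
    fi
done
```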

