Haproxy issue

Good day, gentlemen!
I have several web servers behind one external IP; all incoming traffic to ports 80 and 443 is sent to the reverse proxy server for SNI processing.
For access from the inside, I'm trying to configure hairpin NAT, but I'm at a dead end.

/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=\
    1.X.X.X
add action=dst-nat chain=dstnat comment="IN 80,443 to PROXY" dst-address=\
    1.X.X.X dst-port=80,443 log=yes protocol=tcp to-addresses=\
    192.168.110.232
add action=masquerade chain=srcnat comment="HNAT Masquerade" dst-address=\
    192.168.110.232 dst-port=443,80 log=yes protocol=tcp src-address=\
    192.168.110.0/24

It works fine from the outside, but the connection is refused from the inside.

There's nothing wrong with the config you posted. Does the last rule have any hits? If not, check the forward chain in firewall filter and make sure that it's not blocked by something in there.

Can I just say, Haproxy sounds like a pharmaceutical name for a new diabetes or high pressure drug. :wink:
Sob is a master at torturing rules so if he says your rules are okay, then they are.

Taking a page from Sob, (making a wild assed guess), I would say that your forward chain rule for allow destination nat is still in the stupid default format with the offending bit highlighted.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed"
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Much better is the simpler:
add action=accept chain=forward comment="allow port forwarding"
connection-nat-state=dstnat

Thanks for the answer; as an experiment I disabled all firewall filters and the iptables rules (on the proxy machine), without success.
To anav:
No change :(
Log:

TCP (SYN), 1.1.1.1(local PC ip):52625->192.168.110.232:443, NAT 1.1.1.1(local PC ip):52625->(1.X.X.X:443->192.168.110.232:443), len 52
TCP (SYN), 1.1.1.1(local PC ip):52626->1.X.X.X:443, len 52

I do use HAProxy with hairpin NAT and it works fine. So it's doable.
My dream is that MT adds a reverse proxy like HAProxy.

Try this:

/ip firewall mangle
add chain=prerouting connection-mark=debug-pf action=log log-prefix=port-forward
add chain=prerouting connection-state=new src-address=<local PC address> dst-address=<public address> protocol=tcp dst-port=443 action=mark-connection new-connection-mark=debug-pf log=yes log-prefix=port-forward-NEW passthrough=yes
add chain=forward connection-mark=debug-pf action=log log-prefix=port-forward
add chain=postrouting connection-mark=debug-pf action=log log-prefix=port-forward

And see explanation here: http://forum.mikrotik.com/t/port-forwarding-so-simple-so-difficult/161719/19

port-forward-NEW prerouting: in:ether3 out:(unknown 0), src-mac aa:bb:cc, proto TCP (SYN), LOCAL IP:54902->PUBLIC IP:443, len 52
dstnat: in:ether3 out:(unknown 0), src-mac aa:bb:cc, proto TCP (SYN), LOCAL IP:54902->PUBLIC IP:443, len 52
port-forward forward: in:ether3 out:ether3, src-mac aa:bb:cc, proto TCP (SYN), LOCAL IP:54902->PROXY IP:443, NAT LOCAL IP:54902->(PUBLIC IP:443->PROXY IP:443), len 52
port-forward postrouting: in:(unknown 0) out:ether3, src-mac aa:bb:cc, proto TCP (SYN), LOCAL IP:54902->PROXY IP:443, NAT LOCAL IP:54902->(PUBLIC IP:443->PROXY IP:443), len 52
srcnat: in:(unknown 0) out:ether3, src-mac aa:bb:cc, proto TCP (SYN), LOCAL IP:54902->PROXY IP:443, NAT LOCAL IP:54902->(PUBLIC IP:443->PROXY IP:443), len 52
port-forward prerouting: in:ether3 out:(unknown 0), src-mac aa:bb:cc, proto TCP (ACK,RST), PROXY IP:443->LOCAL IP:54902, NAT (PROXY IP:443->PUBLIC IP:443)->GATEWAY IP:54902->LOCAL IP:54902), len 40

The last line shows that haproxy doesn't like the request, for some reason. Maybe it has some ACL preventing access from private subnets? You could either change that, or your hairpin NAT rule. If you have a static public address, you can do action=src-nat to-addresses=1.X.X.X instead of action=masquerade, and all requests from LAN will look as if they come from 1.X.X.X.
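For reference, here is the complete rule set that the advice above amounts to, put together as an added example; it is not the original poster's config or anything from the thread, it just combines the posted dst-nat/src-nat rules with anav's forward-chain rule and Sob's suggestion to use src-nat instead of masquerade. It assumes ether1 is the WAN interface, 1.X.X.X is the static public address (placeholder kept from the thread), the proxy is 192.168.110.232 and the LAN is 192.168.110.0/24.

```routeros
# Added example, not the thread's own config. Assumed: ether1 = WAN,
# 1.X.X.X = static public address, 192.168.110.232 = HAProxy,
# 192.168.110.0/24 = LAN.

/ip firewall nat
# Normal outbound traffic: LAN -> Internet leaves as the public address.
add chain=srcnat out-interface=ether1 action=src-nat to-addresses=1.X.X.X \
    comment="LAN to Internet"
# Port forward to the proxy. No in-interface match, so it also catches LAN
# clients that connect to the public address (the hairpin case).
add chain=dstnat protocol=tcp dst-address=1.X.X.X dst-port=80,443 \
    action=dst-nat to-addresses=192.168.110.232 comment="IN 80,443 to PROXY"
# Hairpin: srcnat runs after dstnat, so dst-address is already the proxy here.
# Rewrite the LAN client's source to the public address so that the proxy's
# reply goes back through the router and the proxy never sees a private
# source it might have an ACL against.
add chain=srcnat protocol=tcp src-address=192.168.110.0/24 \
    dst-address=192.168.110.232 dst-port=80,443 \
    action=src-nat to-addresses=1.X.X.X comment="hairpin NAT to PROXY"

/ip firewall filter
# Accept every new connection that was dst-nat'ed, whatever interface it came
# in on. This must sit above any "drop all from WAN not DSTNATed" style rule.
add chain=forward connection-nat-state=dstnat connection-state=new \
    action=accept comment="allow port forwarding"
```

Two things to check after applying it: the hairpin srcnat rule should count hits when a LAN client opens https://1.X.X.X/, and the log should no longer show an ACK,RST coming back from the proxy. The trade-off of src-nat to the public address is that HAProxy logs every LAN client as 1.X.X.X, so any per-client ACLs or rate limits on the proxy will treat the whole LAN as one source.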

Thank you very much, Sob! It works. :slight_smile: