> I need it for my firewall it seems so I'll leave it for now.
In this case you may want to bypass conntrack for TCP port 80 traffic only. Also consider matching your backend traffic with -j NOTRACK.

You can read more about bypassing conntrack and the NOTRACK target here:
http://permalink.gmane.org/gmane.comp.web.haproxy/1386

Lukas
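
The suggestion in the reply above, as an added example that is not part of the original message: a shell function that prints an iptables-restore fragment exempting port 80 and the backend flows from conntrack, plus the INPUT accepts a stateful firewall then needs. The function name gen_notrack_rules, the backend address 192.0.2.10 and the backend port 8080 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. gen_notrack_rules is a
# hypothetical helper; the backend address and port are constructed values.

# gen_notrack_rules FRONT_PORT BACKEND_IP BACKEND_PORT
# Prints an iptables-restore fragment; nothing is applied to the kernel.
gen_notrack_rules() {
    [ "$#" -eq 3 ] || { echo "usage: gen_notrack_rules FRONT_PORT BACKEND_IP BACKEND_PORT" >&2; return 2; }
    fport=$1 bip=$2 bport=$3
    # Reject anything that is not a plain port number or dotted IPv4 address,
    # so no stray text ends up in the generated ruleset.
    for p in "$fport" "$bport"; do
        case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
    done
    case $bip in ''|*[!0-9.]*) echo "bad address: $bip" >&2; return 1 ;; esac
    cat <<EOF
*raw
# Front end: client -> proxy, then proxy -> client replies.
-A PREROUTING -p tcp --dport $fport -j NOTRACK
-A OUTPUT -p tcp --sport $fport -j NOTRACK
# Backend: proxy -> server, then server -> proxy replies.
-A OUTPUT -p tcp -d $bip --dport $bport -j NOTRACK
-A PREROUTING -p tcp -s $bip --sport $bport -j NOTRACK
COMMIT
*filter
# Untracked packets never match ESTABLISHED/RELATED, so a stateful INPUT
# policy needs explicit accepts. These are stateless: any TCP segment with
# the right address and port passes, which is the trade-off of this setup.
-A INPUT -p tcp --dport $fport -m conntrack --ctstate UNTRACKED -j ACCEPT
-A INPUT -p tcp -s $bip --sport $bport -m conntrack --ctstate UNTRACKED -j ACCEPT
COMMIT
EOF
}

# Constructed sample values. Review the output and merge it into your
# ruleset; the INPUT accepts must come before any final DROP/REJECT rule.
gen_notrack_rules 80 192.0.2.10 8080
```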

