1

Having issues following steps to transparent proxy outlined here:

Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer | HAProxy Technologies – Aloha Load Balancer

Believe to successfully done all the steps but having issues layer 4 TLS requests. The goal being in TCP mode load balance http requests on port 80 and port 443 onto webserver, where webserver terminates TLS connections. BUT to have the webserver not see the haproxy box IP but to see the client IP. The link above is the what i continually see referenced everywhere on the internet for accomplishing this. Currently HAProxy will not route requests if have the line: 

source 0.0.0.0 usesrc clientip

included in the backend. Removing that line however, haproxy routes corretly but webserver sees the ip from haproxy box, not client.

Here is the relevant set up and configs:

bash> lsmod | grep -i tproxy
 xt_TPROXY              17327  0
 nf_defrag_ipv6         34651  2 xt_socket,xt_TPROXY
 nf_defrag_ipv4         12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

bash>sudo sysctl -p
 vm.swappiness = 0
 net.ipv4.ip_nonlocal_bind = 1
 net.ipv4.ip_forward = 1

bash> sudo iptables -L -n -t mangle
 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination
 DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
 [...]
 Chain DIVERT (1 references)
 target     prot opt source               destination
 MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

bash>  ip rule show
 0: from all lookup local
 32762: from all fwmark 0x1 lookup 100 
 32766: from all lookup main
 32767: from all lookup default

bash> ip route show table 100
 local default dev lo  scope host

#haproxy.cfg
frontend layer4-listener
 bind *:80  transparent
 bind *:443 transparent
 bind *:3306
 bind *:8080
 mode tcp
 option      tcplog
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
 acl is_esp dst 10.10.130.79
 acl is_tls dst_port 443
 use_backend site_http if is_esp !is_tls
 use_backend site_https if is_esp is_tls  
backend site_https
 mode tcp
 option tcpka
 option tcp-check
 #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
 server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
 server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3

bash> haproxy -vv
 HA-Proxy version 1.5.4 2014/09/02
 Copyright 2000-2014 Willy Tarreau <w@1wt.eu>
 Build options :
 TARGET  = linux2628
 CPU     = generic
 CC      = gcc
 CFLAGS  = -O2 -g -fno-strict-aliasing
 OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

bash> uname -r
 3.10.0-229.4.2.el7.x86_64

From haproxy log:

Aug  5 13:06:24 localhost haproxy[61996]: 192.168.3.210:52248 [05/Aug/2015:13:05:44.815] layer4-listener site_https/site_www1 30002/-1/40001 0 sC 8/7/3/1/+3 0/0
alexus
  • 13,112
  • 32
  • 117
  • 174
richv
  • 146
  • 2
  • 8
  • The log line shows HAProxy could not establish a TCP connection on the server. It seems the server is not operational. Please add the keyword 'check' on the server lines, then try to understand why the servers aren't up. After this, we'll be able to see where your issue could come from. Baptiste – Baptiste Aug 06 '15 at 12:40
  • 1
    in backend config have both option tcp-check and check on server line. The server is up, ie if i removed the source 0.0.0.0 usesrc clientip it load balances, if i include that line it will not load balance. – richv Aug 06 '15 at 16:14
  • 1
    is there a way to determine if the loopback and/or firewall mark is happening? or a way to use tcpdump or netstat to see if the request is even leaving haproxy box or getting to backend server? – richv Aug 06 '15 at 22:51
  • more info: 1) A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1) 2) A SYN-ACK packet from web1 back to haproxy2 3) A RST packet from haproxy2 to web1. – richv Aug 07 '15 at 21:06
  • This looks like a health check :) – Baptiste Aug 08 '15 at 15:34
  • I failed to see how this was a health check issue as i have both check option on the server line as well as option tcp-check. That said, I removed both as just a test. This had no affect on the outcome. ie, with source 0.0.0.0 usersrc clientip requests fail & and w/o that line requests succeed. – richv Aug 10 '15 at 16:23
  • oh I see, what we were seeing was in fact the health check sequence. – richv Aug 10 '15 at 17:48
  • The TCP handshake is going as follows: client sends a SYN. Haproxy server sends the SYN onto the websever. The Webserver sends a SYN/ACK to the client. The client sends a RST. How does the webserver know to send the SYN/ACK back to the haproxy server? – richv Aug 11 '15 at 21:38
  • Hi Rich, As explained on HAProxy's ML, simply change the default gateway of your server to point to your HAProxy box. Baptiste – Baptiste Aug 13 '15 at 09:43

0 Answers0