
I have problems with transparent HAProxy. I use CentOS 7 with the ius-repo, so it is compiled with TPROXY support. No fancy things here, just the basics. Flat IP space, no routing involved (yet). I have other options set as well (ip_forward, non-local bind).

I have a web server with some content (Apache on srv1 with IP 192.168.1.10) and a HAProxy box (v1.8.9) with one interface, IP 192.168.1.11, one rule with frontend and backend, binding to 192.168.1.11:80. Traffic should be redirected to 192.168.1.10 tcp/80. Running in tcp mode (this is a demo for a TCP service, so http mode won't fit in the end).

From the HAProxy box I can do a wget to its own IP 192.168.1.11 and this results in a correct call and answer to/from the Apache box. But when I try to do the same from another client (192.168.1.12), the wget hangs on "HTTP request sent, awaiting response... ^C". If I remove the option 'source 0.0.0.0 usesrc clientip' from the backend, stuff works, but then the client IP is the IP of the HAProxy box, which I don't want. I also did the iptables magic that is there on the net.

So, simply: client -> HAProxy -> web server, but I need the client IP.

Any ideas?

2 Answers

1

Are you sure that you have configured TPROXY in the Kernel, and set the correct firewall marks?

https://www.loadbalancer.org/blog/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/

  • Yep, as said I am using the ius-repo, where HAProxy is built with TPROXY support compiled in. Do I need to also enable things in the CentOS kernel? And if so, how? – user474614 Jun 26 '18 at 12:03
  • OK, so have you also got two subnets and the HAProxy unit as the default gateway for the servers? AND you need to activate TPROXY in your firewall on the HAProxy unit as follows:

    ```bash
    #!/bin/bash
    iptables -t mangle -N DIVERT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 111
    iptables -t mangle -A DIVERT -j ACCEPT
    ip rule add fwmark 111 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100
    ```

    – Malcolm turnbull Jun 27 '18 at 17:12
  • I have one single subnet. Could that be a problem? – user474614 Jun 28 '18 at 19:07
  • In short - YES. It's way easier to do it with two different subnets - so that the kernel can define what gets the TPROXY treatment. It's a pretty magical trick at the end of the day - as it effectively puts the wrong IP address as the source, which makes it hard not to break the network in the process. – Malcolm turnbull Jun 29 '18 at 20:38
0

I have the same problem, but in pfSense HAProxy. The order traffic passes through my network is: client internet ---> firewall (HAProxy) ---> WAF ---> server. Of course, the server's gateway is the firewall's LAN interface.

When I set transparent client IP on the HAProxy backend, as well as X-Forwarded-For in the frontend to show the client source IP, the server itself cannot receive the response. I solved the problem by setting the WAF VIP against the site's DNS name in /etc/hosts, as well as in the container, for example: 192.168.1.10 (VIP WAF) mydomain.ir