I verified the default gw and it seems correct.
I also added the suggested rules, but nothing changed.
The error "503 Service Unavailable" persists.

So now I tried this test.

1) Without transparent proxy
on HAPROXY_SERVER:
> netstat -ctnup | grep 192.168.1.20:80 (ok, established connection shown)
on WEB_SERVER:
> netstat -ctnup | grep 192.168.1.21:80 (ok, established connection shown)

2) With transparent proxy activated
on HAPROXY_SERVER:
> netstat -ctnup | grep 192.168.1.20:80 (ok, established connection shown)
on WEB_SERVER:
> netstat -ctnup | grep 192.168.1.21:80 (nothing shown)

So, probably there is a forwarding problem... Am I right?
Does anyone have an idea how to resolve this issue?

Thanks, Daniele


James Little wrote:
Also for some reason if you are using the new kernel and the new
iptables (as you seem to be)
you need to specify the firewall mark on EVERY interface:

ip rule add dev eth0 fwmark 111 lookup 100
ip rule add dev eth1 fwmark 111 lookup 100
ip rule add dev eth2 fwmark 111 lookup 100
ip rule add dev eth3 fwmark 111 lookup 100

Not sure why......


On 19 March 2010 18:55, Willy Tarreau <w...@1wt.eu> wrote:
Hi,

On Fri, Mar 19, 2010 at 07:03:47PM +0100, Daniele Genetti wrote:
Hello,

I have one big problem with HAproxy compiled with tproxy support.

This is the situation...

HAPROXY_SERVER
os: ubuntu server
kernel: 2.6.31 (so with tproxy support)
iptables: 1.4.4 (so with tproxy support)
ip: 192.168.1.20

WEB_SERVER
os: debian
kernel: 2.6.26
iptables: 1.4.2
ip: 192.168.1.21

I set up haproxy and with "normal" rules and configuration all works well!

When I try to make the proxy transparent by adding this line to the
configuration:
source 0.0.0.0 usesrc clientip
the result is that all connections get "503 Service Unavailable".

On HAPROXY_SERVER I added these rules:
---
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
---

I also changed the HAPROXY_SERVER sysctls with:
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/eth0/send_redirects

Where am I wrong?
Have you got any ideas?

Thanks! Daniel

I suspect that you forgot to change your servers' default gateway
to point to the haproxy machine, and that they are responding
directly to the client without passing through haproxy.

Regards,
Willy


--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/
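
Added example, not part of any message in this thread: a POSIX shell check that the three pieces quoted above agree, namely the mark set in the DIVERT chain, the `fwmark` in `ip rule`, and the local default route in the table that rule selects (the thread uses mark 1 in one message and 111 in another). The function names and sample text are constructed for illustration; the inputs are meant to be text captured with `iptables-save -t mangle`, `ip rule show` and `ip route show table 100`.

```shell
# "1", "0x1" and "0x1/0xffffffff" are the same mark: drop the mask, print decimal.
norm_mark() { echo $(( ${1%%/*} )); }

# Mark set in the DIVERT chain (--set-mark or --set-xmark form), or nothing.
divert_mark() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^-A DIVERT .*--set-x\{0,1\}mark \([^ ]*\).*/\1/p' | head -n 1)
    if [ -n "$v" ]; then norm_mark "$v"; fi
}

# Table that `ip rule show` text ($1) selects for decimal mark $2, or nothing.
table_for_mark() {
    printf '%s\n' "$1" | while read -r line; do
        case $line in *fwmark*lookup*) ;; *) continue ;; esac
        m=${line#*fwmark }; m=${m%% *}
        t=${line#*lookup }; t=${t%% *}
        if [ "$(norm_mark "$m")" = "$2" ]; then echo "$t"; break; fi
    done
}

# $1 mangle rules, $2 `ip rule show`, $3 table id, $4 routes of that table.
# Prints "ok" or the first piece that is missing or inconsistent.
check_tproxy() {
    if ! printf '%s\n' "$1" | grep -q -e '-m socket.*-j DIVERT'; then
        echo "no-socket-match"; return 0
    fi
    mark=$(divert_mark "$1")
    if [ -z "$mark" ]; then echo "no-mark-in-DIVERT"; return 0; fi
    table=$(table_for_mark "$2" "$mark")
    if [ -z "$table" ]; then echo "no-rule-for-mark-$mark"; return 0; fi
    if [ "$table" != "$3" ]; then echo "rule-uses-table-$table"; return 0; fi
    case $4 in
        *"local default"*|*"local 0.0.0.0/0"*) echo "ok" ;;
        *) echo "no-local-default-in-table-$3" ;;
    esac
}

# Constructed sample input, not captured from the machines in this thread.
MANGLE='-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'
RULES_MARK1='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
RULES_MARK111='32765: from all fwmark 0x6f iif eth0 lookup 100'
ROUTES='local default dev lo scope host'

check_tproxy "$MANGLE" "$RULES_MARK1" 100 "$ROUTES"
check_tproxy "$MANGLE" "$RULES_MARK111" 100 "$ROUTES"
```

The second call reports `no-rule-for-mark-1`: the chain marks packets with 1 while the only rule matches 111 (0x6f), so marked packets never reach table 100.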
