Hello HAProxy developers/users,

I would like to be able to run HAProxy transparently on FreeBSD 8.3.
This would be both for my own usage and also to make it available to a larger public by including it in a 'haproxy-devel' package for pfSense.

However, when trying to use it I get the error:
[ALERT] 104/235847 (72477) : parsing [/var/etc/haproxy.cfg:34] : 'usesrc' not allowed here because support for TPROXY was not compiled in.

From what I read it seems it should be possible.
For example the Makefile contains the following:
ifeq ($(TARGET),freebsd)
  USE_TPROXY     = implicit
Which seems like it is supposed to be 'supported'.

I've also tried the USE_LINUX_TPROXY=yes compile flag, but this returns 2 undeclared variables, SOL_IP and SOL_IPV6. I've tried declaring them with substitute values like 'IP_BINDANY', or the value 6 which could stand for the TCP protocol type, or 0, but though the source did then compile, the end result still was that either an error was returned to the browser that no backend was available, together with the following debug error:
[ALERT] 104/235129 (17380) : Cannot bind to tproxy source address before connect() for backend pb3TEST_http. Aborting.
Or I don't get a response at all and HAProxy seems to be waiting for 'something' to happen..

Could it be that something is not fully supported in HAProxy together with FreeBSD to allow transparent proxying? Or am I looking at the wrong side of the problem and would I need to compile the FreeBSD kernel with tproxy support? Which I believe would be natively supported in version 8, but I might be wrong on that..


If I add after "setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one)" this line:
setsockopt(fd, SOL_IP, IP_FREEBIND, &one, sizeof(one));
It removes the error about 'Cannot bind to tproxy source address...' and packets do seem to be sent to the proper destination. Except the connection never establishes..

The browser running on 192.168.1.50 contacts HAProxy on its IP:port http://192.168.1.22:81/. HAProxy then forwards the traffic to the server 192.168.0.40.81 which is according to status page "L7OK/200 in 0ms".

Also the reply packets get routed back to the original client pc (wireshark confirmed that..), and seem not to get intercepted by HAProxy, which I think is supposed to happen? when passing through the 'FreeBSD router'.

But when performing a tcpdump on the interface in the 192.168.0.117 network only SYN and SYN-ack packets seem to be 'exchanged'.. But never any actual 'data'
21:02:04.915310 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq 352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1556876 ecr 0], length 0
21:02:04.915464 IP 192.168.0.40.81 > 192.168.1.50.51194: Flags [S.], seq 4102632929, ack 352103920, win 8192, options [mss 1260,nop,wscale 8,sackOK,TS val 1281557 ecr 1556876], length 0
21:02:04.915546 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq 352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1556876 ecr 0], length 0
21:02:07.910690 IP 192.168.0.40.81 > 192.168.1.50.51194: Flags [S.], seq 4102632929, ack 352103920, win 8192, options [mss 1260,nop,wscale 8,sackOK,TS val 1281857 ecr 1556876], length 0
21:02:07.911073 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq 352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1557176 ecr 0], length 0
21:02:07.911079 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq 352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1557176 ecr 0], length 0
21:02:11.110673 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq 352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1557496 ecr 0], length 0
21:02:11.110685 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq 352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1557496 ecr 0], length 0
21:02:13.913959 IP 192.168.0.40.81 > 192.168.1.50.51194: Flags [S.], seq 4102632929, ack 352103920, win 8192, options [mss 1260,sackOK,TS val 1282457 ecr 1556876], length 0

While when the pc contacts the webserver directly it works 'normally'..
20:45:12.746359 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [S], seq 24635592, win 64240, options [mss 1460,nop,nop,sackOK], length 0
20:45:12.746473 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [S.], seq 3353931105, ack 24635593, win 8192, options [mss 1260,nop,nop,sackOK], length 0
20:45:12.746937 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [.], ack 1, win 64260, length 0
20:45:12.747071 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [P.], ack 1, win 64260, length 282
20:45:12.750878 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [.], ack 283, win 65520, length 1260
20:45:12.751005 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [P.], ack 283, win 65520, length 1142
20:45:12.751463 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [.], ack 2403, win 64260, length 0
20:45:12.800179 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [P.], ack 2403, win 64260, length 297
20:45:12.800753 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [.], ack 580, win 65223, length 1260
20:45:12.800871 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [P.], ack 580, win 65223, length 151
20:45:12.801488 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [.], ack 3814, win 64260, length 0

See below my configuration of HAProxy:
global
    maxconn            300
    log            /var/run/log    local6    debug
    stats socket /tmp/haproxy.socket level admin
    nbproc            1
    chroot            /var/empty
    daemon
frontend test_pb3
    bind            192.168.1.22:81
    mode            http
    log            global
    option            dontlognull
    maxconn            444
    timeout client        30000
    default_backend        pb3TEST_http
backend pb3TEST_http
    mode            http
    timeout connect        30000
    timeout server        30000
    retries            3
    option            httpchk OPTIONS /
    source 192.168.0.117 usesrc clientip
    server pb3_srv 192.168.0.40:81 check inter 10000 weight 1

Could someone give me advice on what might need to change, what to test or how I could proceed further with making it work?

Thanks in advance,
PiBa-NL
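
An added example, not part of the original post: a small check that classifies each flow in tcpdump text by whether the three-way handshake completes, run over lines abridged from the two captures quoted above. The names handshake_report, STUCK and DIRECT belong to this example only.

```python
import re
from collections import defaultdict

# Abridged from the two captures quoted in the post (TCP options trimmed).
STUCK = """\
21:02:04.915310 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq 352103919, win 65228, length 0
21:02:04.915464 IP 192.168.0.40.81 > 192.168.1.50.51194: Flags [S.], seq 4102632929, ack 352103920, win 8192, length 0
21:02:07.910690 IP 192.168.0.40.81 > 192.168.1.50.51194: Flags [S.], seq 4102632929, ack 352103920, win 8192, length 0
21:02:07.911073 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq 352103919, win 65228, length 0
"""
DIRECT = """\
20:45:12.746359 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [S], seq 24635592, win 64240, length 0
20:45:12.746473 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [S.], seq 3353931105, ack 24635593, win 8192, length 0
20:45:12.746937 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [.], ack 1, win 64260, length 0
20:45:12.747071 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [P.], ack 1, win 64260, length 282
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]+)\].*length (\d+)")

def handshake_report(capture):
    """Classify each TCP flow, keyed by (SYN sender, SYN receiver)."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "client_acks": 0, "payload": 0})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, flags, length = m[1], m[2], m[3], int(m[4])
        if flags == "S":                      # initial SYN or a retransmission
            flows[(src, dst)]["syn"] += 1
        elif flags == "S." and (dst, src) in flows:
            flows[(dst, src)]["synack"] += 1
        elif (src, dst) in flows:             # client -> server, after the SYN
            flows[(src, dst)]["client_acks"] += "." in flags
            flows[(src, dst)]["payload"] += length
        elif (dst, src) in flows:             # server -> client data or ACKs
            flows[(dst, src)]["payload"] += length
    for f in flows.values():
        if f["synack"] == 0:
            f["status"] = "no-reply"
        elif f["client_acks"] == 0:
            f["status"] = "handshake-stuck"   # SYN-ACK seen, never acknowledged
        else:
            f["status"] = "established"
    return dict(flows)

if __name__ == "__main__":
    for name, cap in (("via haproxy", STUCK), ("direct", DIRECT)):
        for (client, server), f in handshake_report(cap).items():
            print(f"{name}: {client} -> {server}: {f}")
```

A flow reported as handshake-stuck with repeated SYN and SYN-ACK counts means the SYN-ACK was seen on the captured interface but no ACK from the connecting side followed it.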
