Lukas Tribus wrote, On 01/15/2015 07:24 PM:

Port forwarding to a different IP on the same haproxy box causes haproxy to behave
buggy.
This error happens when one uses the TPROXY target for port forwarding,
i.e. like this:

Let's say the IP of the main interface is 192.168.100.100,
and traffic from outside to port 1234 shall be forwarded
to a virtual IP 192.168.100.101 and port 5678 on the same host, i.e.:

I don't understand what you are trying to do and why. Can you elaborate what
you are trying to do (in production, not in a lab) and can you also share the
haproxy configuration?

Ok, let me explain:

Internet clients (let's say using a generic TCP protocol) connect
to a public port on the proxy server. The proxy server forwards the
packets to the (internal) backend server.

Now, suppose you have two IPs on the proxy server (in my case
both in the same /24 subnet),
and you want to accept public clients only on the first IP
and from there on route the packets via the 2nd IP to the backend server
(in my case the backend server is also in the same subnet).

The question is: how can one forward to the second IP:port?
One of the possible solutions is to use the iptables TPROXY target
for that (it works). But if done so, then haproxy has a problem.
And that's the whole point of this bug report.

As said in the initial posting, the IP of the proxy server is 192.168.100.100
and public port 1234; it needs to be forwarded to the 2nd IP 192.168.100.101
port 5678, and from there to the backend server 192.168.100.102:9999.
Of course the backend server needs the originating IP of the client,
hence the transparent proxy requirement.

Here's my minimal haproxy cfg:

global
   maxconn 512

defaults
   # frontends inherit this; without it MyFrontend defaults to http mode
   # and haproxy rejects it as the default_backend of a tcp backend
   mode tcp
   timeout connect 1m
   timeout client  2m
   timeout server  2m
   #option redispatch

frontend MyFrontend
   # the VIP:port that the iptables TPROXY rule redirects
   # public traffic for 192.168.100.100:1234 to
   bind    192.168.100.101:5678
   default_backend  Transparent_tcp

backend Transparent_tcp
   mode tcp
   # connect to the server with the client's own IP as source address
   # (needs a TPROXY-enabled build/kernel and CAP_NET_ADMIN)
   source 0.0.0.0 usesrc client
   server MyServer 192.168.100.102:9999


TPROXY is used to intercept TCP connections of non-local IPs. Using TPROXY
with IPs that are configured on your local machine makes no sense.

Yes of course true; I'm using TPROXY to pass the original IP of the client to the backend server.


Regards,
Uenal
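
The kernel-side part of the setup described above, as an added example that is not part of the thread and not Uenal's or the haproxy project's own script. It assumes the addresses and ports from the thread (192.168.100.100:1234 redirected to the VIP 192.168.100.101:5678, backend 192.168.100.102:9999); the chain name DIVERT, firewall mark 1 and routing table 100 are arbitrary choices. Two things are needed for `source 0.0.0.0 usesrc client` to work at all: the TPROXY redirect of the public port to the VIP, and a policy route that delivers the backend's replies (addressed to the client's IP, which is not local) to the transparent socket haproxy opened, which is what the `-m socket` rule and the local route in table 100 do. The script only prints the commands unless run with `DRY_RUN=0` as root.

```shell
#!/bin/sh
# Added example: iptables/ip setup for the TPROXY + haproxy topology from the thread.
# Addresses come from the thread; DIVERT/mark/table names are assumptions.
PROXY_IP=${PROXY_IP:-192.168.100.100}   # public IP that clients connect to
PUBLIC_PORT=${PUBLIC_PORT:-1234}        # public port
VIP=${VIP:-192.168.100.101}             # 2nd IP on the same box, haproxy binds here
VIP_PORT=${VIP_PORT:-5678}              # port haproxy listens on
MARK=${MARK:-1}                         # fwmark used to select the local route
TABLE=${TABLE:-100}                     # policy routing table holding that route
DRY_RUN=${DRY_RUN:-1}                   # 1 = print commands only, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

tproxy_setup() {
    # Marked packets are routed through table 100, whose only route says
    # "every destination is local": that is how replies from the backend
    # (dst = client IP) reach haproxy's transparent socket instead of being
    # forwarded back out.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"

    # DIVERT: mark any TCP packet for which a local socket already exists.
    # For this box that is haproxy's outgoing connection bound to the client IP
    # (IP_TRANSPARENT), so backend replies get the mark and the local route.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

    # New client connections to PROXY_IP:PUBLIC_PORT are handed to the listener
    # on VIP:VIP_PORT without rewriting the packet; the mark keeps them on the
    # local route. TPROXY only accepts a listener that has IP_TRANSPARENT set,
    # so the haproxy bind line needs the "transparent" keyword.
    run iptables -t mangle -A PREROUTING -d "$PROXY_IP" -p tcp --dport "$PUBLIC_PORT" \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-ip "$VIP" --on-port "$VIP_PORT"
}

tproxy_teardown() {
    run iptables -t mangle -D PREROUTING -d "$PROXY_IP" -p tcp --dport "$PUBLIC_PORT" \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-ip "$VIP" --on-port "$VIP_PORT"
    run iptables -t mangle -D PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -F DIVERT
    run iptables -t mangle -X DIVERT
    run ip route del local 0.0.0.0/0 dev lo table "$TABLE"
    run ip rule del fwmark "$MARK" lookup "$TABLE"
}

case "${1:-}" in
    up)   tproxy_setup ;;
    down) tproxy_teardown ;;
esac
```

Usage: `DRY_RUN=0 sh tproxy.sh up` as root (and `down` to undo). Beyond the rules, the backend 192.168.100.102 must route traffic for the client addresses back through the proxy box (typically by using it as default gateway), otherwise its replies never pass the DIVERT rule; haproxy needs CAP_NET_ADMIN for the IP_TRANSPARENT sockets that `usesrc client` creates; and the kernel needs the xt_TPROXY and xt_socket modules.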
