getting transparent proxy to work.

Fri, 07 Aug 2015 14:06:37 -0700 

Hello, this is my first time using the mailing list. I have the following issue.


Followed steps to enable transparent proxy outlined here:

Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer | 
HAProxy Technologies - Aloha Load 
Balancer<http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/>


It will not load balance however w/ the following line added:


source 0.0.0.0 usesrc clientip

Here is all the configuration and setup relevent:


bash> lsmod | grep -i tproxy
 xt_TPROXY              17327  0
 nf_defrag_ipv6         34651  2 xt_socket,xt_TPROXY
 nf_defrag_ipv4         12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

bash>sudo sysctl -p
 vm.swappiness = 0
 net.ipv4.ip_nonlocal_bind = 1
 net.ipv4.ip_forward = 1

bash> sudo iptables -L -n -t mangle
 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination
 DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
 [...]
 Chain DIVERT (1 references)
 target     prot opt source               destination
 MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

bash>  ip rule show
 0: from all lookup local
 32762: from all fwmark 0x1 lookup 100
 32766: from all lookup main
 32767: from all lookup default

bash> ip route show table 100
 local default dev lo  scope host

#haproxy.cfg
frontend layer4-listener
 bind *:80  transparent
 bind *:443 transparent
 bind *:3306
 bind *:8080
 mode tcp
 option      tcplog
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
 acl is_esp dst 10.10.130.79
 acl is_tls dst_port 443
 use_backend site_http if is_esp !is_tls
 use_backend site_https if is_esp is_tls
backend site_https
 mode tcp
 option tcpka
 option tcp-check
 #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
 server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
 server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3

bash> haproxy -vv
 HA-Proxy version 1.5.4 2014/09/02
 Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
 Build options :
 TARGET  = linux2628
 CPU     = generic
 CC      = gcc
 CFLAGS  = -O2 -g -fno-strict-aliasing
 OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

bash> uname -r
 3.10.0-229.4.2.el7.x86_64

Our network admin was indicated the following:


  1.  A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
  2.  A SYN-ACK packet from web1 back to haproxy2
  3.  A RST packet from haproxy2 to web1.?


Anyone able/willing to help and/or give insight into this issue?


Thanks

Reply via email to