Hello, this is my first time using the mailing list. I have the following issue.
Followed steps to enable transparent proxy outlined here: Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer | HAProxy Technologies - Aloha Load Balancer <http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/>

It will not load balance however w/ the following line added:

    source 0.0.0.0 usesrc clientip

Here is all the configuration and setup relevant:

    bash> lsmod | grep -i tproxy
    xt_TPROXY              17327  0
    nf_defrag_ipv6         34651  2 xt_socket,xt_TPROXY
    nf_defrag_ipv4         12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

    bash> sudo sysctl -p
    vm.swappiness = 0
    net.ipv4.ip_nonlocal_bind = 1
    net.ipv4.ip_forward = 1

    bash> sudo iptables -L -n -t mangle
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
    [...]
    Chain DIVERT (1 references)
    target     prot opt source               destination
    MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

    bash> ip rule show
    0:      from all lookup local
    32762:  from all fwmark 0x1 lookup 100
    32766:  from all lookup main
    32767:  from all lookup default

    bash> ip route show table 100
    local default dev lo scope host

    #haproxy.cfg
    frontend layer4-listener
        bind *:80 transparent
        bind *:443 transparent
        bind *:3306
        bind *:8080
        mode tcp
        option tcplog
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
        acl is_esp dst 10.10.130.79
        acl is_tls dst_port 443
        use_backend site_http if is_esp !is_tls
        use_backend site_https if is_esp is_tls

    backend site_https
        mode tcp
        option tcpka
        option tcp-check
        #source 0.0.0.0 usesrc clientip   ## load balancing only works when commented out
        server site_www1 www1.site.org:443 weight 1 check inter 2000 rise 2 fall 3
        server site_www2 www2.site.org:443 weight 1 check inter 2000 rise 2 fall 3

    bash> haproxy -vv
    HA-Proxy version 1.5.4 2014/09/02
    Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>

    Build options :
      TARGET  = linux2628
      CPU     = generic
      CC      = gcc
      CFLAGS  = -O2 -g -fno-strict-aliasing
      OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

    bash> uname -r
    3.10.0-229.4.2.el7.x86_64

Our network admin indicated the following:

1. A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
2. A SYN-ACK packet from web1 back to haproxy2
3. A RST packet from haproxy2 to web1.

Anyone able/willing to help and/or give insight into this issue? Thanks
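As an added example, not part of the original post, here is a small POSIX shell checker for the pieces quoted above: the DIVERT chain's mark, the `ip rule` fwmark entry, the route table it selects, and `ip_nonlocal_bind`. The sample outputs below are constructed from the post; on a live host you would substitute the real output of `iptables -L -n -t mangle`, `ip rule show`, `ip route show table N` and `sysctl -p`.

```shell
#!/bin/sh
# Added example: verify that TPROXY return-path plumbing chains together
# (DIVERT sets a mark -> an ip rule sends that mark to a table -> the table
# delivers via lo) and that nonlocal bind is on. Samples are constructed.

MANGLE='Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'
RULES='0:      from all lookup local
32762:  from all fwmark 0x1 lookup 100
32766:  from all lookup main'
ROUTE100='local default dev lo scope host'
SYSCTL='net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1'

# Mark value set by the DIVERT chain ("MARK set 0x1" -> 0x1).
divert_mark() { printf '%s\n' "$1" | awk '/MARK set/ { print $NF; exit }'; }

# Routing table the `ip rule` output selects for packets carrying mark $2.
rule_table_for_mark() {
  printf '%s\n' "$1" | awk -v m="$2" '{
    for (i = 1; i < NF; i++)
      if ($i == "fwmark" && $(i+1) == m)
        for (j = i; j < NF; j++)
          if ($j == "lookup") { print $(j+1); exit } }'
}

# Succeeds when the table delivers everything locally via lo.
table_has_local_lo() {
  printf '%s\n' "$1" | awk '$1 == "local" && /dev lo/ { ok = 1 } END { exit !ok }'
}

# Succeeds when sysctl key $2 is set to 1 in `sysctl -p` style output $1.
sysctl_is_one() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $3 == "1" { ok = 1 } END { exit !ok }'
}

# Walk the chain and report the first broken link; returns 0 only if all hold.
check_tproxy_plumbing() {
  mark=$(divert_mark "$1")
  [ -n "$mark" ] || { echo "DIVERT chain sets no mark"; return 1; }
  table=$(rule_table_for_mark "$2" "$mark")
  [ -n "$table" ] || { echo "no ip rule sends fwmark $mark to a table"; return 1; }
  table_has_local_lo "$3" || { echo "table $table has no local route via lo"; return 1; }
  sysctl_is_one "$4" net.ipv4.ip_nonlocal_bind || { echo "ip_nonlocal_bind is off"; return 1; }
  echo "ok: mark $mark -> table $table -> lo, nonlocal bind on"
}

check_tproxy_plumbing "$MANGLE" "$RULES" "$ROUTE100" "$SYSCTL"
```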