question about transparency
Hi,

I am running 2 mailservers with ASSP as a spam proxy. I use haproxy to load balance between the 2 mailservers. The problem is that the spam filter is seeing every connection coming from the load balancer and not the originating ip. Do you know how I make the connections from my HAproxy load balancer to my 2 mailservers transparent?

Kind regards,
Michiel
Re: question about transparency
I read this archive from 2008:
http://www.formilux.org/archives/haproxy/0801/0507.html

But the problem is that I can not recompile the kernel :(
Isn't there any other way like the x-forward-for header to make this work?

Kind regards,
Michiel

On 4/22/10 5:55 PM, Michiel van Es wrote:
> Hi,
>
> I am running 2 mailservers with ASSP as a spam proxy. I use haproxy to load balance between the 2 mailservers. The problem is that the spam filter is seeing every connection coming from the load balancer and not the originating ip. Do you know how I make the connections from my HAproxy load balancer to my 2 mailservers transparent?
>
> Kind regards,
> Michiel
Re: question about transparency
Michiel van Es wrote:
> I read this archive from 2008:
> http://www.formilux.org/archives/haproxy/0801/0507.html
>
> But the problem is that I can not recompile the kernel :(
> Isn't there any other way like the x-forward-for header to make this work?

As this runs on layer 4, headers can not be inserted. If you wish to be able to see the originating IP addresses you will probably want to use LVS load balancing.

Chris
Re: question about transparency
On 4/22/10 6:03 PM, Chris Sarginson wrote:
> Michiel van Es wrote:
>> I read this archive from 2008:
>> http://www.formilux.org/archives/haproxy/0801/0507.html
>>
>> But the problem is that I can not recompile the kernel :(
>> Isn't there any other way like the x-forward-for header to make this work?
>
> As this runs on layer 4, headers can not be inserted. If you wish to be able to see the originating IP addresses you will probably want to use LVS load balancing.

Hmmm.. that is too bad.. then I have to work out a new LVS setup after I finally got HAproxy up and running :(
Why isn't it possible with smtp but it is working with http?

> Chris

Michiel
RE: question about transparency
-----Original Message-----
From: Michiel van Es [mailto:m...@pcintelligence.nl]
Sent: Thursday, 22 April 2010 18:11
To: Chris Sarginson
Cc: haproxy@formilux.org
Subject: Re: question about transparency

> On 4/22/10 6:03 PM, Chris Sarginson wrote:
>> Michiel van Es wrote:
>>> I read this archive from 2008:
>>> http://www.formilux.org/archives/haproxy/0801/0507.html
>>>
>>> But the problem is that I can not recompile the kernel :(
>>> Isn't there any other way like the x-forward-for header to make this work?
>>
>> As this runs on layer 4, headers can not be inserted. If you wish to be able to see the originating IP addresses you will probably want to use LVS load balancing.
>
> Hmmm.. that is too bad.. then I have to work out a new LVS setup after I finally got HAproxy up and running :(
> Why isn't it possible with smtp but it is working with http?
>
>> Chris
>
> Michiel

Hello,

I think what you are looking for is XCLIENT support, which is described here:
http://www.postfix.org/XCLIENT_README.html

The support for this in haproxy has already been discussed on this ml (see for ex.: http://www.mail-archive.com/haproxy@formilux.org/msg00482.html) but I can't confirm if this has finally been implemented or not (I doubt it as there does not seem to be anything about it in the latest documentation).

Emmanuel
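
Added example, not part of the thread and not HAProxy or Postfix code: a sketch of what a front end that speaks XCLIENT, as described in the Postfix README linked above, would send to the backend on behalf of the real client. The function names and the sample EHLO reply are constructed for illustration; the backend is assumed to accept XCLIENT only from the load balancer's address (Postfix `smtpd_authorized_xclient_hosts`).

```python
import ipaddress

# Constructed EHLO reply from a backend that offers XCLIENT (sample data).
SAMPLE_EHLO = [
    "250-mail1.example.test",
    "250-PIPELINING",
    "250-XCLIENT NAME ADDR PROTO HELO",
    "250 8BITMIME",
]

def xclient_attrs(ehlo_lines):
    """Return the XCLIENT attribute names the backend advertises, if any."""
    for line in ehlo_lines:
        words = line[4:].split()  # drop the "250-" / "250 " prefix
        if words and words[0].upper() == "XCLIENT":
            return {w.upper() for w in words[1:]}
    return set()

def xtext(value):
    """xtext-encode a value: bytes outside '!'..'~', plus '+' and '=', become +HH."""
    return "".join(
        chr(b) if 0x21 <= b <= 0x7E and b not in b"+=" else "+%02X" % b
        for b in value.encode("utf-8")
    )

def build_xclient(peer_ip, helo, advertised):
    """Build the XCLIENT line for the real client behind the proxy."""
    if "ADDR" not in advertised:
        raise ValueError("backend does not advertise XCLIENT ADDR")
    ip = ipaddress.ip_address(peer_ip)  # raises ValueError on anything but an IP
    parts = ["ADDR=" + ("IPV6:%s" % ip if ip.version == 6 else str(ip))]
    if helo and "HELO" in advertised:
        parts.append("HELO=" + xtext(helo))  # client-supplied, so always encoded
    return "XCLIENT " + " ".join(parts) + "\r\n"

def xclient_accepted(reply):
    """A 220 reply means the session was reset with the new client identity."""
    return reply.startswith("220")

if __name__ == "__main__":
    attrs = xclient_attrs(SAMPLE_EHLO)
    print(build_xclient("192.0.2.10", "mx.sender.example", attrs), end="")
```

After a 220 reply the session is back at the greeting stage, so the front end sends EHLO again before relaying the client's commands. Validating the address and encoding the HELO value keeps a client-supplied string from smuggling CR/LF into the backend's command stream.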
Re: question about transparency
Hi,

Why don't you use 2 MX records with the same weight?
All email will come in to your 2 servers.

Just my 2¢

Bye

Michiel van Es wrote:
> Hi,
>
> I am running 2 mailservers with ASSP as a spam proxy. I use haproxy to load balance between the 2 mailservers. The problem is that the spam filter is seeing every connection coming from the load balancer and not the originating ip. Do you know how I make the connections from my HAproxy load balancer to my 2 mailservers transparent?
>
> Kind regards,
> Michiel

--
Guillaume Bourque, B.Sc.,
consultant, libre technology infrastructures!
514 576-7638
Re: question about transparency
Yes,

That is the default smtp failover setup but I want to balance the load via a load balancer setup.
MX records can not balance load.

Regards,
Michiel van Es

On 22 Apr 2010, at 19:06, Guillaume Bourque guillaume.bour...@gmail.com wrote:

> Hi,
>
> Why don't you use 2 MX records with the same weight?
> All email will come in to your 2 servers.
>
> Just my 2¢
>
> Bye
>
> Michiel van Es wrote:
>> Hi,
>>
>> I am running 2 mailservers with ASSP as a spam proxy. I use haproxy to load balance between the 2 mailservers. The problem is that the spam filter is seeing every connection coming from the load balancer and not the originating ip. Do you know how I make the connections from my HAproxy load balancer to my 2 mailservers transparent?
>>
>> Kind regards,
>> Michiel
>
> --
> Guillaume Bourque, B.Sc.,
> consultant, libre technology infrastructures!
> 514 576-7638
Re: question about transparency
Hmm, I found out that it is not supported for mode tcp:

Starting HAproxy: [WARNING] 111/213701 (5089) : config : 'option forwardfor' ignored for proxy 'load_balanced_smtp' as it requires HTTP mode.
[ OK ]

Is this possible for the mode tcp and smtp and Haproxy?

Michiel

On 4/22/10 9:34 PM, Michiel van Es wrote:
> I am running ASSP on the mailservers, since 1.6.2 ASSP understands headers like x-forward-for:
>
> - Text to Identify Originating IP Header* (OriginatingIP)
>   If ASSP runs behind another server(s), no IP/HELO based filter will work. If a special header with the originating IP is inserted from the frontend server ASSP will use the originating IP to perform IP and HELO checks. For example: X-Forwarded-For|X-Originating-IP
>
> Is it possible to let HAproxy push such a header for smtp without recompiling the kernel on my load balancer with Tproxy support?
> I hope it works as it works for http out of the box :)
>
> Kind regards,
> Michiel
>
> On 4/22/10 8:28 PM, Michiel van Es wrote:
>> Yes,
>>
>> That is the default smtp failover setup but I want to balance the load via a load balancer setup.
>> MX records can not balance load.
>>
>> Regards,
>> Michiel van Es
>>
>> On 22 Apr 2010, at 19:06, Guillaume Bourque guillaume.bour...@gmail.com wrote:
>>
>>> Hi,
>>>
>>> Why don't you use 2 MX records with the same weight?
>>> All email will come in to your 2 servers.
>>>
>>> Just my 2¢
>>>
>>> Bye
>>>
>>> Michiel van Es wrote:
>>>> Hi,
>>>>
>>>> I am running 2 mailservers with ASSP as a spam proxy. I use haproxy to load balance between the 2 mailservers. The problem is that the spam filter is seeing every connection coming from the load balancer and not the originating ip. Do you know how I make the connections from my HAproxy load balancer to my 2 mailservers transparent?
>>>>
>>>> Kind regards,
>>>> Michiel
>>>
>>> --
>>> Guillaume Bourque, B.Sc.,
>>> consultant, libre technology infrastructures!
>>> 514 576-7638
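
Added example, not part of the thread and not ASSP's code: a header such as the X-Forwarded-For|X-Originating-IP pair quoted above can be written by any sender, so a filter should honour it only when the TCP peer is the known front end. The function name, the trusted-proxy list and the sample message are constructed, and the policy of falling back to the peer address when the header is missing, repeated or malformed is this example's assumption.

```python
import ipaddress
from email.parser import HeaderParser

# Header names taken from the ASSP OriginatingIP text quoted above.
HEADER_NAMES = ("X-Forwarded-For", "X-Originating-IP")

# Constructed sample message as it would arrive via the front end.
SAMPLE = (
    "Received: from lb.example.test\n"
    "X-Originating-IP: [198.51.100.7]\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def effective_client_ip(peer_ip, raw_message, trusted_proxies):
    """Return the address that IP/HELO checks should be run against."""
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(net) for net in trusted_proxies)
    if not trusted:
        # Direct connection: the header is sender-controlled, ignore it.
        return str(peer)
    msg = HeaderParser().parsestr(raw_message)
    values = [v for name in HEADER_NAMES for v in (msg.get_all(name) or [])]
    if len(values) != 1:
        # Missing or ambiguous (a sender may have added its own copy).
        return str(peer)
    candidate = values[0].strip().strip("[]")
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)  # not a single valid address

if __name__ == "__main__":
    print(effective_client_ip("10.0.0.5", SAMPLE, ["10.0.0.5/32"]))
```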
Re: forward proxy ?
On Thu, Apr 22, 2010 at 02:55:43PM +0200, Jan-Frode Myklebust wrote:
> On 2010-04-21, Willy Tarreau w...@1wt.eu wrote:
>> You can also use haproxy in front of squid to suppress the 502 in the response, because you can make it block this response (which normally also causes a 502 to be sent to the client), but you can define what to send on the 502 error. Basically it would look like this :
>>
>>     rspdeny ^HTTP/1.0\ 502
>>     errorfile 502 /dev/null
>
> Yes, thanks, this works. And I see I can also block it earlier using reqdeny.
>
>     reqdeny ^HEAD
>     errorfile 403 /dev/null

ah if you only need to block HEAD requests, you'd better use ACLs then, it's cheaper :

    http-request deny if { METH_HEAD }
    errorfile 403 /dev/null

You may even send those requests to a specific backend with its own error page so that you don't disturb the normal error 403 processing.

>> BTW, I'm recalling that squid also supports custom error responses, but I don't know if you can rewrite the status code or not.
>
> Yes, maybe, but the squid cache is shared by lots of other clients, while we only need to block a subset of these and can point them at a separate port. So HAproxy looks like a good solution for this. Although it's a hack I definitely would prefer not to go into production with.. better to fix the clients if we can.

yes, and if you go in prod with this, the application's developers will pretend there is no problem because it obviously works...

Willy
Re: question about transparency
On Thu, Apr 22, 2010 at 09:47:51PM +0200, Michiel van Es wrote:
> Hmm, I found out that it is not supported for mode tcp:
>
> Starting HAproxy: [WARNING] 111/213701 (5089) : config : 'option forwardfor' ignored for proxy 'load_balanced_smtp' as it requires HTTP mode.
> [ OK ]
>
> Is this possible for the mode tcp and smtp and Haproxy?

No, it is not supported. Maybe we'll support X-client one day, I don't know. It's easier to implement now with version 1.4 than it was in earlier versions.

I don't see why you want to remove your LVS. It's perfectly fit for SMTP.

Willy