FreeBSD with options transparent not working.
Hi, all!

We use HAProxy for our web system. And there is a statement that if the traffic is not HTTP, it will go to backend Direct, which is client-side transparent proxying. Here is the configuration. But we found that the Direct backend is not working. Can anyone tell me: are there any problems in my configuration? Or should there be any tuning on my FreeBSD?

global
    pidfile /var/run/haproxy.pid
    maxconn 20
    maxpipes 5
    daemon
    stats socket /tmp/haproxy.sock
    nbproc 4
    spread-checks 5
    tune.rcvbuf.client 16384
    tune.rcvbuf.server 16384
    tune.sndbuf.client 32768
    tune.sndbuf.server 16384

defaults
    #TCP SECTION
    maxconn 20
    backlog 32768
    timeout connect 5s
    timeout client 60s
    timeout server 60s
    timeout queue 60s
    timeout check 10s
    timeout http-request 15s
    timeout http-keep-alive 1s
    timeout tunnel 3600s
    option tcpka
    #HTTP SECTION
    hash-type consistent
    option accept-invalid-http-request
    option accept-invalid-http-response
    option redispatch
    option http-server-close
    option http-pretend-keepalive
    retries 2
    option httplog
    no option checkcache
    #SYSTEM SECTION
    option dontlog-normal
    option dontlognull
    option log-separate-errors

# frontend ##
frontend tcp-in
    bind :
    mode tcp
    log global
    option tcplog
    tcp-request inspect-delay 30s
    tcp-request content accept if HTTP
    use_backend NginxCluster if HTTP
    default_backend Direct

backend NginxCluster
    mode http
    option abortonclose
    balance uri whole
    log global
    source 0.0.0.0
    server ngx1 192.168.10.1:80 weight 20 check inter 5s maxconn 1
    server ngx2 192.168.10.2:80 weight 20 check inter 5s maxconn 1
    server ngx3 192.168.10.3:80 weight 20 check inter 5s maxconn 1

backend Direct
    mode tcp
    log global
    option tcplog
    no option httpclose
    no option http-server-close
    no option accept-invalid-http-response
    no option http-pretend-keepalive
    option transparent

Regards
Jinge
100% cpu load....
Hi list...

I've noticed that the HAProxy processes occasionally jump to 100% cpu load, while the load before and after these peaks is only 3-5%, and the traffic is also the same as outside of these cpu-peaks.

I saw a thread about this earlier (April/May), which concluded that there was a bug, which was fixed in 1.5-dev19. Since we were running dev18 and also experiencing this issue, we upgraded to dev19. However, on dev19 I'm also seeing these cpu-load peaks surface a few times per day.

As a precaution, we have configured nbproc to 7 currently (8 cores in these boxes). I've been able to get some straces on the processes eating 100%, but usually they drop back to 4% after I start the strace. I did see large amounts of sequential epoll_wait calls in the processes with 100% cpu load, and not with the other processes.

epoll_wait(0, {}, 200, 0) = 0    (repeated 10-15 times)

Haproxy config (edited)

# Defaults Section
defaults
    mode http
    timeout connect 5000ms
    timeout client 50ms
    timeout server 50ms
    option splice-auto
    option forwardfor
    option log-health-checks

# Global Options
global
    daemon
    maxconn 5
    log 192.168.99.10:514 local1 info
    stats socket /var/run/haproxy.sock uid 0 gid 0 mode 0600 level admin
    chroot /var/empty/haproxy
    user haproxy
    group haproxy
    nbproc 7
    node HOSTNAME
    spread-checks 5

listen stats
    deleted

frontend in-10
    bind IPIPIPIP:80 defer-accept
    bind IPIPIPIP:443 ssl crt /etc/haproxy/ssl/CERT.pem defer-accept ciphers RC4:HIGH:!aNULL:!MD5
    maxconn 10
    default_backend backend-10
    log global
    mode http
    option httplog
    option dontlog-normal
    acl SITE-DEAD nbsrv(backend-10) lt 1
    redirect location http://we-are-down.site.tld code 303 if SITE-DEAD

backend backend-10
    balance roundrobin
    option http-server-close
    option httpchk GET /test HTTP/1.0\nHost: site.tld\nConnection: close\n\n
    cookie JSESSIONID prefix
    server server1 IPIPIPIP:80 check inter 2 fall 5 downinter 3 maxconn 2000 cookie 4 weight 1
    server server2 IPIPIPIP:80 check inter 2 fall 5 downinter 3 maxconn 2000 cookie 5 weight 1
    server server3 IPIPIPIP:80 check inter 2 fall 5 downinter 3 maxconn 2000 cookie 6 weight 1
    server server4 IPIPIPIP:80 check inter 2 fall 5 downinter 3 maxconn 2000 cookie 0 weight 1
    appsession JSESSIONID len 64 timeout 3h request-learn mode path-parameters
    option redispatch
    option persist
    contimeout 2000
    log global

--
Mark Janssen -- maniac(at)maniac.nl
Unix / Linux Open-Source and Internet Consultant
Maniac.nl Sig-IO.nl Vps.Stoned-IT.com
Re: Combine http and https backend
Hi Mark,

I would do:

defaults HTTP
    mode http
    option http-server-close
    option httplog
    timeout client 10s
    timeout server 20s
    timeout connect 4s

frontend ft_myproxyB-http
    bind 212.12.12.12:80
    bind 212.24.24.24:80
    default_backend bk_myproxyB-http

backend bk_myproxyB-http
    balance roundrobin
    option httpchk
    server app07_backup 10.0.0.6:80 check port 80 inter 5000 backup
    server app08_master 10.0.0.7:80 check port 80 inter 5000

defaults TCP
    mode tcp
    option tcplog
    timeout client 60s
    timeout server 60s
    timeout connect 4s

frontend myproxyB-https
    bind 212.12.12.12:443
    bind 212.24.24.24:443
    default_backend bk_myproxyB-https

backend bk_myproxyB-https
    balance roundrobin
    option httpchk
    server app07_backup 10.0.0.6:443 check port 80 inter 5000 backup
    server app08_master 10.0.0.7:443 check port 80 inter 5000

Baptiste

On Wed, Jul 10, 2013 at 10:04 PM, Mark Ruys mark.r...@peercode.nl wrote:

Hi,

Just recently I discovered HAProxy and I'm really impressed. I've got a cluster setup together with Keepalived. Now I have a newbie question which someone might want to address. Which configuration is preferred:

listen myproxyA
    bind 212.12.12.12:80
    bind 212.12.12.12:443
    bind 212.24.24.24:80
    bind 212.24.24.24:443
    option httpchk
    option tcplog
    mode tcp
    balance roundrobin
    server app01_master 10.0.0.6 check port 80 inter 5000
    server app02_backup 10.0.0.7 check port 80 inter 5000 backup

or:

listen myproxyB-http
    bind 212.12.12.12:80
    bind 212.24.24.24:80
    balance roundrobin
    mode http
    option httpchk
    option httplog
    server app07_backup 10.0.0.6:80 check port 80 inter 5000 backup
    server app08_master 10.0.0.7:80 check port 80 inter 5000

listen myproxyB-https
    bind 212.12.12.12:443
    bind 212.24.24.24:443
    balance roundrobin
    mode tcp
    option httpchk
    option tcplog
    server app07_backup 10.0.0.6:443 check port 80 inter 5000 backup
    server app08_master 10.0.0.7:443 check port 80 inter 5000

Thank you,
Mark Ruys
Re: HAproxy Server large number of connections
jinge altman87120@... writes:

Thanks Amyas! But why just connect to the Direct (transparent) connection so high.

Which number is too high for direct? Maybe I misunderstood the question there. If I have maxconn 20 and I am getting 20 connections/sec then I will quickly end up with a huge number of sockets in various closing states - do you know what the tcp time_wait fin_wait2 timeouts are on your system? There are problems with setting the connection closing timeouts too low. The issues related to tuning tcp timeouts are complex and not universal:

http://serverfault.com/questions/329845/how-to-forcibly-close-a-socket-in-time-wait

I would do one thing until you have a working system - don't have any stuff in the defaults section, just put every option that you want to use in the frontend or backend so it is easier to see what options that part of your system is using explicitly. Others might disagree.

Another thing I would do is not not log normal, how do you know how long nginx is taking to service requests from an haproxy point of view, how do you know the final connection state of a connection for a request going through haproxy? Turning off log normal is probably ok after you are sure everything is running fine.
Re: FreeBSD with options transparent not working.
Hi, Baptiste!

But I just test with this and found no use.

Regards
Jinge

On 2013-7-11, at 5:35 PM, Baptiste bed...@gmail.com wrote:

Hi Jinge,

Could you update your source statement to:

source 0.0.0.0 usesrc clientip

And let us know if that fixed your issue.

Baptiste

On Thu, Jul 11, 2013 at 11:25 AM, jinge altman87...@gmail.com wrote:

Hi, all!

We use HAProxy for our web system. And there is a statement that if the traffic is not HTTP, it will go to backend Direct, which is client-side transparent proxying. Here is the configuration. But we found that the Direct backend is not working. Can anyone tell me: are there any problems in my configuration? Or should there be any tuning on my FreeBSD?

global
    pidfile /var/run/haproxy.pid
    maxconn 20
    maxpipes 5
    daemon
    stats socket /tmp/haproxy.sock
    nbproc 4
    spread-checks 5
    tune.rcvbuf.client 16384
    tune.rcvbuf.server 16384
    tune.sndbuf.client 32768
    tune.sndbuf.server 16384

defaults
    #TCP SECTION
    maxconn 20
    backlog 32768
    timeout connect 5s
    timeout client 60s
    timeout server 60s
    timeout queue 60s
    timeout check 10s
    timeout http-request 15s
    timeout http-keep-alive 1s
    timeout tunnel 3600s
    option tcpka
    #HTTP SECTION
    hash-type consistent
    option accept-invalid-http-request
    option accept-invalid-http-response
    option redispatch
    option http-server-close
    option http-pretend-keepalive
    retries 2
    option httplog
    no option checkcache
    #SYSTEM SECTION
    option dontlog-normal
    option dontlognull
    option log-separate-errors

# frontend ##
frontend tcp-in
    bind :
    mode tcp
    log global
    option tcplog
    tcp-request inspect-delay 30s
    tcp-request content accept if HTTP
    use_backend NginxCluster if HTTP
    default_backend Direct

backend NginxCluster
    mode http
    option abortonclose
    balance uri whole
    log global
    source 0.0.0.0
    server ngx1 192.168.10.1:80 weight 20 check inter 5s maxconn 1
    server ngx2 192.168.10.2:80 weight 20 check inter 5s maxconn 1
    server ngx3 192.168.10.3:80 weight 20 check inter 5s maxconn 1

backend Direct
    mode tcp
    log global
    option tcplog
    no option httpclose
    no option http-server-close
    no option accept-invalid-http-response
    no option http-pretend-keepalive
    option transparent

Regards
Jinge
Re: Best practice : Sticky-Counter tracking or many backends ?
Thx Baptiste,

I will go this way so. Thx for the tip with health check tracking.

Regards,

On Thu, Jul 11, 2013 at 11:33 AM, Baptiste bed...@gmail.com wrote:

Hi Steven,

Interesting case. I would say you could set gpc0 value, but unfortunately, there is currently no way to set its value. You can only increase it using sc0_inc_gpc0. My purpose would to use gpc0 as a flag.

So the best way for you for now is to use multiple backends. (You already might know, but you can track health checking from one backend to an other one, to avoid sending too many health checks to a single server).

By the way, rspadd will be deprecated in favor of http-response.

Baptiste

On Wed, Jul 10, 2013 at 6:44 PM, Steven Le Roux ste...@le-roux.info wrote:

Hi all (first message on list :) ),

In the process of migrating from httpd to haproxy for a reverse proxy purpose, I'm facing a dilemma about how to set a response header according to request URI.

I explain: There are four file types that I want to handle:

statics : *.js *.css *.png *.txt ...
static_ : *.cache.*
nocache : *.nocache.*
others...

So I've set up some ACLs like this:

acl p-url_statics path_end -i .html .htm .phpt
acl p-url_statics path_end -i .jpg .jpeg .gif .png .bmp .tif .tiff .eps .ai .nef .ico .swf
acl p-url_statics path_end -i .css .js
acl p-url_statics path_end -i .txt .sql .csv .log
...
acl p-url_static_ path_sub -i _static_ .cache.
acl p-url_private path_sub -i _private_
acl p-nocache path_sub -i .nocache.

I know I can't directly rspadd based on those ACLs, so I use a stick-table with tcp-request inspection:

tcp-request content track-sc0 always_true if p-url_statics !p-nocache !p-url_static_
tcp-request content track-sc1 always_true if p-url_static_ !p-nocache
tcp-request content track-sc2 always_true if p-nocache

This way I can:

http-response set-header Cache-Control no-store,no-cache
http-response set-header Cache-Control no-cache=Set-Cookie,Set-Cookie2,max-age=604800 if { sc0_tracked }
http-response set-header Cache-Control no-cache=Set-Cookie,Set-Cookie2,max-age=31536000 if { sc1_tracked }
http-response set-header Cache-Control no-store,no-cache,max-age=0,must-revalidate if { sc2_tracked }

The problem here is I need to use the option httpclose/forceclose to break Connection: keepalive establishment provided by client browsers, so it's potentially slowing down L4 exchanges, needing new handshakes... and forbid tcp reuse from the L4 load balancer.

The other problem is that I don't have any other sticky counter available to match request ACLs with response header manipulation like:

acl h-origin-X-Y hdr(Origin) -i @url@
rspadd Access-Control-Allow-Origin: @url@ if h-origin-X-Y h-host-X

The other way I'm considering, is to multiple backends for each of my vhosts... which seem not the best option since I have multiple of them... but it's possible to decline like this:

bk_@backendID@ ...
bk_@backendID@_statics ...
bk_@backendID@_static_ ...
bk_@backendID@_nocache ...

with the same configuration (options, health-check, servers, cookie management,...) but specific rspadd Cache-Control... Backends with static handling could be free of cookie/stick-table handling anyway.

I fear it will create a useless health checks noise... since it will be driven by backend... Many backends for just adding a header seem overkill to me because I have already 6000 backends for 20 frontends and an haproxy.conf sizing 5MB which takes few seconds to be loaded.

Does someone have a best practice to deal with this dilemma? Is there any other way to go that I missed?

Thx!

Regards,

--
Steven Le Roux
Jabber-ID : ste...@jabber.fr
0x39494CCB ste...@le-roux.info
2FF7 226B 552E 4709 03F0 6281 72D7 A010 3949 4CCB

--
Steven Le Roux
Jabber-ID : ste...@jabber.fr
0x39494CCB ste...@le-roux.info
2FF7 226B 552E 4709 03F0 6281 72D7 A010 3949 4CCB
Re: FreeBSD with options transparent not working.
So the problem might be in the way you compiled HAProxy or you have configured your OS. Unfortunately, I can't help on FreeBSD :'(

Baptiste

On Thu, Jul 11, 2013 at 11:55 AM, jinge altman87...@gmail.com wrote:

Hi, Baptiste!

But I just test with this and found no use.

Regards
Jinge

On 2013-7-11, at 5:35 PM, Baptiste bed...@gmail.com wrote:

Hi Jinge,

Could you update your source statement to:

source 0.0.0.0 usesrc clientip

And let us know if that fixed your issue.

Baptiste

On Thu, Jul 11, 2013 at 11:25 AM, jinge altman87...@gmail.com wrote:

Hi, all!

We use HAProxy for our web system. And there is a statement that if the traffic is not HTTP, it will go to backend Direct, which is client-side transparent proxying. Here is the configuration. But we found that the Direct backend is not working. Can anyone tell me: are there any problems in my configuration? Or should there be any tuning on my FreeBSD?

global
    pidfile /var/run/haproxy.pid
    maxconn 20
    maxpipes 5
    daemon
    stats socket /tmp/haproxy.sock
    nbproc 4
    spread-checks 5
    tune.rcvbuf.client 16384
    tune.rcvbuf.server 16384
    tune.sndbuf.client 32768
    tune.sndbuf.server 16384

defaults
    #TCP SECTION
    maxconn 20
    backlog 32768
    timeout connect 5s
    timeout client 60s
    timeout server 60s
    timeout queue 60s
    timeout check 10s
    timeout http-request 15s
    timeout http-keep-alive 1s
    timeout tunnel 3600s
    option tcpka
    #HTTP SECTION
    hash-type consistent
    option accept-invalid-http-request
    option accept-invalid-http-response
    option redispatch
    option http-server-close
    option http-pretend-keepalive
    retries 2
    option httplog
    no option checkcache
    #SYSTEM SECTION
    option dontlog-normal
    option dontlognull
    option log-separate-errors

# frontend ##
frontend tcp-in
    bind :
    mode tcp
    log global
    option tcplog
    tcp-request inspect-delay 30s
    tcp-request content accept if HTTP
    use_backend NginxCluster if HTTP
    default_backend Direct

backend NginxCluster
    mode http
    option abortonclose
    balance uri whole
    log global
    source 0.0.0.0
    server ngx1 192.168.10.1:80 weight 20 check inter 5s maxconn 1
    server ngx2 192.168.10.2:80 weight 20 check inter 5s maxconn 1
    server ngx3 192.168.10.3:80 weight 20 check inter 5s maxconn 1

backend Direct
    mode tcp
    log global
    option tcplog
    no option httpclose
    no option http-server-close
    no option accept-invalid-http-response
    no option http-pretend-keepalive
    option transparent

Regards
Jinge
Using HAProxy with ZeroMQ
Hello everyone,

I was wondering if anyone here has experience running 0MQ traffic through HAProxy in TCP mode? I'm trying to balance traffic for PUB ROUTER sockets on the backend, frontend will connect through SUB DEALER sockets.

I was thinking about something like this for the listener:

mode tcp
balance source

Does anyone have any caveats / best practice for this use case?

Thanks,
Andrei
add header does not happen every request due to keepalive
Hi,

We need to add a header to every request that is being routed via haproxy, we were able to achieve with a simple add header instruction:

reqadd X-Haproxy-L1:\ true

However it seems haproxy only adds this request to the first request in a keep alive connection stream and this header is missing when browser reuses the connection. We could work around this behavior using httpclose, however this would disable keep alive I guess.

Is there a way to support keep alive and yet add the headers (or apply some rewrite rules) to all the request effectively terminating the keep alive at haproxy like Apache. We also need to get some rewrite rules going and would need haproxy to apply the rules in every request as well.

Thanks
Sachin
Re: FreeBSD with options transparent not working.
Hi Jinge,

What version of FreeBSD do you run? What firewall does it use, pf/ipfw? What does haproxy -vv show? (version/transparent options)

Can you write a little about the network topology and what isn't working about it? For example like this:

ClientMachine = 172.16.1.100/24
Haproxy LAN1 = 172.16.1.1/24
Haproxy LAN2 = 192.168.1.1/24
Server1 = 192.168.1.101/24

Now ClientMachine sends a tcp request to 192.168.1.101. This request is routed through the haproxy machine which functions as a 'router' but also the request is intercepted by machine firewall (make sure to NOT use a standard portforward rule as it will change the destination-IP..) and redirected to the haproxy process, which determines it's not http, and then sends traffic further to Server1 using the option transparent.

The question then is does Server1 ever receive a SYN packet (check with tcpdump/wireshark)? Does HAProxy show all backends as 'available' in the stats page? Does the clientmachine use the proper IP (so NOT the haproxy-ip) for connecting to Server1 and is traffic routed through the haproxy machine?

Is this what doesn't currently work? Or is the trouble with the nginx machines not being able to be connected the original client ip?

There are 3 different HAProxy options called or referred to as 'transparent' which makes it also a bit difficult to see which option you're asking about..

A- option transparent (for sending connection to original destination)
B- source 0.0.0.0 usesrc clientip (for sending client-IP to the backend servers)
C- bind transparent (for binding to a nonlocal (CARP?) IP address)

I'm sure C is not what you're asking about, but I'm unclear if your current issue is with A or B.

Could you try and make a smallest possible haproxy configuration that still contains the problem you currently experience?

Greets
PiBa-NL

On 11-7-2013 14:38, Baptiste wrote:

So the problem might be in the way you compiled HAProxy or you have configured your OS. Unfortunately, I can't help on FreeBSD :'(

Baptiste

On Thu, Jul 11, 2013 at 11:55 AM, jinge altman87...@gmail.com wrote:

Hi, Baptiste!

But I just test with this and found no use.

Regards
Jinge

On 2013-7-11, at 5:35 PM, Baptiste bed...@gmail.com wrote:

Hi Jinge,

Could you update your source statement to:

source 0.0.0.0 usesrc clientip

And let us know if that fixed your issue.

Baptiste

On Thu, Jul 11, 2013 at 11:25 AM, jinge altman87...@gmail.com wrote:

Hi, all!

We use HAProxy for our web system. And there is a statement that if the traffic is not HTTP, it will go to backend Direct, which is client-side transparent proxying. Here is the configuration. But we found that the Direct backend is not working. Can anyone tell me: are there any problems in my configuration? Or should there be any tuning on my FreeBSD?

global
    pidfile /var/run/haproxy.pid
    maxconn 20
    maxpipes 5
    daemon
    stats socket /tmp/haproxy.sock
    nbproc 4
    spread-checks 5
    tune.rcvbuf.client 16384
    tune.rcvbuf.server 16384
    tune.sndbuf.client 32768
    tune.sndbuf.server 16384

defaults
    #TCP SECTION
    maxconn 20
    backlog 32768
    timeout connect 5s
    timeout client 60s
    timeout server 60s
    timeout queue 60s
    timeout check 10s
    timeout http-request 15s
    timeout http-keep-alive 1s
    timeout tunnel 3600s
    option tcpka
    #HTTP SECTION
    hash-type consistent
    option accept-invalid-http-request
    option accept-invalid-http-response
    option redispatch
    option http-server-close
    option http-pretend-keepalive
    retries 2
    option httplog
    no option checkcache
    #SYSTEM SECTION
    option dontlog-normal
    option dontlognull
    option log-separate-errors

# frontend ##
frontend tcp-in
    bind :
    mode tcp
    log global
    option tcplog
    tcp-request inspect-delay 30s
    tcp-request content accept if HTTP
    use_backend NginxCluster if HTTP
    default_backend Direct

backend NginxCluster
    mode http
    option abortonclose
    balance uri whole
    log global
    source 0.0.0.0
    server ngx1 192.168.10.1:80 weight 20 check inter 5s maxconn 1
    server ngx2 192.168.10.2:80 weight 20 check inter 5s maxconn 1
    server ngx3 192.168.10.3:80 weight 20 check inter 5s maxconn 1

backend Direct
    mode tcp
    log global
    option tcplog
    no option httpclose
    no option http-server-close
    no option accept-invalid-http-response
    no option http-pretend-keepalive
    option transparent

Regards
Jinge
Re: add header does not happen every request due to keepalive
I would think you're looking for http-server-close which uses keepalive between client and HAProxy and opens a new connection for each request to the server, in turn allowing you to Layer 7 inspect and modify every request sent to your backends.

Best,
Scott Hulbert

On Jul 11, 2013, at 11:27 AM, Sachin Shetty sshe...@egnyte.com wrote:

Hi,

We need to add a header to every request that is being routed via haproxy, we were able to achieve with a simple add header instruction:

reqadd X-Haproxy-L1:\ true

However it seems haproxy only adds this request to the first request in a keep alive connection stream and this header is missing when browser reuses the connection. We could work around this behavior using httpclose, however this would disable keep alive I guess.

Is there a way to support keep alive and yet add the headers (or apply some rewrite rules) to all the request effectively terminating the keep alive at haproxy like Apache. We also need to get some rewrite rules going and would need haproxy to apply the rules in every request as well.

Thanks
Sachin
Re: add header does not happen every request due to keepalive
original message-
From: Sachin Shetty sshe...@egnyte.com
To: haproxy@formilux.org
Date: Thu, 11 Jul 2013 23:57:40 +0530
-

Hi,

We need to add a header to every request that is being routed via haproxy, we were able to achieve with a simple add header instruction:

reqadd X-Haproxy-L1:\ true

However it seems haproxy only adds this request to the first request in a keep alive connection stream and this header is missing when browser reuses the connection. We could work around this behavior using httpclose, however this would disable keep alive I guess.

Is there a way to support keep alive and yet add the headers (or apply some rewrite rules) to all the request effectively terminating the keep alive at haproxy like Apache. We also need to get some rewrite rules going and would need haproxy to apply the rules in every request as well.

use option http-server-close

Regards,
Emeric
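The keep-alive behaviour discussed in this thread, as an added example that is not part of any poster's message: a small config check that lists HTTP proxies carrying header rules (or `option forwardfor`) with none of `http-server-close`, `httpclose` or `forceclose` in effect, including inheritance from `defaults`. The sample config, proxy names and addresses are constructed, and the rule that one of those options is required reflects the replies above for the HAProxy versions of that time.

```python
"""Flag HAProxy proxies whose header rules miss reused keep-alive requests."""

SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
# Directives that add or rewrite HTTP headers.
HEADER_RULES = ("reqadd", "rspadd", "reqrep", "rsprep", "reqdel", "rspdel",
                "http-request", "http-response")
# Assumption (taken from the replies in this thread): one of these options is
# needed for HAProxy to analyse every request of a connection, not only the first.
PER_REQUEST_OPTIONS = ("http-server-close", "httpclose", "forceclose")


def parse(config_text):
    """Split a config into sections, recording mode, options and header rules."""
    sections, current, defaults = [], None, None
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not words or (current is None and words[0] not in SECTIONS):
            continue
        if words[0] in SECTIONS:
            current = {"kind": words[0], "name": " ".join(words[1:2]),
                       "mode": None, "options": {}, "rules": [],
                       # a proxy inherits from the last defaults section before it
                       "defaults": None if words[0] == "defaults" else defaults}
            if words[0] == "defaults":
                defaults = current
            sections.append(current)
        elif words[0] == "mode" and len(words) > 1:
            current["mode"] = words[1]
        elif words[0] == "option" and len(words) > 1:
            current["options"][words[1]] = True
        elif words[:2] == ["no", "option"] and len(words) > 2:
            current["options"][words[2]] = False
        elif words[0] in HEADER_RULES:
            current["rules"].append(" ".join(words))
    return sections


def first_request_only(config_text):
    """Return [(proxy, rules)] for HTTP proxies lacking a per-request option.

    Each section is checked on its own; an option set only in the paired
    frontend or backend is not correlated here.
    """
    findings = []
    for sec in parse(config_text):
        if sec["kind"] not in ("frontend", "backend", "listen"):
            continue
        base = sec["defaults"] or {"mode": None, "options": {}}
        mode = sec["mode"] or base["mode"] or "tcp"    # HAProxy defaults to tcp
        options = {**base["options"], **sec["options"]}
        rules = list(sec["rules"])
        if options.get("forwardfor"):                  # also inserts a header
            rules.append("option forwardfor")
        if mode == "http" and rules and not any(
                options.get(opt) for opt in PER_REQUEST_OPTIONS):
            findings.append((sec["kind"] + " " + sec["name"], rules))
    return findings


# Constructed sample: ft_web has no per-request option, ft_fixed does.
SAMPLE = r"""
defaults
    mode http
    option forwardfor

frontend ft_web
    reqadd X-Haproxy-L1:\ true
    default_backend bk_app

frontend ft_fixed
    option http-server-close
    reqadd X-Haproxy-L1:\ true
    default_backend bk_app

backend bk_app
    no option forwardfor
    server app1 192.0.2.10:80
"""

if __name__ == "__main__":
    for proxy, rules in first_request_only(SAMPLE):
        print(proxy, "->", rules)
```

Any header a backend relies on for trust decisions, such as X-Forwarded-For from `option forwardfor`, is affected the same way as the `reqadd` marker in the question.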
Re: Does the transparent can't work in FreeBSD?
Hi PiBa-NL,

I just followed your advice and found my pf configuration is not correct:

rdr on vlan64 proto tcp from any to any -> 127.0.0.1 port

And I changed to ipfw and fwd, then it works correctly:

ipfw add fwd 127.0.0.1, tcp from any to any via vlan64 in

And you told me I can use pf's divert-to, but after a test I found it doesn't work. Here is the configuration:

pass in quick on vlan64 inet proto tcp from any to any divert-to 127.0.0.1 port

So can you tell me the right configuration? Thank you.

Regards
Jinge

On 2013-7-11, at 12:07 PM, jinge altman87...@gmail.com wrote:

Hi PiBa-NL,

Thanks for your reply! And I will follow your advice!

Regards
Jinge

On 2013-7-10, at 4:25 AM, PiBa-NL piba.nl@gmail.com wrote:

Hi Jinge,

I'm not exactly sure how this is supposed to work.. did manage to get transparent proxy for the server side working.. (the server is presented with a connection from original client ip.) This works with haproxy 1.5dev19 on FreeBSD8.3 with help of some ipfw fwd rules..

Your config also seems to be working (used some parts thereof to test..) Did require the following ipfw rule for me..:

ipfw add 90 fwd localhost tcp from any to any in recv em1

Actually on pfSense it also needs -x haproxy as it is a bit customized.. And because I run 'ipfw' combined with 'pf' I also needed to configure pf with floating 'pass on match' rules to allow the 'strange traffic'.. That pf cannot handle..

If you however have FreeBSD 9 you might want to look into the divert-to rules that pf can make. Might make stuff simpler if it turns out to work..

Please report back your required settings (config if it changes) when you manage to get it working.

Greetings
PiBa-NL

On 9-7-2013 12:55, jinge wrote:

Hi, all!

We use haproxy and FreeBSD for our cache system. And we want to use the transparent option http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-option%20transparent which for some compatible things. But found it doesn't work. Here is the configuration which worked in Ubuntu.

frontend tcp-in
    bind :
    mode tcp
    log global
    option tcplog
    #distinguish HTTP and non-HTTP
    tcp-request inspect-delay 30s
    tcp-request content accept if HTTP
    default_backend Direct

backend Direct
    mode tcp
    log global
    option tcplog
    no option httpclose
    no option http-server-close
    no option accept-invalid-http-response
    option transparent

Can anyone tell me if FreeBSD can not support transparent here or my configuration is not correct? And how to make transparent work right.

Thanks!

Regards
Jinge