Re: HAProxy and backend on the same box
Hello All,

After having a look in iptables, I am able to solve this issue.

Added the following line in iptables:

iptables -t mangle -A OUTPUT -s 192.168.20.10 -p tcp -j DIVERT

Thanks much,

Regards,
-Abdul Jaleel

On Mon, Nov 16, 2015 at 3:31 PM, jaleel <abduljal...@gmail.com> wrote:

> Hello All,
>
> Need help regarding the iptables
>
> For the packet coming from network, I set the iptables as following
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> For the packet generated locally, I think I need to set the mangle table
> in OUTPUT chain so that HAProxy will capture locally generated packet as
> well.
>
> how do I create the OUTPUT chain mangle table?
>
> Regards,
> -Abdul jaleel K
>
> On Fri, Nov 13, 2015 at 1:12 PM, Aleksandar Lazic <al-hapr...@none.at>
> wrote:
>
>> Hi.
>>
>> But do you really think this is a haproxy Problem?
>>
>> On 13-11-2015 08:38, Aleksandar Lazic wrote:
>>
>>> On 13-11-2015 06:14, jaleel wrote:
>>>
>>>> It works if HAProxy and backend are in different box, but when both are
>>>> in same box it didn't work
>>>>
>>>
>>> Maybe because the iptables rule is different from 'localhost' than
>>> from external.
>>>
>>> Please take a look at the picture
>>>
>>> https://ixquick-proxy.com/do/spg/show_picture.pl?l=english=1=http%3A%2F%2Ferlerobotics.gitbooks.io%2Ferle-robotics-introduction-to-linux-networking%2Fcontent%2Fsecurity%2Fimg9%2Fiptables.gif=5ac7f7d4aa8327c04f456b9db2362108
>>>
>>
>> or this one
>>
>> http://inai.de/images/nf-packet-flow.png
>>
>> from this site
>>
>> http://serverfault.com/questions/345111/iptables-target-to-route-packet-to-specific-interface
>>
>> and the document for this Picture.
>>>
>>> https://erlerobotics.gitbooks.io/erle-robotics-introduction-to-linux-networking/content/security/introduction_to_iptables.html
>>>
>>> I think you should add some lines into the postrouting table
>>>
>>> BR Aleks
>>>
>>> On Fri, Nov 13, 2015 at 1:56 AM, Igor Cicimov
>>>> <ig...@encompasscorporation.com> wrote:
>>>>
>>>> On 13/11/2015 1:04 AM, "jaleel" <abduljal...@gmail.com> wrote:
>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I am trying to setup the following for deployment
>>>>>>
>>>>>> I have 2 servers.
>>>>>> server1: eth0:10.200.2.211 (255.255.252.0)
>>>>>>          eth1: 192.168.10.10 (255.255.255.0)
>>>>>> server2: eth0: 10.200.2.242 (255.255.252.0)
>>>>>>          eth1: 192.168.20.10 (255.255.255.0)
>>>>>>
>>>>>> VRRP between server1 and server2 eth0. VRIP is 10.200.3.84
>>>>>>
>>>>>> my haproxy config:
>>>>>> --
>>>>>> listen ingress_traffic 10.200.3.84:7000 [1]
>>>>>>     mode tcp
>>>>>>     source 0.0.0.0 usesrc clientip
>>>>>>     balance roundrobin
>>>>>>     server server1 192.168.10.10:9001 [2]
>>>>>>     server server2 192.168.20.10:9001 [3]
>>>>>>
>>>>>> Iptables:
>>>>>> ---
>>>>>> iptables -t mangle -N DIVERT
>>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>>>
>>>>>> ip rule add fwmark 1 lookup 100
>>>>>> ip route add local 0.0.0.0/0 [4] dev lo table 100
>>>>>>
>>>>>> Now 10.200.2.211 is the master and owns VRIP 10.200.3.84
>>>>>>
>>>>>> When traffic comes to 10.200.3.84:7000 [1], the routing to server2
>>>>>> is successful and end-to-end communication is fine. But the response
>>>>>> from server1 (192.168.10.10:9001 [2]) is not reaching HAProxy.
>>>>>>
>>>>>> I cannot have 3rd box for HAProxy alone.
>>>>>>
>>>>>> Any suggestions
>>>>>>
>>>>>> Thank you
>>>>>> -Abdul Jaleel
>>>>>>
>>>>>> The backends need to have haproxy set as gateway.
>>>>>
>>>>
>>>> Links:
>>>> --
>>>> [1] http://10.200.3.84:7000
>>>> [2] http://192.168.10.10:9001
>>>> [3] http://192.168.20.10:9001
>>>> [4] http://0.0.0.0/0
>>>>
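
Added example (not part of the thread): a shell check that audits saved `iptables-save -t mangle`, `ip rule` and `ip route show table 100` output for the pieces of the setup discussed above, including the OUTPUT rule that a backend on the proxy host needs. The dumps are constructed sample data using the thread's addresses, and the function names `need` and `audit_tproxy` are hypothetical.

```shell
#!/bin/sh
# Added example: audit saved firewall/routing state for the transparent-proxy
# rules used in this thread. All dumps below are constructed sample data.

MANGLE_BEFORE='-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'
# Same table after adding the OUTPUT rule from the thread.
MANGLE_AFTER="$MANGLE_BEFORE
-A OUTPUT -s 192.168.20.10/32 -p tcp -j DIVERT"
IP_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
TABLE_100='local default dev lo scope host'

# need TEXT REGEX LABEL: print "MISSING LABEL" and fail if REGEX is absent.
need() {
    printf '%s\n' "$1" | grep -Eq -- "$2" && return 0
    echo "MISSING $3"
    return 1
}

# audit_tproxy MANGLE RULES TABLE BACKEND_IP
# Prints one line per missing piece; returns 0 only if nothing is missing.
audit_tproxy() {
    rc=0
    ip_re=$(printf '%s' "$4" | sed 's/\./\\./g')   # escape dots for grep -E
    need "$1" '^-A PREROUTING .*-m socket .*-j DIVERT' prerouting-socket-divert || rc=1
    need "$1" '^-A DIVERT .*-j MARK --set-x?mark (0x)?1(/| |$)' divert-mark || rc=1
    need "$1" '^-A DIVERT .*-j ACCEPT' divert-accept || rc=1
    need "$2" 'fwmark (0x)?1 lookup 100' fwmark-rule || rc=1
    need "$3" '^local (default|0\.0\.0\.0/0) dev lo' local-route-table-100 || rc=1
    # Replies generated by a backend on the proxy host leave through OUTPUT,
    # addressed to the client, so PREROUTING never sees them on this host.
    need "$1" "^-A OUTPUT .*-s ${ip_re}(/32)? .*-j DIVERT" "output-divert-for-$4" || rc=1
    return $rc
}

echo "before:"; audit_tproxy "$MANGLE_BEFORE" "$IP_RULES" "$TABLE_100" 192.168.20.10 || echo "=> incomplete"
echo "after:";  audit_tproxy "$MANGLE_AFTER" "$IP_RULES" "$TABLE_100" 192.168.20.10 && echo "=> complete"
```

On a live host the three inputs would come from `iptables-save -t mangle`, `ip rule show` and `ip route show table 100`.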
Re: HAProxy and backend on the same box
Hello All,

Need help regarding the iptables

For the packet coming from network, I set the iptables as following

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

For the packet generated locally, I think I need to set the mangle table in OUTPUT chain so that HAProxy will capture locally generated packet as well.

how do I create the OUTPUT chain mangle table?

Regards,
-Abdul jaleel K

On Fri, Nov 13, 2015 at 1:12 PM, Aleksandar Lazic <al-hapr...@none.at> wrote:

> Hi.
>
> But do you really think this is a haproxy Problem?
>
> On 13-11-2015 08:38, Aleksandar Lazic wrote:
>
>> On 13-11-2015 06:14, jaleel wrote:
>>
>>> It works if HAProxy and backend are in different box, but when both are
>>> in same box it didn't work
>>>
>>
>> Maybe because the iptables rule is different from 'localhost' than
>> from external.
>>
>> Please take a look at the picture
>>
>> https://ixquick-proxy.com/do/spg/show_picture.pl?l=english=1=http%3A%2F%2Ferlerobotics.gitbooks.io%2Ferle-robotics-introduction-to-linux-networking%2Fcontent%2Fsecurity%2Fimg9%2Fiptables.gif=5ac7f7d4aa8327c04f456b9db2362108
>>
>
> or this one
>
> http://inai.de/images/nf-packet-flow.png
>
> from this site
>
> http://serverfault.com/questions/345111/iptables-target-to-route-packet-to-specific-interface
>
> and the document for this Picture.
>>
>> https://erlerobotics.gitbooks.io/erle-robotics-introduction-to-linux-networking/content/security/introduction_to_iptables.html
>>
>> I think you should add some lines into the postrouting table
>>
>> BR Aleks
>>
>> On Fri, Nov 13, 2015 at 1:56 AM, Igor Cicimov
>>> <ig...@encompasscorporation.com> wrote:
>>>
>>> On 13/11/2015 1:04 AM, "jaleel" <abduljal...@gmail.com> wrote:
>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> I am trying to setup the following for deployment
>>>>>
>>>>> I have 2 servers.
>>>>> server1: eth0:10.200.2.211 (255.255.252.0)
>>>>>          eth1: 192.168.10.10 (255.255.255.0)
>>>>> server2: eth0: 10.200.2.242 (255.255.252.0)
>>>>>          eth1: 192.168.20.10 (255.255.255.0)
>>>>>
>>>>> VRRP between server1 and server2 eth0. VRIP is 10.200.3.84
>>>>>
>>>>> my haproxy config:
>>>>> --
>>>>> listen ingress_traffic 10.200.3.84:7000 [1]
>>>>>     mode tcp
>>>>>     source 0.0.0.0 usesrc clientip
>>>>>     balance roundrobin
>>>>>     server server1 192.168.10.10:9001 [2]
>>>>>     server server2 192.168.20.10:9001 [3]
>>>>>
>>>>> Iptables:
>>>>> ---
>>>>> iptables -t mangle -N DIVERT
>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>>
>>>>> ip rule add fwmark 1 lookup 100
>>>>> ip route add local 0.0.0.0/0 [4] dev lo table 100
>>>>>
>>>>> Now 10.200.2.211 is the master and owns VRIP 10.200.3.84
>>>>>
>>>>> When traffic comes to 10.200.3.84:7000 [1], the routing to server2
>>>>> is successful and end-to-end communication is fine. But the response
>>>>> from server1 (192.168.10.10:9001 [2]) is not reaching HAProxy.
>>>>>
>>>>> I cannot have 3rd box for HAProxy alone.
>>>>>
>>>>> Any suggestions
>>>>>
>>>>> Thank you
>>>>> -Abdul Jaleel
>>>>>
>>>>> The backends need to have haproxy set as gateway.
>>>>
>>>
>>> Links:
>>> --
>>> [1] http://10.200.3.84:7000
>>> [2] http://192.168.10.10:9001
>>> [3] http://192.168.20.10:9001
>>> [4] http://0.0.0.0/0
>>>
Re: HAProxy and backend on the same box
On Fri, Nov 13, 2015 at 1:12 PM, Aleksandar Lazic <al-hapr...@none.at> wrote:

> Hi.
>
> But do you really think this is a haproxy Problem?
>
> On 13-11-2015 08:38, Aleksandar Lazic wrote:
>
>> On 13-11-2015 06:14, jaleel wrote:
>>
>>> It works if HAProxy and backend are in different box, but when both are
>>> in same box it didn't work
>>>
>>
>> Maybe because the iptables rule is different from 'localhost' than
>> from external.
>>

Abdul Jaleel: Yes, looks so
Let me explore on the iptables

>>
>
> Please take a look at the picture
>>
>> https://ixquick-proxy.com/do/spg/show_picture.pl?l=english=1=http%3A%2F%2Ferlerobotics.gitbooks.io%2Ferle-robotics-introduction-to-linux-networking%2Fcontent%2Fsecurity%2Fimg9%2Fiptables.gif=5ac7f7d4aa8327c04f456b9db2362108
>>
>
> or this one
>
> http://inai.de/images/nf-packet-flow.png
>
> from this site
>
> http://serverfault.com/questions/345111/iptables-target-to-route-packet-to-specific-interface
>
> and the document for this Picture.
>>
>> https://erlerobotics.gitbooks.io/erle-robotics-introduction-to-linux-networking/content/security/introduction_to_iptables.html
>>
>> I think you should add some lines into the postrouting table
>>
>> BR Aleks
>>
>> On Fri, Nov 13, 2015 at 1:56 AM, Igor Cicimov
>>> <ig...@encompasscorporation.com> wrote:
>>>
>>> On 13/11/2015 1:04 AM, "jaleel" <abduljal...@gmail.com> wrote:
>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> I am trying to setup the following for deployment
>>>>>
>>>>> I have 2 servers.
>>>>> server1: eth0:10.200.2.211 (255.255.252.0)
>>>>>          eth1: 192.168.10.10 (255.255.255.0)
>>>>> server2: eth0: 10.200.2.242 (255.255.252.0)
>>>>>          eth1: 192.168.20.10 (255.255.255.0)
>>>>>
>>>>> VRRP between server1 and server2 eth0. VRIP is 10.200.3.84
>>>>>
>>>>> my haproxy config:
>>>>> --
>>>>> listen ingress_traffic 10.200.3.84:7000 [1]
>>>>>     mode tcp
>>>>>     source 0.0.0.0 usesrc clientip
>>>>>     balance roundrobin
>>>>>     server server1 192.168.10.10:9001 [2]
>>>>>     server server2 192.168.20.10:9001 [3]
>>>>>
>>>>> Iptables:
>>>>> ---
>>>>> iptables -t mangle -N DIVERT
>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>>
>>>>> ip rule add fwmark 1 lookup 100
>>>>> ip route add local 0.0.0.0/0 [4] dev lo table 100
>>>>>
>>>>> Now 10.200.2.211 is the master and owns VRIP 10.200.3.84
>>>>>
>>>>> When traffic comes to 10.200.3.84:7000 [1], the routing to server2
>>>>> is successful and end-to-end communication is fine. But the response
>>>>> from server1 (192.168.10.10:9001 [2]) is not reaching HAProxy.
>>>>>
>>>>> I cannot have 3rd box for HAProxy alone.
>>>>>
>>>>> Any suggestions
>>>>>
>>>>> Thank you
>>>>> -Abdul Jaleel
>>>>>
>>>>> The backends need to have haproxy set as gateway.
>>>>
>>>
>>> Links:
>>> --
>>> [1] http://10.200.3.84:7000
>>> [2] http://192.168.10.10:9001
>>> [3] http://192.168.20.10:9001
>>> [4] http://0.0.0.0/0
>>>
HAProxy and backend on the same box
Hello,

I am trying to setup the following for deployment

I have 2 servers.
server1: eth0:10.200.2.211 (255.255.252.0)
         eth1: 192.168.10.10 (255.255.255.0)
server2: eth0: 10.200.2.242 (255.255.252.0)
         eth1: 192.168.20.10 (255.255.255.0)

VRRP between server1 and server2 eth0. VRIP is 10.200.3.84

my haproxy config:
--
listen ingress_traffic 10.200.3.84:7000
    mode tcp
    source 0.0.0.0 usesrc clientip
    balance roundrobin
    server server1 192.168.10.10:9001
    server server2 192.168.20.10:9001

Iptables:
---
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

Now 10.200.2.211 is the master and owns VRIP 10.200.3.84

When traffic comes to 10.200.3.84:7000, the routing to server2 is successful and end-to-end communication is fine. But the response from server1 (192.168.10.10:9001) is not reaching HAProxy.

I cannot have 3rd box for HAProxy alone.

Any suggestions

Thank you
-Abdul Jaleel
Re: HAProxy and backend on the same box
It works if HAProxy and backend are in different box, but when both are in same box it didn't work

On Fri, Nov 13, 2015 at 1:56 AM, Igor Cicimov <ig...@encompasscorporation.com> wrote:

>
> On 13/11/2015 1:04 AM, "jaleel" <abduljal...@gmail.com> wrote:
> >
> > Hello,
> >
> > I am trying to setup the following for deployment
> >
> > I have 2 servers.
> > server1: eth0:10.200.2.211 (255.255.252.0)
> >          eth1: 192.168.10.10 (255.255.255.0)
> > server2: eth0: 10.200.2.242 (255.255.252.0)
> >          eth1: 192.168.20.10 (255.255.255.0)
> >
> > VRRP between server1 and server2 eth0. VRIP is 10.200.3.84
> >
> > my haproxy config:
> > --
> > listen ingress_traffic 10.200.3.84:7000
> >     mode tcp
> >     source 0.0.0.0 usesrc clientip
> >     balance roundrobin
> >     server server1 192.168.10.10:9001
> >     server server2 192.168.20.10:9001
> >
> > Iptables:
> > ---
> > iptables -t mangle -N DIVERT
> > iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> > iptables -t mangle -A DIVERT -j MARK --set-mark 1
> > iptables -t mangle -A DIVERT -j ACCEPT
> >
> > ip rule add fwmark 1 lookup 100
> > ip route add local 0.0.0.0/0 dev lo table 100
> >
> > Now 10.200.2.211 is the master and owns VRIP 10.200.3.84
> >
> > When traffic comes to 10.200.3.84:7000, the routing to server2 is
> > successful and end-to-end communication is fine. But the response from
> > server1 (192.168.10.10:9001) is not reaching HAProxy.
> >
> > I cannot have 3rd box for HAProxy alone.
> >
> > Any suggestions
> >
> > Thank you
> > -Abdul Jaleel
> >
>
> The backends need to have haproxy set as gateway.
>