Re: TPROXY - any functionality lost?
On Tue, Jan 20, 2015 at 6:13 PM, Shawn Heisey hapr...@elyograg.org wrote:
> On 1/20/2015 6:12 AM, Thomas Heil wrote:
>> On 20.01.2015 03:26, Shawn Heisey wrote:
>>> When haproxy is run in TPROXY mode, does it lose any functionality, or can I do all the same things as I can when it's acting in normal proxy mode? I'd like to have my servers see the real source ip but still have the ability to make decisions based on HTTP headers and manipulate those headers.
>>
>> No you are not losing any functionality when running in http mode.
>
> This is not very clear. It seems to be saying that I can still do ACLs and header mangling, but you mention http mode, when I was asking about tproxy.
>
> To be clear: I'd like to try tproxy so that my servers will see the true source IP, but still be able to use ACLs and change the HTTP headers.
>
> If enabling iptables is necessary for tproxy (which it seems to be), how do I additionally tell iptables that I do not want to block any traffic? My haproxy server currently is not running a firewall, because it just gets in the way.
>
> Thanks,
> Shawn

Hi Shawn,

Everything is explained here:
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

If you can't do it, maybe you should ask the HAProxy experts to help you:
http://haproxy.com/services/haproxy-professional-services/

Baptiste
Re: TPROXY - any functionality lost?
On 1/21/2015 2:52 AM, Baptiste wrote:
> Everything is explained here:
> http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/
>
> If you can't do it, maybe you should ask the HAProxy experts to help you:
> http://haproxy.com/services/haproxy-professional-services/

I had already seen the blog post you linked ... that blog post does not answer my initial question about whether I keep all haproxy functionality when going transparent. My worry is that it will function just like ipvs and offer none of haproxy's advanced capability. Most of our current load balancing is using ipvs, I am in the process of migrating to haproxy.

I can do it without spending a lot of money on help, I just need a little guidance with iptables. I always turn off iptables because I have a very large Cisco external firewall handling access control. Therefore I am a little fuzzy on how to make iptables accept everything while also doing what haproxy needs. If I do set up iptables to accept all traffic, then add the rules on that blog post, will everything work? I realize that iptables is outside the scope of this mailing list, so I am hoping someone can point me to a HOWTO, article, or blog post that covers it.

The old load balancer system (which I still need to configure) is CentOS 5. Can I successfully run transparent mode on a 2.6.18 kernel? I have a new one running Ubuntu 14, but when I tried to switch everything to that, ldirectord crashed and took out all the ipvs config ... so my new plan is to reduce the ldirectord config to FTP only, which requires that I migrate everything else to haproxy first.

I did find something about tproxy and different kernel versions that has me a little worried. Specifically the caveats for specific kernel versions here:
http://wiki.squid-cache.org/Features/Tproxy4#Minimum_Requirements_.28IPv6_and_IPv4.29

One of the caveats mentioned is that 3.x kernels require a different config than 2.6 kernels for tproxy4. Which kernel versions are targeted by the iptables info on that blog post?

One final question, which is very important. Can I mix transparent bindings and normal bindings on one haproxy config? I need to migrate one frontend at a time, I can't do them all at once.

Thanks,
Shawn
Re: TPROXY - any functionality lost?
Hi,

On 20.01.2015 03:26, Shawn Heisey wrote:
> When haproxy is run in TPROXY mode, does it lose any functionality, or can I do all the same things as I can when it's acting in normal proxy mode? I'd like to have my servers see the real source ip but still have the ability to make decisions based on HTTP headers and manipulate those headers.

No you are not losing any functionality when running in http mode.

> Thanks,
> Shawn

cheers
thomas
Re: TPROXY - any functionality lost?
On 1/20/2015 6:12 AM, Thomas Heil wrote:
> On 20.01.2015 03:26, Shawn Heisey wrote:
>> When haproxy is run in TPROXY mode, does it lose any functionality, or can I do all the same things as I can when it's acting in normal proxy mode? I'd like to have my servers see the real source ip but still have the ability to make decisions based on HTTP headers and manipulate those headers.
>
> No you are not losing any functionality when running in http mode.

This is not very clear. It seems to be saying that I can still do ACLs and header mangling, but you mention http mode, when I was asking about tproxy.

To be clear: I'd like to try tproxy so that my servers will see the true source IP, but still be able to use ACLs and change the HTTP headers.

If enabling iptables is necessary for tproxy (which it seems to be), how do I additionally tell iptables that I do not want to block any traffic? My haproxy server currently is not running a firewall, because it just gets in the way.

Thanks,
Shawn