Re: Transparent proxy issue on FreeBSD

2023-03-07 Thread Rainer Duffner



> Am 07.03.2023 um 18:26 schrieb Marc West :
> 
> On 2023-03-07 08:09:04, Rainer Duffner wrote:
>> I admit I only toyed with TP, so I really don’t know what I’m doing 
>> there, but:
>> 
>> Have you tried to just use pfSense for this? The developer of the package 
>> (https://github.com/PiBa-NL) seemed to be active here, but I haven’t seen 
>> anything from him since 2020, so I wonder if he has moved on.
>> 
>> My co-workers use OPNSense for this purpose - and on VMWare, they insist 
>> that only em(4) NICs work.
>> 
>> 
>> If you don’t find his email-address, I can mail it to you.
> 
> Thanks for the suggestion. I haven't tried HAProxy on pfSense but the
> working transparent config and related ipfw fwd rules we have did come
> from PiBa-NL [1].


Ah, ok.

Either ask on the freebsd-forum or the mailing-list - or try with 
OPNSense/pfSense and if the problem persists, you might get more response on 
the forums there.

pf and ipfw are very specialized parts of the kernel and very few developers 
want to touch it, AFAIK.


> Everything does function perfectly until a brief
> period with production traffic and something happens to cause the tproxy
> bind errors and request failures to start. I'm just not sure what is
> going wrong or how to debug further.
> 
> [1] https://www.mail-archive.com/haproxy@formilux.org/msg09923.html
> 






Re: Transparent proxy issue on FreeBSD

2023-03-07 Thread Marc West
On 2023-03-07 08:09:04, Rainer Duffner wrote:
> I admit I only toyed with TP, so I really don’t know what I’m doing 
> there, but:
> 
> Have you tried to just use pfSense for this? The developer of the package 
> (https://github.com/PiBa-NL) seemed to be active here, but I haven’t seen 
> anything from him since 2020, so I wonder if he has moved on.
> 
> My co-workers use OPNSense for this purpose - and on VMWare, they insist that 
> only em(4) NICs work.
> 
> 
> If you don’t find his email-address, I can mail it to you.

Thanks for the suggestion. I haven't tried HAProxy on pfSense but the
working transparent config and related ipfw fwd rules we have did come
from PiBa-NL [1]. Everything does function perfectly until a brief
period with production traffic and something happens to cause the tproxy
bind errors and request failures to start. I'm just not sure what is
going wrong or how to debug further.

[1] https://www.mail-archive.com/haproxy@formilux.org/msg09923.html



Re: Transparent proxy issue on FreeBSD

2023-03-07 Thread Rainer Duffner



> Am 07.03.2023 um 08:46 schrieb Marc West :
> 
> 
> 
> Any other thoughts to look at or data that would be helpful to collect?
> 


I admit I only toyed with TP, so I really don’t know what I’m doing there, but:

Have you tried to just use pfSense for this? The developer of the package 
(https://github.com/PiBa-NL) seemed to be active here, but I haven’t seen 
anything from him since 2020, so I wonder if he has moved on.

My co-workers use OPNSense for this purpose - and on VMWare, they insist that 
only em(4) NICs work.


If you don’t find his email-address, I can mail it to you.





Re: Transparent proxy issue on FreeBSD

2023-03-06 Thread Marc West
Hi Stefan and thanks for your replies. 

(Sorry for the late reply and replying to my own mail, I don't seem to
be receiving messages from the list after confirming the subscription
twice and noticed your replies when checking the archives.)

> If I understand you correctly, you have forwarding enabled to those
> ports on pf.
> 
> I had a similar issue on pfsense. The solution was to disable the
> forwarding to that port.

PF isn't doing anything special with the public IPs/ports that HAProxy
binds to, only allowing that traffic. PF does do outbound NAT for
internal servers to reach the Internet like so:

table  const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
nat pass on $pub_vlan from 10.10.15.0/24 to ! -> 1.2.3.4

Would a firewall be able to cause the HAProxy tproxy bind errors for
some (but not all) transparent connections? I believe firewalls could
block connections but shouldn't prevent the actual haproxy bind from
succeeding (?). I read through the code and see where the tproxy bind
error is being hit but unsure what is causing it to succeed sometimes
and fail others.

It doesn't seem like it would be an issue allocating or exhausting ports
since the original client IP+port is being reused with "usesrc client"
and there shouldn't be conflicts there. On FreeBSD there are no similar
sysctls to Linux's net.ipv4.ip_nonlocal_bind, and transparent does work
some of the time with my existing config until it starts failing.

> one another:
> 
> source ipv4@ usesrc clientip

I have separate backends/frontends for IPv4 and IPv6 with "source
0.0.0.0 usesrc client" in defaults (also tried "clientip"), which in my
understanding should do the right thing for both v4 and v6 respectively.
Would there be something different about using ipv4@ here?

Any other thoughts to look at or data that would be helpful to collect?



Re: Transparent proxy issue on FreeBSD

2023-02-23 Thread Stefan Fuhrmann


Re: Transparent proxy issue on FreeBSD

2023-02-23 Thread Stefan Fuhrmann





Transparent proxy issue on FreeBSD

2023-02-17 Thread Marc West
.
Built with zlib version : 1.2.12
Running on zlib version : 1.2.12
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with PCRE2 version : 10.40 2022-04-14
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with clang compiler version 13.0.0 (g...@github.com:llvm/llvm-project.git llvmorg-13.0.0-0-gd7b669b3a303)

Available polling systems :
      kqueue : pref=300,  test result OK
        poll : pref=200,  test result OK
      select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=

Available services : prometheus-exporter
Available filters :
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace
$



Re: HAproxy transparent proxy and IPv6

2019-10-16 Thread Philipp Kolmann

Hi,

I did some more testing and found the reason why it didn't work:


I have added the required ip cmds:

    post-up ip rule add fwmark 1 lookup 100
    post-up ip route add local 0.0.0.0/0 dev lo table 100
    post-up ip route add local ::/0 dev lo table 100 



ip rule add fwmark 1 lookup 100 only adds the fwmark rule to the IPv4 rule table...

ip -6 rule add fwmark 1 lookup 100 did the trick.

Maybe that helps somebody else in the future.

The whole ip-up/down looks like this now:

    post-up ip rule add fwmark 1 lookup 100
    post-up ip -6 rule add fwmark 1 lookup 100
    post-up ip route add local 0.0.0.0/0 dev lo table 100
    post-up ip -6 route add local ::/0 dev lo table 100
    pre-down ip -6 route del local ::/0 dev lo table 100
    pre-down ip route del local 0.0.0.0/0 dev lo table 100
    pre-down ip -6 route del from all fwmark 1 lookup 100
    pre-down ip route del from all fwmark 1 lookup 100


Thanks
Philipp




HAproxy transparent proxy and IPv6

2019-10-14 Thread Philipp Kolmann

Hi,

I have setup my test-HAproxy-env according to

https://www.haproxy.com/blog/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

I have setup the Firewall Rules for ipv4 and v6.

TEST testha1:~/svnconfig/etc/iptables# iptables -t mangle -vL
Chain PREROUTING (policy ACCEPT 163K packets, 291M bytes)
 pkts bytes target  prot opt in   out  source    destination
 374K   68M DIVERT  tcp  --  any  any  anywhere  anywhere     socket

Chain DIVERT (1 references)
 pkts bytes target  prot opt in   out  source    destination
 374K   68M MARK    all  --  any  any  anywhere  anywhere     MARK set 0x1
 374K   68M ACCEPT  all  --  any  any  anywhere  anywhere


TEST testha1:~/svnconfig/etc/iptables# ip6tables -t mangle -vL
Chain PREROUTING (policy ACCEPT 409K packets, 788M bytes)
 pkts bytes target  prot in   out  source    destination
 373K   75M DIVERT  tcp  any  any  anywhere  anywhere     socket

Chain DIVERT (1 references)
 pkts bytes target  prot in   out  source    destination
 373K   75M MARK    all  any  any  anywhere  anywhere     MARK set 0x1
 373K   75M ACCEPT  all  any  any  anywhere  anywhere


I have added the required ip cmds:

    post-up ip rule add fwmark 1 lookup 100
    post-up ip route add local 0.0.0.0/0 dev lo table 100
    post-up ip route add local ::/0 dev lo table 100

listen mail-test-submission
    bind 128.130.xx.yy:587 transparent name submission
    mode tcp
    source 0.0.0.0 usesrc clientip
    log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq

    balance leastconn


That works like a charm.

In IPv6 I set it up accordingly:

listen mail-test-v6-submission
    bind 2001:629:xx:yy::zz:587 transparent name submission
    mode tcp
    source [::] usesrc clientip
    log-format %ci:%cp\ [%t]\ %ft\ %s\ %si:%sp\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq

    balance leastconn


There with the source line it fails to connect.

I see on the outside interface a Syn, Syn->Ack, Ack TCP flow, but on the 
inside (HAproxy to application Server) I see only Syn, Syn-Ack, Syn, 
Syn-Ack traffic.


HAproxy (1.8.19-1, Debian Buster) is running as root.

Does anyone have such a setup running and might be able to help? I haven't found 
any hints on this problem...


Thanks
Philipp

--
---
DI Mag. Philipp Kolmann  mail: philipp.kolm...@tuwien.ac.at
Technische Universitaet Wien   web: www.it.tuwien.ac.at
IT Solutions - Applications  tel: +43(1)58801-42011
Operngasse 11, A-1040 Wien DVR: 0005886
---





Re: Transparent proxy that doesn't destroy your default gateway

2016-04-06 Thread Igor Cicimov
On Wed, Apr 6, 2016 at 11:34 PM, Lukas Erlacher  wrote:

> Addendum:
>
> On the load balancer,
>
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> will match *all* packets (for example the packets of your SSH connection,
> since there is undoubtedly a socket for those SSH packets), at least it
> does on my system; this is much nicer IMO:
>
> iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j DIVERT
>
> The addition of --transparent restricts the matching to packets going to
> transparent sockets, which are the packets sent back to the load balancer
> from the backend.
>
> The end result may be pretty much the same (lots of packets end up being
> delivered locally, some of which would have been dropped because they
> aren't carrying a destination IP address that is actually on the load
> balancer), but it's much less invasive.
>
> Again, if you don't have a dedicated IP for the load balancer (you
> probably should have, because you probably want a virtual IP for failover),
> you can just match the port instead.
>
> Best,
> Luke
>
>
Thanks Lukas, I find this very useful and think the details provided in
both your emails are worth updating the blog post or coming up with a new one
if an update is not possible.

Cheers,
Igor


Re: Transparent proxy that doesn't destroy your default gateway

2016-04-06 Thread Lukas Erlacher
Addendum:

On the load balancer,

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

will match *all* packets (for example the packets of your SSH connection, since 
there is undoubtedly a socket for those SSH packets), at least it does on my 
system; this is much nicer IMO:

iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j DIVERT

The addition of --transparent restricts the matching to packets going to 
transparent sockets, which are the packets sent back to the load balancer from 
the backend.

The end result may be pretty much the same (lots of packets end up being 
delivered locally, some of which would have been dropped because they aren't 
carrying a destination IP address that is actually on the load balancer), but 
it's much less invasive.

Again, if you don't have a dedicated IP for the load balancer (you probably 
should have, because you probably want a virtual IP for failover), you can just 
match the port instead.

Best,
Luke





Re: getting transparent proxy to work.

2015-08-27 Thread Baptiste
Hi Rich,

That's why I wanted to fix your issue step by step.
I didn't want to add too much complexity from the first step.

The question you're asking corresponds to the last step. And as Igor
mentioned, you should use keepalived to create a VIP which will be used as
the default gateway by your web servers. You can simply use any of the VIPs
handling the web traffic.

Baptiste



On Thu, Aug 27, 2015 at 4:25 AM, Igor Cicimov 
ig...@encompasscorporation.com wrote:

 Obviously you need to have a separate VIP for the 10.10.130.30 and
 10.10.130.31 and use that as a DGW on the backend servers.

 On Thu, Aug 27, 2015 at 9:24 AM, Rich Vigorito ri...@ocp.org wrote:

 In regards to setting up the default gateway on the webservers, I'm
 confused on how that would work with having a load balanced haproxy
 environment w/ keepalive.


 Attached is our diagram of haproxy/webserver architecture.  When it says
 have the default gateway point back to haproxy, is it saying the VIP or the
 haproxy box ip? In the case of the default gateway being that of the vip, how
 would that work because there are multiple VIPs? In the case of changing the
 default gateway to the haproxy box, how would that work in a failover?


 I wouldn't assume that our setup is unique because I'm sure most people use
 haproxy for more than one website and most have haproxy load balanced w/
 keepalive or pacemaker or something along those lines.


 Thanks in advance,

 --Rich
 --
 *From:* Bryan Talbot bryan.tal...@ijji.com
 *Sent:* Thursday, August 20, 2015 4:27 PM
 *To:* Rich Vigorito
 *Cc:* Bryan Talbot; Baptiste; HAProxy
 *Subject:* Re: getting transparent proxy to work.

 On Thu, Aug 20, 2015 at 4:05 PM, Rich Vigorito ri...@ocp.org wrote:

 Reading this:
 http://blog.haproxy.com/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/
 about PROXY protocol, what needs to happen for PROXY protocol to be
 recognized by the web server?

 The webserver needs to support it. There is a (probably incomplete) list
 here: http://blog.haproxy.com/haproxy/proxy-protocol/



 Im assuming the haproxy server already does?


 Yes, of course.

 -Bryan




 --
 Igor Cicimov | DevOps


 p. +61 (0) 433 078 728
 e. ig...@encompasscorporation.com http://encompasscorporation.com/
 w. encompasscorporation.com
 a. Level 4, 65 York Street, Sydney 2000



Re: getting transparent proxy to work.

2015-08-20 Thread Bryan Talbot
On Thu, Aug 20, 2015 at 4:05 PM, Rich Vigorito ri...@ocp.org wrote:

 Reading this:
 http://blog.haproxy.com/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/
 about PROXY protocol, what needs to happen for PROXY protocol to be
 recognized by the web server?

The webserver needs to support it. There is a (probably incomplete) list
here: http://blog.haproxy.com/haproxy/proxy-protocol/



 Im assuming the haproxy server already does?


 Yes, of course.

-Bryan


Re: getting transparent proxy to work.

2015-08-20 Thread Rich Vigorito
Reading this: 
http://blog.haproxy.com/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/
about PROXY protocol, what needs to happen for PROXY protocol to be recognized 
by the web server? I'm assuming the haproxy server already does?


Thanks in advance!


From: Bryan Talbot bryan.tal...@ijji.com
Sent: Thursday, August 20, 2015 2:16 PM
To: Rich Vigorito
Cc: Baptiste; HAProxy
Subject: Re: getting transparent proxy to work.

On Wed, Aug 19, 2015 at 3:26 PM, Rich Vigorito 
ri...@ocp.orgmailto:ri...@ocp.org wrote:
I should also clarify the goal of using this approach was to do TLS from router 
to haproxy and onto webservers but to preserve the client IP. The other thought 
I had was to SSL terminate on haproxy box and initiate new TLS handshake from 
haproxy to webservers. Though I'm assuming transparent proxy will mean less work 
for haproxy server. Is this second approach even possible? To accomplish the 
goal of TLS all the way through the call all I've seen is the transparent proxy 
solution which I've been struggling with.

Transparent proxying might be one way to get the client IP onto the backend 
servers but there are others too as you've mentioned and those might be much 
easier.

Yes, you can terminate SSL on haproxy and make a new SSL connection to the 
backend. With that, you'd probably need to add the X-Forwarded-For http header 
(use 'mode http') and configure your webserver to use XFF too.

If your webserver or app can support the haproxy PROXY protocol, that might 
also be an option for you and allows you to pass-through the SSL (not 
terminated at haproxy) to the backend if you need that.

-Bryan




Re: getting transparent proxy to work.

2015-08-20 Thread Bryan Talbot
On Wed, Aug 19, 2015 at 3:26 PM, Rich Vigorito ri...@ocp.org wrote:

 I should also clarify the goal of using this approach was to do TLS from
 router to haproxy and onto webservers but to preserve the client IP. The
 other thought I had was to SSL terminate on haproxy box and initiate new
 TLS handshake from haproxy to webservers. Though I'm assuming transparent
 proxy will mean less work for haproxy server. Is this second approach even
 possible? To accomplish the goal of TLS all the way through the call all
 I've seen is the transparent proxy solution which I've been struggling with.


Transparent proxying might be one way to get the client IP onto the backend
servers but there are others too as you've mentioned and those might be
much easier.

Yes, you can terminate SSL on haproxy and make a new SSL connection to the
backend. With that, you'd probably need to add the X-Forwarded-For http
header (use 'mode http') and configure your webserver to use XFF too.

If your webserver or app can support the haproxy PROXY protocol, that
might also be an option for you and allows you to pass-through the SSL (not
terminated at haproxy) to the backend if you need that.

-Bryan


Re: getting transparent proxy to work.

2015-08-20 Thread Baptiste
On Tue, Aug 18, 2015 at 6:19 PM, Rich Vigorito ri...@ocp.org wrote:
 After changing the default gateway of the web servers to 10.10.130.79 this 
 didn't fix it. The site we were testing on, and then all the other sites as 
 well were unresponsive. So what I was unclear on is if we changed the default 
 gateway to the vip of the test site we were using on the web server, how 
 would the other web sites served from the box work. We have 4 sites on that 
 box all w/ different VIPs for each. So we expected the other sites to fail 
 and perhaps the test site to succeed but this wasn't the case. In the case of 
 the test site traffic was getting to the web server to haproxy but not 
 returning to either haproxy or the workstation making the request.

 I'd just like to clarify a few of my assumptions about this doc: 
 http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

 Linux Kernel requirements
 You have to ensure your kernel has been compiled with the following options:
   – CONFIG_NETFILTER_TPROXY
   – CONFIG_NETFILTER_XT_TARGET_TPROXY

  this to be done on haproxy boxes (not the webservers), ie:
  [richv@haproxy2 ~]$  lsmod | grep -i tproxy
  xt_TPROXY  17327  0
  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
  nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

 and: [richv@haproxy2 ~]$ grep -i tproxy /boot/*
 /boot/config-3.10.0-229.4.2.el7.x86_64:CONFIG_NETFILTER_XT_TARGET_TPROXY=m

 ** note, I'm using CentOS 7. In the boot file I see 
 CONFIG_NETFILTER_XT_TARGET_TPROXY; in lsmod output I only see xt_TPROXY. Is this 
 correct, or should I see both CONFIG_NETFILTER_TPROXY and 
 CONFIG_NETFILTER_XT_TARGET_TPROXY in lsmod output or the boot file?
 

 sysctl settings
 The following sysctls must be enabled:
   – net.ipv4.ip_forward
   – net.ipv4.ip_nonlocal_bind

  this to be done on haproxy boxes (not the webservers), ie:
 [richv@haproxy2 ~]$ sudo sysctl -p
  vm.swappiness = 0
  net.ipv4.ip_nonlocal_bind = 1
  net.ipv4.ip_forward = 1
 ---

 iptables rules
 You must setup the following iptables rules:
 iptables -t mangle -N DIVERT
 iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
 iptables -t mangle -A DIVERT -j MARK --set-mark 1
 iptables -t mangle -A DIVERT -j ACCEPT

  this to be done on haproxy boxes (not the webservers), ie:
 haproxy2 sudo iptables -L -n -t mangle
  Chain PREROUTING (policy ACCEPT)
  target prot opt source   destination
  DIVERT tcp  --  0.0.0.0/00.0.0.0/0socket
  [...]
  Chain DIVERT (1 references)
  target prot opt source   destination
  MARK   all  --  0.0.0.0/00.0.0.0/0MARK set 0x1
  ACCEPT all  --  0.0.0.0/00.0.0.0/0

 
 IP route rules
 Then, tell the Operating System to forward packets marked by iptables to the 
 loopback where HAProxy can catch them:
 ip rule add fwmark 1 lookup 100
 ip route add local 0.0.0.0/0 dev lo table 100
  this to be done on haproxy boxes (not the webservers), ie:

 haproxy2  ip rule show
  0: from all lookup local
  32762: from all fwmark 0x1 lookup 100
  32766: from all lookup main
  32767: from all lookup default

 haproxy ip route show table 100
  local default dev lo  scope host

 

 In summary for my setup, everything in that tutorial is to be performed on 
 the haproxy box, not the web servers?


Hi Rich,

This has to be performed on the HAProxy box only.
On your web server, you must change the default gateway to your HAProxy box.

If you did all of this and this is still not working, then it deserves
a deeper analysis of your whole platform with hands on the servers.

Baptiste
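Added example (my own, not code from any post in these threads): a POSIX sh audit of the Linux-side plumbing Rich walks through above, extended with the two points raised in the 2016 and 2019 threads further up the page, Lukas's `--transparent` socket match and Philipp's separate `ip -6 rule` for IPv6. The check functions take command output as text, so the constructed samples (labelled in the code) run anywhere; `--live` reads the real state and assumes ip, iptables-save, ip6tables-save and sysctl are available.

```sh
#!/bin/sh
# tproxy_check.sh (added example, not from the list): audit the Linux
# plumbing that HAProxy transparent mode ("source 0.0.0.0 usesrc clientip")
# depends on. Every check_* function takes command output as text and
# prints one line per finding (no output = pass), so the same logic runs
# against live commands (--live) or against the constructed samples below.

MARK_HEX=0x1   # fwmark set by the DIVERT chain (--set-mark 1)
TABLE=100      # routing table that holds the "local default dev lo" route

# Policy rule "from all fwmark 0x1 lookup 100". `ip rule add` only touches
# the IPv4 rules; IPv6 needs a separate `ip -6 rule add`, which is what was
# missing when the IPv6 submission listener could not connect.
check_rule() { # $1 = family label (v4|v6); $2 = output of `ip [-6] rule show`
    printf '%s\n' "$2" | grep -q "fwmark ${MARK_HEX} lookup ${TABLE}" ||
        echo "${1}: no policy rule 'fwmark ${MARK_HEX} lookup ${TABLE}'"
}

# Table 100 must deliver everything to the local host.
check_route() { # $1 = family label; $2 = output of `ip [-6] route show table 100`
    printf '%s\n' "$2" | grep -q '^local default dev lo' ||
        echo "${1}: table ${TABLE} has no 'local default dev lo' route"
}

# mangle table as printed by iptables-save/ip6tables-save: PREROUTING sends
# socket-matched TCP to DIVERT, which marks and accepts. The socket match
# should carry --transparent so that only replies aimed at HAProxy's
# transparent sockets are diverted, not every packet with a local socket.
check_mangle() { # $1 = family label; $2 = output of `iptables-save -t mangle`
    t=$2
    printf '%s\n' "$t" | grep -q '^-A PREROUTING -p tcp -m socket.* -j DIVERT$' ||
        echo "${1}: PREROUTING has no 'socket -> DIVERT' rule"
    printf '%s\n' "$t" | grep -q '^-A PREROUTING -p tcp -m socket --transparent -j DIVERT$' ||
        echo "${1}: socket match lacks --transparent (diverts all locally-socketed TCP)"
    printf '%s\n' "$t" | grep -Eq '^-A DIVERT -j MARK --set-(xmark 0x1/0xffffffff|mark (1|0x1))$' ||
        echo "${1}: DIVERT does not set mark ${MARK_HEX}"
    printf '%s\n' "$t" | grep -q '^-A DIVERT -j ACCEPT$' ||
        echo "${1}: DIVERT does not ACCEPT"
}

# Both sysctls must read 1 (output of `sysctl net.ipv4.ip_forward net.ipv4.ip_nonlocal_bind`).
check_sysctl() { # $1 = sysctl output
    for key in net.ipv4.ip_forward net.ipv4.ip_nonlocal_bind; do
        printf '%s\n' "$1" | grep -q "^${key} = 1\$" ||
            echo "sysctl ${key} is not 1"
    done
}

# Run every check in order; prints findings, nothing when the box matches
# the documented setup for both address families.
audit() { # $1 rule4 $2 rule6 $3 route4 $4 route6 $5 mangle4 $6 mangle6 $7 sysctl
    check_rule v4 "$1";   check_rule v6 "$2"
    check_route v4 "$3";  check_route v6 "$4"
    check_mangle v4 "$5"; check_mangle v6 "$6"
    check_sysctl "$7"
}

# Live mode on the HAProxy box (root needed for the *-save commands).
audit_live() {
    audit "$(ip rule show)" "$(ip -6 rule show)" \
          "$(ip route show table "$TABLE")" "$(ip -6 route show table "$TABLE")" \
          "$(iptables-save -t mangle)" "$(ip6tables-save -t mangle)" \
          "$(sysctl net.ipv4.ip_forward net.ipv4.ip_nonlocal_bind)"
}

# Constructed sample output mirroring a box set up as in the thread.
GOOD_RULE='0: from all lookup local
32762: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'
GOOD_ROUTE='local default dev lo scope host'
GOOD_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket --transparent -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'
GOOD_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.ip_nonlocal_bind = 1'
# Constructed `ip -6 rule show` after only the IPv4 `ip rule add` was run.
MISSING_V6_RULE='0: from all lookup local
32766: from all lookup main'

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    echo "# constructed good case (expect no findings):"
    audit "$GOOD_RULE" "$GOOD_RULE" "$GOOD_ROUTE" "$GOOD_ROUTE" "$GOOD_MANGLE" "$GOOD_MANGLE" "$GOOD_SYSCTL"
    echo "# constructed case with the IPv6 rule missing:"
    audit "$GOOD_RULE" "$MISSING_V6_RULE" "$GOOD_ROUTE" "$GOOD_ROUTE" "$GOOD_MANGLE" "$GOOD_MANGLE" "$GOOD_SYSCTL"
fi
```

Run it with `--live` on the HAProxy box after applying the steps; an empty result means every item in the checklist is present for both IPv4 and IPv6.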



Re: getting transparent proxy to work.

2015-08-19 Thread Rich Vigorito
I should also clarify the goal of using this approach was to do TLS from router 
to haproxy and onto webservers but to preserve the client IP. The other thought 
I had was to SSL terminate on haproxy box and initiate new TLS handshake from 
haproxy to webservers. Though I'm assuming transparent proxy will mean less work 
for haproxy server. Is this second approach even possible? To accomplish the 
goal of TLS all the way through the call all I've seen is the transparent proxy 
solution which I've been struggling with. 

From: Rich Vigorito
Sent: Tuesday, August 18, 2015 9:19 AM
To: Baptiste
Cc: HAProxy
Subject: Re: getting transparent proxy to work.

After changing the default gateway of the web servers to 10.10.130.79 this 
didn't fix it. The site we were testing on, and then all the other sites as well 
were unresponsive. So what I was unclear on is if we changed the default 
gateway to the vip of the test site we were using on the web server, how would 
the other web sites served from the box work. We have 4 sites on that box all 
w/ different VIPs for each. So we expected the other sites to fail and perhaps 
the test site to succeed but this wasn't the case. In the case of the test site 
traffic was getting to the web server to haproxy but not returning to either 
haproxy or the workstation making the request.

I'd just like to clarify a few of my assumptions about this doc: 
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

Linux Kernel requirements
You have to ensure your kernel has been compiled with the following options:
  – CONFIG_NETFILTER_TPROXY
  – CONFIG_NETFILTER_XT_TARGET_TPROXY

 this to be done on haproxy boxes (not the webservers), ie:
 [richv@haproxy2 ~]$  lsmod | grep -i tproxy
 xt_TPROXY  17327  0
 nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
 nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

and: [richv@haproxy2 ~]$ grep -i tproxy /boot/*
/boot/config-3.10.0-229.4.2.el7.x86_64:CONFIG_NETFILTER_XT_TARGET_TPROXY=m

** note, I'm using CentOS 7. In the boot file I see 
CONFIG_NETFILTER_XT_TARGET_TPROXY; in lsmod output I only see xt_TPROXY. Is this 
correct, or should I see both CONFIG_NETFILTER_TPROXY and 
CONFIG_NETFILTER_XT_TARGET_TPROXY in lsmod output or the boot file?


sysctl settings
The following sysctls must be enabled:
  – net.ipv4.ip_forward
  – net.ipv4.ip_nonlocal_bind

 this to be done on haproxy boxes (not the webservers), ie:
[richv@haproxy2 ~]$ sudo sysctl -p
 vm.swappiness = 0
 net.ipv4.ip_nonlocal_bind = 1
 net.ipv4.ip_forward = 1
---

iptables rules
You must setup the following iptables rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

 this to be done on haproxy boxes (not the webservers), ie:
haproxy2 sudo iptables -L -n -t mangle
 Chain PREROUTING (policy ACCEPT)
 target prot opt source   destination
 DIVERT tcp  --  0.0.0.0/00.0.0.0/0socket
 [...]
 Chain DIVERT (1 references)
 target prot opt source   destination
 MARK   all  --  0.0.0.0/00.0.0.0/0MARK set 0x1
 ACCEPT all  --  0.0.0.0/00.0.0.0/0


IP route rules
Then, tell the Operating System to forward packets marked by iptables to the 
loopback where HAProxy can catch them:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
 this to be done on haproxy boxes (not the webservers), ie:

haproxy2  ip rule show
 0: from all lookup local
 32762: from all fwmark 0x1 lookup 100
 32766: from all lookup main
 32767: from all lookup default

haproxy ip route show table 100
 local default dev lo  scope host



In summary for my setup, everything in that tutorial is to be performed on the 
haproxy box, not the web servers?




From: Baptiste bed...@gmail.com
Sent: Friday, August 14, 2015 1:07 AM
To: Rich Vigorito
Cc: HAProxy
Subject: Re: getting transparent proxy to work.

temporary just for the troubleshooting period, and validate this is
the root of your issue.
The definitive solution belongs to you then!

Please clarify the rest of your email. I don't understand what IPs or
loopbacks you're speaking about.

Before going further, please apply the default gateway change and
confirm it works after this.

Baptiste



On Thu, Aug 13, 2015 at 10:28 PM

Re: getting transparent proxy to work.

2015-08-18 Thread Rich Vigorito
After changing the default gateway of the web servers to 10.10.130.79 this 
didn't fix it. The site we were testing on, and then all the other sites as well 
were unresponsive. So what I was unclear on is if we changed the default 
gateway to the vip of the test site we were using on the web server, how would 
the other web sites served from the box work. We have 4 sites on that box all 
w/ different VIPs for each. So we expected the other sites to fail and perhaps 
the test site to succeed but this wasn't the case. In the case of the test site 
traffic was getting to the web server to haproxy but not returning to either 
haproxy or the workstation making the request. 

I'd just like to clarify a few of my assumptions about this doc: 
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

Linux Kernel requirements
You have to ensure your kernel has been compiled with the following options:
  – CONFIG_NETFILTER_TPROXY
  – CONFIG_NETFILTER_XT_TARGET_TPROXY

 this to be done on haproxy boxes (not the webservers), ie:
 [richv@haproxy2 ~]$  lsmod | grep -i tproxy
 xt_TPROXY  17327  0
 nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
 nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

and: [richv@haproxy2 ~]$ grep -i tproxy /boot/*
/boot/config-3.10.0-229.4.2.el7.x86_64:CONFIG_NETFILTER_XT_TARGET_TPROXY=m

** note, I'm using CentOS 7. In the boot file I see 
CONFIG_NETFILTER_XT_TARGET_TPROXY; in lsmod output I only see xt_TPROXY. Is this 
correct, or should I see both CONFIG_NETFILTER_TPROXY and 
CONFIG_NETFILTER_XT_TARGET_TPROXY in lsmod output or the boot file? 


sysctl settings
The following sysctls must be enabled:
  – net.ipv4.ip_forward
  – net.ipv4.ip_nonlocal_bind

 this to be done on haproxy boxes (not the webservers), ie:
[richv@haproxy2 ~]$ sudo sysctl -p
 vm.swappiness = 0
 net.ipv4.ip_nonlocal_bind = 1
 net.ipv4.ip_forward = 1
---

iptables rules
You must setup the following iptables rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

 This is to be done on the haproxy boxes (not the web servers), i.e.:
haproxy2 sudo iptables -L -n -t mangle
 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination
 DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
 [...]
 Chain DIVERT (1 references)
 target     prot opt source               destination
 MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0


IP route rules
Then, tell the Operating System to forward packets marked by iptables to the 
loopback where HAProxy can catch them:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
 This is to be done on the haproxy boxes (not the web servers), i.e.:

haproxy2  ip rule show
 0: from all lookup local
 32762: from all fwmark 0x1 lookup 100 
 32766: from all lookup main
 32767: from all lookup default

haproxy ip route show table 100
 local default dev lo  scope host



In summary for my setup, everything in that tutorial is to be performed on the 
haproxy box, not the web servers?




From: Baptiste bed...@gmail.com
Sent: Friday, August 14, 2015 1:07 AM
To: Rich Vigorito
Cc: HAProxy
Subject: Re: getting transparent proxy to work.


Re: getting transparent proxy to work.

2015-08-14 Thread Baptiste
Temporarily, just for the troubleshooting period, to validate that this is
the root of your issue.
The definitive solution belongs to you then!

Please clarify the rest of your email. I don't understand what IPs or
loopbacks you're speaking about.

Before going further, please apply the default gateway change and
confirm it works after this.

Baptiste



On Thu, Aug 13, 2015 at 10:28 PM, Rich Vigorito ri...@ocp.org wrote:
 A couple of clarifications. What do you mean by temporary? ... this wouldn't be
 needed indefinitely? What I've articulated is only one site served through the
 2 web servers. Our web servers serve multiple sites; how to accommodate this?
 I.e., couldn't have 5 different IPs in the loopback?
 

Re: getting transparent proxy to work.

2015-08-13 Thread Baptiste
Hi Rich,

So here is your problem.
Please temporarily change this default gateway of the web servers to
the active VIP: 10.10.130.79.
What happens, and what you highlighted in your diagrams, is that HAProxy
creates the TCP connection with the client IP.
By default, the server tries to talk to the client directly, but the
client is not aware of HAProxy's connection and it refuses it.
If you route back your traffic to HAProxy, then HAProxy will handle
this connection and perform the relation with the real client.

More information here:
http://blog.haproxy.com/2011/08/03/layer-7-load-balancing-transparent-proxy-mode/

Baptiste


On Thu, Aug 13, 2015 at 2:29 AM, Rich Vigorito ri...@ocp.org wrote:
 No, inside the firewall there is one default gateway: 10.10.130.1

 The web servers and haproxy servers have one interface, I believe

 Sent from my Verizon Wireless 4G LTE DROID



RE: getting transparent proxy to work.

2015-08-13 Thread Rich Vigorito
A couple of clarifications. What do you mean by temporary? ... this wouldn't be
needed indefinitely? What I've articulated is only one site served through the 2
web servers. Our web servers serve multiple sites; how to accommodate this? I.e.,
couldn't have 5 different IPs in the loopback?

From: Baptiste bed...@gmail.com
Sent: Wednesday, August 12, 2015 11:41 PM
To: Rich Vigorito
Cc: HAProxy
Subject: Re: getting transparent proxy to work.

Hi Rich,

So here is your problem.
Please temporarily change this default gateway of the web servers to
the active VIP: 10.10.130.79.
What happens, and what you highlighted in your diagrams, is that HAProxy
creates the TCP connection with the client IP.
By default, the server tries to talk to the client directly, but the
client is not aware of HAProxy's connection and it refuses it.
If you route back your traffic to HAProxy, then HAProxy will handle
this connection and perform the relation with the real client.

More information here:
http://blog.haproxy.com/2011/08/03/layer-7-load-balancing-transparent-proxy-mode/

Baptiste


RE: getting transparent proxy to work.

2015-08-12 Thread Rich Vigorito
Also for clarification, the config listed in here is the config I used. The
only difference between the 2 tests is removing:

source 0.0.0.0 usesrc clientip

Removing it, load balancing works; keeping it in the config, load balancing
doesn't work.

-Rich

From: Rich Vigorito ri...@ocp.org
Sent: Monday, August 10, 2015 5:22 PM
To: Baptiste
Cc: haproxy@formilux.org
Subject: RE: getting transparent proxy to work.

Thank you very much for all the help, and yes, you were correct about the
capture I reported being the health check. Attached are 2 PNGs: one w/ our
simple diagram of network topology and the other being what the network admin
and I thought was happening in our TCP handshake. This was determined by loading
a tcpdump into Wireshark. Those 2 files are dump.pcap (which was on the haproxy
box) and web1_dump.pcap (which was taken on the web server). What is happening
is I don't think the web server knows how to communicate back to the haproxy box.
The iptables rules and the ip rule and ip route commands from the blog post, in
my setup would that be done on the haproxy boxes or the web servers?

From: Baptiste bed...@gmail.com
Sent: Saturday, August 8, 2015 8:38 AM
To: Rich Vigorito
Cc: haproxy@formilux.org
Subject: Re: getting transparent proxy to work.

On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito ri...@ocp.org wrote:
 Hello, this is my first time using the mailing list. I have the following
 issue.


 Followed steps to enable transparent proxy outlined here:

 Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer
 | HAProxy Technologies – Aloha Load Balancer


 It will not load balance however w/ the following line added:


 source 0.0.0.0 usesrc clientip

 Here is all the configuration and setup relevant:


 bash lsmod | grep -i tproxy
  xt_TPROXY  17327  0
  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
  nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

 bash sudo sysctl -p
  vm.swappiness = 0
  net.ipv4.ip_nonlocal_bind = 1
  net.ipv4.ip_forward = 1

 bash sudo iptables -L -n -t mangle
  Chain PREROUTING (policy ACCEPT)
  target     prot opt source               destination
  DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
  [...]
  Chain DIVERT (1 references)
  target     prot opt source               destination
  MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

 bash  ip rule show
  0: from all lookup local
  32762: from all fwmark 0x1 lookup 100
  32766: from all lookup main
  32767: from all lookup default

 bash ip route show table 100
  local default dev lo  scope host

 #haproxy.cfg
 frontend layer4-listener
  bind *:80  transparent
  bind *:443 transparent
  bind *:3306
  bind *:8080
  mode tcp
  option  tcplog
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  acl is_esp dst 10.10.130.79
  acl is_tls dst_port 443
  use_backend site_http if is_esp !is_tls
  use_backend site_https if is_esp is_tls
 backend site_https
  mode tcp
  option tcpka
  option tcp-check
  #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
  server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
  server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3

 bash haproxy -vv
  HA-Proxy version 1.5.4 2014/09/02
  Copyright 2000-2014 Willy Tarreau w...@1wt.eu
  Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
 USE_PCRE=1

 bash uname -r
  3.10.0-229.4.2.el7.x86_64


 Our network admin indicated the following:


 A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
 A SYN-ACK packet from web1 back to haproxy2
 A RST packet from haproxy2 to web1.


 Anyone able/willing to help and/or give insight into this issue?


 Thanks


Hi Rich,

the information you provide is quite inaccurate.
I've already reported this on stackoverflow where you first posted
your question.

Here, for example, you ran multiple tests, with different
configurations but you don't tell us during which one did your network
admin saw the network he described.

First point, the network packets reported by your network admin seem
to be a health check...
Second, it is hard to help troubleshooting transparent proxy without a
network diagram. So please draw and share the simplest one showing a
client, haproxy and a server, with their respective interfaces, IPs
and default gateway.

Last, a TCPdump on HAProxy box showing the traffic on the interface
between haproxy and the server for the IP address of the client.

Baptiste

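The five prerequisite steps from the howto (kernel module, sysctls, mangle DIVERT/MARK rules, fwmark policy rule, local route in table 100) appear twice on this page: in the original post quoted above and in Rich's later walkthrough of his assumptions. As an added example, not code from the thread or from HAProxy, here is an offline checker that parses captured `lsmod`, `sysctl`, `iptables -S -t mangle`, `ip rule show` and `ip route show table 100` output from the HAProxy box and reports which steps are missing; the sample captures are constructed from the outputs posted in the thread, and `iptables -S` is an assumption in place of the `-L -n` listing the thread pasted.

```python
"""Offline checker for the TPROXY prerequisites walked through in this thread
(kernel module, sysctls, mangle DIVERT/MARK rules, fwmark policy rule, local
route in table 100).  It parses captured command output, so it runs
unprivileged on text copied off the HAProxy box."""
import re

# Constructed sample captures, shaped after the outputs posted in the thread.
# Assumption: the mangle table is captured with `iptables -S -t mangle`, whose
# output is rule syntax and is easier to parse than the `-L -n` listing pasted.
LSMOD_OK = """\
xt_TPROXY              17327  0
nf_defrag_ipv6         34651  2 xt_socket,xt_TPROXY
nf_defrag_ipv4         12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
"""
SYSCTL_OK = """\
vm.swappiness = 0
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
"""
MANGLE_OK = """\
-P PREROUTING ACCEPT
-N DIVERT
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
"""
IP_RULE_OK = """\
0:\tfrom all lookup local
32762:\tfrom all fwmark 0x1 lookup 100
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
TABLE_100_OK = "local default dev lo scope host\n"

def loaded_modules(lsmod_text):
    """Module names from `lsmod` output (the header line is harmless)."""
    return {line.split()[0] for line in lsmod_text.splitlines() if line.strip()}

def parse_sysctl(sysctl_text):
    """Dict of key -> value from 'key = value' lines (sysctl -a / sysctl -p)."""
    out = {}
    for line in sysctl_text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def mangle_marks_sockets(mangle_text, mark=1):
    """True if a PREROUTING rule matching `-m socket` ends up applying MARK
    `mark`, either directly or via a user chain such as DIVERT."""
    socket_jumps = set()    # targets that -m socket packets jump to
    marking_chains = set()  # chains holding a MARK rule for `mark`
    for line in mangle_text.splitlines():
        m = re.match(r"-A PREROUTING\b.*\s-m socket\b.*\s-j (\S+)", line)
        if m:
            socket_jumps.add(m.group(1))
        m = re.match(r"-A (\S+)\b.*\s-j MARK --set-x?mark (0x[0-9a-fA-F]+|\d+)", line)
        if m and int(m.group(2), 0) == mark:   # int(.., 0) accepts '0x1' and '1'
            marking_chains.add(m.group(1))
    direct = "MARK" in socket_jumps and "PREROUTING" in marking_chains
    return direct or bool(socket_jumps & marking_chains)

def fwmark_rule_table(ip_rule_text, mark=1):
    """Table selected by the `fwmark <mark> lookup <table>` policy rule, or None."""
    for line in ip_rule_text.splitlines():
        m = re.search(r"fwmark (0x[0-9a-fA-F]+|\d+)(?:/\S+)? lookup (\S+)", line)
        if m and int(m.group(1), 0) == mark:
            return m.group(2)
    return None

def table_routes_local_lo(table_text):
    """True if the table delivers everything to the local stack via lo."""
    return any(re.match(r"local (default|0\.0\.0\.0/0) dev lo\b", line.strip())
               for line in table_text.splitlines())

def check_tproxy(lsmod, sysctl, mangle, ip_rule, table, mark=1):
    """List of missing prerequisites; an empty list means all five are present."""
    missing = []
    if "xt_TPROXY" not in loaded_modules(lsmod):
        missing.append("xt_TPROXY module not loaded (CONFIG_NETFILTER_XT_TARGET_TPROXY)")
    values = parse_sysctl(sysctl)
    for key in ("net.ipv4.ip_forward", "net.ipv4.ip_nonlocal_bind"):
        if values.get(key) != "1":
            missing.append(f"sysctl {key} is not 1")
    if not mangle_marks_sockets(mangle, mark):
        missing.append(f"mangle PREROUTING does not MARK socket-matched packets with {mark}")
    table_id = fwmark_rule_table(ip_rule, mark)
    if table_id is None:
        missing.append(f"no 'ip rule ... fwmark {mark} lookup <table>' policy rule")
    elif not table_routes_local_lo(table):
        missing.append(f"table {table_id} lacks 'local default dev lo'")
    return missing

if __name__ == "__main__":
    # Second run drops the MARK rule: packets are diverted but never marked,
    # so the fwmark policy rule can never fire.
    no_mark = MANGLE_OK.replace("-A DIVERT -j MARK --set-xmark 0x1/0xffffffff\n", "")
    for label, mangle in (("complete", MANGLE_OK), ("no MARK rule", no_mark)):
        problems = check_tproxy(LSMOD_OK, SYSCTL_OK, mangle, IP_RULE_OK, TABLE_100_OK)
        print(f"{label}: {'; '.join(problems) or 'all prerequisites present'}")
```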


Re: getting transparent proxy to work.

2015-08-12 Thread Baptiste
Do you mean your web servers have 2 interfaces, each one with its own
default gateway?

Baptiste
Le 12 août 2015 23:10, Rich Vigorito ri...@ocp.org a écrit :

 Good to hear. Into the firewall 192.168.0.1 and out of the firewall
 10.10.130.1
 Thanks!

 *Sent from my Verizon Wireless 4G LTE DROID*



Re: getting transparent proxy to work.

2015-08-12 Thread Baptiste
Hi Rich,

Thanks a lot for this info, this is clearer now.
In my first mail, I asked you to provide us the default gateway of the
web servers.
Could you please let us know this information?

Baptiste


On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito ri...@ocp.org wrote:
 Also for clarification, the config listed in here is the config i used. The 
 only difference between the 2 tests is removing:

 source 0.0.0.0 usesrc clientip

 Removing it loadbalancing works, keeping it in the config, load balancing 
 doesnt work

 -Rich
 

Re: getting transparent proxy to work.

2015-08-12 Thread Rich Vigorito
Good to hear. Into the firewall 192.168.0.1 and out of the
firewall 10.10.130.1
Thanks!

Sent from my Verizon Wireless 4G LTE DROID


Baptiste bed...@gmail.com wrote:

Hi Rich,

Thanks a lot for this info, this is clearer now.
In my first mail, I asked you to provide us the default gateway of the
web servers.
Could you please let us know this information?

Baptiste


On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito ri...@ocp.org wrote:
 Also for clarification, the config listed in here is the config i used. The 
 only difference between the 2 tests is removing:

 source 0.0.0.0 usesrc clientip

 Removing it loadbalancing works, keeping it in the config, load balancing 
 doesnt work

 -Rich
 
 From: Rich Vigorito ri...@ocp.org
 Sent: Monday, August 10, 2015 5:22 PM
 To: Baptiste
 Cc: haproxy@formilux.org
 Subject: RE: getting transparent proxy to work.

 Thank you very much for all the help, and yes, you were correct about the 
 capture I reported being the health check. Attached are 2 PNGs: one with our 
 simple diagram of the network topology and the other being what the network 
 admin and I thought was happening in our TCP handshake. This was determined 
 by loading a tcpdump into Wireshark. Those 2 files are dump.pcap (which was 
 on the haproxy box) and web1_dump.pcap (which was taken on the web server). What 
 is happening is I don't think the web server knows how to communicate back to 
 the haproxy box. The iptables rules and the ip rule and ip route commands 
 from the blog post: in my setup, would those be done on the haproxy boxes or 
 the web servers?
 
 From: Baptiste bed...@gmail.com
 Sent: Saturday, August 8, 2015 8:38 AM
 To: Rich Vigorito
 Cc: haproxy@formilux.org
 Subject: Re: getting transparent proxy to work.

 On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito ri...@ocp.org wrote:
 Hello, this is my first time using the mailing list. I have the following
 issue.


 Followed steps to enable transparent proxy outlined here:

 Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer
 | HAProxy Technologies – Aloha Load Balancer


 It will not load balance however w/ the following line added:


 source 0.0.0.0 usesrc clientip

 Here is all the configuration and setup relevant:


 bash lsmod | grep -i tproxy
  xt_TPROXY  17327  0
  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
  nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

 bash sudo sysctl -p
  vm.swappiness = 0
  net.ipv4.ip_nonlocal_bind = 1
  net.ipv4.ip_forward = 1

 bash sudo iptables -L -n -t mangle
  Chain PREROUTING (policy ACCEPT)
  target prot opt source     destination
  DIVERT tcp  --  0.0.0.0/0  0.0.0.0/0  socket
  [...]
  Chain DIVERT (1 references)
  target prot opt source     destination
  MARK   all  --  0.0.0.0/0  0.0.0.0/0  MARK set 0x1
  ACCEPT all  --  0.0.0.0/0  0.0.0.0/0

 bash  ip rule show
  0: from all lookup local
  32762: from all fwmark 0x1 lookup 100
  32766: from all lookup main
  32767: from all lookup default

 bash ip route show table 100
  local default dev lo  scope host

 #haproxy.cfg
 frontend layer4-listener
  bind *:80  transparent
  bind *:443 transparent
  bind *:3306
  bind *:8080
  mode tcp
  option  tcplog
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  acl is_esp dst 10.10.130.79
  acl is_tls dst_port 443
  use_backend site_http if is_esp !is_tls
  use_backend site_https if is_esp is_tls
 backend site_https
  mode tcp
  option tcpka
  option tcp-check
  #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
  server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
  server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3

 bash haproxy -vv
  HA-Proxy version 1.5.4 2014/09/02
  Copyright 2000-2014 Willy Tarreau w...@1wt.eu
  Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

 bash uname -r
  3.10.0-229.4.2.el7.x86_64


 Our network admin indicated the following:


 A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
 A SYN-ACK packet from web1 back to haproxy2
 A RST packet from haproxy2 to web1.


 Anyone able/willing to help and/or give insight into this issue?


 Thanks


 Hi Rich,

 the information you provide is quite inaccurate.
 I've already reported this on stackoverflow where you first posted
 your question.

 Here, for example, you ran multiple tests, with different
 configurations but you don't tell us during which one did your network
 admin saw the network he described.

 First point, the network packets reported

Re: getting transparent proxy to work.

2015-08-12 Thread Rich Vigorito
No, inside the firewall one default gateway: 10.10.130.1

The web servers and haproxy servers have one interface I believe

Sent from my Verizon Wireless 4G LTE DROID


Baptiste bed...@gmail.com wrote:


Do you mean your web servers have 2 interfaces, each one with its own default 
gateway?

Baptiste

On 12 Aug 2015 23:10, Rich Vigorito ri...@ocp.org wrote:
Good to hear. Into the firewall 192.168.0.1 and out of the
firewall 10.10.130.1
Thanks!

Sent from my Verizon Wireless 4G LTE DROID


Baptiste bed...@gmail.com wrote:

Hi Rich,

Thanks a lot for this info, this is clearer now.
In my first mail, I asked you to provide us with the default gateway of the
web servers.
Could you please let us know this information?

Baptiste


On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito ri...@ocp.org wrote:
 Also for clarification, the config listed in here is the config I used. The 
 only difference between the 2 tests is removing:

 source 0.0.0.0 usesrc clientip

 Removing it, load balancing works; keeping it in the config, load balancing 
 doesn't work.

 -Rich
 
 From: Rich Vigorito ri...@ocp.org
 Sent: Monday, August 10, 2015 5:22 PM
 To: Baptiste
 Cc: haproxy@formilux.org
 Subject: RE: getting transparent proxy to work.

 Thank you very much for all the help, and yes, you were correct about the 
 capture I reported being the health check. Attached are 2 PNGs: one with our 
 simple diagram of the network topology and the other being what the network 
 admin and I thought was happening in our TCP handshake. This was determined 
 by loading a tcpdump into Wireshark. Those 2 files are dump.pcap (which was 
 on the haproxy box) and web1_dump.pcap (which was taken on the web server). What 
 is happening is I don't think the web server knows how to communicate back to 
 the haproxy box. The iptables rules and the ip rule and ip route commands 
 from the blog post: in my setup, would those be done on the haproxy boxes or 
 the web servers?
 
 From: Baptiste bed...@gmail.com
 Sent: Saturday, August 8, 2015 8:38 AM
 To: Rich Vigorito
 Cc: haproxy@formilux.org
 Subject: Re: getting transparent proxy to work.

 On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito ri...@ocp.org wrote:
 Hello, this is my first time using the mailing list. I have the following
 issue.


 Followed steps to enable transparent proxy outlined here:

 Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer
 | HAProxy Technologies – Aloha Load Balancer


 It will not load balance however w/ the following line added:


 source 0.0.0.0 usesrc clientip

 Here is all the configuration and setup relevant:


 bash lsmod | grep -i tproxy
  xt_TPROXY  17327  0
  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
  nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

 bash sudo sysctl -p
  vm.swappiness = 0
  net.ipv4.ip_nonlocal_bind = 1
  net.ipv4.ip_forward = 1

 bash sudo iptables -L -n -t mangle
  Chain PREROUTING (policy ACCEPT)
  target prot opt source     destination
  DIVERT tcp  --  0.0.0.0/0  0.0.0.0/0  socket
  [...]
  Chain DIVERT (1 references)
  target prot opt source     destination
  MARK   all  --  0.0.0.0/0  0.0.0.0/0  MARK set 0x1
  ACCEPT all  --  0.0.0.0/0  0.0.0.0/0

 bash  ip rule show
  0: from all lookup local
  32762: from all fwmark 0x1 lookup 100
  32766: from all lookup main
  32767: from all lookup default

 bash ip route show table 100
  local default dev lo  scope host

 #haproxy.cfg
 frontend layer4-listener
  bind *:80  transparent
  bind *:443 transparent
  bind *:3306
  bind *:8080
  mode tcp
  option  tcplog
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  acl is_esp dst 10.10.130.79
  acl is_tls dst_port 443
  use_backend site_http if is_esp !is_tls
  use_backend site_https if is_esp is_tls
 backend site_https
  mode tcp
  option tcpka
  option tcp-check
  #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
  server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
  server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3

 bash haproxy -vv
  HA-Proxy version 1.5.4 2014/09/02
  Copyright 2000-2014 Willy Tarreau w...@1wt.eu
  Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_TPROXY=1

Re: getting transparent proxy to work.

2015-08-08 Thread Baptiste
On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito ri...@ocp.org wrote:
 Hello, this is my first time using the mailing list. I have the following
 issue.


 Followed steps to enable transparent proxy outlined here:

 Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer
 | HAProxy Technologies – Aloha Load Balancer


 It will not load balance however w/ the following line added:


 source 0.0.0.0 usesrc clientip

 Here is all the configuration and setup relevant:


 bash lsmod | grep -i tproxy
  xt_TPROXY  17327  0
  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
  nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

 bash sudo sysctl -p
  vm.swappiness = 0
  net.ipv4.ip_nonlocal_bind = 1
  net.ipv4.ip_forward = 1

 bash sudo iptables -L -n -t mangle
  Chain PREROUTING (policy ACCEPT)
  target prot opt source     destination
  DIVERT tcp  --  0.0.0.0/0  0.0.0.0/0  socket
  [...]
  Chain DIVERT (1 references)
  target prot opt source     destination
  MARK   all  --  0.0.0.0/0  0.0.0.0/0  MARK set 0x1
  ACCEPT all  --  0.0.0.0/0  0.0.0.0/0

 bash  ip rule show
  0: from all lookup local
  32762: from all fwmark 0x1 lookup 100
  32766: from all lookup main
  32767: from all lookup default

 bash ip route show table 100
  local default dev lo  scope host

 #haproxy.cfg
 frontend layer4-listener
  bind *:80  transparent
  bind *:443 transparent
  bind *:3306
  bind *:8080
  mode tcp
  option  tcplog
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  acl is_esp dst 10.10.130.79
  acl is_tls dst_port 443
  use_backend site_http if is_esp !is_tls
  use_backend site_https if is_esp is_tls
 backend site_https
  mode tcp
  option tcpka
  option tcp-check
  #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
  server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
  server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3

 bash haproxy -vv
  HA-Proxy version 1.5.4 2014/09/02
  Copyright 2000-2014 Willy Tarreau w...@1wt.eu
  Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

 bash uname -r
  3.10.0-229.4.2.el7.x86_64


 Our network admin indicated the following:


 A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
 A SYN-ACK packet from web1 back to haproxy2
 A RST packet from haproxy2 to web1.


 Anyone able/willing to help and/or give insight into this issue?


 Thanks


Hi Rich,

the information you provide is quite inaccurate.
I've already reported this on stackoverflow where you first posted
your question.

Here, for example, you ran multiple tests, with different
configurations but you don't tell us during which one did your network
admin saw the network he described.

First point, the network packets reported by your network admin seem
to be a health check...
Second, it is hard to help troubleshoot a transparent proxy without a
network diagram. So please draw and share the simplest one showing a
client, haproxy and a server, with their respective interfaces, IPs
and default gateway.

Last, a tcpdump on the HAProxy box showing the traffic on the interface
between haproxy and the server for the IP address of the client.

Baptiste



getting transparent proxy to work.

2015-08-07 Thread Rich Vigorito
Hello, this is my first time using the mailing list. I have the following issue.


Followed steps to enable transparent proxy outlined here:

Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer | 
HAProxy Technologies - Aloha Load Balancer
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/


It will not load balance however w/ the following line added:


source 0.0.0.0 usesrc clientip

Here is all the configuration and setup relevant:


bash lsmod | grep -i tproxy
 xt_TPROXY  17327  0
 nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
 nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

bash sudo sysctl -p
 vm.swappiness = 0
 net.ipv4.ip_nonlocal_bind = 1
 net.ipv4.ip_forward = 1

bash sudo iptables -L -n -t mangle
 Chain PREROUTING (policy ACCEPT)
 target prot opt source     destination
 DIVERT tcp  --  0.0.0.0/0  0.0.0.0/0  socket
 [...]
 Chain DIVERT (1 references)
 target prot opt source     destination
 MARK   all  --  0.0.0.0/0  0.0.0.0/0  MARK set 0x1
 ACCEPT all  --  0.0.0.0/0  0.0.0.0/0

bash  ip rule show
 0: from all lookup local
 32762: from all fwmark 0x1 lookup 100
 32766: from all lookup main
 32767: from all lookup default

bash ip route show table 100
 local default dev lo  scope host

#haproxy.cfg
frontend layer4-listener
 bind *:80  transparent
 bind *:443 transparent
 bind *:3306
 bind *:8080
 mode tcp
 option  tcplog
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
 acl is_esp dst 10.10.130.79
 acl is_tls dst_port 443
 use_backend site_http if is_esp !is_tls
 use_backend site_https if is_esp is_tls
backend site_https
 mode tcp
 option tcpka
 option tcp-check
 #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
 server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
 server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3

bash haproxy -vv
 HA-Proxy version 1.5.4 2014/09/02
 Copyright 2000-2014 Willy Tarreau w...@1wt.eu
 Build options :
 TARGET  = linux2628
 CPU = generic
 CC  = gcc
 CFLAGS  = -O2 -g -fno-strict-aliasing
 OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

bash uname -r
 3.10.0-229.4.2.el7.x86_64

Our network admin indicated the following:


  1.  A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
  2.  A SYN-ACK packet from web1 back to haproxy2
  3.  A RST packet from haproxy2 to web1.


Anyone able/willing to help and/or give insight into this issue?


Thanks


RE: Transparent proxy mode

2013-05-21 Thread Lionel PASCAL
Thank you for your help. =)

I'm not sure I understand: according to the haproxy website, it seems that
only 2.6.x kernels are supported. Maybe the information is outdated.
In my case, Haproxy works fine (in NAT mode); only transparent mode causes
problems (Cannot bind to tproxy source address before connect()).
Maybe 3.x kernels only provide non-transparent support? How should I check
this?

By the way, transparent mode is an essential feature. I'm surprised to find
so little information in the documentation (i.e. iptables transparent
settings and additional ip rules are not indicated). Did I miss something?

Thank you! :)

Lionel

My configuration:
-

Lb1 has two interfaces:
Eth0: 192.168.1.1
Eth1: 10.0.0.10

Webserver:
Eth0: 10.0.0.11
Gw: 10.0.0.10

Here are my configuration files:
root@lb1:~# haproxy -vv
HA-Proxy version 1.4.22 2012/08/09
Copyright 2000-2012 Willy Tarreau w...@1wt.eu
Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_TPROXY=1


/etc/sysctl.conf:
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
fs.file-max = 131070


root@lb1:~# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source   destination
DIVERT tcp  --  anywhere anywhere socket

Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source   destination

Chain DIVERT (1 references)
target prot opt source   destination
MARK   all  --  anywhere anywhere MARK set 0x6f
ACCEPT all  --  anywhere anywhere

(with these additional rules:
ip rule add fwmark 111 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100)

---



-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com]
Sent: Saturday, 18 May 2013 08:21
To: Lionel PASCAL
Cc: haproxy@formilux.org
Subject: Re: Transparent proxy mode

Hi Lionel,

It's up to you to check you have the necessary features compiled in your
kernel.
We don't know which features each distribution enables in its kernel.
I guess it should be OK since it's Debian based, and in Debian it works out
of the box.

Have you set up your sysctls?
Have you configured iptables?

Please share with us your procedure and we may be able to help.

Baptiste



On Fri, May 17, 2013 at 6:12 PM, Lionel PASCAL
lionel.pas...@ac-clermont.fr wrote:
 I'm on ubuntu 12.04 LTS

 Kernel  3.2.0-40-generic



 I'm trying to enable transparent proxy mode but it does not work:

 Cannot bind to tproxy source address before connect() for proxy server011.
 Aborting.



 Is this functionality supported on this kernel?

 Should I try on Ubuntu 10?



 Thanks!



 --

 Lionel





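The prerequisites that Rich Vigorito's and Lionel PASCAL's posts above go through by hand (sysctls, the mangle DIVERT chain, the fwmark policy rule, the local routing table, and the HAProxy build options) can be cross-checked in one pass from the pasted command outputs. The checker below is an added example, not code from the list or from HAProxy; the sample inputs are copied from those two posts, and the function and class names are my own.

```python
"""TPROXY prerequisite checker for HAProxy's `source 0.0.0.0 usesrc clientip`.
Added example, not code from the posts or the HAProxy project: it parses the
outputs the posters pasted (sysctl -p, iptables -t mangle, ip rule show,
ip route show table N, haproxy -vv) and reports what is missing or inconsistent.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TproxyReport:
    """Findings; `problems` is empty when every checked prerequisite holds."""
    problems: List[str] = field(default_factory=list)
    mark: Optional[int] = None    # fwmark set by the DIVERT chain
    table: Optional[str] = None   # routing table the matching ip rule uses

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_sysctl(text: str) -> dict:
    """'key = value' lines (as printed by sysctl -p) -> {key: value}."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip()
    return out


def parse_mark(iptables_mangle: str) -> Optional[int]:
    """fwmark set by the DIVERT chain: 'MARK set 0x6f' -> 111; None if absent."""
    m = re.search(r"MARK set (0x[0-9a-fA-F]+|\d+)", iptables_mangle)
    return int(m.group(1), 0) if m else None


def parse_fwmark_rules(ip_rule: str) -> List[Tuple[int, str]]:
    """(mark, table) pairs from 'ip rule show' output or 'ip rule add' lines."""
    pat = r"fwmark (0x[0-9a-fA-F]+|\d+)(?:/\S+)?\s+lookup (\S+)"
    return [(int(m, 0), t) for m, t in re.findall(pat, ip_rule)]


def check_tproxy(sysctl: str, iptables_mangle: str, ip_rule: str,
                 route_table: str, haproxy_vv: str) -> TproxyReport:
    """Cross-check the five outputs the way the thread above does by hand."""
    r = TproxyReport()
    s = parse_sysctl(sysctl)
    # Both sysctls are set in the how-to the posters followed.
    for key in ("net.ipv4.ip_forward", "net.ipv4.ip_nonlocal_bind"):
        if s.get(key) != "1":
            r.problems.append(f"{key} is not 1")
    # HAProxy itself must carry the Linux TPROXY build option.
    if "USE_LINUX_TPROXY=1" not in haproxy_vv:
        r.problems.append("haproxy -vv shows no USE_LINUX_TPROXY=1")
    # Packets for sockets haproxy owns must be diverted in mangle PREROUTING...
    if not re.search(r"\bDIVERT\s+tcp\b.*\bsocket\b", iptables_mangle):
        r.problems.append("mangle PREROUTING lacks a 'DIVERT tcp ... socket' rule")
    # ...marked with a value that some policy-routing rule actually matches...
    r.mark = parse_mark(iptables_mangle)
    if r.mark is None:
        r.problems.append("DIVERT chain sets no fwmark")
    else:
        tables = [t for m, t in parse_fwmark_rules(ip_rule) if m == r.mark]
        if tables:
            r.table = tables[0]
        else:
            r.problems.append(f"no ip rule matches fwmark {r.mark:#x} ({r.mark})")
    # ...and that table must hand everything to the local stack via lo.
    if not re.search(r"^\s*local (default|0\.0\.0\.0/0) dev lo\b", route_table, re.M):
        r.problems.append("routing table lacks 'local default dev lo'")
    return r


# Sample inputs taken from Rich Vigorito's post above (column spacing normalised).
RICH_SYSCTL = "vm.swappiness = 0\nnet.ipv4.ip_nonlocal_bind = 1\nnet.ipv4.ip_forward = 1\n"
RICH_MANGLE = """Chain PREROUTING (policy ACCEPT)
DIVERT tcp  --  0.0.0.0/0  0.0.0.0/0  socket
Chain DIVERT (1 references)
MARK   all  --  0.0.0.0/0  0.0.0.0/0  MARK set 0x1
ACCEPT all  --  0.0.0.0/0  0.0.0.0/0
"""
RICH_RULE = ("0: from all lookup local\n32762: from all fwmark 0x1 lookup 100\n"
             "32766: from all lookup main\n32767: from all lookup default\n")
RICH_TABLE = "local default dev lo  scope host\n"
RICH_VV = "OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1\n"

# From Lionel PASCAL's post: iptables prints the mark in hex (0x6f) while his
# 'ip rule add' used decimal 111; both parsers normalise to int so they compare.
LIONEL_MANGLE = "MARK   all  --  anywhere anywhere MARK set 0x6f\n"
LIONEL_RULE_CMD = "ip rule add fwmark 111 lookup 100\n"

if __name__ == "__main__":
    rep = check_tproxy(RICH_SYSCTL, RICH_MANGLE, RICH_RULE, RICH_TABLE, RICH_VV)
    print("all TPROXY prerequisites present" if rep.ok else "\n".join(rep.problems))
```

Feeding Rich's rule table with a mark that no rule matches (the mismatch Baptiste asks about indirectly) yields a single problem naming the orphaned fwmark, which is the quickest way to spot a hex/decimal slip between iptables and ip rule.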

Re: Transparent proxy mode

2013-05-18 Thread Baptiste
Hi Lionel,

It's up to you to check you have the necessary features compiled in your kernel.
We don't know which features each distribution enables in its kernel.
I guess it should be OK since it's Debian based, and in Debian it
works out of the box.

Have you set up your sysctls?
Have you configured iptables?

Please share with us your procedure and we may be able to help.

Baptiste



On Fri, May 17, 2013 at 6:12 PM, Lionel PASCAL
lionel.pas...@ac-clermont.fr wrote:
 I'm on ubuntu 12.04 LTS

 Kernel  3.2.0-40-generic



 I'm trying to enable transparent proxy mode but it does not work:

 Cannot bind to tproxy source address before connect() for proxy server011.
 Aborting.



 Is this functionality supported on this kernel?

 Should I try on Ubuntu 10?



 Thanks!



 --

 Lionel





Transparent proxy mode

2013-05-17 Thread Lionel PASCAL
I'm on ubuntu 12.04 LTS

Kernel  3.2.0-40-generic

 

I'm trying to enable transparent proxy mode but it does not work:

Cannot bind to tproxy source address before connect() for proxy server011.
Aborting.

 

Is this functionality supported on this kernel?

Should I try on Ubuntu 10?

 

Thanks!

 

--

Lionel 

 



Re: HAproxy tproxy problem when try to make transparent proxy

2013-05-15 Thread haproxy

Hello,

L. Alberto Giménez wrote:
 Please check that:

 * You have the tproxy enabled in your kernel
 * You have haproxy compiled with tproxy support

 Your backend servers *can't* see the clients directly (i.e., they have
 the haproxy box as default gateway and *no other* gateways).

 The same for the clients (not mandatory, but if they can see the
 servers, it may cause trouble).
Like I wrote before, I use ubuntu server 9.10, with kernel 2.6.31 and 
iptables 1.4.4, so with built-in tproxy support (if I'm not wrong).
And I compiled Haproxy by hand with the correct parameters, I think...

  lsmod
[...]
nf_tproxy_core24281 xt_socket,
[...]

  haproxy -vv
HA-Proxy version 1.4.2 2010/03/17
Copyright 2000-2010 Willy Tarreau 
Build options :
  TARGET  = linux26
  CPU = i686
  CC  = gcc
  CFLAGS  = -O2 -march=i686 -g
  OPTIONS = USE_LINUX_TPROXY=1 USE_STATIC_PCRE=1
[...]

The client can't see the backend server directly.
  ping -c 1 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
 From 192.168.1.2 icmp_seq=1 Destination Host Unreachable
--- 192.168.0.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

The backend server can't see the clients directly.
  ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
*From 192.168.1.21 icmp_seq=1 Destination Host Unreachable* (not From 
192.168.0.2 as expected)
--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

So, incredible.. I found the trick.. Alberto, you saved my mind.. :-)
In the backend server I have a 2nd ethernet card configured with 192.168.1.21.
The cable is out but I forgot to disable it (how I'm chicken..)..
So every time the backend tried to reach the client from this route.

Many times errors are in the most simple things.

Thanks, thank you very much.. Really!

Daniele

Hi all,

perhaps there is hope for me too ...

I have HAProxy running on 192.168.1.101, with this configuration:

...
backend test
  mode http
  source 0.0.0.0 usesrc clientip
  server serv1 192.168.4.41

frontend test
  mode http
  bind 192.168.1.101:8090
  default_backend test

the HAProxy is from 1.5-dev6, built with TARGET=linux26 USE_LINUX_TPROXY=1, 
kernel is 2.6.26-2-amd64

The server is in my VMware Player (Debian 6, kernel 2.6.32-5-686). By default, 
Player is bridged and DHCP assigns it IP 192.168.1.28 (host XP is 
192.168.1.62), and the default gateway is 192.168.1.2

So I manually changed the IP address on the server (eth0, no other cards) to 192.168.4.41 
255.255.0.0, and set the default gateway to be 192.168.1.101 (the HAProxy machine).

On HAProxy I have done routing commands as Daniele did.

And I still get 503.

What have I done wrong? Is there any known issue if the SERVER is in a virtual 
machine?

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,120994,707061#msg-707061



Re: HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-25 Thread Willy Tarreau
On Fri, Aug 24, 2012 at 02:58:38PM +0200, Baptiste wrote:
 On Fri, Aug 24, 2012 at 1:15 PM,  hapr...@serverphorums.com wrote:
  I said it very clearly, that i have found how to make it transparent,
 No you didn't... But maybe my english understanding is too bad :)

I can confirm you're not the only one.

Also, I'd say something : the fact that a problem has been explained clearly
or not cannot be judged by the person explaining it but by the persons trying
to understand it.

And e-mails as long as an SMS to describe a vague problem mixing several
concepts are all but clear.

At this point I don't know if the requester wants :
  - to find a way to enable transparent proxy in the pfsense kernel
  - to find a way to enable transparent proxy in haproxy
  - to get some help troubleshooting a config involving transparent proxy
  - anything else ?

  and i said also the exact way to do it. I want help with the set up of the 
  reverse proxy.
 
 this is exactly where you are not clear.
 As soon as you use HAProxy, you own a Reverse-proxy.
 
 So this is still unclear to me.

Same for me.

Please man, take some time to write a *real* e-mail. One in which you
explain what you're trying to achieve, how you expect it to work, what
setup you made, what you're observing and what you've tested to fix the
issue. Otherwise it's pointless to rant like above in two-sentences
messages. You're not on IRC here.

Thanks,
Willy




HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-24 Thread haproxy
Good morning people, 

Since yesterday I have an existing problem that I can't solve without any help..
Topology:
pfsense (Reverse+transparent proxy (haproxy), Load Balancer (of pfsense), SSL 
termination (stunnel))
After pfsense I have 2 web servers that pfsense load balances.
Here is the picture with the exact topology: 
http://i50.tinypic.com/6tmzcm.png
So I have a pfsense VM with haproxy installed and I want this scenario: 
when a user hits a public IP address or later the domain of a server, http or 
https, I want to send him to 1 of the 2 servers depending on the load balancer. 
Also I want to make this reverse proxy transparent. I think this is the easy 
step and I think that I have found it: it's on the haproxy - tab Frontends - 
checkbox Use 'forwardfor' option. But how can I set it up in this topology?

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,552462,552462#msg-552462



Re: HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-24 Thread Baptiste
Hi,

Are you sure pfsense kernel has been compiled with TPROXY enabled?

cheers

On Fri, Aug 24, 2012 at 9:09 AM,  hapr...@serverphorums.com wrote:
 Good morning people,

 Since yesterday I have an existing problem that I can't solve without any 
 help..
 Topology:
 pfsense (Reverse+transparent proxy (haproxy), Load Balancer (of pfsense), SSL 
 termination (stunnel))
 After pfsense I have 2 web servers that pfsense load balances.
 Here is the picture with the exact topology:
 http://i50.tinypic.com/6tmzcm.png
 So I have a pfsense VM with haproxy installed and I want this scenario:
 when a user hits a public IP address or later the domain of a server, http or 
 https, I want to send him to 1 of the 2 servers depending on the load balancer. 
 Also I want to make this reverse proxy transparent. I think this is the easy 
 step and I think that I have found it: it's on the haproxy - tab Frontends - 
 checkbox Use 'forwardfor' option. But how can I set it up in this topology?

 ---
 posted at http://www.serverphorums.com
 http://www.serverphorums.com/read.php?10,552462,552462#msg-552462




Re: HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-24 Thread haproxy
Hi Baptiste,

It's a VM and generally I don't think that it needs compiling with transparent 
proxy enabled; in the packages of pfsense there is haproxy and haproxy supports 
transparency.

Regards,

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,552462,552488#msg-552488



Re: HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-24 Thread haproxy
Yeah, the whole thing is not this. The transparent proxy is the last thing I want 
to know.

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,552462,552500#msg-552500



Re: HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-24 Thread Baptiste
So please clarify your question because I don't understand anything and
I'm not the only one.

cheers

On Fri, Aug 24, 2012 at 10:27 AM,  hapr...@serverphorums.com wrote:
 Yeah, the whole thing is not this. The transparent proxy is the last thing I 
 want to know.

 ---
 posted at http://www.serverphorums.com
 http://www.serverphorums.com/read.php?10,552462,552500#msg-552500




Re: HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-24 Thread haproxy
I said it very clearly, that I have found how to make it transparent, and I 
said also the exact way to do it. I want help with the setup of the reverse 
proxy.



This...


Regards,

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,552462,552583#msg-552583



Re: HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-24 Thread Baptiste
On Fri, Aug 24, 2012 at 1:15 PM,  hapr...@serverphorums.com wrote:
 I said it very clearly, that I have found how to make it transparent,
No you didn't... But maybe my english understanding is too bad :)

 and I said also the exact way to do it. I want help with the setup of the 
 reverse proxy.

this is exactly where you are not clear.
As soon as you use HAProxy, you own a Reverse-proxy.


So this is still unclear to me.

cheers



Re: HAproxy as a reverse+transparent proxy help (pfsense)

2012-08-24 Thread haproxy
Yes, and I am asking how to set up haproxy to work as a reverse proxy. Because 
haproxy can do load balancing too.


Regards,

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,552462,552625#msg-552625



haproxy ssh transparent proxy

2012-05-02 Thread jinge

Sorry, I'm new to haproxy; here is my problem.

I want haproxy to proxy any non-http traffic.
And there is my config about it

listen tcp-in
bind 192.168.137.18:
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if HTTP
use_backend SquidClusters if HTTP
default_backend Non-http if !HTTP


## default: let any non-http traffic behave like itself,
backend Non-http
mode tcp
log global
timeout server 1h
server directserver 0.0.0.0


but it doesn't work.
Can anyone help me?



Re: Transparent Proxy

2011-09-24 Thread Baptiste
On Fri, Sep 23, 2011 at 11:53 PM, Jason J. W. Williams
jasonjwwilli...@gmail.com wrote:
 Hello,

 My understanding has been that HAProxy can be set up in conjunction
 with TPROXY support in the Linux kernel so that the backend servers
 see the original client's source IP address on incoming packets?

 So is the option transparent
 (http://code.google.com/p/haproxy-docs/wiki/transparent) not related
 to that type of transparent proxying or am I mistaken and there's no
 way to make HAProxy preserve the original client IP on the way to the
 backend servers?

 Thank you in advance.

 -J



Hi,

You have to patch your kernel with TProxy and then to use the source keyword:
http://code.google.com/p/haproxy-docs/wiki/source

Note that the default gateway of your servers must be the HAProxy box
in that kind of architecture.

cheers



Re: Transparent Proxy

2011-09-24 Thread Malcolm Turnbull
Jason,

No, that option is not relevant for TPROXY (client source IP transparency).

It's an old blog but take a look at:
http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/

Ignore the kernel re-compile stuff, as it's all pretty standard in
modern kernels.
But it should show you how to construct the haproxy.cfg file.





On 23 September 2011 22:53, Jason J. W. Williams
jasonjwwilli...@gmail.com wrote:
 Hello,

 My understanding has been that HAProxy can be set up in conjunction
 with TPROXY support in the Linux kernel so that the backend servers
 see the original client's source IP address on incoming packets?

 So is the option transparent
 (http://code.google.com/p/haproxy-docs/wiki/transparent) not related
 to that type of transparent proxying or am I mistaken and there's no
 way to make HAProxy preserve the original client IP on the way to the
 backend servers?

 Thank you in advance.

 -J





-- 
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/



Re: Transparent Proxy

2011-09-24 Thread Jason J. W. Williams
Thank you. I've been reading that, but wanted to confirm. 

-J

Sent via iPhone


On Sep 24, 2011, at 0:57, Malcolm Turnbull malc...@loadbalancer.org wrote:

 Jason,
 
 No, that option is not relevant for TPROXY (client source IP transparency).
 
 It's an old blog but take a look at:
 http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/
 
 Ignore the kernel re-compile stuff, as it's all pretty standard in
 modern kernels.
 But it should show you how to construct the haproxy.cfg file.
 
 
 
 
 
 On 23 September 2011 22:53, Jason J. W. Williams
 jasonjwwilli...@gmail.com wrote:
 Hello,
 
 My understanding has been that HAProxy can be set up in conjunction
 with TPROXY support in the Linux kernel so that the backend servers
 see the original client's source IP address on incoming packets?
 
 So is the option transparent
 (http://code.google.com/p/haproxy-docs/wiki/transparent) not related
 to that type of transparent proxying or am I mistaken and there's no
 way to make HAProxy preserve the original client IP on the way to the
 backend servers?
 
 Thank you in advance.
 
 -J
 
 
 
 
 
 -- 
 Regards,
 
 Malcolm Turnbull.
 
 Loadbalancer.org Ltd.
 Phone: +44 (0)870 443 8779
 http://www.loadbalancer.org/



Transparent Proxy

2011-09-23 Thread Jason J. W. Williams
Hello,

My understanding has been that HAProxy can be set up in conjunction
with TPROXY support in the Linux kernel so that the backend servers
see the original client's source IP address on incoming packets?

So is the option transparent
(http://code.google.com/p/haproxy-docs/wiki/transparent) not related
to that type of transparent proxying or am I mistaken and there's no
way to make HAProxy preserve the original client IP on the way to the
backend servers?

Thank you in advance.

-J



RE: transparent Proxy on FreeBSD

2011-08-10 Thread GARRISON, TRAVIS J.
After further investigation and comparing the make files, the option USE_TPROXY 
will add the -DTPROXY compile switch. It looks like a bug in where the command 
source 0.0.0.0 usesrc clientip is looking for the specific linux tproxy or 
compile option -DCONFIG_HAP_LINUX_TPROXY and not the more generic one.

Travis


From: GARRISON, TRAVIS J. [mailto:garri...@otc.edu]
Sent: Tuesday, August 09, 2011 9:08 AM
To: haproxy
Subject: transparent Proxy on FreeBSD

How can I configure haproxy to operate in transparent mode in FreeBSD? I have 
tried adding the line "source 0.0.0.0 usesrc clientip" to my config but it states 
that I need to recompile with tproxy. I have tried adding the compile switch 
but it doesn't work. I have noticed that FreeBSD uses -DTPROXY. Is that 
basically the same thing? Thanks for any help

global
  maxconn 6000
  pidfile /var/run/haproxy.pid
  daemon
  nbproc 5

defaults
  mode http
  retries 3
  option redispatch
  maxconn 2000
  timeout connect 24h
  timeout client 24h
  timeout server 24h
  balance leastconn

listen PROXY 1.2.3.4:8080
  mode http
  cookie PROXY insert nocache indirect
  option forwardfor
  stats enable
  server PROXY1 1.2.3.4:8080 cookie PROXY check
  server PROXY1 1.2.3.4:8080 cookie PROXY check
  server PROXY1 1.2.3.4:8080 cookie PROXY check
  server PROXY1 1.2.3.4:8080 cookie PROXY check
  option redispatch

Thanks
Travis



transparent Proxy on FreeBSD

2011-08-09 Thread GARRISON, TRAVIS J.
How can I configure haproxy to operate in transparent mode in FreeBSD? I have 
tried adding the line "source 0.0.0.0 usesrc clientip" to my config but it states 
that I need to recompile with tproxy. I have tried adding the compile switch 
but it doesn't work. I have noticed that FreeBSD uses -DTPROXY. Is that 
basically the same thing? Thanks for any help

global
  maxconn 6000
  pidfile /var/run/haproxy.pid
  daemon
  nbproc 5

defaults
  mode http
  retries 3
  option redispatch
  maxconn 2000
  timeout connect 24h
  timeout client 24h
  timeout server 24h
  balance leastconn

listen PROXY 1.2.3.4:8080
  mode http
  cookie PROXY insert nocache indirect
  option forwardfor
  stats enable
  server PROXY1 1.2.3.4:8080 cookie PROXY check
  server PROXY1 1.2.3.4:8080 cookie PROXY check
  server PROXY1 1.2.3.4:8080 cookie PROXY check
  server PROXY1 1.2.3.4:8080 cookie PROXY check
  option redispatch

Thanks
Travis



Re: HAproxy tproxy problem when try to make transparent proxy

2010-03-20 Thread Willy Tarreau
On Sat, Mar 20, 2010 at 02:23:29AM +0100, Daniele Genetti wrote:
 I verified the default gw and it seems correct.
 I also added the suggested rules, but nothing changed.
 The error 503 Service Unavailable persists.
 
 So, now I tried this test.
 
 1) Without transparent proxy
 on HAPROXY_SERVER:
  netstat -ctnup | grep 192.168.1.20:80 (ok, established connection shown)
 on WEB_SERVER:
  netstat -ctnup | grep 192.168.1.21:80 (ok, established connection shown)
 
 2) With transparent proxy activated
 on HAPROXY_SERVER:
  netstat -ctnup | grep 192.168.1.20:80 (ok, established connection shown)
 on WEB_SERVER:
  netstat -ctnup | grep 192.168.1.21:80 (nothing shown)
 
 So, probably there is a forwarding problem.. Am I right?

No, you're not watching the same connections. I'm assuming that 192.168.1.20
is your web server and 192.168.1.21 is your haproxy server. In transparent
mode, the web server will see the client's IP address as the source, not the
haproxy server. So you must use exactly the same grep on both sides.

Also, be sure not to test from 127.0.0.1, otherwise it will not work. But
what I find strange in your case is that if the connection appears established
on the haproxy server, that means that everything is correct, including routing
of backwards packets. Otherwise you would see a SYN_SENT state.

 Does anyone maybe have an idea how to resolve this issue?

Please simplify the test first. Disable health checks on the server. That
way we'll know that health checks are not seeing the server as down. Next
step is to ensure that you're sending the request from a machine that must
be routed back via the haproxy server, so it must not be on the same local
net as your web server. If you still don't see any progress, please take a
tcpdump capture on both sides (haproxy server and web server).

Regards,
Willy




Re: HAproxy tproxy problem when try to make transparent proxy

2010-03-20 Thread L. Alberto Giménez
On 03/20/2010 08:27 PM, Daniele Genetti wrote:

 So, there is something that don't permit to communicate in transparent
 mode..
 Where is the barrier? mmm..

Hi,

Sorry for insisting on that, but are you *completely* sure that your
routing is properly set up so transparent mode can work? This kind of
error is almost always related to routing issues.

Please check that:

* You have the tproxy enabled in your kernel
* You have haproxy compiled with tproxy support

Your backend servers *can't* see the clients directly (i.e., they have
the haproxy box as default gateway and *no other* gateways).

The same for the clients (not mandatory, but if they can see the
servers, it may cause trouble).


Best regards,
L. Alberto Giménez



Re: HAproxy tproxy problem when try to make transparent proxy

2010-03-20 Thread Daniele Genetti

Hello,

L. Alberto Giménez wrote:

Please check that:

* You have the tproxy enabled in your kernel
* You have haproxy compiled with tproxy support

Your backend servers *can't* see the clients directly (i.e., they have
the haproxy box as default gateway and *no other* gateways).

The same for the clients (not mandatory, but if they can see the
servers, it may cause trouble).
Like I wrote before, I use ubuntu server 9.10, with kernel 2.6.31 and 
iptables 1.4.4, so with built-in tproxy support (if I'm not wrong).

And I compiled Haproxy by hand with the correct parameters, I think...

 lsmod
[...]
nf_tproxy_core24281 xt_socket,[permanent]
[...]

 haproxy -vv
HA-Proxy version 1.4.2 2010/03/17
Copyright 2000-2010 Willy Tarreau w...@1wt.eu
Build options :
 TARGET  = linux26
 CPU = i686
 CC  = gcc
 CFLAGS  = -O2 -march=i686 -g
 OPTIONS = USE_LINUX_TPROXY=1 USE_STATIC_PCRE=1
[...]

The client can't see the backend server directly.
 ping -c 1 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
From 192.168.1.2 icmp_seq=1 Destination Host Unreachable
--- 192.168.0.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

The backend server can't see the clients directly.
 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
*From 192.168.1.21 icmp_seq=1 Destination Host Unreachable* (not From 
192.168.0.2 as expected)

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

So, incredible.. I found the trick.. Alberto, you saved my mind.. :-)
In the backend server I have a 2nd ethernet card configured with 192.168.1.21.
The cable is out but I forgot to disable it (how I'm chicken..)..
So every time the backend tried to reach the client via this route.

Many times errors are in the most simple things.

Thanks, thank you very much.. Really!

Daniele
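Alberto's checklist and the stale second NIC Daniele found come down to one invariant on each backend: a single default route pointing at the haproxy box and no other path, gateway or directly connected interface, back to the networks the clients live on. The Python script below is an added example, not code from this thread or from HAProxy: it parses a Linux `netstat -rn` table and the OPTIONS line of `haproxy -vv` and reports violations. The routing tables, the haproxy address 192.168.0.1 and the generic-build banner are constructed samples modelled on the thread; the Linux banner lines are the ones Daniele posted.

```python
"""Check that haproxy was built with Linux TPROXY support and that a backend's
routing table sends every reply back through the haproxy box. Added example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for a directly connected route
    flags: str
    iface: str


def parse_netstat_rn(text: str) -> List[Route]:
    """Parse the 'Kernel IP routing table' printed by `netstat -rn` on Linux
    (columns: Destination Gateway Genmask Flags MSS Window irtt Iface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not re.fullmatch(r"\d+(\.\d+){3}", parts[0]):
            continue  # banner, column header or blank line
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[7]
        if dest == "0.0.0.0":
            net = ipaddress.IPv4Network("0.0.0.0/0")  # default route, whatever Genmask shows
        else:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = ipaddress.IPv4Address(gw) if "G" in flags else None
        routes.append(Route(net, gateway, flags, iface))
    return routes


def check_backend_routing(routes: List[Route], haproxy_ip: str,
                          client_nets: List[str]) -> List[str]:
    """Return findings for a backend; an empty list means the table looks TPROXY-safe."""
    findings = []
    hap = ipaddress.IPv4Address(haproxy_ip)
    defaults = [r for r in routes if r.dest.prefixlen == 0]
    if len(defaults) != 1:
        findings.append(f"expected exactly one default route, found {len(defaults)}")
    elif defaults[0].gateway != hap:
        findings.append(f"default gateway is {defaults[0].gateway}, not the haproxy box {hap}")
    # Any more specific route covering a client network that does not go through
    # the haproxy box lets replies bypass it (the forgotten second NIC case).
    for cn in (ipaddress.IPv4Network(n) for n in client_nets):
        for r in routes:
            if r.dest.prefixlen == 0 or r.gateway == hap or not r.dest.overlaps(cn):
                continue
            via = f"via {r.gateway}" if r.gateway else f"directly on {r.iface}"
            findings.append(f"clients in {cn} are reachable {via}, bypassing the haproxy box")
    return findings


def haproxy_build_options(vv_output: str) -> set:
    """Tokens of the 'OPTIONS =' line in `haproxy -vv` output."""
    m = re.search(r"^\s*OPTIONS\s*=\s*(.*)$", vv_output, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def has_linux_tproxy(vv_output: str) -> bool:
    """'source 0.0.0.0 usesrc clientip' needs the Linux-specific build option."""
    return "USE_LINUX_TPROXY=1" in haproxy_build_options(vv_output)


# Constructed sample: clients live in 192.168.1.0/24, the haproxy box is assumed to
# be 192.168.0.1 on the backend side, and a forgotten second NIC on eth1 still
# carries an address in the client network.
BACKEND_WITH_STALE_NIC = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
"""
# The same backend after the stale interface is brought down.
BACKEND_FIXED = "\n".join(BACKEND_WITH_STALE_NIC.splitlines()[:4]) + "\n"

# Build banner lines as posted in the thread, and a constructed one for a build
# that only used the generic USE_TPROXY option.
HAPROXY_VV_LINUX = """\
HA-Proxy version 1.4.2 2010/03/17
Build options :
  TARGET  = linux26
  OPTIONS = USE_LINUX_TPROXY=1 USE_STATIC_PCRE=1
"""
HAPROXY_VV_GENERIC = "Build options :\n  OPTIONS = USE_TPROXY=1\n"

if __name__ == "__main__":
    for name, table in (("stale NIC", BACKEND_WITH_STALE_NIC), ("fixed", BACKEND_FIXED)):
        found = check_backend_routing(parse_netstat_rn(table), "192.168.0.1", ["192.168.1.0/24"])
        print(f"{name}: {found or 'routing looks TPROXY-safe'}")
    print("linux tproxy build:", has_linux_tproxy(HAPROXY_VV_LINUX), has_linux_tproxy(HAPROXY_VV_GENERIC))
```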




Re: HAproxy tproxy problem when try to make transparent proxy

2010-03-19 Thread Willy Tarreau
Hi,

On Fri, Mar 19, 2010 at 07:03:47PM +0100, Daniele Genetti wrote:
 Hello,
 
 I have one big problem with HAproxy compiled with tproxy support.
 
 This is the situation...
 
 HAPROXY_SERVER
 os: ubuntu server
 kernel: 2.6.31 (so with tproxy support)
 iptables: 1.4.4 (so with tproxy support)
 ip: 192.168.1.20
 
 WEB_SERVER
 os: debian
 kernel: 2.6.26
 iptables: 1.4.2
 ip: 192.168.1.21
 
 I set up haproxy and with normal rules and configuration all works well!
 
 When I try to make the proxy transparent, adding in the configuration the 
 line:
 source 0.0.0.0 usesrc clientip
 as a result all connections get 503 Service Unavailable
 
 In HAPROXY_SERVER I added these rules:
 ---
 iptables -t mangle -N DIVERT
 iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
 iptables -t mangle -A DIVERT -j MARK --set-mark 1
 iptables -t mangle -A DIVERT -j ACCEPT
 
 ip rule add fwmark 1 lookup 100
 ip route add local 0.0.0.0/0 dev lo table 100
 ---
 
 And also I changed HAPROXY_SERVER sysctls with:
 echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
 echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
 echo 1 > /proc/sys/net/ipv4/conf/eth0/send_redirects
 
 Where am I wrong?
 Have you got any ideas?
 
 Thanks! Daniel

I suspect that you forgot to change your servers' default gateway
to point to the haproxy machine, and that they are responding
directly to the client without passing through haproxy.

Regards,
Willy




Re: HAproxy tproxy problem when try to make transparent proxy

2010-03-19 Thread James Little
Also for some reason if you are using the new kernel and the new
iptables (as you seem to be)
you need to specify the firewall mark on EVERY interface:

ip rule add dev eth0 fwmark 111 lookup 100
ip rule add dev eth1 fwmark 111 lookup 100
ip rule add dev eth2 fwmark 111 lookup 100
ip rule add dev eth3 fwmark 111 lookup 100

Not sure why..



On 19 March 2010 18:55, Willy Tarreau w...@1wt.eu wrote:

 Hi,

 On Fri, Mar 19, 2010 at 07:03:47PM +0100, Daniele Genetti wrote:
  Hello,
 
  I have one big problem with HAproxy compiled with tproxy support.
 
  This is the situation...
 
  HAPROXY_SERVER
  os: ubuntu server
  kernel: 2.6.31 (so with tproxy support)
  iptables: 1.4.4 (so with tproxy support)
  ip: 192.168.1.20
 
  WEB_SERVER
  os: debian
  kernel: 2.6.26
  iptables: 1.4.2
  ip: 192.168.1.21
 
  I set up haproxy and with normal rules and configuration all works well!
  
  When I try to make the proxy transparent, adding in the configuration the
  line:
  source 0.0.0.0 usesrc clientip
  as a result all connections get 503 Service Unavailable
  
  In HAPROXY_SERVER I added these rules:
  ---
  iptables -t mangle -N DIVERT
  iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  iptables -t mangle -A DIVERT -j MARK --set-mark 1
  iptables -t mangle -A DIVERT -j ACCEPT
  
  ip rule add fwmark 1 lookup 100
  ip route add local 0.0.0.0/0 dev lo table 100
  ---
  
  And also I changed HAPROXY_SERVER sysctls with:
  echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
  echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
  echo 1 > /proc/sys/net/ipv4/conf/eth0/send_redirects
  
  Where am I wrong?
  Have you got any ideas?
 
  Thanks! Daniel

 I suspect that you forgot to change your servers' default gateway
 to point to the haproxy machine, and that they are responding
 directly to the client without passing through haproxy.

 Regards,
 Willy








Re: HAproxy tproxy problem when try to make transparent proxy

2010-03-19 Thread Daniele Genetti

I verified the default gw and it seems correct.
I also added the suggested rules, but nothing changed.
The error 503 Service Unavailable persists.

So, now I tried this test.

1) Without transparent proxy
on HAPROXY_SERVER:
 netstat -ctnup | grep 192.168.1.20:80 (ok, established connection shown)
on WEB_SERVER:
 netstat -ctnup | grep 192.168.1.21:80 (ok, established connection shown)

2) With transparent proxy activated
on HAPROXY_SERVER:
 netstat -ctnup | grep 192.168.1.20:80 (ok, established connection shown)
on WEB_SERVER:
 netstat -ctnup | grep 192.168.1.21:80 (nothing shown)

So, probably there is a forwarding problem.. Am I right?
Does anyone maybe have an idea how to resolve this issue?

Thanks, Daniele


James Little wrote:

Also for some reason if you are using the new kernel and the new
iptables (as you seem to be)
you need to specify the firewall mark on EVERY interface:

ip rule add dev eth0 fwmark 111 lookup 100
ip rule add dev eth1 fwmark 111 lookup 100
ip rule add dev eth2 fwmark 111 lookup 100
ip rule add dev eth3 fwmark 111 lookup 100

Not sure why..


On 19 March 2010 18:55, Willy Tarreau w...@1wt.eu wrote:
  

Hi,

On Fri, Mar 19, 2010 at 07:03:47PM +0100, Daniele Genetti wrote:


Hello,

I have one big problem with HAproxy compiled with tproxy support.

This is the situation...

HAPROXY_SERVER
os: ubuntu server
kernel: 2.6.31 (so with tproxy support)
iptables: 1.4.4 (so with tproxy support)
ip: 192.168.1.20

WEB_SERVER
os: debian
kernel: 2.6.26
iptables: 1.4.2
ip: 192.168.1.21

I set up haproxy and with normal rules and configuration all works well!

When I try to make the proxy transparent, adding in the configuration the
line:
source 0.0.0.0 usesrc clientip
as a result all connections get 503 Service Unavailable

In HAPROXY_SERVER I added these rules:
---
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
---

And also I changed HAPROXY_SERVER sysctls with:
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/eth0/send_redirects

Where am I wrong?
Have you got any ideas?

Thanks! Daniel
  

I suspect that you forgot to change your servers' default gateway
to point to the haproxy machine, and that they are responding
directly to the client without passing through haproxy.

Regards,
Willy




  




Re: Transparent proxy of SSL traffic using Pound to HAProxy backend patch and howto

2009-07-22 Thread Willy Tarreau
On Mon, Jul 20, 2009 at 03:23:22PM +0100, Malcolm Turnbull wrote:
 Many thanks to Ivansceó Krisztián for working on the TPROXY patch for
 Pound for us, we can finally do SSL termination - HAProxy - backend
 with TPROXY.
 
 http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/
 
 Patches to Pound are here:
 http://www.loadbalancer.org/download/PoundSSL-Tproxy/poundtp-2.4.5.tgz
 
 Willy,
 
 You mentioned that it may be more sensible to do something like:
 
 source 0.0.0.0 usesrc hdr(x-forwarded-for)
 
 rather than having 2 sets of TPROXY set up.. but I don't think this is
 possible yet?

Unfortunately not yet. I've had to arbitrate between that and the ability
to perform content-switching on TCP frontends and the priority went to
the latter.

Another issue you might run into is the reduced number of source ports for
the same source IP, because now you have the client, pound, and haproxy
all using the same source IP, so you need to be careful that the client
never hits haproxy directly on the same port as pound, otherwise it may
use the same source port as pound and conflict with an existing session.
A trick might consist in using a distinct port on haproxy for direct
client connections and pound connections.

Regards,
Willy




Transparent proxy of SSL traffic using Pound to HAProxy backend patch and howto

2009-07-20 Thread Malcolm Turnbull
Many thanks to Ivansceó Krisztián for working on the TPROXY patch for
Pound for us, we can finally do SSL termination - HAProxy - backend
with TPROXY.

http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/

Patches to Pound are here:
http://www.loadbalancer.org/download/PoundSSL-Tproxy/poundtp-2.4.5.tgz

Willy,

You mentioned that it may be more sensible to do something like:

source 0.0.0.0 usesrc hdr(x-forwarded-for)

rather than having 2 sets of TPROXY set up.. but I don't think this is
possible yet?









Re: Transparent proxy

2009-05-14 Thread Carlo Granisso
I've solved my problem (many thanks to John) but now I have another problem
with url rewrite/redirection.

I need www.domain.tld to be redirected to www.domain.tld/folder/index.jsp
(I'm using resin behind haproxy).

Here's my cfg:
acl addr1  path_end /
redirect location /dnshst/index.jsp if addr1

It works, but if I try to login, sometimes it works and sometimes I obtain this url:
www.domain.tld/index.jsp (and not www.domain.tld/folder/index.jsp)

Have you got ideas on how to do it properly? (My backend is in http mode with
cookie by SERVERID.)


Thanks,


Carlo

-Original Message-
From: L. Alberto Giménez [mailto:agimenez-hapr...@sysvalve.homelinux.net] 
Sent: Tuesday, 12 May 2009 23:06
To: Carlo Granisso
Cc: haproxy@formilux.org
Subject: Re: Transparent proxy

Carlo Granisso wrote:
 Hello everybody, I have a problem with haproxy (1.3.17) and kernel 
 2.6.29
 
 I have successfully recompiled my kernel with TPROXY modules and 
 installed haproxy (compiled from source with tproxy option enabled) 
 and installed iptables 1.4.3 (that have tproxy patch).
 Now I can't use transparent proxy function: if I leave in haproxy.cfg 
 this line "source 0.0.0.0 usesrc clientip" haproxy says 503 - Service 
 unavailable.
 If I comment out the line, everything works fine (without transparent
proxy).
 
 My situation:
 
 haproxy with two ethernet devices: first one for public IP, second one 
 for private IP (192.168.XX.XX) two web servers with one ethernet for 
 each one connected to my private network.
 
 Have you got ideas or can you provide me examples?
Hi, I've just set up a transparent proxy with kernel 2.6.28 (the first one
with official tproxy support) and haproxy 1.3.15 (the version Debian comes
with, but rebuilding the package with the tproxy linux option enabled).

Just make sure your backends route their outgoing traffic through the load
balancer, since the response packets with the fake address MUST be seen by
the load balancer box to undo the transparent-proxy magic.

Regards,
L. Alberto Giménez









Re: Transparent proxy

2009-05-12 Thread Carlo Granisso
 

-Original Message-
From: John Lauro [mailto:john.la...@covenanteyes.com] 
Sent: Monday, 11 May 2009 18:30
To: 'Carlo Granisso'; haproxy@formilux.org
Subject: RE: Transparent proxy

 
 And no request were found into webserver (netstat -ntap | grep :80)
 
 After few seconds: 503 Service Unavailable No server is available to 
 handle this request. 
 

 Can you ping your webserver from the haproxy box ok?

Yes


 What does the following show from your webserver:
 netstat -rn
 Does it show the private IP address of your haproxy box as the gateway for
 0.0.0.0?

Here's the output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.56    255.255.255.255 UGH       0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1


On my haproxy box I have lots of connections in TIME_WAIT state from haproxy
to the webservers.
When I try to get the default page from a browser no connections are made on
the webserver (haproxy opens only one tcp connection, in SYN_SENT state).


Thanks for your patience.


Carlo







Re: Transparent proxy

2009-05-12 Thread L. Alberto Giménez
Carlo Granisso wrote:
 Hello everybody, I have a problem with haproxy (1.3.17) and kernel 2.6.29
 
 I have successfully recompiled my kernel with TPROXY modules and installed
 haproxy (compiled from source with tproxy option enabled) and installed
 iptables 1.4.3 (that have tproxy patch).
 Now I can't use transparent proxy function: if I leave in haproxy.cfg this
 line "source 0.0.0.0 usesrc clientip" haproxy says 503 - Service
 unavailable.
 If I comment out the line, everything works fine (without transparent proxy).
 
 My situation:
 
 haproxy with two ethernet devices: first one for public IP, second one for
 private IP (192.168.XX.XX)
 two web servers with one ethernet for each one connected to my private
 network.
 
 Have you got ideas or can you provide me examples?
Hi, I've just set up a transparent proxy with kernel 2.6.28 (the first
one with official tproxy support) and haproxy 1.3.15 (the version Debian
comes with, but rebuilding the package with the tproxy linux option
enabled).

Just make sure your backends route their outgoing traffic through the
load balancer, since the response packets with the fake address MUST
be seen by the load balancer box to undo the transparent-proxy magic.

Regards,
L. Alberto Giménez





Transparent proxy

2009-05-11 Thread Carlo Granisso
Hello everybody, I have a problem with haproxy (1.3.17) and kernel 2.6.29

I have successfully recompiled my kernel with TPROXY modules and installed
haproxy (compiled from source with tproxy option enabled) and installed
iptables 1.4.3 (that have tproxy patch).
Now I can't use transparent proxy function: if I leave in haproxy.cfg this
line "source 0.0.0.0 usesrc clientip" haproxy says 503 - Service
unavailable.
If I comment out the line, everything works fine (without transparent proxy).

My situation:

haproxy with two ethernet devices: first one for public IP, second one for
private IP (192.168.XX.XX)
two web servers with one ethernet for each one connected to my private
network.

Have you got ideas or can you provide me examples?

Thanks,

Carlo


Re: Transparent proxy

2009-05-11 Thread Malcolm Turnbull
Carlo,

Sorry got busy and forgot to post back to you,
I was going to ask whats your output from :

iptables -L -t mangle

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  192.168.2.0/24       anywhere            tcp dpt:http MARK set 0x1
DIVERT     tcp  --  anywhere             anywhere            socket


Is the divert to socket in place?





2009/5/11 Carlo Granisso c.grani...@dnshosting.it

 Hello everybody, I have a problem with haproxy (1.3.17) and kernel 2.6.29

 I have successfully recompiled my kernel with TPROXY modules and installed 
 haproxy (compiled from source with tproxy option enabled) and installed 
 iptables 1.4.3 (that have tproxy patch).
 Now I can't use transparent proxy function: if I leave in haproxy.cfg this 
 line "source 0.0.0.0 usesrc clientip" haproxy says 503 - Service unavailable.
 If I comment out the line, everything works fine (without transparent proxy).

 My situation:

 haproxy with two ethernet devices: first one for public IP, second one for 
 private IP (192.168.XX.XX)
 two web servers with one ethernet for each one connected to my private network.

 Have you got ideas or can you provide me examples?

 Thanks,

 Carlo





RE: Transparent proxy

2009-05-11 Thread John Lauro
It's a little different config than I have, but it looks ok to me.

What's haproxy -vv give?

I have:

[r...@haf1 etc]# haproxy -vv
HA-Proxy version 1.3.15.7 2008/12/04
Copyright 2000-2008 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux26
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g
  OPTIONS = USE_LINUX_TPROXY=1

(I know, I am a little behind, but if it's not broke.)

When you say "haproxy says 503", I assume it doesn't actually say that but
that's what a web browser gets back from it?

I assume the web servers have the haproxy's private IP address as their
default route?  If they are going to some other device as a NAT gateway,
that will not work.

Do they show a SYN_RECV or ESTABLISHED connection from the public client
trying to connect?
 

 

From: Carlo Granisso [mailto:c.grani...@dnshosting.it] 
Sent: Monday, May 11, 2009 7:06 AM
To: haproxy@formilux.org
Subject: Transparent proxy

 

Hello everybody, I have a problem with haproxy (1.3.17) and kernel 2.6.29

I have successfully recompiled my kernel with TPROXY modules and installed
haproxy (compiled from source with tproxy option enabled) and installed
iptables 1.4.3 (that have tproxy patch).
Now I can't use transparent proxy function: if I leave in haproxy.cfg this
line "source 0.0.0.0 usesrc clientip" haproxy says 503 - Service
unavailable.
If I comment out the line, everything works fine (without transparent proxy).

My situation:

haproxy with two ethernet devices: first one for public IP, second one for
private IP (192.168.XX.XX)
two web servers with one ethernet for each one connected to my private
network.

Have you got ideas or can you provide me examples?

Thanks,

Carlo




Re: Transparent proxy

2009-05-11 Thread Carlo Granisso
I've tried to use the webserver through the public interface on the same IP class as
haproxy: it doesn't work :-(
 
 
Thanks,
 
 
Carlo


From: John Lauro [mailto:john.la...@covenanteyes.com] 
Sent: Monday, 11 May 2009 14:42
To: 'Carlo Granisso'; haproxy@formilux.org
Subject: RE: Transparent proxy



It's a little different config than I have, but it looks ok to me...

What's haproxy -vv give?

I have:

[r...@haf1 etc]# haproxy -vv
HA-Proxy version 1.3.15.7 2008/12/04
Copyright 2000-2008 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux26
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g
  OPTIONS = USE_LINUX_TPROXY=1

(I know, I am a little behind, but if it's not broke...)

When you say "haproxy says 503...", I assume it doesn't actually say that but
that's what a web browser gets back from it?

I assume the web servers have the haproxy's private IP address as their
default route?  If they are going to some other device as a NAT gateway,
that will not work...

Do they show a SYN_RECV or ESTABLISHED connection from the public client
trying to connect?

 

 

From: Carlo Granisso [mailto:c.grani...@dnshosting.it] 
Sent: Monday, May 11, 2009 7:06 AM
To: haproxy@formilux.org
Subject: Transparent proxy

 

Hello everybody, I have a problem with haproxy (1.3.17) and kernel 2.6.29

I have successfully recompiled my kernel with TPROXY modules and installed
haproxy (compiled from source with tproxy option enabled) and installed
iptables 1.4.3 (that have tproxy patch).
Now I can't use transparent proxy function: if I leave in haproxy.cfg this
line "source 0.0.0.0 usesrc clientip" haproxy says 503 - Service
unavailable.
If I comment out the line, everything works fine (without transparent proxy).

My situation:

haproxy with two ethernet devices: first one for public IP, second one for
private IP (192.168.XX.XX)
two web servers with one ethernet for each one connected to my private
network.

Have you got ideas or can you provide me examples?

Thanks,

Carlo





Re: R: R: Transparent proxy

2009-05-11 Thread Jeff Buchbinder

Willy Tarreau wrote:

do you mean that the OpenBSD supports a linux-compatible tproxy ? I was
not aware of this, because for me, tproxy is 100% linux-specific.

Do you know what versions provide it (if so) and how to detect whether it's
supported ?
  
I've seen a bunch of pf+squid magic to do it, but I think that tinyproxy 
(https://www.banu.com/tinyproxy) supports transparent proxying, at least 
for HTTP.


Not sure if that's of any help.

--
Jeff Buchbinder
Senior Infrastructure Engineer
Rave Wireless, Inc
work: 508.848.2484
mobile: 860.617.5750
jbuchbin...@ravewireless.com