Hello,
L. Alberto Giménez wrote:
Please check that:
* You have the tproxy enabled in your kernel
* You have haproxy compiled with tproxy support
Your backend servers *can't* see the clients directly (i.e., they have
the haproxy box as default gateway and *no other* gateways).
The same for the clients (not mandatory, but if they can see the
servers, it may cause trouble).
Like I wrote before, I use Ubuntu Server 9.10, with kernel 2.6.31 and
iptables 1.4.4, so with built-in tproxy support (if I'm not wrong).
And I compiled HAProxy by "hand" with the correct parameters, I think...
> lsmod
[...]
nf_tproxy_core 2428 1 xt_socket,[permanent]
[...]
> haproxy -vv
HA-Proxy version 1.4.2 2010/03/17
Copyright 2000-2010 Willy Tarreau
Build options :
TARGET = linux26
CPU = i686
CC = gcc
CFLAGS = -O2 -march=i686 -g
OPTIONS = USE_LINUX_TPROXY=1 USE_STATIC_PCRE=1
[...]
The client can't see the backend server directly.
> ping -c 1 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
From 192.168.1.2 icmp_seq=1 Destination Host Unreachable
--- 192.168.0.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
The backend server can't see the clients directly.
> ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
*From 192.168.1.21 icmp_seq=1 Destination Host Unreachable* (not from
192.168.0.2 as expected)
--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
So, incredible... I found the trick... Alberto, you saved my mind... :-)
In the backend server I have a 2nd Ethernet card configured with 192.168.1.21.
The cable is out, but I forgot to disable it (how chicken I am......)...
So every time the backend tries to reach the client, it uses this route.
Many times the errors are in the simplest things.
Thanks, thank you very much... Really!
Daniele
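The return-path condition Alberto describes (the backend must reach clients only through the HAProxy box) can be checked from the backend's routing table before blaming tproxy. The following is an added example, not code from the thread or from HAProxy: it parses `ip route show` output with longest-prefix matching and flags any route that lets the backend reach the client subnet without going via the proxy. The sample table mirrors Daniele's setup (backend 192.168.0.2, stray second NIC 192.168.1.21, client 192.168.1.2); the HAProxy box address 192.168.0.1 is an assumption, since the thread does not give it.

```python
import ipaddress

# Constructed sample of `ip route show` on the backend (192.168.0.2).
# The second NIC (eth1, 192.168.1.21) is still up, so the kernel has a
# connected route to the client subnet that bypasses the HAProxy box.
SAMPLE_ROUTES = """\
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.21
"""

# Assumed address of the HAProxy box (the backend's default gateway).
PROXY_GW = "192.168.0.1"


def parse_routes(text):
    """Turn `ip route show` lines into (network, gateway_or_None, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, gw, dev))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the route the kernel would pick for addr."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def client_path_ok(routes, client_ip, proxy_gw):
    """True only if packets to client_ip leave via the HAProxy box."""
    route = lookup(routes, client_ip)
    return route is not None and route[1] == proxy_gw


def stray_routes(routes, client_net, proxy_gw):
    """Non-default routes that reach the client subnet without going via proxy_gw."""
    net = ipaddress.ip_network(client_net)
    return [r for r in routes
            if r[0].prefixlen > 0 and r[0].overlaps(net) and r[1] != proxy_gw]


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print("path to client ok:", client_path_ok(routes, "192.168.1.2", PROXY_GW))
    for net, gw, dev in stray_routes(routes, "192.168.1.0/24", PROXY_GW):
        print(f"stray route {net} dev {dev} bypasses {PROXY_GW}")
```

On a live backend, feed it the real output of `ip route show`; once the stray interface is down, the only match for the client address should be the default route via the HAProxy box.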