Sorry, should have been "like" instead of "link", and the next sentence 
didn't make much sense as-is...

In summary, I meant to say that it is a relatively simple setup as long as 
everything is using standard public IPs.


If you are doing NAT or anycast, it is a little more complex setup, but it 
can be done.


> -----Original Message-----
> From: Jason J. W. Williams [mailto:jasonjwwilli...@gmail.com]
> Sent: Tuesday, September 27, 2011 8:03 PM
> To: John Lauro
> Subject: Re: TPROXY + Hearbeat
>
> Hey John,
>
>  Thank you for giving me more detail. I really appreciate it.
> We're moving from a pair of A10 hardware load balancers to a dedicated
> hosting environment where we don't have easy access to appliances or
> the privilege of laying out the network. So our hope was to do exactly
> what you're doing with HAProxy.
>
> Just one other question, what do you mean by "...just link incoming
> traffic, but not a problem...  That for those setup on public ips."
>
> Thank you again!
>
> -J
>
>
> On Tue, Sep 27, 2011 at 5:39 PM, John Lauro <john.la...@covenanteyes.com>
> wrote:
> > As an example setup for some of our systems:
> > My haresources file has:
> > hawebcl1      IPaddr2::xx.xx.xx.77/24/eth0
> >
> > Actual IPs are xx.xx.xx.78 and xx.xx.xx.79 on the haproxy boxes.
> >
> > The real gateway is .1.
> >
> > So both haproxy hosts have the mangle setup for tproxy, gateway as .1,
> > etc...
> > All the backend servers have .77 as their default gateway instead of .1.
> >
> > I leave haproxy running on both.  It means both constantly poll the
> > backend servers, but why bother having heartbeat start/stop it...
> >
> >
> > Only minor annoying part is you must specify the unique IP on the source
> > lines in haproxy config which makes it slightly harder to keep them in
> > sync.
> > IE:
> > source          xx.xx.xx.78 usesrc client
> > If you have heartbeat stop/start haproxy you could probably just use the
> > shared IP for a common config file.
> >
> > Both haproxys (active and passive) and all backend servers can access
> > the internet fine for updates/etc.  All outgoing traffic relays through the
> > active haproxy box just link incoming traffic, but not a problem...
> > That for those setup on public ips.
> >
> >
> > We have some servers setup in multiple datacenters setup behind an
> > anycast network.  For those it's setup much the same, except the backend
> > servers have a 2nd NIC with a private IP address, and we then use policy
> > based routing on each backend server so that originating outgoing traffic
> > from those go to a separate NAT server, and traffic from the haproxy go
> > back via that...  Have to do the split because of the anycast, as we have to
> > originate from a regular public IP instead of one from the anycast ip...
> >
> > You could probably do it with NAT for outgoing tied to source IP of the
> > private NAT, but haven't tried that and doubt running NAT on the server
> > running haproxy would be a good idea for anything but light load...
> >
> >
> >> -----Original Message-----
> >> From: Jason J. W. Williams [mailto:jasonjwwilli...@gmail.com]
> >> Sent: Tuesday, September 27, 2011 6:13 PM
> >> To: John Lauro
> >> Cc: haproxy@formilux.org
> >> Subject: Re: TPROXY + Hearbeat
> >>
> >> Hey John,
> >>
> >> Thanks for the quick response. That's great to know. So both the VIPs
> >> and the shared IP your backends use as their default gateway fail over
> >> well?
> >>
> >> Is your HAProxy pair the actual network boundary box between the
> >> subnets, or is it just the default gateway for your backends and the
> >> pair relay off the real subnet gateway? (any issues with utility
> >> traffic originating from the backend servers like package updates
> >> running through HAProxy pair as the default gw?)
> >>
> >> Thank you so much for your help!
> >>
> >> -J
> >>
> >> On Tue, Sep 27, 2011 at 4:09 PM, John Lauro <john.la...@covenanteyes.com>
> >> wrote:
> >> > Works great.  I have several pairs of vm haproxy servers in transparent
> >> > mode and running heartbeat to take over the shared IP.
> >> >
> >> >
> >> >> -----Original Message-----
> >> >> From: Jason J. W. Williams [mailto:jasonjwwilli...@gmail.com]
> >> >> Sent: Tuesday, September 27, 2011 3:46 PM
> >> >> To: haproxy@formilux.org
> >> >> Subject: TPROXY + Hearbeat
> >> >>
> >> >> Hello,
> >> >>
> >> >> Is anyone running redundant HAProxy servers that use TPROXY for
> >> >> transparent proxying (preserve source IP) and use Heartbeat for
> >> >> failover of VIPs and shared interface IPs? We're curious if you run
> >> >> into issues due to combination of shared IPs and TPROXY? Thank you
> >> >> in advance.
> >> >>
> >> >> -J
> >> >
> >> >
> >
