I forgot to mention I'm using HAProxy 1.5dev18.
Hello HAProxy developers/users,
I would like to be able to run HAProxy transparently on FreeBSD 8.3.
This would be both for my own usage and also to make it available to a
larger public by including it in a 'haproxy-devel' package for pfSense.
However, when trying to use it I get the error:
[ALERT] 104/235847 (72477) : parsing [/var/etc/haproxy.cfg:34] : 'usesrc'
not allowed here because support for TPROXY was not compiled in.
From what I read it seems it should be possible.
For example the Makefile contains the following:
ifeq ($(TARGET),freebsd)
USE_TPROXY = implicit
Which seems like it is supposed to be 'supported'.
I've also tried the USE_LINUX_TPROXY=yes compile flag, but this returns 2
undeclared variables, SOL_IP and SOL_IPV6. I've tried declaring them with
substitute values like 'IP_BINDANY', or the value 6, which could stand for
the TCP protocol type, or 0, but though the source did then compile, the
end result still was that either an error was returned to the browser that
no backend was available, together with the following debug error:
[ALERT] 104/235129 (17380) : Cannot bind to tproxy source address before
connect() for backend pb3TEST_http. Aborting.
Or I don't get a response at all and HAProxy seems to be waiting for
'something' to happen.
Could it be that something is not fully supported in HAProxy together with
FreeBSD to allow transparent proxying? Or am I looking at the wrong side of
the problem, and would I need to compile the FreeBSD kernel with tproxy
support? Which I believe would be natively supported in version 8, but I
might be wrong on that.
If I add after "setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one))"
this line:
setsockopt(fd, SOL_IP, IP_FREEBIND, &one, sizeof(one));
It removes the error about 'Cannot bind to tproxy source address...' and
packets do seem to be sent to the proper destination. Except the connection
never establishes.
The browser running on 192.168.1.50 contacts HAProxy on its IP:port
http://192.168.1.22:81/
HAProxy then forwards the traffic to the server 192.168.0.40.81, which is
according to the status page "L7OK/200 in 0ms".
Also the reply packets get routed back to the original client PC (Wireshark
confirmed that), and seem not to get intercepted by HAProxy, which I think
is supposed to happen when passing through the 'FreeBSD router'?
But when performing a tcpdump on the interface in the 192.168.0.117 network,
only SYN and SYN-ACK packets seem to be 'exchanged', but never any actual
'data':
21:02:04.915310 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq
352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1556876
ecr 0], length 0
21:02:04.915464 IP 192.168.0.40.81 > 192.168.1.50.51194: Flags [S.], seq
4102632929, ack 352103920, win 8192, options [mss 1260,nop,wscale
8,sackOK,TS val 1281557 ecr 1556876], length 0
21:02:04.915546 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq
352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1556876
ecr 0], length 0
21:02:07.910690 IP 192.168.0.40.81 > 192.168.1.50.51194: Flags [S.], seq
4102632929, ack 352103920, win 8192, options [mss 1260,nop,wscale
8,sackOK,TS val 1281857 ecr 1556876], length 0
21:02:07.911073 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq
352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1557176
ecr 0], length 0
21:02:07.911079 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq
352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1557176
ecr 0], length 0
21:02:11.110673 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq
352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1557496
ecr 0], length 0
21:02:11.110685 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq
352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1557496
ecr 0], length 0
21:02:13.913959 IP 192.168.0.40.81 > 192.168.1.50.51194: Flags [S.], seq
4102632929, ack 352103920, win 8192, options [mss 1260,sackOK,TS val 1282457
ecr 1556876], length 0
While when the PC contacts the webserver directly it works 'normally':
20:45:12.746359 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [S], seq
24635592, win 64240, options [mss 1460,nop,nop,sackOK], length 0
20:45:12.746473 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [S.], seq
3353931105, ack 24635593, win 8192, options [mss 1260,nop,nop,sackOK],
length 0
20:45:12.746937 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [.], ack 1,
win 64260, length 0
20:45:12.747071 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [P.], ack 1,
win 64260, length 282
20:45:12.750878 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [.], ack 283,
win 65520, length 1260
20:45:12.751005 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [P.], ack 283,
win 65520, length 1142
20:45:12.751463 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [.], ack 2403,
win 64260, length 0
20:45:12.800179 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [P.], ack
2403, win 64260, length 297
20:45:12.800753 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [.], ack 580,
win 65223, length 1260
20:45:12.800871 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [P.], ack 580,
win 65223, length 151
20:45:12.801488 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [.], ack 3814,
win 64260, length 0
See below my configuration of HAProxy:
global
    maxconn 300
    log /var/run/log local6 debug
    stats socket /tmp/haproxy.socket level admin
    nbproc 1
    chroot /var/empty
    daemon
frontend test_pb3
    bind 192.168.1.22:81
    mode http
    log global
    option dontlognull
    maxconn 444
    timeout client 30000
    default_backend pb3TEST_http
backend pb3TEST_http
    mode http
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    source 192.168.0.117 usesrc clientip
    server pb3_srv 192.168.0.40:81 check inter 10000 weight 1
Could someone give me advice on what might need to change, what to test or
how I could proceed further with making it work?
Thanks in advance,
PiBa-NL
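The two tcpdump excerpts above differ in one measurable way: in the proxied capture the SYN and SYN-ACK repeat but no ACK or payload ever follows, while the direct capture completes the handshake and carries data. The script below is an added example (not the poster's code and not part of HAProxy) that parses tcpdump's default TCP summary lines, groups them into flows and classifies each flow by handshake state, so a capture like the one in the post can be checked mechanically. The sample captures are constructed from the post's excerpts, re-joined onto single lines; the verdict strings, the flow-key format and the classification rules are this example's own assumptions.

```python
"""Classify TCP flows in a tcpdump text capture by handshake state.

Added example, not code from the original post or from HAProxy. The
sample captures are constructed from the post's two excerpts; the
verdicts and the flow-key format are this example's own conventions.
"""
import re

# Default tcpdump TCP summary line: timestamp, endpoints, flags, optional
# seq/ack, trailing "length N". Window size and options are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+))?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*length (?P<length>\d+)$"
)


def parse_capture(text):
    """Return one dict per parsable TCP summary line; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "src": (d["src"], int(d["sport"])),
            "dst": (d["dst"], int(d["dport"])),
            "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "length": int(d["length"]),
        })
    return packets


def classify(f):
    """Map per-flow counters to a verdict (this example's own rule set)."""
    if f["synack"] == 0:
        return "no SYN-ACK: server unreachable or SYN filtered"
    if f["ack"] == 0:
        return ("handshake incomplete: SYN-ACK never acknowledged, SYN "
                "retransmitted; check that the server's replies are routed "
                "back through the proxy host")
    if f["payload"] == 0:
        return "handshake completed but no payload exchanged"
    return "established, data exchanged"


def summarize(text):
    """Group packets into flows keyed 'initiator->peer' and classify each."""
    flows = {}
    for p in parse_capture(text):
        key = tuple(sorted([p["src"], p["dst"]]))  # direction-independent
        f = flows.setdefault(key, {
            "syn": 0, "syn_retrans": 0, "synack": 0, "ack": 0,
            "payload": 0, "initiator": None, "_syn_seqs": set(),
        })
        if p["flags"] == "S":
            f["syn"] += 1
            f["initiator"] = f["initiator"] or p["src"]
            if p["seq"] in f["_syn_seqs"]:
                f["syn_retrans"] += 1  # same initial seq seen again
            f["_syn_seqs"].add(p["seq"])
        elif p["flags"] == "S.":
            f["synack"] += 1
        elif "R" not in p["flags"]:
            f["ack"] += 1            # any post-handshake segment
            f["payload"] += p["length"]
    result = {}
    for key, f in flows.items():
        init = f.pop("initiator") or key[0]
        peer = key[1] if key[0] == init else key[0]
        f.pop("_syn_seqs")
        f["verdict"] = classify(f)
        result["%s:%d->%s:%d" % (init + peer)] = f
    return result


# Constructed from the post's excerpts (lines re-joined, a few omitted).
PROXIED_CAPTURE = """\
21:02:04.915310 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq 352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1556876 ecr 0], length 0
21:02:04.915464 IP 192.168.0.40.81 > 192.168.1.50.51194: Flags [S.], seq 4102632929, ack 352103920, win 8192, options [mss 1260,nop,wscale 8,sackOK,TS val 1281557 ecr 1556876], length 0
21:02:04.915546 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq 352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1556876 ecr 0], length 0
21:02:07.910690 IP 192.168.0.40.81 > 192.168.1.50.51194: Flags [S.], seq 4102632929, ack 352103920, win 8192, options [mss 1260,nop,wscale 8,sackOK,TS val 1281857 ecr 1556876], length 0
21:02:07.911073 IP 192.168.1.50.51194 > 192.168.0.40.81: Flags [S], seq 352103919, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1557176 ecr 0], length 0
"""
DIRECT_CAPTURE = """\
20:45:12.746359 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [S], seq 24635592, win 64240, options [mss 1460,nop,nop,sackOK], length 0
20:45:12.746473 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [S.], seq 3353931105, ack 24635593, win 8192, options [mss 1260,nop,nop,sackOK], length 0
20:45:12.746937 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [.], ack 1, win 64260, length 0
20:45:12.747071 IP 192.168.1.50.3588 > 192.168.0.40.81: Flags [P.], ack 1, win 64260, length 282
20:45:12.750878 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [.], ack 283, win 65520, length 1260
20:45:12.751005 IP 192.168.0.40.81 > 192.168.1.50.3588: Flags [P.], ack 283, win 65520, length 1142
"""

if __name__ == "__main__":
    for name, cap in (("proxied", PROXIED_CAPTURE), ("direct", DIRECT_CAPTURE)):
        for flow, f in summarize(cap).items():
            print(name, flow, f["syn"], "SYN", f["synack"], "SYN-ACK", f["verdict"])
```

Run it on a capture taken with plain `tcpdump -n` on the proxy host's server-side interface: a flow reported as "handshake incomplete" with a growing `syn_retrans` count is the signature of the reply path not coming back through the proxy, which matches the symptom described in the post, whereas a flow with no SYN-ACK at all points at the backend or a filter in front of it.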