Hi Willy,

Thanks the patches look good, and when applied separately all compile without issues on FreeBSD. (Except when using the USE_LINUX_TPROXY flag, but that shouldn't be used on FreeBSD anyway.)
And transparent proxying works correctly on FreeBSD as was expected.

Ive included a "transparent_proxy.cfg" which could be added to the 'examples' folder of HAProxy. Though i'm not sure anyone would find it there. Also it includes quite a bit of 'supposedly' better configuration hints, that i'm currently unable to verify, but still might help someone in the future..

As for Linux i think some iptable rules are needed. Maybe someone can added those to the example. If you don't want to include it in its current form or want to reformat the whole thing i have no problem with that.

Pieter Baauw

Op 8-5-2013 23:54, Willy Tarreau schreef:
OK here's what I came up with. There are 3 patches :

   - 0001 : reorganize flags processing
   - 0002 : add support for freebsd
   - 0003 : add support for openbsd

Please review and test if you can. At least it seems OK on linux here.
I have written all the commit messages. Feel free to change them if you
want, as they're made under your name. If you want to provide additional
doc, let's just add a 4th patch on top of this.

The code is not quite beautiful, but that's always the price to pay
when playing with ifdefs, and there are already a large number of them
in the same functions anyway.

Also, if you could provide a real name for the commits, it would be nice!


# This is an example of how to configure HAProxy to be used as a 'full 
transparent proxy' for a single backend server.
# Note that to actually make this work extra firewall/nat rules are required.
# Also HAProxy needs to be compiled with support for this, in HAProxy1.5-dev19 
you can check if this is the case with "haproxy -vv".

frontend MyFrontend
        default_backend         TransparentBack_http

backend TransparentBack_http
        mode                    http
        source usesrc client
        server                  MyWebServer

# To create the the nat rules perform the following:
# ### (FreeBSD 8) ###
# --- Step 1 ---
# ipfw is needed to get 'reply traffic' back to the HAProxy process, this can 
be achieved by configuring a rule like this:
#       fwd localhost tcp from 80 to any in recv em0
# The following would be even better but this did not seam to work on the 
pfSense2.1 distribution of FreeBSD 8.3:
#   fwd tcp from any 80 to any in recv ${outside_iface} uid 
# If only 'pf' is currently used some aditional steps are needed to load and 
configure ipfw:
# You need to configure this to always run on startup:
# /sbin/kldload ipfw
# /sbin/sysctl net.inet.ip.pfil.inbound="pf" net.inet6.ip6.pfil.inbound="pf" 
net.inet.ip.pfil.outbound="pf" net.inet6.ip6.pfil.outbound="pf"
# /sbin/sysctl net.link.ether.ipfw=1
# ipfw add 10 fwd localhost tcp from 80 to any in recv em0
# the above does the folowing:
# - load the ipfw kernal module
# - set pf as the outer firewall to keep control of routing packets for example 
to route them to a non-default gateway
# - enable ipfw
# - set a rule to catches reply traffic on em0 comming from the webserver
# --- Step 2 ---
# To also make the client connection transparent its possible to redirect 
incomming requests to HAProxy with a pf rule:
#   rdr on em1 proto tcp from any to port 80 ->
# here em1 is the interface that faces the clients, and traffic that is 
originally send straight to the webserver is redirected to HAProxy
# ### (FreeBSD 9) (OpenBSD 4.4) ###
#   pf supports "divert-reply" which is probably better suited for the job 
above then ipfw..

Reply via email to