Hi Willy,
Thanks, the patches look good, and when applied separately all compile
without issues on FreeBSD. (Except when using the USE_LINUX_TPROXY flag,
but that shouldn't be used on FreeBSD anyway.)
And transparent proxying works correctly on FreeBSD, as was expected.
I've included a "transparent_proxy.cfg" which could be added to the
'examples' folder of HAProxy. Though I'm not sure anyone would find it
there.
Also it includes quite a bit of 'supposedly' better configuration hints
that I'm currently unable to verify, but which still might help someone in
the future.
As for Linux, I think some iptables rules are needed. Maybe someone can
add those to the example.
If you don't want to include it in its current form or want to reformat
the whole thing, I have no problem with that.
Thanks,
Pieter Baauw
On 8-5-2013 23:54, Willy Tarreau wrote:
OK here's what I came up with. There are 3 patches:
- 0001 : reorganize flags processing
- 0002 : add support for freebsd
- 0003 : add support for openbsd
Please review and test if you can. At least it seems OK on linux here.
I have written all the commit messages. Feel free to change them if you
want, as they're made under your name. If you want to provide additional
doc, let's just add a 4th patch on top of this.
The code is not quite beautiful, but that's always the price to pay
when playing with ifdefs, and there are already a large number of them
in the same functions anyway.
Also, if you could provide a real name for the commits, it would be nice!
Thanks!
Willy
#
# This is an example of how to configure HAProxy to be used as a 'full
# transparent proxy' for a single backend server.
#
# Note that to actually make this work extra firewall/nat rules are required.
# Also HAProxy needs to be compiled with support for this; in HAProxy 1.5-dev19
# you can check if this is the case with "haproxy -vv".
#
global

frontend MyFrontend
    # frontend and backend must run in the same mode
    mode http
    bind 192.168.1.22:80
    default_backend TransparentBack_http

backend TransparentBack_http
    mode http
    # connect to the server using the client's own IP as source address
    source 0.0.0.0 usesrc client
    server MyWebServer 192.168.0.40:80

#
# To create the nat rules perform the following:
#
# ### (FreeBSD 8) ###
# --- Step 1 ---
# ipfw is needed to get 'reply traffic' back to the HAProxy process; this can
# be achieved by configuring a rule like this:
# fwd localhost tcp from 192.168.0.40 80 to any in recv em0
#
# The following would be even better, but this did not seem to work on the
# pfSense 2.1 distribution of FreeBSD 8.3:
# fwd 127.0.0.1:80 tcp from any 80 to any in recv ${outside_iface} uid ${proxy_uid}
#
# If only 'pf' is currently used, some additional steps are needed to load and
# configure ipfw:
# You need to configure this to always run on startup:
#
# /sbin/kldload ipfw
# /sbin/sysctl net.inet.ip.pfil.inbound="pf" net.inet6.ip6.pfil.inbound="pf" net.inet.ip.pfil.outbound="pf" net.inet6.ip6.pfil.outbound="pf"
# /sbin/sysctl net.link.ether.ipfw=1
# ipfw add 10 fwd localhost tcp from 192.168.0.40 80 to any in recv em0
#
# The above does the following:
# - load the ipfw kernel module
# - set pf as the outer firewall to keep control of routing packets, for example
#   to route them to a non-default gateway
# - enable ipfw
# - set a rule that catches reply traffic on em0 coming from the webserver
#
# --- Step 2 ---
# To also make the client connection transparent it is possible to redirect
# incoming requests to HAProxy with a pf rule:
# rdr on em1 proto tcp from any to 192.168.0.40 port 80 -> 192.168.1.22
# Here em1 is the interface that faces the clients, and traffic that is
# originally sent straight to the webserver is redirected to HAProxy.
#
# ### (FreeBSD 9) (OpenBSD 4.4) ###
# pf supports "divert-reply", which is probably better suited for the job
# above than ipfw.
#
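The firewall side of the example above as a small helper script. This is an added example, not part of the posted transparent_proxy.cfg or of HAProxy itself. It assumes that "haproxy -vv" prints a "Transparent proxy support using:" line naming the socket options the build can use (IP_TRANSPARENT on Linux, IP_BINDANY on FreeBSD); its Linux part is the usual iptables fwmark recipe for getting server replies back to a transparent proxy, which the message above leaves as an open item, and is not taken from the page. Commands are printed rather than executed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added companion script for the transparent-proxy example (not part of the
# posted transparent_proxy.cfg or of HAProxy). Assumptions: "haproxy -vv"
# prints a "Transparent proxy support using:" line listing the socket options
# the build can use; the Linux rules are the common fwmark/TPROXY recipe and
# are not from the page. Commands are only printed unless DRY_RUN=0.

# Run a command, or print it when DRY_RUN is set (the default).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Read "haproxy -vv" output on stdin; succeed only if the build advertises a
# transparent-source socket option.
tproxy_supported() {
    grep -Eq '^Transparent proxy support using:.*(IP_TRANSPARENT|IP_BINDANY)'
}

# Linux: replies from the real server are addressed to the client's IP, which
# is not local to the proxy box. Mark packets that belong to an existing local
# socket (-m socket) and route marked packets through a table whose only entry
# delivers everything to the loopback, so the kernel hands them to HAProxy.
linux_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 1
    run iptables -t mangle -A DIVERT -j ACCEPT
    run ip rule add fwmark 1 lookup 100
    run ip route add local 0.0.0.0/0 dev lo table 100
}

# FreeBSD 8 with pf as the outer firewall: the steps from the example's
# comments, parameterised.
#   $1 server IP   $2 server port   $3 interface facing the server
#   $4 interface facing the clients   $5 HAProxy bind address
freebsd_rules() {
    srv=$1; port=$2; srv_if=$3; cli_if=$4; proxy=$5
    run kldload ipfw
    run sysctl net.inet.ip.pfil.inbound=pf net.inet6.ip6.pfil.inbound=pf \
        net.inet.ip.pfil.outbound=pf net.inet6.ip6.pfil.outbound=pf
    run sysctl net.link.ether.ipfw=1
    # ipfw: replies from the server arriving on $srv_if go to the local stack
    run ipfw add 10 fwd localhost tcp from "$srv" "$port" to any in recv "$srv_if"
    # pf.conf line (not a command): send client traffic for the server to HAProxy
    echo "rdr on $cli_if proto tcp from any to $srv port $port -> $proxy"
}

# Usage (dry run):
#   haproxy -vv | tproxy_supported && echo "transparent proxy support built in"
#   linux_rules
#   freebsd_rules 192.168.0.40 80 em0 em1 192.168.1.22
```

Run the FreeBSD function with the addresses from the example config and compare its output against the ipfw and pf lines in the comments; set DRY_RUN=0 only once the printed rules look right, since the ipfw fwd rule and the ip route entry change how the box handles all traffic matching them.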