Am 05.07.2013 21:51, schrieb Willy Tarreau:

> Obviously. Don't worry, this mess is much more common than you can
> think, and personally, I'm really not a fan of transparent proxying.
> I was proud of it when I managed to get it and quickly got fed up
> with all the issues it causes due to the various possible configuration
> errors in field. Not to mention the fact that you have to carefully set
> your timewait timeouts on your machines or ensure that your LB doesn't
> forward IP, otherwise you risk some ACK storms between the clients and
> the server when source ports get reused too fast.
The reason why we do transparent proxy is:

- we want to decouple mail processing into its own VM
- we put it on an internal IP to save routed IPs
- now we need to forward the traffic, which we do via haproxy
- but then the MTA won't see the real source IP address, which is a problem, because then debugging becomes harder (who's actually trying and failing to send me some mail?) and because the IP is a relatively important factor in deciding upon the spamminess of incoming mail
- therefore TPROXY

Is there a superior alternative to this setup? Or to the more general case?

Greets,
*t

There are facets of this problem for other services.
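The setup described in the message above, written out as an added configuration example that is not part of the thread: haproxy forwards SMTP to an MTA on an internal address while spoofing the client's source IP with `usesrc clientip`. The routed address 203.0.113.10, the MTA address 10.0.0.25 and the fwmark value are assumed placeholders.

```haproxy
# Added example (not from the thread): haproxy as a transparent TCP forwarder
# for SMTP so the MTA behind it sees the client's real source address.
# Assumed: routed IP 203.0.113.10 on the haproxy VM, MTA on internal 10.0.0.25.
global
    # usesrc needs IP_TRANSPARENT sockets, so haproxy must run as root
    user root
    group root

defaults
    mode tcp
    timeout connect 5s
    timeout client  5m
    timeout server  5m

frontend smtp_in
    bind 203.0.113.10:25
    default_backend smtp_mta

backend smtp_mta
    # open the server-side connection with the client's own IP as source
    source 0.0.0.0 usesrc clientip
    server mta 10.0.0.25:25 check

# Kernel side (run on the haproxy VM; shown here as comments, not haproxy syntax):
# the MTA's replies are addressed to the client IP, so they must be routed back
# through this VM and handed to the local socket instead of being forwarded on.
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
#   iptables -t mangle -N DIVERT
#   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#   iptables -t mangle -A DIVERT -j MARK --set-mark 1
#   iptables -t mangle -A DIVERT -j ACCEPT
```

The MTA VM must use the haproxy VM as its default gateway, otherwise its replies never pass the DIVERT rule and the connection hangs; this return-path requirement is the usual source of the "configuration errors in field" Willy refers to.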