Hi Jinge,

What version of FreeBSD do you run? What firewall does it use pf/ipfw ?
What does haproxy -vv show? (version/transparent options)

Can you write a little about the network topology and what isn't working about it?
For example like this:
ClientMachine =
Haproxy LAN1 =
Haproxy LAN2 =
Server1 =
Now ClientMachine sends a tcp request to This request is routed through the haproxy machine which functions as a 'router' but also the request is intercepted by machine firewall (make sure to NOT use a standard portforward rule as it will change the destination-IP..) and redirected to the haproxy process, which determines its not http, and then sends traffic further to Server1 using the "option transparent". The question then is does Server1 ever recieve a SYN packet (check with tcpdump/wireshark)?
Does HAProxy show all backends as 'available' in the stats page?

Does the clientmachine use the proper IP(so NOT the haproxy-ip) for connecting to Server1 and is traffic routed through the haproxy machine?

Is this what doesn't currently work.?
Or is the trouble with the nginx machines machines not being able to be connected the original client ip?

There are 3 different HAProxy options called or referred to as 'transparent' which makes it also a bit difficult to see which option your asking about..
A- option transparent (for sending connection to original destination)
B- source usesrc clientip (for sending client-IP to the backend servers)
C- bind transparent (for binding to a nonlocal (CARP?) IP address)

I'm sure C is not what your asking about, but i'm unclear if your current issue is with A or B.

Could you try and make a smallest possible haproxy configuration that still contains the problem you currently experience?

Greets PiBa-NL

Op 11-7-2013 14:38, Baptiste schreef:
So the problem might be in the way you compiled HAProxy or you have
configured your OS.
Unfortunately, I can't help on FreeBSD :'(


On Thu, Jul 11, 2013 at 11:55 AM, jinge <altman87...@gmail.com> wrote:
Hi, Baptiste!

But i just test with this and found no use.


On 2013-7-11, at 下午5:35, Baptiste <bed...@gmail.com> wrote:

Hi Jinge,

Could you update your source statement to:
source usesrc clientip

And let us know if that fixed your issue.


On Thu, Jul 11, 2013 at 11:25 AM, jinge <altman87...@gmail.com> wrote:

We use HAproxy for our web system. And there is a statement if not HTTP will
go backend Direct.Which is client-side transparent proxying. Here is the
configure. But we found that the Direct backend not working. Is anyone can
tell me. Are there any problem in my configure? Or should there any turning
on my FreeBSD.

       pidfile /var/run/haproxy.pid
       maxconn 200000
maxpipes 50000
       stats socket /tmp/haproxy.sock
       nbproc 4
       spread-checks 5
tune.rcvbuf.client 16384
tune.rcvbuf.server 16384
tune.sndbuf.client 32768
       tune.sndbuf.server 16384

       maxconn 200000
backlog 32768
       timeout connect 5s
       timeout client 60s
       timeout server 60s
       timeout queue 60s
       timeout check 10s
       timeout http-request 15s
       timeout http-keep-alive 1s
timeout tunnel 3600s
       option tcpka

       hash-type consistent
       option accept-invalid-http-request
       option accept-invalid-http-response
       option redispatch
       option http-server-close
       option http-pretend-keepalive
       retries 2
       option httplog
no option checkcache

       option dontlog-normal
       option dontlognull
       option log-separate-errors

######### frontend ##############
frontend tcp-in
       bind :2222
       mode tcp
       log global
option tcplog

tcp-request inspect-delay 30s
tcp-request content accept if HTTP

       use_backend NginxCluster if HTTP
       default_backend Direct

backend NginxCluster
       mode http
       option abortonclose
       balance uri whole
       log global
       server ngx1 weight 20 check inter 5s maxconn 10000
       server ngx2 weight 20 check inter 5s maxconn 10000
       server ngx3 weight 20 check inter 5s maxconn 10000

backend Direct
       mode tcp
       log global
option tcplog
no option httpclose
no option http-server-close
no option accept-invalid-http-response
no option http-pretend-keepalive
option transparent


Reply via email to