Hi Jinge,

What version of FreeBSD do you run? What firewall does it use, pf or ipfw?
What does haproxy -vv show? (version/transparent options)

Can you write a little about the network topology and what isn't working about it?
For example like this:
ClientMachine = 172.16.1.100/24
Haproxy LAN1 = 172.16.1.1/24
Haproxy LAN2 = 192.168.1.1/24
Server1 = 192.168.1.101/24
Now ClientMachine sends a tcp request to 192.168.1.101. This request is routed through the haproxy machine which functions as a 'router' but also the request is intercepted by machine firewall (make sure to NOT use a standard portforward rule as it will change the destination-IP..) and redirected to the haproxy process, which determines it's not http, and then sends traffic further to Server1 using the "option transparent". The question then is does Server1 ever receive a SYN packet (check with tcpdump/wireshark)?
Does HAProxy show all backends as 'available' in the stats page?

Does the clientmachine use the proper IP (so NOT the haproxy-ip) for connecting to Server1 and is traffic routed through the haproxy machine?

Is this what doesn't currently work?
Or is the trouble with the nginx machines not being able to be connected the original client ip?

There are 3 different HAProxy options called or referred to as 'transparent' which makes it also a bit difficult to see which option you're asking about.
A- option transparent (for sending connection to original destination)
B- source 0.0.0.0 usesrc clientip (for sending client-IP to the backend servers)
C- bind transparent (for binding to a nonlocal (CARP?) IP address)

I'm sure C is not what you're asking about, but I'm unclear if your current issue is with A or B.

Could you try and make a smallest possible haproxy configuration that still contains the problem you currently experience?

Greets PiBa-NL

On 11-7-2013 14:38, Baptiste wrote:
So the problem might be in the way you compiled HAProxy or you have
configured your OS.
Unfortunately, I can't help on FreeBSD :'(

Baptiste

On Thu, Jul 11, 2013 at 11:55 AM, jinge <altman87...@gmail.com> wrote:
Hi, Baptiste!

But I just tested with this and found no use.



Regards
Jinge



On 2013-7-11, at 5:35 PM, Baptiste <bed...@gmail.com> wrote:

Hi Jinge,

Could you update your source statement to:
source 0.0.0.0 usesrc clientip

And let us know if that fixed your issue.

Baptiste


On Thu, Jul 11, 2013 at 11:25 AM, jinge <altman87...@gmail.com> wrote:
Hi, all!

We use HAProxy for our web system, and there is a statement that if the
traffic is not HTTP it will go to backend Direct, which is client-side
transparent proxying. Here is the configuration. But we found that the Direct
backend is not working. Can anyone tell me, is there any problem in my
configuration? Or is there any tuning I should do on my FreeBSD?

global
       pidfile /var/run/haproxy.pid
       maxconn 200000
       maxpipes 50000
       daemon
       stats socket /tmp/haproxy.sock
       nbproc 4
       spread-checks 5
       tune.rcvbuf.client 16384
       tune.rcvbuf.server 16384
       tune.sndbuf.client 32768
       tune.sndbuf.server 16384

defaults
#TCP SECTION
       maxconn 200000
       backlog 32768
       timeout connect 5s
       timeout client 60s
       timeout server 60s
       timeout queue 60s
       timeout check 10s
       timeout http-request 15s
       timeout http-keep-alive 1s
       timeout tunnel 3600s
       option tcpka

#HTTP SECTION
       hash-type consistent
       option accept-invalid-http-request
       option accept-invalid-http-response
       option redispatch
       option http-server-close
       option http-pretend-keepalive
       retries 2
       option httplog
       no option checkcache

#SYSTEM SECTION
       option dontlog-normal
       option dontlognull
       option log-separate-errors


######### frontend ##############
frontend tcp-in
       bind :2222
       mode tcp
       log global
       option tcplog

       tcp-request inspect-delay 30s
       tcp-request content accept if HTTP

       use_backend NginxCluster if HTTP
       default_backend Direct

backend NginxCluster
       mode http
       option abortonclose
       balance uri whole
       log global
       source 0.0.0.0
       server ngx1 192.168.10.1:80 weight 20 check inter 5s maxconn 10000
       server ngx2 192.168.10.2:80 weight 20 check inter 5s maxconn 10000
       server ngx3 192.168.10.3:80 weight 20 check inter 5s maxconn 10000

backend Direct
       mode tcp
       log global
       option tcplog
       no option httpclose
       no option http-server-close
       no option accept-invalid-http-response
       no option http-pretend-keepalive
       option transparent

Regards
Jinge
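
Added example, not part of the original thread: a small Python check that reports which of the three 'transparent' options (A, B, C as labelled in PiBa-NL's reply) each section of an HAProxy configuration enables. The sample is a constructed, trimmed copy of the configuration posted above; `transparent_usage` is a name invented here, and the check looks only at section-level `option`, `source` and `bind` lines, not at inheritance from `defaults` or per-server `source` settings.

```python
import re

# Constructed sample, trimmed from the configuration posted in this thread.
SAMPLE = """\
frontend tcp-in
       bind :2222
       use_backend NginxCluster if HTTP
       default_backend Direct

backend NginxCluster
       source 0.0.0.0
       server ngx1 192.168.10.1:80 check

backend Direct
       mode tcp
       option transparent
"""

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def transparent_usage(text):
    """Map 'section name' -> sorted list of transparent modes (A, B, C) it enables."""
    found, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = (m.group(1) + " " + m.group(2)).strip()
            found[current] = set()
            continue
        if current is None:
            continue
        words = line.split()
        if words[:2] == ["option", "transparent"]:
            found[current].add("A")            # connect to the original destination
        elif words[:3] == ["no", "option", "transparent"]:
            found[current].discard("A")
        elif words[0] == "source" and "usesrc" in words[2:]:
            found[current].add("B")            # present the client IP to the servers
        elif words[0] == "bind" and "transparent" in words[2:]:
            found[current].add("C")            # bind to a non-local address
    return {name: sorted(modes) for name, modes in found.items()}

if __name__ == "__main__":
    for name, modes in transparent_usage(SAMPLE).items():
        print(f"{name:22} {', '.join(modes) or '-'}")
```

On the sample, only backend Direct reports A; the plain `source 0.0.0.0` in NginxCluster does not count as B until `usesrc clientip` is appended.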




