On 5/15/2015 4:40 PM, Cyril Bonté wrote:
>> If "mode http" or "option forwardfor" are in the defaults section, I
>> cannot get a frontend configured with "mode tcp" to work.
>>
>> The "mode tcp" config is not overriding the default choice, it operates
>> in the http mode specified in defaults.
> 
> It should not, are you sure this is not because you're using a backend
> with "mode http" enabled? Both have to be in tcp mode to disable the
> defaults, as it is valid to have a frontend in tcp mode with a backend
> in http mode.

This is a lab setup where I'm working on active and passive FTP.  I
finally managed to get that functional in the lab, but now I need to
configure the firewall (required since FTP uses TPROXY) to allow direct
access to the back end servers -- this lab machine and the production
load balancer pair also serve as the default gateway for their backend
servers.  That means that it is the only path to reach them, so I must
have ssh passing through the firewall at an absolute minimum.  This
isn't an haproxy problem, but if anyone here knows how to get that
working, I'd appreciate a hand.  FYI, the SNAT that I configured for FTP
is only activated on a source port of 20, so the private IP address on
the back end server won't have to contend with NAT for ssh.

When I noticed the problems I reported at the start of this thread, I
copied my haproxy config for http and https, ripped out all the
frontends and backends that were there, none of which had a mode command
in them.  Then I added the config for FTP, which DOES have a mode
command.  That wouldn't allow the FTP control channel to connect until I
took the mode and option forwardfor out of defaults.  The only place I
had "mode" commands was in defaults and the frontends, the backends do
not have mode commands.

Once I solve the firewall issue with direct access to the back end
servers, I will combine the http/https and ftp into a single haproxy
config and put it on my production pair.

> Sometimes, you can use an interesting trick: do you know you can
> declare several "defaults" sections? It allows you to declare a "defaults"
> one for your "http" frontends/backends, and another one for the tcp ones.

Is that as simple as having a defaults section followed by frontends and
backends doing http/https, then another defaults section with the tcp
settings, followed by the frontends and backends for tcp?  Do all
settings reset back to just what's in global for the second defaults
section?

Thanks,
Shawn
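
The layout discussed in this message, as an added example that is not part of the original thread: two "defaults" sections, where each proxy without its own "mode" line inherits the mode from the nearest "defaults" above it and the second "defaults" starts again from HAProxy's built-in values. Proxy names, ports, timeouts and the 192.0.2.x addresses are constructed for illustration.

```haproxy
global
    daemon
    maxconn 4096

# First defaults: applies to every proxy declared until the next "defaults".
defaults
    mode http
    option forwardfor
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend fe_http
    bind :80
    default_backend be_http

backend be_http
    # No "mode" line here, so this backend inherits "mode http" from above.
    server web1 192.0.2.11:80 check

# Second defaults: nothing from the first section carries over, so the
# timeouts are restated and "option forwardfor" is simply absent.
defaults
    mode tcp
    timeout connect 5s
    timeout client  5m
    timeout server  5m

frontend fe_ftp_control
    bind :21
    default_backend be_ftp_control

backend be_ftp_control
    # No "mode" line here either: it inherits "mode tcp" from the second
    # defaults. Declared under the first defaults it would be an http
    # backend even if its frontend said "mode tcp".
    server ftp1 192.0.2.21:21 check
```

Running `haproxy -c -f <file>` checks a configuration like this for errors and warnings before it is loaded.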

