> listen logstash01
>     bind 10.111.2.249:514 ssl ca-file /etc/haproxy/ca.pem crt /etc/haproxy/logstash.pem verify required crl-file /etc/haproxy/crl.pem ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
>     mode tcp
>     balance roundrobin
>     option tcplog
>     server clusternode1 192.168.1.11:514 check
>     server clusternode2 192.168.1.8:514 check
>     source 0.0.0.0 usesrc clientip
>
> logstash needs the client ip as a source, so I'm trying to use "source
> 0.0.0.0 usesrc clientip". Do I need any additional iptables magic on the
> haproxy server to make this work?
Yes, see [1] and [2], and you also need:
- to be in the forwarding path of your backend
- enable ip_forwarding

[1] https://www.kernel.org/doc/Documentation/networking/tproxy.txt
[2] http://wiki.squid-cache.org/Features/Tproxy4
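
Added example, not part of the original thread: a shell check of the host-side prerequisites named in the reply (IP forwarding plus the mangle/policy-routing rules described in [1]). The function name `check_tproxy_host` is hypothetical, mark 1 and table 100 are assumed to match the kernel tproxy.txt example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: verifies what "source 0.0.0.0 usesrc clientip" needs on the
# HAProxy host. MARK/TABLE are assumptions taken from the tproxy.txt example.
# Not checkable from this host: the backends must route their replies back
# through it (e.g. it is their default gateway), or the spoofed-source
# connections never complete.
MARK=1
TABLE=100

# check_tproxy_host IP_FORWARD MANGLE_DUMP IP_RULES TABLE_ROUTES
#   IP_FORWARD    contents of /proc/sys/net/ipv4/ip_forward
#   MANGLE_DUMP   output of: iptables-save -t mangle
#   IP_RULES      output of: ip rule show
#   TABLE_ROUTES  output of: ip route show table $TABLE
# Prints one line per missing prerequisite; returns 0 only if none are missing.
check_tproxy_host() {
    rc=0
    [ "$1" = "1" ] || { echo "MISSING: net.ipv4.ip_forward=1"; rc=1; }
    printf '%s\n' "$2" | grep -Eq -e '-A PREROUTING .*-m socket .*-j DIVERT' ||
        { echo "MISSING: mangle PREROUTING socket match -> DIVERT"; rc=1; }
    printf '%s\n' "$2" |
        grep -Eq -e '-A DIVERT -j MARK --set-x?mark (0x)?0*'"$MARK"'(/| |$)' ||
        { echo "MISSING: DIVERT chain does not set mark $MARK"; rc=1; }
    printf '%s\n' "$3" |
        grep -Eq "fwmark (0x)?0*$MARK( |/).*lookup $TABLE( |\$)" ||
        { echo "MISSING: ip rule fwmark $MARK lookup $TABLE"; rc=1; }
    printf '%s\n' "$4" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo' ||
        { echo "MISSING: local default route via lo in table $TABLE"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then   # run as root on the HAProxy host
    check_tproxy_host "$(cat /proc/sys/net/ipv4/ip_forward)" \
        "$(iptables-save -t mangle)" "$(ip rule show)" \
        "$(ip route show table "$TABLE" 2>/dev/null)"
else                               # constructed sample: policy routing not set up
    check_tproxy_host 1 '-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT' '32766: from all lookup main' '' || true
fi
```

Run with no arguments it reports the two policy-routing gaps in the constructed sample; with `--live` it exits non-zero when any prerequisite is missing on the current host.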