In my opinion I do not need a transparent proxy. My rsyslog nodes directly connect to an IP address which is configured on the haproxy server. So I don't need non_local_bind or tproxy?
On 19.05.2015 18:42, Lukas Tribus wrote:
>> listen logstash01
>> bind 10.111.2.249:514 ssl ca-file /etc/haproxy/ca.pem crt /etc/haproxy/logstash.pem verify required crl-file /etc/haproxy/crl.pem ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
>> mode tcp
>> balance roundrobin
>> option tcplog
>> server clusternode1 192.168.1.11:514 check
>> server clusternode2 192.168.1.8:514 check
>> source 0.0.0.0 usesrc clientip
>>
>> logstash needs the client ip as a source, so I'm trying to use "source
>> 0.0.0.0 usesrc clientip". Do I need any additional iptables magic on the
>> haproxy server to make this work?
>
> Yes, see [1] and [2], and you also need:
> - to be in the forwarding path of your backend
> - enable ip_forwarding
>
> [1] https://www.kernel.org/doc/Documentation/networking/tproxy.txt
> [2] http://wiki.squid-cache.org/Features/Tproxy4
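Added pre-flight check, not part of the thread: `usesrc clientip` makes HAProxy open its backend connections with the client's address as source, so the backend's replies are routed towards the client and the HAProxy host must sit on that path (ip_forward) and steer those replies back into HAProxy's socket (the mangle `-m socket` rule, fwmark and local route table from tproxy.txt), whatever address the rsyslog nodes connect to. The script below, assuming it is fed the haproxy config plus sysctl values and `iptables-save -t mangle` / `ip route show table all` output from the host, reports which of those prerequisites are missing; the sample inputs are constructed.

```python
import re

# Constructed inputs modelled on the thread (not taken from a live host).
SAMPLE_CFG = """
listen logstash01
    bind 10.111.2.249:514
    mode tcp
    server clusternode1 192.168.1.11:514 check
    source 0.0.0.0 usesrc clientip
"""
# Shape of `iptables-save -t mangle` on a host prepared per tproxy.txt.
GOOD_MANGLE = """
*mangle
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
# Local route table that `ip rule add fwmark 1 lookup 100` points at.
GOOD_ROUTES = "local default dev lo table 100 scope host\n"


def transparent_sections(cfg_text):
    """Names of listen/backend sections that connect to servers with the client's IP."""
    names, current = [], None
    for line in cfg_text.splitlines():
        m = re.match(r"\s*(listen|backend)\s+(\S+)", line)
        if m:
            current = m.group(2)
        elif current and re.match(r"\s*source\s+\S+\s+usesrc\s+client(ip)?\b", line):
            names.append(current)
    return names


def check_prereqs(cfg_text, sysctl, mangle_rules, routes):
    """Return the list of missing tproxy prerequisites (empty list means ready)."""
    if not transparent_sections(cfg_text):
        return []  # no usesrc clientip anywhere, nothing to prepare
    problems = []
    if sysctl.get("net.ipv4.ip_forward") != "1":
        problems.append("net.ipv4.ip_forward is not 1: replies the backend sends to the "
                        "client's address cannot transit this host")
    if "-m socket" not in mangle_rules or "-j MARK" not in mangle_rules:
        problems.append("mangle table lacks the '-m socket ... -j MARK' rule that steers "
                        "those replies to HAProxy's socket")
    if not re.search(r"^local default dev lo table \d+", routes, re.M):
        problems.append("no local route table delivering fwmarked packets to this host")
    return problems
```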

