Hi Rich,

Thanks a lot for this info, this is clearer now. In my first mail, I asked you to provide us with the default gateway of the web servers. Could you please let us know this information?
Baptiste

On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito <ri...@ocp.org> wrote:
> Also for clarification, the config listed in here is the config I used. The
> only difference between the 2 tests is removing:
>
>   source 0.0.0.0 usesrc clientip
>
> Removing it, load balancing works; keeping it in the config, load balancing
> doesn't work.
>
> -Rich
> ________________________________________
> From: Rich Vigorito <ri...@ocp.org>
> Sent: Monday, August 10, 2015 5:22 PM
> To: Baptiste
> Cc: haproxy@formilux.org
> Subject: RE: getting transparent proxy to work.
>
> Thank you very much for all the help, and yes, you were correct about the
> capture I reported being the health check. Attached are 2 PNGs: one with our
> simple diagram of the network topology and the other being what the network
> admin and I thought was happening in our TCP handshake. This was determined
> by loading a tcpdump into Wireshark. Those 2 files are dump.pcap (which was
> taken on the haproxy box) and web1_dump.pcap (which was taken on the web
> server). What is happening is I don't think the web server knows how to
> communicate back to the haproxy box. The iptables rules and the ip rule and
> ip route commands from the blog post, in my setup, would that be done on the
> haproxy boxes or the web servers?
> ________________________________________
> From: Baptiste <bed...@gmail.com>
> Sent: Saturday, August 8, 2015 8:38 AM
> To: Rich Vigorito
> Cc: haproxy@formilux.org
> Subject: Re: getting transparent proxy to work.
>
> On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito <ri...@ocp.org> wrote:
>> Hello, this is my first time using the mailing list. I have the following
>> issue.
>>
>> Followed the steps to enable transparent proxy outlined here:
>>
>> Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer
>> | HAProxy Technologies – Aloha Load Balancer
>>
>> It will not load balance, however, with the following line added:
>>
>>   source 0.0.0.0 usesrc clientip
>>
>> Here is all the relevant configuration and setup:
>>
>> bash> lsmod | grep -i tproxy
>> xt_TPROXY              17327  0
>> nf_defrag_ipv6         34651  2 xt_socket,xt_TPROXY
>> nf_defrag_ipv4         12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
>>
>> bash> sudo sysctl -p
>> vm.swappiness = 0
>> net.ipv4.ip_nonlocal_bind = 1
>> net.ipv4.ip_forward = 1
>>
>> bash> sudo iptables -L -n -t mangle
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
>> [...]
>> Chain DIVERT (1 references)
>> target     prot opt source               destination
>> MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> bash> ip rule show
>> 0:      from all lookup local
>> 32762:  from all fwmark 0x1 lookup 100
>> 32766:  from all lookup main
>> 32767:  from all lookup default
>>
>> bash> ip route show table 100
>> local default dev lo scope host
>>
>> #haproxy.cfg
>> frontend layer4-listener
>>     bind *:80 transparent
>>     bind *:443 transparent
>>     bind *:3306
>>     bind *:8080
>>     mode tcp
>>     option tcplog
>>     http-request set-header X-Forwarded-Proto https if { ssl_fc }
>>     http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
>>     acl is_esp dst 10.10.130.79
>>     acl is_tls dst_port 443
>>     use_backend site_http if is_esp !is_tls
>>     use_backend site_https if is_esp is_tls
>>
>> backend site_https
>>     mode tcp
>>     option tcpka
>>     option tcp-check
>>     #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
>>     server site_www1 www1.site.org:443 weight 1 check inter 2000 rise 2 fall 3
>>     server site_www2 www2.site.org:443 weight 1 check inter 2000 rise 2 fall 3
>>
>> bash> haproxy -vv
>> HA-Proxy version 1.5.4 2014/09/02
>> Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
>> Build options :
>>   TARGET  = linux2628
>>   CPU     = generic
>>   CC      = gcc
>>   CFLAGS  = -O2 -g -fno-strict-aliasing
>>   OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1
>>
>> bash> uname -r
>> 3.10.0-229.4.2.el7.x86_64
>>
>> Our network admin indicated the following:
>>
>> A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
>> A SYN-ACK packet from web1 back to haproxy2
>> A RST packet from haproxy2 to web1.
>>
>> Anyone able/willing to help and/or give insight into this issue?
>>
>> Thanks
>
>
> Hi Rich,
>
> The information you provide is quite inaccurate.
> I've already reported this on stackoverflow where you first posted
> your question.
>
> Here, for example, you ran multiple tests, with different
> configurations, but you don't tell us during which one your network
> admin saw the packets he described.
>
> First point, the network packets reported by your network admin seem
> to be a health check...
> Second, it is hard to help troubleshoot a transparent proxy without a
> network diagram. So please draw and share the simplest one showing a
> client, haproxy and a server, with their respective interfaces, IPs
> and default gateway.
>
> Last, a tcpdump on the HAProxy box showing the traffic on the interface
> between haproxy and the server for the IP address of the client.
>
> Baptiste
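The following is an added example, not part of the thread and not code from HAProxy Technologies. It packages the TPROXY setup the thread follows (the printed commands reproduce the iptables, ip rule and ip route state shown in the quoted output) together with the check behind Baptiste's question about the web servers' default gateway: with `source 0.0.0.0 usesrc clientip` the server sees the client's address, so its SYN-ACK is addressed to the client and only reaches HAProxy if the server routes that reply through the HAProxy host. It goes slightly beyond the thread by checking both sides. The HAProxy address 10.10.130.31 is taken from the thread; the route tables and rule listings are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes HAPROXY_IP is the
# haproxy2 address quoted in the thread; all route tables below are constructed.

HAPROXY_IP=10.10.130.31

# Commands to run as root on the HAProxy box. They are printed rather than
# executed so this script can be run anywhere without privileges.
tproxy_setup_commands() {
    cat <<'EOF'
modprobe xt_TPROXY
sysctl -w net.ipv4.ip_nonlocal_bind=1
sysctl -w net.ipv4.ip_forward=1
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
}

# HAProxy-side policy routing check, from the text of "ip rule show" and
# "ip route show table 100": packets marked 0x1 must be looked up in table 100,
# and that table must deliver everything locally so the TPROXY socket gets it.
tproxy_routing_ok() {
    rules=$1 table100=$2
    printf '%s\n' "$rules" | grep -q 'fwmark 0x1 lookup 100' &&
    printf '%s\n' "$table100" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# Print the default gateway found in "ip route show" output, or nothing.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# The web-server-side check: does the default route point at HAProxy, so that
# replies to arbitrary client IPs go back through it? (A policy route on the
# server sending client-bound traffic via HAProxy would also work; this only
# checks the simple default-gateway case.)
return_path_via_haproxy() {
    haproxy=$1 web_routes=$2
    [ "$(default_gateway "$web_routes")" = "$haproxy" ]
}

# Constructed sample route tables for a web server at 10.10.130.152.
WEB1_ROUTES_DIRECT='default via 10.10.130.1 dev eth0
10.10.130.0/24 dev eth0 proto kernel scope link src 10.10.130.152'
WEB1_ROUTES_VIA_HAPROXY="default via $HAPROXY_IP dev eth0
10.10.130.0/24 dev eth0 proto kernel scope link src 10.10.130.152"

# Constructed HAProxy-side listings in the same shape as the thread's output.
HAPROXY_RULES='0:      from all lookup local
32762:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
HAPROXY_TABLE100='local default dev lo scope host'

main() {
    tproxy_setup_commands
    if tproxy_routing_ok "$HAPROXY_RULES" "$HAPROXY_TABLE100"; then
        echo "haproxy: TPROXY policy routing present"
    fi
    for routes in "$WEB1_ROUTES_DIRECT" "$WEB1_ROUTES_VIA_HAPROXY"; do
        if return_path_via_haproxy "$HAPROXY_IP" "$routes"; then
            echo "web1: replies to clients return via HAProxy ($(default_gateway "$routes"))"
        else
            echo "web1: default gateway is $(default_gateway "$routes"), not HAProxy;" \
                 "SYN-ACKs to clients bypass the proxy"
        fi
    done
}

main
```

Two caveats worth keeping in mind when reading the quoted configuration: the `ip rule`/`ip route`/iptables commands belong on the HAProxy box only, while the web servers need a route (default gateway or a policy route) that sends client-bound traffic back through HAProxy; and `http-request set-header` lines in a `mode tcp` frontend are ignored by HAProxy, which warns about them at startup, so they do not affect the TCP-level behaviour discussed here.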