Hi Rich,

Thanks a lot for this info, this is clearer now.
In my first mail, I asked you to provide us the default gateway of the
web servers.
Could you please let us know this information?

Baptiste


On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito <ri...@ocp.org> wrote:
> Also for clarification, the config listed in here is the config I used. The 
> only difference between the 2 tests is removing:
>
> source 0.0.0.0 usesrc clientip
>
> Removing it, load balancing works; keeping it in the config, load balancing 
> doesn't work.
>
> -Rich
> ________________________________________
> From: Rich Vigorito <ri...@ocp.org>
> Sent: Monday, August 10, 2015 5:22 PM
> To: Baptiste
> Cc: haproxy@formilux.org
> Subject: RE: getting transparent proxy to work.
>
> Thank you very much for all the help, and yes, you were correct about the 
> capture I reported being the health check. Attached are 2 PNGs: one with our 
> simple diagram of the network topology and the other being what the 
> network admin and I thought was happening in our TCP handshake. This was determined 
> by loading a tcpdump into Wireshark. Those 2 files are dump.pcap (which was 
> taken on the haproxy box) and web1_dump.pcap (which was taken on the web server). What 
> is happening is I don't think the web server knows how to communicate back to 
> the haproxy box. The iptables rules and the ip rule and ip route commands 
> from the blog post: in my set up, would that be done on the haproxy boxes or 
> the web servers?
> ________________________________________
> From: Baptiste <bed...@gmail.com>
> Sent: Saturday, August 8, 2015 8:38 AM
> To: Rich Vigorito
> Cc: haproxy@formilux.org
> Subject: Re: getting transparent proxy to work.
>
> On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito <ri...@ocp.org> wrote:
>> Hello, this is my first time using the mailing list. I have the following
>> issue.
>>
>>
>> Followed steps to enable transparent proxy outlined here:
>>
>> Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer
>> | HAProxy Technologies – Aloha Load Balancer
>>
>>
>> It will not load balance however w/ the following line added:
>>
>>
>> source 0.0.0.0 usesrc clientip
>>
>> Here is all the configuration and setup relevant:
>>
>>
>> bash> lsmod | grep -i tproxy
>>  xt_TPROXY              17327  0
>>  nf_defrag_ipv6         34651  2 xt_socket,xt_TPROXY
>>  nf_defrag_ipv4         12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
>>
>> bash>sudo sysctl -p
>>  vm.swappiness = 0
>>  net.ipv4.ip_nonlocal_bind = 1
>>  net.ipv4.ip_forward = 1
>>
>> bash> sudo iptables -L -n -t mangle
>>  Chain PREROUTING (policy ACCEPT)
>>  target     prot opt source               destination
>>  DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
>>  [...]
>>  Chain DIVERT (1 references)
>>  target     prot opt source               destination
>>  MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
>>  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> bash>  ip rule show
>>  0: from all lookup local
>>  32762: from all fwmark 0x1 lookup 100
>>  32766: from all lookup main
>>  32767: from all lookup default
>>
>> bash> ip route show table 100
>>  local default dev lo  scope host
>>
>> #haproxy.cfg
>> frontend layer4-listener
>>  bind *:80  transparent
>>  bind *:443 transparent
>>  bind *:3306
>>  bind *:8080
>>  mode tcp
>>  option      tcplog
>>  http-request set-header X-Forwarded-Proto https if { ssl_fc }
>>  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
>>  acl is_esp dst 10.10.130.79
>>  acl is_tls dst_port 443
>>  use_backend site_http if is_esp !is_tls
>>  use_backend site_https if is_esp is_tls
>> backend site_https
>>  mode tcp
>>  option tcpka
>>  option tcp-check
>>  #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
>>  server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
>>  server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3
>>
>> bash> haproxy -vv
>>  HA-Proxy version 1.5.4 2014/09/02
>>  Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
>>  Build options :
>>  TARGET  = linux2628
>>  CPU     = generic
>>  CC      = gcc
>>  CFLAGS  = -O2 -g -fno-strict-aliasing
>>  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1
>>
>> bash> uname -r
>>  3.10.0-229.4.2.el7.x86_64
>>
>>
>> Our network admin indicated the following:
>>
>>
>> A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
>> A SYN-ACK packet from web1 back to haproxy2
>> A RST packet from haproxy2 to web1.
>>
>>
>> Anyone able/willing to help and/or give insight into this issue?
>>
>>
>> Thanks
>
>
> Hi Rich,
>
> The information you provide is quite inaccurate.
> I've already reported this on stackoverflow where you first posted
> your question.
>
> Here, for example, you ran multiple tests with different
> configurations, but you don't tell us during which one your network
> admin saw the network traffic he described.
>
> First point, the network packets reported by your network admin seem
> to be a health check...
> Second, it is hard to help troubleshooting transparent proxy without a
> network diagram. So please draw and share the simplest one showing a
> client, haproxy and a server, with their respective interfaces, IPs
> and default gateway.
>
> Last, a tcpdump on the HAProxy box showing the traffic on the interface
> between haproxy and the server for the IP address of the client.
>
> Baptiste
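The thread boils down to two things to verify: the TPROXY plumbing on the HAProxy box (mangle DIVERT chain, fwmark rule, local table) and the return path from the web server, which is why the default gateway matters. The following is an added example, not code from the thread or from HAProxy; it parses constructed command output modelled on what Rich posted and checks both conditions, with the web server's gateway (10.10.130.1) and the client address (203.0.113.5) being assumptions.

```python
"""Added example (not from the thread or HAProxy): parse the command output Rich
pasted and check the TPROXY prerequisites, then check the return-path condition
behind the default-gateway question."""
import ipaddress
import re

# Constructed samples modelled on the thread (not real captures).
MANGLE = ("Chain PREROUTING (policy ACCEPT)\n"
          "DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket\n"
          "Chain DIVERT (1 references)\n"
          "MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1\n")
RULES = "0: from all lookup local\n32762: from all fwmark 0x1 lookup 100\n"
TABLE100 = "local default dev lo  scope host\n"
SYSCTL = "net.ipv4.ip_nonlocal_bind = 1\nnet.ipv4.ip_forward = 1\n"


def check_tproxy_host(mangle, rules, table100, sysctl):
    """Return the problems found on the HAProxy box (empty list = looks right)."""
    problems = []
    if not re.search(r"^DIVERT\s+tcp\b.*\bsocket\s*$", mangle, re.M):
        problems.append("mangle PREROUTING lacks '-m socket -j DIVERT'")
    mark = re.search(r"^MARK\s.*MARK set (0x[0-9a-f]+)", mangle, re.M)
    if not mark:
        problems.append("DIVERT chain does not set a fwmark")
    rule = re.search(r"fwmark (0x[0-9a-f]+) lookup (\d+)", rules)
    if not rule:
        problems.append("no 'ip rule ... fwmark <mark> lookup <table>'")
    elif mark and int(rule.group(1), 16) != int(mark.group(1), 16):
        problems.append("ip rule fwmark differs from the mark iptables sets")
    if not re.search(r"^local default dev lo\b", table100, re.M):
        problems.append("policy table lacks 'local default dev lo'")
    if not re.search(r"ip_nonlocal_bind\s*=\s*1\b", sysctl):
        problems.append("net.ipv4.ip_nonlocal_bind is not 1")
    return problems


def return_path_via_haproxy(client_ip, haproxy_ip, server_gw, server_routes=()):
    """True if the web server's reply to client_ip is routed through HAProxy.

    With 'usesrc clientip' the server answers the real client address, so that
    reply must take a route whose next hop is the HAProxy box. server_routes is
    an iterable of (cidr, next_hop); longest prefix wins, else the default gateway.
    """
    client = ipaddress.ip_address(client_ip)
    best = None
    for cidr, hop in server_routes:
        net = ipaddress.ip_network(cidr)
        if client in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    next_hop = best[1] if best else server_gw
    return ipaddress.ip_address(next_hop) == ipaddress.ip_address(haproxy_ip)
```

When the gateway check returns False, the SYN-ACK from web1 leaves via the ordinary gateway and never passes the HAProxy socket, which matches the SYN / SYN-ACK / RST pattern the network admin saw.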
