Do you mean your web servers have 2 interfaces, each one with its own default gateway?
Baptiste

On 12 Aug 2015 23:10, "Rich Vigorito" <[email protected]> wrote:

> Good to hear. Into the firewall 192.168.0.1 and out of the firewall
> 10.10.130.1
> Thanks!
>
> *Sent from my Verizon Wireless 4G LTE DROID*
>
> Baptiste <[email protected]> wrote:
>
> Hi Rich,
>
> Thanks a lot for this info, this is clearer now.
> In my first mail, I asked you to provide us the default gateway of the
> web servers.
> Could you please let us know this information?
>
> Baptiste
>
> On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito <[email protected]> wrote:
> > Also for clarification, the config listed in here is the config I used.
> > The only difference between the 2 tests is removing:
> >
> > source 0.0.0.0 usesrc clientip
> >
> > Removing it, load balancing works; keeping it in the config, load
> > balancing doesn't work.
> >
> > -Rich
> > ________________________________________
> > From: Rich Vigorito <[email protected]>
> > Sent: Monday, August 10, 2015 5:22 PM
> > To: Baptiste
> > Cc: [email protected]
> > Subject: RE: getting transparent proxy to work.
> >
> > Thank you very much for all the help, and yes, you were correct about
> > the capture I reported being the health check. Attached are 2 pngs: one with
> > our simple diagram of network topology and the other being what me and the
> > network admin thought was happening in our TCP handshake. This was
> > determined by loading a tcpdump into wireshark. Those 2 files are dump.pcap
> > (which was on the haproxy box) and web1_dump.pcap (which was taken on the web
> > server). What is happening is I don't think the web server knows how to
> > communicate back to the haproxy box. The iptables rules and the ip rule
> > and ip route commands from the blog post, in my set up would that be done
> > on the haproxy boxes or the web servers?
> > ________________________________________
> > From: Baptiste <[email protected]>
> > Sent: Saturday, August 8, 2015 8:38 AM
> > To: Rich Vigorito
> > Cc: [email protected]
> > Subject: Re: getting transparent proxy to work.
> >
> > On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito <[email protected]> wrote:
> >> Hello, this is my first time using the mailing list. I have the
> >> following issue.
> >>
> >> Followed steps to enable transparent proxy outlined here:
> >>
> >> Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer
> >> | HAProxy Technologies – Aloha Load Balancer
> >>
> >> It will not load balance however with the following line added:
> >>
> >> source 0.0.0.0 usesrc clientip
> >>
> >> Here is all the configuration and setup relevant:
> >>
> >> bash> lsmod | grep -i tproxy
> >> xt_TPROXY 17327 0
> >> nf_defrag_ipv6 34651 2 xt_socket,xt_TPROXY
> >> nf_defrag_ipv4 12729 3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
> >>
> >> bash> sudo sysctl -p
> >> vm.swappiness = 0
> >> net.ipv4.ip_nonlocal_bind = 1
> >> net.ipv4.ip_forward = 1
> >>
> >> bash> sudo iptables -L -n -t mangle
> >> Chain PREROUTING (policy ACCEPT)
> >> target prot opt source destination
> >> DIVERT tcp -- 0.0.0.0/0 0.0.0.0/0 socket
> >> [...]
> >> Chain DIVERT (1 references)
> >> target prot opt source destination
> >> MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
> >> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> >>
> >> bash> ip rule show
> >> 0: from all lookup local
> >> 32762: from all fwmark 0x1 lookup 100
> >> 32766: from all lookup main
> >> 32767: from all lookup default
> >>
> >> bash> ip route show table 100
> >> local default dev lo scope host
> >>
> >> #haproxy.cfg
> >> frontend layer4-listener
> >> bind *:80 transparent
> >> bind *:443 transparent
> >> bind *:3306
> >> bind *:8080
> >> mode tcp
> >> option tcplog
> >> http-request set-header X-Forwarded-Proto https if { ssl_fc }
> >> http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
> >> acl is_esp dst 10.10.130.79
> >> acl is_tls dst_port 443
> >> use_backend site_http if is_esp !is_tls
> >> use_backend site_https if is_esp is_tls
> >> backend site_https
> >> mode tcp
> >> option tcpka
> >> option tcp-check
> >> #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
> >> server site_www1 www1.site.org:443 weight 1 check inter 2000 rise 2 fall 3
> >> server site_www2 www2.site.org:443 weight 1 check inter 2000 rise 2 fall 3
> >>
> >> bash> haproxy -vv
> >> HA-Proxy version 1.5.4 2014/09/02
> >> Copyright 2000-2014 Willy Tarreau <[email protected]>
> >> Build options :
> >> TARGET = linux2628
> >> CPU = generic
> >> CC = gcc
> >> CFLAGS = -O2 -g -fno-strict-aliasing
> >> OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1
> >>
> >> bash> uname -r
> >> 3.10.0-229.4.2.el7.x86_64
> >>
> >> Our network admin has indicated the following:
> >>
> >> A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
> >> A SYN-ACK packet from web1 back to haproxy2
> >> A RST packet from haproxy2 to web1.
> >>
> >> Anyone able/willing to help and/or give insight into this issue?
> >>
> >> Thanks
> >
> > Hi Rich,
> >
> > The information you provide is quite inaccurate.
> > I've already reported this on stackoverflow where you first posted
> > your question.
> >
> > Here, for example, you ran multiple tests with different
> > configurations, but you don't tell us during which one your network
> > admin saw the network he described.
> >
> > First point, the network packets reported by your network admin seem
> > to be a health check...
> > Second, it is hard to help troubleshooting transparent proxy without a
> > network diagram. So please draw and share the simplest one showing a
> > client, haproxy and a server, with their respective interfaces, IPs
> > and default gateway.
> >
> > Last, a tcpdump on the HAProxy box showing the traffic on the interface
> > between haproxy and the server for the IP address of the client.
> >
> > Baptiste
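The TPROXY prerequisites quoted in Rich's first mail, and the return-path question Baptiste keeps coming back to, can be checked mechanically. The script below is an added example, not something posted in the thread or shipped with HAProxy: each check_* function (the names are mine) reads the output of one command on stdin and returns 0 when the expected setting is present, and check_return_path compares the web servers' default gateway with the HAProxy host's address, because with `source 0.0.0.0 usesrc clientip` the server's SYN-ACK is addressed to the client and only reaches HAProxy if the server's route to the client goes through the HAProxy box. The SAMPLE_* strings are constructed copies of the outputs quoted above; 10.10.130.31 (haproxy2) and 10.10.130.1 (the firewall address Rich gives when asked for the servers' gateway) are reused only as example values to show what a return-path mismatch looks like, whatever their exact role in his topology.

```shell
#!/bin/sh
# Added example (not from the thread or HAProxy): offline checks for the
# TPROXY prerequisites quoted in the mail. Each check_* function reads the
# output of one command on stdin; on a live box you would run, e.g.:
#   ip rule show | check_fwmark_rule && echo "fwmark rule present"
# The SAMPLE_* strings are constructed from the outputs quoted in the thread.

SAMPLE_SYSCTL='vm.swappiness = 0
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1'

SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DIVERT tcp -- 0.0.0.0/0 0.0.0.0/0 socket
Chain DIVERT (1 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0'

SAMPLE_RULES='0: from all lookup local
32762: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'

SAMPLE_TABLE100='local default dev lo scope host'

# Example addresses taken from the thread: haproxy2, and the firewall
# address Rich gave when asked for the web servers' default gateway.
HAPROXY_IP=10.10.130.31
SERVER_GW=10.10.130.1

# ip_nonlocal_bind=1 is what lets HAProxy open the server-side connection
# from the client's address (source 0.0.0.0 usesrc clientip).
check_nonlocal_bind() {
  grep -Eq '^net\.ipv4\.ip_nonlocal_bind = 1$'
}

# Replies from the server arrive addressed to the client, not to HAProxy.
# The mangle PREROUTING rule must match them against the existing local
# socket (-m socket) and hand them to DIVERT, which marks them 0x1.
check_divert_chain() {
  out=$(cat)
  printf '%s\n' "$out" | grep -Eq '^DIVERT[[:space:]]+tcp[[:space:]].*socket' &&
    printf '%s\n' "$out" | grep -Eq '^MARK[[:space:]].*MARK (set|xset) 0x1'
}

# Marked packets must be routed through a dedicated table ...
check_fwmark_rule() {
  grep -Eq 'fwmark 0x1 lookup 100'
}

# ... whose only route delivers everything to the local stack, so the
# kernel hands the packet to HAProxy's socket instead of forwarding it.
check_local_route() {
  grep -Eq '^local default dev lo'
}

# None of the above helps if the server's return path bypasses HAProxy:
# with usesrc clientip the SYN-ACK is sent to the client's address and
# follows the server's default route, so that route must go through the
# HAProxy host (or a policy route must send client-bound traffic there).
check_return_path() {
  server_gw=$1
  haproxy_ip=$2
  [ "$server_gw" = "$haproxy_ip" ]
}

# Runs every check against the samples, reports failures on stderr and
# prints the number of failed checks on stdout.
tproxy_failures() {
  n=0
  printf '%s\n' "$SAMPLE_SYSCTL"   | check_nonlocal_bind || { echo "FAIL ip_nonlocal_bind" >&2; n=$((n+1)); }
  printf '%s\n' "$SAMPLE_MANGLE"   | check_divert_chain  || { echo "FAIL mangle DIVERT chain" >&2; n=$((n+1)); }
  printf '%s\n' "$SAMPLE_RULES"    | check_fwmark_rule   || { echo "FAIL fwmark rule" >&2; n=$((n+1)); }
  printf '%s\n' "$SAMPLE_TABLE100" | check_local_route   || { echo "FAIL local route in table 100" >&2; n=$((n+1)); }
  check_return_path "$SERVER_GW" "$HAPROXY_IP" ||
    { echo "FAIL server default gateway $SERVER_GW is not the HAProxy host $HAPROXY_IP" >&2; n=$((n+1)); }
  echo "$n"
}

echo "failed checks: $(tproxy_failures)"
```

Against the quoted outputs the four kernel-side checks pass and only the return-path check fails, which is the situation Baptiste's questions about interfaces and default gateways are probing: the HAProxy box is configured correctly, but nothing guarantees the web servers send their replies back through it. Answering that requires the servers' routing table, not more HAProxy configuration.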

