On Tue, Aug 18, 2015 at 6:19 PM, Rich Vigorito <[email protected]> wrote:
> After changing the default gateway of the web servers to 10.10.130.79, this
> didn't fix it. The site we were testing on, and then all the other sites as
> well, were unresponsive. So what I was unclear on is: if we changed the default
> gateway on the web server to the VIP of the test site we were using, how
> would the other web sites served from the box work? We have 4 sites on that
> box, all with different VIPs for each. So we expected the other sites to fail
> and perhaps the test site to succeed, but this wasn't the case. In the case of
> the test site, traffic was getting to the web server through haproxy but not
> returning to either haproxy or the workstation making the request.
>
> I'd just like to clarify a few of my assumptions about this doc:
> http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/
>
> "Linux Kernel requirements
> You have to ensure your kernel has been compiled with the following options:
> – CONFIG_NETFILTER_TPROXY
> – CONFIG_NETFILTER_XT_TARGET_TPROXY"
>
> ^^^^ this is to be done on the haproxy boxes (not the web servers), i.e.:
> [richv@haproxy2 ~]$ lsmod | grep -i tproxy
> xt_TPROXY              17327  0
> nf_defrag_ipv6         34651  2 xt_socket,xt_TPROXY
> nf_defrag_ipv4         12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
>
> and:
> [richv@haproxy2 ~]$ grep -i tproxy /boot/*
> /boot/config-3.10.0-229.4.2.el7.x86_64:CONFIG_NETFILTER_XT_TARGET_TPROXY=m
>
> ** Note: I'm using CentOS 7. In the boot file I see
> CONFIG_NETFILTER_XT_TARGET_TPROXY; in the lsmod output I only see xt_TPROXY. Is this
> correct? Should I see both CONFIG_NETFILTER_TPROXY and
> CONFIG_NETFILTER_XT_TARGET_TPROXY in the lsmod output or the boot file?
> ----------------------------------------------------------------------------------------------------------------
>
> "sysctl settings
> The following sysctls must be enabled:
> – net.ipv4.ip_forward
> – net.ipv4.ip_nonlocal_bind"
>
> ^^^^ this is to be done on the haproxy boxes (not the web servers), i.e.:
> [richv@haproxy2 ~]$ sudo sysctl -p
> vm.swappiness = 0
> net.ipv4.ip_nonlocal_bind = 1
> net.ipv4.ip_forward = 1
> ---------------------------------------------------------------------------------------------------------------
>
> "iptables rules
> You must setup the following iptables rules:
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT"
>
> ^^^^ this is to be done on the haproxy boxes (not the web servers), i.e.:
> haproxy2> sudo iptables -L -n -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
> [...]
> Chain DIVERT (1 references)
> target     prot opt source               destination
> MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> ----------------------------------------------------------------------------------------------------------------
> "IP route rules
> Then, tell the Operating System to forward packets marked by iptables to the
> loopback where HAProxy can catch them:
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100"
> ^^^^ this is to be done on the haproxy boxes (not the web servers), i.e.:
>
> haproxy2> ip rule show
> 0:      from all lookup local
> 32762:  from all fwmark 0x1 lookup 100
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> haproxy> ip route show table 100
> local default dev lo scope host
>
> ----------------------------------------------------------------------------------------------------------------
>
> In summary, for my setup, everything in that tutorial is to be performed on
> the haproxy box, not the web servers?
>
Hi Rich,

This has to be performed on the HAProxy box only.
On your web server, you must change the default gateway to your HAProxy box.

If you did all of this and it is still not working, then it deserves a deeper
analysis of your whole platform, with hands on the servers.

Baptiste
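For anyone reproducing the setup above, here is the OS-side part of the quoted HOWTO packaged as an idempotent script with a verify step. This is an added example, not code from the HOWTO, from HAProxy, or from anyone in this thread. It runs on the HAProxy box only, as Baptiste says; the web servers get no change apart from a default gateway that points at the HAProxy box. Assumptions (mine, not the page's): a Linux box with iptables that supports the `-C` rule check and iproute2, fwmark 1 and routing table 100 as in the HOWTO, the kernel config at /boot/config-$(uname -r), and the `tproxy_*` function names.

```shell
#!/bin/sh
# Added example, not from the HOWTO or HAProxy: the TPROXY plumbing for
# HAProxy transparent proxying as an idempotent, checkable script.
# Run on the HAProxy box only (assumption: Linux, iptables with -C, iproute2).

FWMARK=1    # value used by the HOWTO
TABLE=100   # routing table used by the HOWTO

# Kernel check. $1 = kernel config file, e.g. /boot/config-$(uname -r).
# Succeeds when the TPROXY target is built in (=y) or a module (=m).
tproxy_kernel_ok() {
    grep -Eq '^CONFIG_NETFILTER_XT_TARGET_TPROXY=[ym]$' "$1"
}

# sysctl check. $1 = root of the sysctl tree (/proc/sys on a live box;
# a constructed directory in a test). Both values must read 1.
tproxy_sysctl_ok() {
    [ "$(cat "$1/net/ipv4/ip_forward" 2>/dev/null)" = 1 ] &&
    [ "$(cat "$1/net/ipv4/ip_nonlocal_bind" 2>/dev/null)" = 1 ]
}

# Print the commands tproxy_apply runs, so they can be reviewed first.
# -C before -A and `ip route replace` make re-running safe: the HOWTO's
# plain `iptables -A` / `ip rule add` lines stack duplicates on each run.
tproxy_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.ip_nonlocal_bind=1
iptables -t mangle -N DIVERT 2>/dev/null || true
iptables -t mangle -C PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null || iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -C DIVERT -j MARK --set-mark $FWMARK 2>/dev/null || iptables -t mangle -A DIVERT -j MARK --set-mark $FWMARK
iptables -t mangle -C DIVERT -j ACCEPT 2>/dev/null || iptables -t mangle -A DIVERT -j ACCEPT
ip rule show | grep -q "fwmark 0x$(printf '%x' "$FWMARK") lookup $TABLE" || ip rule add fwmark $FWMARK lookup $TABLE
ip route replace local 0.0.0.0/0 dev lo table $TABLE
EOF
}

# Apply on the live box (needs root). sysctl -w is not persistent; put the
# two keys in /etc/sysctl.conf as well so `sysctl -p` restores them at boot.
tproxy_apply() {
    tproxy_commands | sh -e
}

# Verify the live state: kernel, sysctls, mangle rule, policy rule and the
# local route in table $TABLE. Reports the first missing step.
tproxy_verify() {
    tproxy_kernel_ok "/boot/config-$(uname -r)" \
        || { echo "kernel: CONFIG_NETFILTER_XT_TARGET_TPROXY not set"; return 1; }
    tproxy_sysctl_ok /proc/sys \
        || { echo "sysctl: ip_forward / ip_nonlocal_bind not 1"; return 1; }
    iptables -t mangle -C PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null \
        || { echo "iptables: PREROUTING -m socket -j DIVERT missing"; return 1; }
    ip rule show | grep -q "fwmark 0x$(printf '%x' "$FWMARK") lookup $TABLE" \
        || { echo "ip rule: fwmark $FWMARK -> table $TABLE missing"; return 1; }
    ip route show table "$TABLE" | grep -q '^local default dev lo' \
        || { echo "ip route: table $TABLE has no local default via lo"; return 1; }
    echo "tproxy: all checks passed"
}

# Usage: sh tproxy.sh show | apply | verify
case "${1:-}" in
    show)   tproxy_commands ;;
    apply)  tproxy_apply ;;
    verify) tproxy_verify ;;
esac
```

`sh tproxy.sh show` prints what would be run, `sudo sh tproxy.sh apply` runs it, and `sudo sh tproxy.sh verify` checks each step and names the first one that is missing, which is a quicker way to answer "is everything in that tutorial done on the haproxy box?" than reading `iptables -L` and `ip rule show` by hand. This covers the OS side only; HAProxy itself still has to be told to connect to the backends from the client's address (the `usesrc clientip` part of the HOWTO's HAProxy configuration), which is outside this script.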

