Hi Marcello,
If you add a stats page on haproxy config, the backends are all properly
reported as 'up'?
I think the be01 gateway should be pointing to the haproxy machine.
On 5-3-2016 at 23:06, Marcello Lorenzi wrote:
Hi All,
I'm testing a TPROXY implementation on RHEL 7 KVM servers but I noticed
some issues. All the connections are collected by the VLAN
192.168.10.0/24 and the backend communication
between HAPROXY and APACHE is performed on VLAN 192.168.20.0/24.
The IP addresses are
192.168.10.20 fe01-dmz
192.168.20.20 fe01-priv
192.168.20.21 be01-priv
I configured IPTABLES and sysctl with all the commands provided
in the HAPROXY documentation, but when I tried to enable transparent
proxy mode I received a 503 Service Unavailable error. The haproxy
configuration is:
[root@fe01 ~]# cat /etc/haproxy/haproxy.cfg
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4096
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    retries 3
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http-lb
    bind 192.168.10.20:80 transparent
    default_backend backen-it

backend backen-it
    option httpclose
    option forwardfor
    source 0.0.0.0 usesrc clientip
    server apache-be01 192.168.20.21:8888 maxconn 1000 check inter 5000 fastinter 2000 downinter 2000 rise 3 fall 3
I notice that all the connections from haproxy and apache remain in
SYN_SENT status and this could be related to a routing issue, but I
can't find a solution.
[root@fe01 boot]# netstat -antp | grep 8888
tcp 0 1 192.168.10.1:44073 192.168.20.21:8888 SYN_SENT 11937/haproxy
The default gateway is configured as:
[root@fe01 ~]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.10.1 0.0.0.0 UG 0 0 0 eth0
[root@be01 ~]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.20.1 0.0.0.0 UG 0 0 0 ens3
Gateway should imho point to haproxy, as I understand that would be
192.168.20.20 instead of 192.168.20.1?
Could someone help me to debug this issue?
"tcpdump -en -i <nic>" might show if reply packets from the webserver
are properly delivered back to the haproxy machine.
Thanks,
Marcello
Regards,
PiBa-NL
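
Added example, not part of the original messages: a small Python check of the return-path question raised in this thread. It parses be01's routing table as pasted and tests whether replies addressed to the spoofed client IP would be handed to the haproxy machine. The function names are hypothetical; the client address 192.168.10.1 is taken from the SYN_SENT line and 192.168.20.20 from the address list.

```python
import ipaddress

# be01's routing table exactly as pasted in the thread (`netstat -rn` on be01).
BE01_ROUTES = """\
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.20.1 0.0.0.0 UG 0 0 0 ens3
"""

def parse_routes(text):
    """Parse `netstat -rn` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Destination":
            continue  # banner or column header
        prefix = bin(int(ipaddress.ip_address(f[2]))).count("1")
        net = ipaddress.ip_network(f"{f[0]}/{prefix}", strict=False)
        routes.append((net, ipaddress.ip_address(f[1]), f[7]))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match. Returns the gateway address, the destination
    itself when the route is on-link (gateway 0.0.0.0), or None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    gw = max(matches, key=lambda r: r[0].prefixlen)[1]
    return dst if int(gw) == 0 else gw

def replies_return_via_proxy(routes, client_ip, proxy_ip):
    """With `usesrc clientip`, be01 answers to the client's address, so the
    SYN-ACK only reaches haproxy if be01's next hop for it is the proxy."""
    return next_hop(routes, client_ip) == ipaddress.ip_address(proxy_ip)

if __name__ == "__main__":
    client, proxy = "192.168.10.1", "192.168.20.20"  # values from the thread
    current = parse_routes(BE01_ROUTES)
    # Constructed variant: same table with the default gateway moved to fe01-priv.
    fixed = parse_routes(BE01_ROUTES.replace("192.168.20.1 ", "192.168.20.20 "))
    for name, table in (("as posted", current), ("gateway = haproxy", fixed)):
        print(name, "-> next hop", next_hop(table, client),
              "| via proxy:", replies_return_via_proxy(table, client, proxy))
```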