I am absolutely flabbergasted...

I have a "simple" transparent proxy application with two ldap backends.


Here is my haproxy config:
> erlacher@vmrbg80:~$ cat /etc/haproxy/haproxy.cfg
> # Managed by saltstack
> global
>         log /dev/log    local0
>         log /dev/log    local1 notice
> #       chroot /var/lib/haproxy
> #       user haproxy
> #       group haproxy
>         daemon
>         external-check
> 
> defaults
>         log     global
>         mode    tcp
>         option  tcplog
>         option  dontlognull
>         timeout connect 5000
>         timeout client 1d
>         timeout server 1d
>         errorfile 400 /etc/haproxy/errors/400.http
>         errorfile 403 /etc/haproxy/errors/403.http
>         errorfile 408 /etc/haproxy/errors/408.http
>         errorfile 500 /etc/haproxy/errors/500.http
>         errorfile 502 /etc/haproxy/errors/502.http
>         errorfile 503 /etc/haproxy/errors/503.http
>         errorfile 504 /etc/haproxy/errors/504.http
> 
> frontend ft_ldaps
>   bind ldap-ha-ft:636 transparent
>   default_backend bk_ldaps
> backend bk_ldaps
>   balance source
>   source 0.0.0.0 usesrc clientip
>   option external-check
>   external-check command /usr/local/bin/ldapcheck.sh
>   server ldap1 ldap-ha-bk1:636 check
>   server ldap2 ldap-ha-bk2:636 check
> 
> frontend ft_ldap
>   bind ldap-ha-ft:389 transparent
>   default_backend bk_ldap
> backend bk_ldap
>   balance source
>   source 0.0.0.0 usesrc clientip
>   option external-check
>   external-check command /usr/local/bin/ldapcheck.sh
>   server ldap1 ldap-ha-bk1:389 check
>   server ldap2 ldap-ha-bk2:389 check

Here is the ldapcheck.sh script:
> erlacher@vmrbg80:~$ cat /usr/local/bin/ldapcheck.sh 
> #!/bin/bash
> 
> backend=$3
> 
> #/usr/bin/ldapsearch -x -L -H "ldap://$backend" -b ou=blabliblub '(mail=!)' dn
> 
> exit 0

I will neglect to post all of the sysctl, ip rule, ip route etc. etc. settings, 
they roughly follow the instructions in [1] with my own improvements previously 
posted to this ML and they work.

Everything works in this configuration. HOWEVER, if I delete the "exit 0" and 
uncomment the ldapsearch call so it's actually a functional health check, the 
output of the ldapsearch ends up in the load balanced tcp traffic!

> erlacher@atrbg13 ~ % telnet ldap-ha-ft 389
> Trying 131.159.255.33...
> Connected to ldap-ha-ft.
> Escape character is '^]'.
> version: 1
> 
> #
> # LDAPv3
> # base <ou=Personen,ou=IN,o=TUM,c=DE> with scope subtree
> # filter: (mail=!)
> # requesting: dn 
> #
> 
> # search result


I can, of course, fix this by redirecting the output of the ldapsearch command 
to /dev/null, but why the heck does this end up in the tcp traffic anyway? 
Needless to say, this completely clobbers the actual client connection and it 
gets closed immediately.

Best regards,
Luke

:D

[1] http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/


haproxy -vv:
> erlacher@vmrbg80:~$ sudo haproxy -vv
> HA-Proxy version 1.6.5 2016/05/10
> Copyright 2000-2016 Willy Tarreau <wi...@haproxy.org>
> 
> Build options :
>   TARGET  = linux2628
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
>   OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
> 
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
> 
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.8
> Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
> Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.31 2012-07-06
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with Lua version : Lua 5.3.1
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
> 
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.


-- 

Mit freundlichen Gruessen,
Lukas Erlacher

--
Rechnerbetriebsgruppe der Fakultäten Mathematik und Informatik
Raum 00.05.042
Tel. 089-289-18258
erlac...@in.tum.de
Technische Universität München - Boltzmannstr. 3 - 85748 Garching
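A hardened version of the check script, added here as an example and not the poster's own code: every byte the probe writes to stdout or stderr is discarded, so the check speaks to HAProxy only through its exit status (the /dev/null workaround from the post made the default). Assumptions: HAProxy passes the four positional arguments documented for `external-check command`, OpenLDAP's `ldapsearch` with `-o nettimeout` is installed, and `ou=blabliblub` is the placeholder search base from the post.

```shell
#!/bin/sh
# Added example, not the original ldapcheck.sh. HAProxy runs the command as
#   <command> <proxy_address> <proxy_port> <server_address> <server_port>
# so the backend host is $3 and the backend port is $4 (the post used $3).
#
# The check communicates ONLY through its exit status: all probe output is
# sent to /dev/null, so nothing the child prints can end up in client traffic.

# Probe binary; overridable so the functions can be exercised without a
# directory server (assumption: OpenLDAP's ldapsearch is installed).
LDAPSEARCH="${LDAPSEARCH:-/usr/bin/ldapsearch}"
LDAP_BASE="${LDAP_BASE:-ou=blabliblub}"   # placeholder base from the post
NET_TIMEOUT="${NET_TIMEOUT:-3}"           # seconds before the probe gives up

# ldap_url HOST PORT -> prints an ldaps:// URL for port 636, ldap:// otherwise,
# matching the two backends (bk_ldaps on 636, bk_ldap on 389) in the config.
ldap_url() {
    if [ "$2" = "636" ]; then
        printf 'ldaps://%s:%s\n' "$1" "$2"
    else
        printf 'ldap://%s:%s\n' "$1" "$2"
    fi
}

# ldap_check HOST PORT -> status 0 when the server answers a base-scope
# search within NET_TIMEOUT, non-zero otherwise. Output is never emitted.
ldap_check() {
    url=$(ldap_url "$1" "$2")
    "$LDAPSEARCH" -x -LLL -o nettimeout="$NET_TIMEOUT" -H "$url" \
        -b "$LDAP_BASE" -s base '(objectClass=*)' dn >/dev/null 2>&1
}

# Invoked by HAProxy (four positional arguments): run the check and report
# its status. Run without arguments, the file only defines the functions.
if [ "$#" -ge 4 ]; then
    ldap_check "$3" "$4"
    exit $?
fi
```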
