Hi,

I updated my old Linux transparent proxy patch.
TPROXY is available in the mainline kernel from 2.6.30.

This feature can be used only with Linux.

Patches are available for 2.4.5 and 2.5c. (The 2.4.5 patch is used in production; 2.5c is not tested.)

It adds a new TProxy global option and a TProxy option for backend.

If the global TProxy option is switched on, Pound preserves the NET_ADMIN capability, which TPROXY needs.
If the global TProxy option is switched off, Pound works as the unpatched version.

You can switch on the transparent proxy feature on a backend by adding TProxy 1 to it in the config.

You should set the following:

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -s 10.0.0.141 -p tcp --sport 80 -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 111
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 111 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

(10.0.0.141:80 is a backend address, but not on the Pound host. If you use a backend server other than the Pound host, the backend hosts need to use the Pound host as their gateway.)

and the following:

iptables -t mangle -A OUTPUT -s 10.0.0.142 -p tcp --sport 81 -j DIVERT

(10.0.0.142:81 is a backend address on the host which runs Pound)

You can find some useful information at:
http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/

Best regards,
ivan
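As an added example (not code from ivan's patch or from Pound), a small POSIX shell script that generates the rule set above for any number of backends: it validates the address and port, picks PREROUTING or OUTPUT depending on whether the backend runs on the Pound host, and only applies the rules when explicitly asked. Mark 111 and table 100 are taken from the mail; the function names and the "local" flag are assumptions.

```shell
#!/bin/sh
# Added example, not part of ivan's patch or of Pound: build the mangle and
# policy-routing rules for TPROXY backends. Mark/table values as in the mail.
FWMARK=111
TABLE=100

# Return 0 when "$1 $2" is a dotted-quad IPv4 address and a port in 1-65535.
valid_backend() {
  ip=$1; port=$2
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(echo "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] || return 1
  [ "$port" -le 65535 ]
}

# Common part, needed once: DIVERT marks backend replies, the fwmark rule sends
# them to table 100, whose local route hands them to Pound's transparent socket.
tproxy_common() {
  cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $FWMARK
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark $FWMARK lookup $TABLE
ip route add local 0.0.0.0/0 dev lo table $TABLE
EOF
}

# Per-backend rule: $1 = backend IP, $2 = backend port, $3 = "local" when the
# backend runs on the Pound host (its replies pass OUTPUT, never PREROUTING).
tproxy_backend() {
  valid_backend "$1" "$2" || { echo "bad backend: $1:$2" >&2; return 1; }
  chain=PREROUTING
  [ "$3" = local ] && chain=OUTPUT
  echo "iptables -t mangle -A $chain -s $1 -p tcp --sport $2 -j DIVERT"
}

# Full rule set for the two backends named in the mail.
tproxy_all() {
  tproxy_common
  tproxy_backend 10.0.0.141 80 &&
  tproxy_backend 10.0.0.142 81 local
}

case "${1:-}" in
  print) tproxy_all ;;        # show the commands
  apply) tproxy_all | sh ;;   # run them (root, TPROXY-capable kernel)
esac
```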


