Transparent proxy
Hello everybody,

I have a problem with haproxy (1.3.17) and kernel 2.6.29.

I have successfully recompiled my kernel with the TPROXY modules, installed haproxy (compiled from source with the tproxy option enabled) and installed iptables 1.4.3 (which has the tproxy patch).

Now I can't use the transparent proxy function: if I leave this line in haproxy.cfg

    source 0.0.0.0 usesrc clientip

haproxy says "503 - Service unavailable". If I comment out the line, everything works fine (without transparent proxy).

My situation: haproxy with two ethernet devices, the first one for the public IP, the second one for the private IP (192.168.XX.XX); two web servers, each with one ethernet interface connected to my private network.

Have you got ideas, or can you provide me with examples?

Thanks,
Carlo
Re: Transparent proxy
Carlo,

Sorry, got busy and forgot to post back to you. I was going to ask what's your output from:

    iptables -L -t mangle

Mine looks like this:

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    MARK       tcp  --  192.168.2.0/24       anywhere             tcp dpt:http MARK set 0x1
    DIVERT     tcp  --  anywhere             anywhere             socket

Is the divert to socket in place?

2009/5/11 Carlo Granisso <c.grani...@dnshosting.it>:
> [...]

--
Regards,
Malcolm Turnbull.
Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/
RE: Transparent proxy
It's a little different config than I have, but it looks ok to me. What's haproxy -vv give? I have:

    [r...@haf1 etc]# haproxy -vv
    HA-Proxy version 1.3.15.7 2008/12/04
    Copyright 2000-2008 Willy Tarreau <w...@1wt.eu>

    Build options :
      TARGET  = linux26
      CPU     = generic
      CC      = gcc
      CFLAGS  = -O2 -g
      OPTIONS = USE_LINUX_TPROXY=1

(I know, I am a little behind, but if it's not broke...)

When you say "haproxy says 503", I assume it doesn't actually say that, but that's what a web browser gets back from it?

I assume the web servers have the haproxy's private IP address as their default route? If they are going to some other device as a NAT gateway, that will not work.

Do they show a SYN_RECV or ESTABLISHED connection from the public client trying to connect?

From: Carlo Granisso [mailto:c.grani...@dnshosting.it]
Sent: Monday, May 11, 2009 7:06 AM
To: haproxy@formilux.org
Subject: Transparent proxy

> [...]
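As an added example (not from any of the posts, and not HAProxy's or Loadbalancer.org's code), the Python below parses `iptables -L -t mangle` output of the form Malcolm asked for and answers his "is the divert to socket in place?" question programmatically, checks John's default-route point against `ip route` output from a backend, and lists the standard TPROXY rule set from the kernel's tproxy.txt for comparison. Both sample outputs are constructed, and 192.168.2.1 as haproxy's private address is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format `iptables -L -t mangle` prints, modelled on the
# chain Malcolm posted plus the DIVERT chain it jumps to (not Carlo's real output).
SAMPLE_MANGLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  192.168.2.0/24       anywhere             tcp dpt:http MARK set 0x1
DIVERT     tcp  --  anywhere             anywhere             socket

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK set 0x1
ACCEPT     all  --  anywhere             anywhere
"""

# Constructed `ip route` output of one backend web server; 192.168.2.1 as the
# haproxy private address is an assumption for the example.
SAMPLE_BACKEND_ROUTES = """\
default via 192.168.2.1 dev eth0
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.10
"""


@dataclass
class Rule:
    chain: str
    target: str
    prot: str
    source: str
    destination: str
    extra: str  # match/target options as printed, e.g. "socket" or "MARK set 0x1"


def parse_iptables_list(text):
    """Parse `iptables -L` style output into {chain_name: [Rule, ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if line.startswith("target") or current is None:
            continue  # column header row (or stray text before any chain)
        parts = line.split(None, 5)  # target prot opt source destination [extra]
        if len(parts) < 5:
            raise ValueError("unparseable rule line: %r" % line)
        extra = parts[5].strip() if len(parts) == 6 else ""
        chains[current].append(Rule(current, parts[0], parts[1], parts[3], parts[4], extra))
    return chains


def _sets_mark(rule):
    return rule.target == "MARK" and "MARK set" in rule.extra


def tproxy_mangle_checks(chains):
    """Malcolm's question: is there a socket-match rule in PREROUTING, and does it
    (directly or via the chain it jumps to) set the fwmark that the
    `ip rule ... fwmark` policy route keys on?"""
    pre = chains.get("PREROUTING", [])
    socket_rules = [r for r in pre if "socket" in r.extra.split()]
    marked = any(_sets_mark(r) or any(_sets_mark(x) for x in chains.get(r.target, []))
                 for r in socket_rules)
    return {"socket_divert": bool(socket_rules), "socket_match_marks": marked}


def default_gateway(ip_route_text):
    """Gateway of the `default via ...` line in `ip route` output, or None."""
    for line in ip_route_text.splitlines():
        m = re.match(r"default via (\S+)", line)
        if m:
            return m.group(1)
    return None


def return_path_via_proxy(ip_route_text, proxy_private_ip):
    """John's point: with `usesrc clientip` the backend sees the real client
    address, so its replies must route back through haproxy, not another gateway."""
    return default_gateway(ip_route_text) == proxy_private_ip


def tproxy_setup_commands(mark=1, table=100):
    """The standard Linux TPROXY plumbing (as in the kernel's tproxy.txt): divert
    packets owned by a local socket, mark them, and send marked packets to lo
    through a dedicated routing table. Returned as strings, not executed."""
    return [
        "iptables -t mangle -N DIVERT",
        "iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT",
        "iptables -t mangle -A DIVERT -j MARK --set-mark %d" % mark,
        "iptables -t mangle -A DIVERT -j ACCEPT",
        "ip rule add fwmark %d lookup %d" % (mark, table),
        "ip route add local 0.0.0.0/0 dev lo table %d" % table,
    ]


if __name__ == "__main__":
    print(tproxy_mangle_checks(parse_iptables_list(SAMPLE_MANGLE)))
    print(return_path_via_proxy(SAMPLE_BACKEND_ROUTES, "192.168.2.1"))
    print("\n".join(tproxy_setup_commands()))
```

Feeding the script the real `iptables -L -t mangle` and, on each backend, `ip route` output gives a quick yes/no on the two things the thread is circling around: whether incoming packets for a bound transparent socket are diverted and marked, and whether the backends' replies, addressed to the real client, actually come back through haproxy.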
R: Transparent proxy
I've tried to use the webserver through the public interface on the same IP class as haproxy: it doesn't work :-(

Thanks,
Carlo

From: John Lauro [mailto:john.la...@covenanteyes.com]
Sent: Monday, 11 May 2009 14:42
To: 'Carlo Granisso'; haproxy@formilux.org
Subject: RE: Transparent proxy

> [...]
Re: R: R: Transparent proxy
Willy Tarreau wrote:
> do you mean that OpenBSD supports a linux-compatible tproxy ? I was not
> aware of this, because for me, tproxy is 100% linux-specific. Do you know
> what versions provide it (if so) and how to detect whether it's supported ?

I've seen a bunch of pf+squid magic to do it, but I think that tinyproxy (https://www.banu.com/tinyproxy) supports transparent proxying, at least for HTTP. Not sure if that's of any help.

--
Jeff Buchbinder
Senior Infrastructure Engineer
Rave Wireless, Inc
work: 508.848.2484
mobile: 860.617.5750
jbuchbin...@ravewireless.com
[PATCH] Fix 'tcp-request content [accept|reject] if condition' parser for missing 'if'.
Hi,

attached is a patch which fixes a configuration mistake regarding the 'tcp-request' option. If you have the following in your configuration file:

    acl localnet dst 10.0.0.0/8
    tcp-request content reject if localnet

this will work fine, but if you change the 'tcp-request' line and remove the 'if', haproxy-1.3.17 will segfault. I think the following changelog entry in 1.3.18 addresses this problem:

    [BUG] fix parser crash on unconditional tcp content rules

But now in 1.3.18 the default behaviour is a bit weird. If you remove the 'if' statement, haproxy will reject every connection, regardless of whether it matches 'localnet' or not, and the configuration seems to be valid, which is definitely not what is expected.

I have changed this to the following behaviour: if nothing is specified after accept or reject, the default condition will apply (like the source and documentation say), and if there is some parameter after accept or reject it has to be 'if' or 'unless'; anything else will result in:

    [ALERT] 131/012555 (27042) : parsing [/etc/haproxy/haproxy.cfg:94] : 'tcp-request content reject' expects 'if', 'unless' or nothing, but found 'localnet'
    [ALERT] 131/012555 (27042) : Error reading configuration file : /etc/haproxy/haproxy.cfg

I think this is much more accurate. At least it took me some time to verify why the hell my configuration file is valid, but did not work as expected. :)

--Maik

diff -Nur haproxy-1.3.18/src/proto_tcp.c haproxy-1.3.18-tcp-request-condition-fix/src/proto_tcp.c --- haproxy-1.3.18/src/proto_tcp.c 2009-05-10 20:27:47.0 +0200 +++ haproxy-1.3.18-tcp-request-condition-fix/src/proto_tcp.c2009-05-12 01:25:48.0 +0200
@@ -509,6 +509,13 @@ pol = ACL_COND_IF; else if (!strcmp(args[3], unless)) pol = ACL_COND_UNLESS; + else { + if (args[3][0] != '\0') { + snprintf(err, errlen, '%s %s %s' expects 'if', 'unless' or nothing, but found '%s', +args[0], args[1], args[2], args[3]); + return -1; + } + } /* Note: we consider if TRUE when there is no condition */ if (pol != ACL_COND_NONE
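Review bot: style point in the new `else` branch: the nested `else { if (args[3][0] != '\0') { ... } }` can be flattened to `else if (args[3][0] != '\0') { ... }`, which lines up with the `else if (!strcmp(args[3], "unless"))` just above it and drops one brace level. The logic itself is right: only an empty `args[3]` now falls through to the `/* Note: we consider if TRUE when there is no condition */` path, so a leftover token such as `localnet` with the `if` removed is reported as `expects 'if', 'unless' or nothing, but found '...'` at parse time, instead of silently becoming an unconditional rule that rejects every connection; the `return -1` also means the error is fatal for the config load, which is the behaviour the alert in your mail shows.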
TCP traffic multiplexing as balance algorithm?
Hi,

I have a small question. Does someone know if it is possible to do simple traffic multiplexing with HAProxy? Maybe I am missing it somehow, but I want to ask on the list before creating a patch for it.

Just to answer the real-world scenario question: TCP multiplexing can be very useful for debugging backend servers or doing simple logging and passive traffic dumping.

There are two major ideas for implementing it:

- 1:N (Active / Passive)
- 1:N (Active / Active)

Well, active means that the request is going to the destination and the response back to the client, and passive means that only the request is going to the destination.

In configuration it could look like:

    listen smtp-filter 127.0.0.1:25
        mode tcp
        balance multiplex
        server smtp1 10.0.0.5:25
        server smtp2 10.0.0.6:25

The active / active would be very hard to implement, tcp stream synchronisation would be a pain and I think no one will really need this, but active / passive is a very useful feature. In my environment it is often so that developers need access to real traffic data to debug (in the example above) the smtp software they are developing.

Is anyone else missing such functionality? :)

--Maik
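As an added illustration of the active / passive idea (not HAProxy code and not part of Maik's proposal), the Python below is a small 1:N TCP mirror: every byte the client sends goes to the active backend and is also copied to the passive one, only the active backend's replies go back to the client, and a passive backend that is down, slow or chatty must never disturb the active path. `demo()` stands up two constructed loopback backends in place of smtp1 and smtp2 and returns what the client got back and what the passive side recorded; the SMTP-looking strings are made up for the example.

```python
import socket
import threading

BUF = 4096


def _relay(src, dst, mirror=None):
    """Copy src -> dst until EOF, also sending each chunk to `mirror` if given.
    The mirror is best effort: its first error drops it and the active path goes on."""
    try:
        while True:
            chunk = src.recv(BUF)
            if not chunk:
                break
            dst.sendall(chunk)
            if mirror is not None:
                try:
                    mirror.sendall(chunk)
                except OSError:
                    mirror.close()
                    mirror = None
    except OSError:
        pass
    finally:
        for s in (dst, mirror):  # propagate EOF downstream, to the mirror too
            if s is not None:
                try:
                    s.shutdown(socket.SHUT_WR)
                except OSError:
                    pass


def _drain(sock):
    """Discard whatever the passive backend answers; the client never sees it."""
    try:
        while sock.recv(BUF):
            pass
    except OSError:
        pass
    sock.close()


def handle_client(client, active_addr, passive_addr):
    """Active backend: full duplex with the client. Passive backend: request copy only."""
    active = socket.create_connection(active_addr)
    try:
        passive = socket.create_connection(passive_addr, timeout=2)
        passive.settimeout(None)
        threading.Thread(target=_drain, args=(passive,), daemon=True).start()
    except OSError:
        passive = None  # passive backend down or refusing: keep serving the client
    up = threading.Thread(target=_relay, args=(client, active, passive), daemon=True)
    down = threading.Thread(target=_relay, args=(active, client), daemon=True)
    up.start(); down.start(); up.join(); down.join()
    client.close(); active.close()


def start_mirror_proxy(active_addr, passive_addr):
    """Listen on an ephemeral loopback port; returns (listener, (host, port))."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = ls.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handle_client, args=(client, active_addr, passive_addr),
                             daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return ls, ls.getsockname()


def _serve_once(ls, handler):
    conn, _ = ls.accept()
    with conn:
        handler(conn)


def demo(passive_up=True):
    """One exchange through the proxy with two constructed loopback backends.
    Returns (reply the client got, bytes the passive backend recorded)."""
    seen = []
    active_ls, passive_ls = socket.socket(), socket.socket()
    for ls in (active_ls, passive_ls):
        ls.bind(("127.0.0.1", 0)); ls.listen(1)

    def active(conn):  # stand-in for smtp1: it answers
        conn.sendall(b"250 active got " + conn.recv(BUF))

    def passive(conn):  # stand-in for smtp2: records, never answers
        seen.append(b"".join(iter(lambda: conn.recv(BUF), b"")))

    threading.Thread(target=_serve_once, args=(active_ls, active), daemon=True).start()
    passive_addr = passive_ls.getsockname()
    if passive_up:
        t = threading.Thread(target=_serve_once, args=(passive_ls, passive), daemon=True)
        t.start()
    else:
        passive_ls.close()  # nothing listens there any more: the proxy's connect is refused
    proxy_ls, proxy_addr = start_mirror_proxy(active_ls.getsockname(), passive_addr)
    with socket.create_connection(proxy_addr) as c:
        c.sendall(b"EHLO client\r\n")
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(BUF), b""))
    if passive_up:
        t.join(timeout=5)
    proxy_ls.close(); active_ls.close()
    return reply, (seen[0] if seen else b"")
```

The design choice that matters for a debugging mirror is the one-way coupling: the passive copy is attempted after the active write, its replies are drained and dropped, and its failure is swallowed, so a developer's half-finished smtp daemon on the passive side can hang, crash or answer garbage without changing what the real client sees. `demo(passive_up=False)` exercises exactly that case.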