R: Transparent proxy

2009-05-14 Thread Carlo Granisso
I've solved my problem (many thanks to John) but now I have another problem
with URL rewrite/redirection.

I need www.domain.tld to be redirected to www.domain.tld/folder/index.jsp
(I'm using resin behind haproxy).

Here's my cfg:
acl addr1  path_end /
redirect location /dnshst/index.jsp if addr1

It works, but if I try to log in, sometimes it works and sometimes I get this URL:
www.domain.tld/index.jsp (and not www.domain.tld/folder/index.jsp)

Do you have any ideas on how to do it properly? (My backend is in http mode with
cookie by SERVERID.)


Thanks,


Carlo

-----Original Message-----
From: L. Alberto Giménez [mailto:agimenez-hapr...@sysvalve.homelinux.net]
Sent: Tuesday, 12 May 2009 23:06
To: Carlo Granisso
Cc: haproxy@formilux.org
Subject: Re: Transparent proxy

Carlo Granisso wrote:
> Hello everybody, I have a problem with haproxy (1.3.17) and kernel
> 2.6.29
>
> I have successfully recompiled my kernel with TPROXY modules and
> installed haproxy (compiled from source with tproxy option enabled)
> and installed iptables 1.4.3 (that has the tproxy patch).
> Now I can't use the transparent proxy function: if I leave in haproxy.cfg
> this line source 0.0.0.0 usesrc clientip haproxy says 503 - Service
> unavailable.
> If I comment out the line, everything works fine (without transparent
> proxy).
>
> My situation:
>
> haproxy with two ethernet devices: first one for public IP, second one
> for private IP (192.168.XX.XX) two web servers with one ethernet for
> each one connected to my private network.
>
> Have you got ideas or you can provide me examples

Hi, I've just set up a transparent proxy with kernel 2.6.28 (the first one
with official tproxy support) and haproxy 1.3.15 (the version Debian comes
with, but rebuilding the package with the tproxy linux option enabled).

Just make sure your backends route their outgoing traffic through the load
balancer, since the response packets with the fake address MUST be seen by
the load balancer box to undo the transparent-proxy magic.

Regards,
L. Alberto Giménez






R: Transparent proxy

2009-05-12 Thread Carlo Granisso
 

-----Original Message-----
From: John Lauro [mailto:john.la...@covenanteyes.com]
Sent: Monday, 11 May 2009 18:30
To: 'Carlo Granisso'; haproxy@formilux.org
Subject: RE: Transparent proxy

 
> And no requests were found on the webserver (netstat -ntap | grep :80)
>
> After a few seconds: 503 Service Unavailable No server is available to
> handle this request.

> Can you ping your webserver from the haproxy box ok?

Yes


> What does the following show from your webserver:
> netstat -rn
> Does it show the private IP address of your haproxy box as the gateway for
> 0.0.0.0?

Here's the output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.56    255.255.255.255 UGH       0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1


On my haproxy box I have a lot of connections in TIME_WAIT state from haproxy
to the webservers.
When I try to get the default page from a browser, no connections are made on
the webserver (haproxy opens only one tcp connection in SYN_SENT state).


Thanks for your patience.


Carlo
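
Added example, not part of the original thread: John's question above (is the haproxy box the gateway for 0.0.0.0?) can be checked mechanically. The script parses `netstat -rn` output and separates a real default route (Genmask 0.0.0.0, flags UG) from a host route to 0.0.0.0 (flag H), which is what the table posted above contains; the function name, exit codes, and the use of 192.168.0.56 as the haproxy private address are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `netstat -rn` text on stdin and
# checks for a usable default route through GATEWAY (hypothetical helper).
# Exit status: 0 = default route via GATEWAY
#              1 = no route for 0.0.0.0 at all
#              2 = default route exists, but via another gateway
#              3 = only a host route for 0.0.0.0 (flag H or non-zero Genmask)
has_default_via() {
    awk -v gw="$1" '
        $1 == "0.0.0.0" && NF >= 8 {
            # A real default route has Genmask 0.0.0.0 and flags U and G, no H.
            if ($3 == "0.0.0.0" && $4 ~ /U/ && $4 ~ /G/ && $4 !~ /H/) {
                if ($2 == gw) ok = 1; else other = 1
            } else {
                host = 1
            }
        }
        END {
            if (ok) exit 0
            if (other) exit 2
            if (host) exit 3
            exit 1
        }'
}

# Sample 1: the table posted above, with the run-together columns separated.
sample_posted() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.56    255.255.255.255 UGH       0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
EOF
}

# Sample 2 (constructed): the same host with a genuine default route.
sample_default() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         192.168.0.56    0.0.0.0         UG        0 0          0 eth1
EOF
}

for s in sample_posted sample_default; do
    rc=0; $s | has_default_via 192.168.0.56 || rc=$?
    echo "$s: exit $rc"
done
```

On a live backend the same function can be fed with `netstat -rn | has_default_via <haproxy private IP>`.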




R: Transparent proxy

2009-05-11 Thread Carlo Granisso
I've tried to use webserver through public interface on the same ip class of
haproxy: it doesn't work :-(
 
 
Thanks,
 
 
Carlo


From: John Lauro [mailto:john.la...@covenanteyes.com]
Sent: Monday, 11 May 2009 14:42
To: 'Carlo Granisso'; haproxy@formilux.org
Subject: RE: Transparent proxy



It’s a little different config than I have, but it looks ok to me…

 

What’s haproxy -vv give?

I have:

[r...@haf1 etc]# haproxy -vv
HA-Proxy version 1.3.15.7 2008/12/04
Copyright 2000-2008 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux26
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g
  OPTIONS = USE_LINUX_TPROXY=1

 

(I know, I am a little behind, but if it’s not broke…)

 

When you say, haproxy says 503…, I assume it doesn’t actually say that but
that’s what a web browser gets back from it?

 

I assume the web servers have the haproxy’s private IP address as their
default route?  If they are going to some other device as a NAT gateway,
that will not work…

Do they show a SYN_RECV or ESTABLISHED connection from the public client
trying to connect?

 

 

From: Carlo Granisso [mailto:c.grani...@dnshosting.it] 
Sent: Monday, May 11, 2009 7:06 AM
To: haproxy@formilux.org
Subject: Transparent proxy

 

Hello everybody, I have a problem with haproxy (1.3.17) and kernel 2.6.29

 

I have successfully recompiled my kernel with TPROXY modules and installed
haproxy (compiled from source with tproxy option enabled) and installed
iptables 1.4.3 (that has the tproxy patch).

Now I can't use the transparent proxy function: if I leave in haproxy.cfg this
line source 0.0.0.0 usesrc clientip haproxy says 503 - Service
unavailable.

If I comment out the line, everything works fine (without transparent proxy).

 

My situation:

 

haproxy with two ethernet devices: first one for public IP, second one for
private IP (192.168.XX.XX)

two web servers with one ethernet for each one connected to my private
network.

 

 

 

Have you got ideas or you can provide me examples?

 

 

Thanks,

 

 

Carlo





Re: R: R: Transparent proxy

2009-05-11 Thread Jeff Buchbinder

Willy Tarreau wrote:

> do you mean that the OpenBSD supports a linux-compatible tproxy ? I was
> not aware of this, because for me, tproxy is 100% linux-specific.
>
> Do you know what versions provide it (if so) and how to detect whether it's
> supported ?
  
I've seen a bunch of pf+squid magic to do it, but I think that tinyproxy 
(https://www.banu.com/tinyproxy) supports transparent proxying, at least 
for HTTP.


Not sure if that's of any help.

--
Jeff Buchbinder
Senior Infrastructure Engineer
Rave Wireless, Inc
work: 508.848.2484
mobile: 860.617.5750
jbuchbin...@ravewireless.com