subject:"RE\: Re\: haproxy tcp mode source ip"

RE: Re: haproxy tcp mode source ip

2018-02-26 Thread Tom Maher

Thanks Aaron. Our specific purpose is slightly different, and our network 
topology means TPROXY doesn't work for us.

Regards,
Tom

-Original Message-
From: Aaron West <aa...@loadbalancer.org>
Sent: 26 February 2018 13:28
To: mingbei...@baifendian.com
Cc: Wang Bin <bwang@leancloud.rocks>; haproxy <haproxy@formilux.org>
Subject: Re: Re: haproxy tcp mode source ip

Hi,

The TPROXY method truly makes it source IP transparent(Your real servers will 
see the connection as coming from the client's IP) so it will be fine for IP 
based privileges I think.

Aaron West

Loadbalancer.org Ltd.

https://emea01.safelinks.protection.outlook.com/?url=www.loadbalancer.org=02%7C01%7Ctom.maher%40asavie.com%7C0819222860dd4502ef1108d57d1cf8a2%7Cff38a05d2e5248389b077fbd50bbae9f%7C0%7C0%7C636552485746274781=eH1QWuLPjlsyf5s7nuoDDnrwyjmXEOyXvRJ4AXYT8IQ%3D=0

+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org

LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG

The message together with any files transmitted with it are intended solely for 
the use of the individual or entity to whom it is addressed. It may contain 
confidential, proprietary or privileged information. If you are not the 
intended recipient you are hereby notified that: (i) direct or indirect 
disclosure, copying, printing, distribution and/or taking any action in 
reliance on the contents of this message, including any files transmitted with 
it, is strictly prohibited and may be unlawful; and (ii) you should not 
disseminate, distribute or copy this message and/or any files transmitted with 
it. If you have received this message in error, please notify the sender 
immediately and then delete it, and any copies of it, from your system. Asavie 
Technologies Limited, Asavie Technologies, Inc and Asavie Technologies Sales 
Limited (together known as “Asavie Technologies”) reserve the right to monitor 
all e-mail communications through its networks. WARNING: Computer viruses can 
be transmitted via e-mail. You should check this e-mail and any files 
transmitted with it for the presence of computer viruses. Asavie Technologies 
cannot guarantee that this e-mail and any files transmitted with it are free of 
computer viruses. Asavie Technologies accepts no liability for any loss and/or 
damage caused by any computer virus transmitted by this e-mail and/or by any 
files transmitted with it. E-mail transmission cannot be guaranteed to be 
secure or error-free as information could be intercepted, corrupted, lost, 
destroyed, arrive late or incomplete. Asavie Technologies does not accept 
liability for any errors or omissions in the contents of this message, and/or 
any files transmitted with it, which arise as a result of e-mail transmission.

Re: Re: haproxy tcp mode source ip

2018-02-26 Thread Aaron West

Hi,

The TPROXY method truly makes it source IP transparent(Your real
servers will see the connection as coming from the client's IP) so it
will be fine for IP based privileges I think.

Aaron West

Loadbalancer.org Ltd.

www.loadbalancer.org

+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org

LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG

Re: RE: haproxy tcp mode source ip

2018-02-26 Thread mingbei...@baifendian.com

Hi:
Thank you very much. I'm trying.



mingbei...@baifendian.com
徐铭贝
数据仓库助理工程师 平台业务部  
Mobile: +86-15801118167
E-mail:mingbei...@baifendian.com
BAIFENDIAN.COM - Big Data Practitioner
北京市朝阳区北辰西路8号院2号楼北辰世纪中心A座16层

 
From: Tom Maher
Date: 2018-02-26 20:07
To: mingbei...@baifendian.com; Aaron West
CC: Wang Bin; haproxy
Subject: RE: Re: haproxy tcp mode source ip
We had a similar requirement. We developed a patch (on 1.8.3) that allows the 
Proxy Protocol TLV PP2_TYPE_NETNS to be configured as part of a bind with a 
“send_netns ”, e.g.:
frontend cfe
bind 192.168.1.20:3128 send_netns 1
mode tcp
 
See below an example capture of the Proxy Protocol v2 with PP2_TYPE_NETSN set 
using send_netns 1:
 
We decided to re-use PP2_TYPE_NETNS as it served our purpose reasonable well 
noting that  is a string. 
 
Below is the 1.8.3 patch. If there is general interest, happy to create a patch 
according to guidelines in “HOW TO GET YOUR CODE ACCEPTED IN HAPROXY” and 
submit to the maintainers.
 
+++ connection.h2018-01-12 12:35:38.0 +
@@ -388,6 +388,7 @@
int (*xprt_done_cb)(struct connection *conn);  /* callback to notify of 
end of handshake */
void (*destroy_cb)(struct connection *conn);  /* callback to notify of 
imminent death of the connection */
const struct netns_entry *proxy_netns;
+   char *send_netns;  /* copied from listen */
struct {
struct sockaddr_storage from;   /* client address, or address 
to spoof when connecting to the server */
struct sockaddr_storage to; /* address reached by the 
client, or address to connect to */
--- ../../../haproxy-1.8.3/include/types/listener.h   2017-12-30 
17:13:19.0 +
+++ listener.h  2018-01-12 12:27:22.0 +
@@ -206,6 +206,7 @@
__decl_hathreads(HA_SPINLOCK_T lock);
 
const struct netns_entry *netns; /* network namespace of the listener*/
+   char *send_netns;  /* value for PP2_TYPE_NETNS */
 
struct list by_fe;  /* chaining in frontend's list of 
listeners */
struct list by_bind;/* chaining in bind_conf's list of 
listeners */
--- ../../haproxy-1.8.3/src/connection.c  2017-12-30 17:13:19.0 
+
+++ connection.c2018-01-12 12:58:38.0 +
@@ -1083,6 +1083,11 @@
ret += make_tlv([ret], (buf_len - ret), PP2_TYPE_NETNS, 
remote->proxy_netns->name_len, remote->proxy_netns->node.key);
}
#endif
+   if (remote && (remote->send_netns)) {
+   if ((buf_len - ret) < sizeof(struct tlv))
+   return 0;
+   ret += make_tlv([ret], (buf_len - ret), PP2_TYPE_NETNS, 
strlen(remote->send_netns), remote->send_netns);
+   }
 
hdr->len = htons((uint16_t)(ret - PP2_HEADER_LEN));
 
--- ../../haproxy-1.8.3-casquette/src/proto_tcp.c   2017-12-30 
17:13:19.0 +
+++ proto_tcp.c 2018-01-12 12:31:29.0 +
@@ -1906,6 +1906,24 @@
}
#endif
 
+/* parse the "send_netns" bind keyword */
+static int bind_parse_send_netns(char **args, int cur_arg, struct proxy *px, 
struct bind_conf *conf, char **err)
+{
+   struct listener *l;
+   char *netns = NULL;
+
+   if (!*args[cur_arg + 1]) {
+   memprintf(err, "'%s' : missing namespace id", args[cur_arg]);
+   return ERR_ALERT | ERR_FATAL;
+   }
+   netns = args[cur_arg + 1];
+
+   list_for_each_entry(l, >listeners, by_bind) {
+   l->send_netns = strdup(netns);
+   }
+   return 0;
+}
+
#ifdef TCP_USER_TIMEOUT
/* parse the "tcp-ut" server keyword */
static int srv_parse_tcp_ut(char **args, int *cur_arg, struct proxy *px, struct 
server *newsrv, char **err)
@@ -1996,6 +2014,7 @@
#ifdef CONFIG_HAP_NS
{ "namespace", bind_parse_namespace,1 },
#endif
+   { "send_netns",bind_parse_send_netns,   1 }, /* PP2_TYPE_NETNS */
/* the versions with the NULL parse function*/
{ "defer-accept",  NULL,  0 },
{ "interface", NULL,  1 },
--- ../../haproxy-1.8.3/src/session.c 2017-12-30 17:13:19.0 +
+++ session.c   2018-01-12 12:35:42.0 +
@@ -141,6 +141,7 @@
cli_conn->flags |= CO_FL_ADDR_FROM_SET;
cli_conn->target = >obj_type;
cli_conn->proxy_netns = l->netns;
+   cli_conn->send_netns = l->send_netns;
 
conn_ctrl_init(cli_conn);
--- ../../../haproxy-1.8.3/include/types/connection.h 2017-12-30 
17:13:19.0 +
 
Regards,
Tom
 
From: mingbei...@baifendian.com <mingbei...@baifendian.com> 
Sent: 26 February 2018 11:50
To: Aaron West <aa...@loadbalancer.org>
Cc: Wang Bin <bwang@leancloud.rocks>; haproxy <haproxy@formilux.org>
Subject: Re: Re: haproxy tcp mode source ip
 
Hi:
Thank you. Is this metho

RE: Re: haproxy tcp mode source ip

2018-02-26 Thread Tom Maher

We had a similar requirement. We developed a patch (on 1.8.3) that allows the 
Proxy Protocol TLV PP2_TYPE_NETNS to be configured as part of a bind with a 
“send_netns ”, e.g.:

frontend cfe

bind 192.168.1.20:3128 send_netns 1

mode tcp

See below an example capture of the Proxy Protocol v2 with PP2_TYPE_NETSN set 
using send_netns 1:
[cid:image001.png@01D3AEFA.6BB509C0]

We decided to re-use PP2_TYPE_NETNS as it served our purpose reasonable well 
noting that  is a string.

Below is the 1.8.3 patch. If there is general interest, happy to create a patch 
according to guidelines in “HOW TO GET YOUR CODE ACCEPTED IN HAPROXY” and 
submit to the maintainers.


+++ connection.h2018-01-12 12:35:38.0 +

@@ -388,6 +388,7 @@

int (*xprt_done_cb)(struct connection *conn);  /* callback to notify of 
end of handshake */

void (*destroy_cb)(struct connection *conn);  /* callback to notify of 
imminent death of the connection */

const struct netns_entry *proxy_netns;

+   char *send_netns;  /* copied from listen */

struct {

struct sockaddr_storage from;   /* client address, or address 
to spoof when connecting to the server */

struct sockaddr_storage to; /* address reached by the 
client, or address to connect to */

--- ../../../haproxy-1.8.3/include/types/listener.h   2017-12-30 
17:13:19.0 +

+++ listener.h  2018-01-12 12:27:22.0 +

@@ -206,6 +206,7 @@

__decl_hathreads(HA_SPINLOCK_T lock);



const struct netns_entry *netns; /* network namespace of the listener*/

+   char *send_netns;  /* value for PP2_TYPE_NETNS */



struct list by_fe;  /* chaining in frontend's list of 
listeners */

struct list by_bind;/* chaining in bind_conf's list of 
listeners */

--- ../../haproxy-1.8.3/src/connection.c  2017-12-30 17:13:19.0 
+

+++ connection.c2018-01-12 12:58:38.0 +

@@ -1083,6 +1083,11 @@

ret += make_tlv([ret], (buf_len - ret), PP2_TYPE_NETNS, 
remote->proxy_netns->name_len, remote->proxy_netns->node.key);

}

#endif

+   if (remote && (remote->send_netns)) {

+   if ((buf_len - ret) < sizeof(struct tlv))

+   return 0;

+   ret += make_tlv([ret], (buf_len - ret), PP2_TYPE_NETNS, 
strlen(remote->send_netns), remote->send_netns);

+   }



hdr->len = htons((uint16_t)(ret - PP2_HEADER_LEN));



--- ../../haproxy-1.8.3-casquette/src/proto_tcp.c   2017-12-30 
17:13:19.0 +

+++ proto_tcp.c 2018-01-12 12:31:29.0 +

@@ -1906,6 +1906,24 @@

}

#endif



+/* parse the "send_netns" bind keyword */

+static int bind_parse_send_netns(char **args, int cur_arg, struct proxy *px, 
struct bind_conf *conf, char **err)

+{

+   struct listener *l;

+   char *netns = NULL;

+

+   if (!*args[cur_arg + 1]) {

+   memprintf(err, "'%s' : missing namespace id", args[cur_arg]);

+   return ERR_ALERT | ERR_FATAL;

+   }

+   netns = args[cur_arg + 1];

+

+   list_for_each_entry(l, >listeners, by_bind) {

+   l->send_netns = strdup(netns);

+   }

+   return 0;

+}

+

#ifdef TCP_USER_TIMEOUT

/* parse the "tcp-ut" server keyword */

static int srv_parse_tcp_ut(char **args, int *cur_arg, struct proxy *px, struct 
server *newsrv, char **err)

@@ -1996,6 +2014,7 @@

#ifdef CONFIG_HAP_NS

{ "namespace", bind_parse_namespace,1 },

#endif

+   { "send_netns",bind_parse_send_netns,   1 }, /* PP2_TYPE_NETNS */

/* the versions with the NULL parse function*/

{ "defer-accept",  NULL,  0 },

{ "interface", NULL,  1 },

--- ../../haproxy-1.8.3/src/session.c 2017-12-30 17:13:19.0 +

+++ session.c   2018-01-12 12:35:42.0 +

@@ -141,6 +141,7 @@

cli_conn->flags |= CO_FL_ADDR_FROM_SET;

cli_conn->target = >obj_type;

cli_conn->proxy_netns = l->netns;

+   cli_conn->send_netns = l->send_netns;



conn_ctrl_init(cli_conn);

--- ../../../haproxy-1.8.3/include/types/connection.h 2017-12-30 
17:13:19.0 +

Regards,
Tom

From: mingbei...@baifendian.com <mingbei...@baifendian.com>
Sent: 26 February 2018 11:50
To: Aaron West <aa...@loadbalancer.org>
Cc: Wang Bin <bwang@leancloud.rocks>; haproxy <haproxy@formilux.org>
Subject: Re: Re: haproxy tcp mode source ip

Hi:
Thank you. Is this method IP only displayed in the log? I want to control 
IP privileges.


mingbei...@baifendian.com<mailto:mingbei...@baifendian.com>
徐铭贝
数据仓库助理工程师 平台业务部
Mobile: +86-15801118167
E-mail:mingbei...@baifendian.com
BAIF

Re: Re: haproxy tcp mode source ip

2018-02-26 Thread mingbei...@baifendian.com

Hi:
Thank you. Is this method IP only displayed in the log? I want to control 
IP privileges.



mingbei...@baifendian.com
徐铭贝
数据仓库助理工程师 平台业务部  
Mobile: +86-15801118167
E-mail:mingbei...@baifendian.com
BAIFENDIAN.COM - Big Data Practitioner
北京市朝阳区北辰西路8号院2号楼北辰世纪中心A座16层

 
From: Aaron West
Date: 2018-02-26 18:14
To: mingbei...@baifendian.com
CC: Wang Bin; haproxy
Subject: Re: Re: haproxy tcp mode source ip
Yes, you can use TPROXY instead of Proxy Protocol if you don't mind
the additional routing changes(Need to move to two-arm with real
servers setting the GW to be the HAProxy server).
 
You can see an example in this short Blog here:
https://loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x/
 
Aaron West
 
Loadbalancer.org Ltd.
 
www.loadbalancer.org
 
+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org
 
LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG

Re: Re: haproxy tcp mode source ip

2018-02-26 Thread Aaron West

Yes, you can use TPROXY instead of Proxy Protocol if you don't mind
the additional routing changes(Need to move to two-arm with real
servers setting the GW to be the HAProxy server).

You can see an example in this short Blog here:
https://loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x/

Aaron West

Loadbalancer.org Ltd.

www.loadbalancer.org

+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org

LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG

Re: Re: haproxy tcp mode source ip

2018-02-26 Thread Wang Bin

Yes, haproxy has HTTP proxy mode.
You can obtain original IP address in X-Forwarded-For header (which set by
haproxy) in HTTP proxy mode.

2018-02-26 17:23 GMT+08:00 mingbei...@baifendian.com <
mingbei...@baifendian.com>:

> Hi:
> Thank you. haproxy support HTTP1.1 ?   Can Haproxy and TPROXY be ok ?
>
> --
> mingbei...@baifendian.com
> *徐铭贝*
>
> 数据仓库助理工程师 平台业务部
>
> Mobile: +86-15801118167 <+86%20158%200111%208167>
>
> E-mail:mingbei...@baifendian.com
>
> BAIFENDIAN.COM  - Big Data Practitioner
>
> 北京市朝阳区北辰西路8号院2号楼北辰世纪中心A座16层
>
>
>
> *From:* Wang Bin 
> *Date:* 2018-02-26 17:10
> *To:* mingbei...@baifendian.com
> *CC:* haproxy 
> *Subject:* Re: haproxy tcp mode source ip
> It's not possible to obtain original IP address in TCP proxy mode.
> If your backend supports proxy protocol, you can enable proxy protocol
> to pass original IP to your backend.
>
> 2018-02-26 16:06 GMT+08:00 mingbei...@baifendian.com
> :
> > Hi:
> > Hello, great big brother, haproxy gets the source IP in the TCP mode,
> > not the IP address of the haproxy, Thanks;
> >
> > 
> >
> > 徐铭贝
> >
> > Mobile: +86-15801118167 <+86%20158%200111%208167>
>
>

Re: Re: haproxy tcp mode source ip

2018-02-26 Thread mingbei...@baifendian.com

Hi:
Thank you. haproxy support HTTP1.1 ?   Can Haproxy and TPROXY be ok ?



mingbei...@baifendian.com
徐铭贝
数据仓库助理工程师 平台业务部  
Mobile: +86-15801118167
E-mail:mingbei...@baifendian.com
BAIFENDIAN.COM - Big Data Practitioner
北京市朝阳区北辰西路8号院2号楼北辰世纪中心A座16层

 
From: Wang Bin
Date: 2018-02-26 17:10
To: mingbei...@baifendian.com
CC: haproxy
Subject: Re: haproxy tcp mode source ip
It's not possible to obtain original IP address in TCP proxy mode.
If your backend supports proxy protocol, you can enable proxy protocol
to pass original IP to your backend.
 
2018-02-26 16:06 GMT+08:00 mingbei...@baifendian.com
:
> Hi:
> Hello, great big brother, haproxy gets the source IP in the TCP mode,
> not the IP address of the haproxy, Thanks;
>
> 
>
> 徐铭贝
>
> Mobile: +86-15801118167

RE: Re: haproxy tcp mode source ip

Re: Re: haproxy tcp mode source ip

Re: RE: haproxy tcp mode source ip

RE: Re: haproxy tcp mode source ip

Re: Re: haproxy tcp mode source ip

Re: Re: haproxy tcp mode source ip

Re: Re: haproxy tcp mode source ip

Re: Re: haproxy tcp mode source ip

8 matches

Site Navigation

Mail list logo

Footer information