Re: getting transparent proxy to work.

2015-08-27 Thread Baptiste
Hi Rich,

That's why I wanted to fix your "issue" step by step.
I didn't want to add too much complexity from first step.

The question you're asking corresponds to the last step. And as Igor
mentioned, you should use keepalived to create a VIP which will be used as
the default gateway by your web servers. You can simply use any of the VIP
handling the web traffic.

Baptiste



On Thu, Aug 27, 2015 at 4:25 AM, Igor Cicimov <
ig...@encompasscorporation.com> wrote:

> Obviously you need to have a separate VIP for the 10.10.130.30 and
> 10.10.130.31 and use that as a DGW on the backend servers.
>
> On Thu, Aug 27, 2015 at 9:24 AM, Rich Vigorito  wrote:
>
>> In regards to setting up the default gateway on the webservers, I'm
>> confused on how that would work with having a load balanced haproxy
>> environment w/ keepalive.
>>
>>
>> Attached is our diagram of haproxy/webserver architecture.  When it says
>> have the default gateway point back to haproxy, is it saying the VIP or the
>> haproxy box IP? In the case of the default gateway being that of the VIP, how
>> would that work because there are multiple VIPs? In the case of changing the
>> default gateway to the haproxy box, would that work in a failover?
>>
>>
>> I wouldn't assume that our setup is unique because I'm sure most people use
>> haproxy for more than one website and most have haproxy load balanced w/
>> keepalive or pacemaker or something along those lines.
>>
>>
>> Thanks in advance,
>>
>> --Rich
>> ----------
>> *From:* Bryan Talbot 
>> *Sent:* Thursday, August 20, 2015 4:27 PM
>> *To:* Rich Vigorito
>> *Cc:* Bryan Talbot; Baptiste; HAProxy
>> *Subject:* Re: getting transparent proxy to work.
>>
>> On Thu, Aug 20, 2015 at 4:05 PM, Rich Vigorito  wrote:
>>
>>> Reading this:
>>> http://blog.haproxy.com/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/
>>> about PROXY protocol, what needs to happen for PROXY protocol to be
>>> recognized by the web server?
>>>
>> The webserver needs to support it. There is a (probably incomplete) list
>> here: http://blog.haproxy.com/haproxy/proxy-protocol/
>>
>>
>>
>>> I'm assuming the haproxy server already does?
>>>
>>>
>>> Yes, of course.
>>
>> -Bryan
>>
>>
>
>
> --
> Igor Cicimov | DevOps
>
>
> p. +61 (0) 433 078 728
> e. ig...@encompasscorporation.com
> w. encompasscorporation.com
> a. Level 4, 65 York Street, Sydney 2000
>


Re: getting transparent proxy to work.

2015-08-26 Thread Igor Cicimov
Obviously you need to have a separate VIP for the 10.10.130.30 and
10.10.130.31 and use that as a DGW on the backend servers.

On Thu, Aug 27, 2015 at 9:24 AM, Rich Vigorito  wrote:

> In regards to setting up the default gateway on the webservers, I'm
> confused on how that would work with having a load balanced haproxy
> environment w/ keepalive.
>
>
> Attached is our diagram of haproxy/webserver architecture.  When it says
> have the default gateway point back to haproxy, is it saying the VIP or the
> haproxy box IP? In the case of the default gateway being that of the VIP, how
> would that work because there are multiple VIPs? In the case of changing the
> default gateway to the haproxy box, would that work in a failover?
>
>
> I wouldn't assume that our setup is unique because I'm sure most people use
> haproxy for more than one website and most have haproxy load balanced w/
> keepalive or pacemaker or something along those lines.
>
>
> Thanks in advance,
>
> --Rich
> --
> *From:* Bryan Talbot 
> *Sent:* Thursday, August 20, 2015 4:27 PM
> *To:* Rich Vigorito
> *Cc:* Bryan Talbot; Baptiste; HAProxy
> *Subject:* Re: getting transparent proxy to work.
>
> On Thu, Aug 20, 2015 at 4:05 PM, Rich Vigorito  wrote:
>
>> Reading this:
>> http://blog.haproxy.com/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/
>> about PROXY protocol, what needs to happen for PROXY protocol to be
>> recognized by the web server?
>>
> The webserver needs to support it. There is a (probably incomplete) list
> here: http://blog.haproxy.com/haproxy/proxy-protocol/
>
>
>
>> I'm assuming the haproxy server already does?
>>
>>
>> Yes, of course.
>
> -Bryan
>
>


-- 
Igor Cicimov | DevOps


p. +61 (0) 433 078 728
e. ig...@encompasscorporation.com
w. encompasscorporation.com
a. Level 4, 65 York Street, Sydney 2000


Re: getting transparent proxy to work.

2015-08-20 Thread Bryan Talbot
On Thu, Aug 20, 2015 at 4:05 PM, Rich Vigorito  wrote:

> Reading this:
> http://blog.haproxy.com/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/
> about PROXY protocol, what needs to happen for PROXY protocol to be
> recognized by the web server?
>
The webserver needs to support it. There is a (probably incomplete) list
here: http://blog.haproxy.com/haproxy/proxy-protocol/



> I'm assuming the haproxy server already does?
>
>
> Yes, of course.

-Bryan
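
Bryan's point above is that the web server itself has to parse the PROXY line HAProxy prepends before it sees any application bytes. The following is an added example, not code from the thread or from HAProxy, showing that parsing for the v1 text header together with the trust check a backend needs so that only the load balancers can assert a client address. The sample header, the client address and the assumption that 10.10.130.30 and 10.10.130.31 are the two HAProxy hosts are constructed for the example.

```python
import ipaddress

# Constructed sample (not taken from the thread): the line HAProxy prepends to
# the backend connection when the server entry carries "send-proxy", followed
# by the first bytes of the untouched client stream (three bytes standing in
# for a TLS ClientHello, since TLS is not terminated at HAProxy). The client
# address is a documentation address; 10.10.130.79 is the VIP from the thread.
SAMPLE_PROXY_V1 = b"PROXY TCP4 203.0.113.45 10.10.130.79 51234 443\r\n\x16\x03\x01"

MAX_V1_LINE = 107  # v1 header line, CRLF included, is never longer than this

# Assumption for the example: 10.10.130.30 and 10.10.130.31 are the two HAProxy
# hosts Igor mentions. Only they may assert a client address; a PROXY line from
# any other peer would let that peer spoof its source, so it is rejected.
TRUSTED_PROXIES = {ipaddress.ip_address("10.10.130.30"),
                   ipaddress.ip_address("10.10.130.31")}


class ProxyHeaderError(ValueError):
    """Malformed or unexpected header; the caller should close the connection."""


def _port(text):
    # Plain decimal digits only, 0..65535 (no sign, space or hex).
    if not (text.isascii() and text.isdigit()):
        raise ProxyHeaderError("bad port %r" % text)
    value = int(text)
    if value > 65535:
        raise ProxyHeaderError("port out of range: %d" % value)
    return value


def parse_proxy_v1(data):
    """Split a PROXY v1 header off the front of a connection's first bytes.

    Returns (info, payload): info is {"proto": "UNKNOWN"} or a dict with
    proto, src, dst, src_port and dst_port; payload is everything after CRLF.
    """
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("no PROXY v1 signature")
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ProxyHeaderError("no CRLF within %d bytes" % MAX_V1_LINE)
    payload = data[end + 2:]
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header")
    proto = fields[1]
    if proto == "UNKNOWN":
        # The proxy could not determine the original addresses; the server can
        # only log the proxy's own address in that case.
        return {"proto": "UNKNOWN"}, payload
    if proto not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("malformed header: %r" % fields)
    family = 4 if proto == "TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
    except ValueError as exc:
        raise ProxyHeaderError("bad address: %s" % exc)
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family does not match %s" % proto)
    info = {"proto": proto, "src": str(src), "dst": str(dst),
            "src_port": _port(fields[4]), "dst_port": _port(fields[5])}
    return info, payload


def client_address(peer_ip, first_bytes, trusted=TRUSTED_PROXIES):
    """Return (address to log/ACL on, remaining payload) for a new connection.

    peer_ip is the TCP peer as the kernel reports it. A header is honoured only
    when that peer is a trusted proxy; direct connections keep their real peer.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        if first_bytes.startswith(b"PROXY "):
            raise ProxyHeaderError("PROXY header from untrusted peer %s" % peer)
        return str(peer), first_bytes
    info, payload = parse_proxy_v1(first_bytes)
    if info["proto"] == "UNKNOWN":
        return str(peer), payload
    return info["src"], payload
```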


Re: getting transparent proxy to work.

2015-08-20 Thread Rich Vigorito
Reading this:
http://blog.haproxy.com/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/
about PROXY protocol, what needs to happen for PROXY protocol to be recognized
by the web server? I'm assuming the haproxy server already does?


Thanks in advance!


From: Bryan Talbot 
Sent: Thursday, August 20, 2015 2:16 PM
To: Rich Vigorito
Cc: Baptiste; HAProxy
Subject: Re: getting transparent proxy to work.

On Wed, Aug 19, 2015 at 3:26 PM, Rich Vigorito <ri...@ocp.org> wrote:
I should also clarify the goal of using this approach was to do TLS from router
to haproxy and onto webservers but to preserve the client IP. The other thought
I had was to SSL terminate on the haproxy box and initiate a new TLS handshake from
haproxy to webservers. Though I'm assuming transparent proxy will mean less work
for the haproxy server. Is this second approach even possible? To accomplish the
goal of TLS all the way through the call, all I've seen is the transparent proxy
solution which I've been struggling with.

Transparent proxying might be one way to get the client IP onto the backend 
servers but there are others too as you've mentioned and those might be much 
easier.

Yes, you can terminate SSL on haproxy and make a new SSL connection to the 
backend. With that, you'd probably need to add the X-Forwarded-For http header 
(use 'mode http') and configure your webserver to use XFF too.

If your webserver or app can support the haproxy "PROXY" protocol, that might
also be an option for you and allows you to pass the SSL through (not
terminated at haproxy) to the backend if you need that.

-Bryan




Re: getting transparent proxy to work.

2015-08-20 Thread Bryan Talbot
On Wed, Aug 19, 2015 at 3:26 PM, Rich Vigorito  wrote:

> I should also clarify the goal of using this approach was to do TLS from
> router to haproxy and onto webservers but to preserve the client IP. The
> other thought I had was to SSL terminate on the haproxy box and initiate a new
> TLS handshake from haproxy to webservers. Though I'm assuming transparent
> proxy will mean less work for the haproxy server. Is this second approach even
> possible? To accomplish the goal of TLS all the way through the call, all
> I've seen is the transparent proxy solution which I've been struggling with.
>

Transparent proxying might be one way to get the client IP onto the backend
servers but there are others too as you've mentioned and those might be
much easier.

Yes, you can terminate SSL on haproxy and make a new SSL connection to the
backend. With that, you'd probably need to add the X-Forwarded-For http
header (use 'mode http') and configure your webserver to use XFF too.

If your webserver or app can support the haproxy "PROXY" protocol, that
might also be an option for you and allows you to pass the SSL through (not
terminated at haproxy) to the backend if you need that.

-Bryan


Re: getting transparent proxy to work.

2015-08-20 Thread Baptiste
On Tue, Aug 18, 2015 at 6:19 PM, Rich Vigorito  wrote:
> After changing the default gateway of the web servers to 10.10.130.79, this
> didn't fix it. The site we were testing on, and then all the other sites as
> well, were unresponsive. So what I was unclear on is: if we changed the default
> gateway to the VIP of the test site we were using on the web server, how
> would the other web sites served from the box work? We have 4 sites on that
> box, all w/ different VIPs for each. So we expected the other sites to fail
> and perhaps the test site to succeed, but this wasn't the case. In the case of
> the test site, traffic was getting to the web server to haproxy but not
> returning to either haproxy or the workstation making the request.
>
> I'd just like to clarify a few of my assumptions about this doc:
> http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/
>
> "Linux Kernel requirements
> You have to ensure your kernel has been compiled with the following options:
>   – CONFIG_NETFILTER_TPROXY
>   – CONFIG_NETFILTER_XT_TARGET_TPROXY"
>
>  This is to be done on the haproxy boxes (not the webservers), i.e.:
>  [richv@haproxy2 ~]$  lsmod | grep -i tproxy
>  xt_TPROXY  17327  0
>  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
>  nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
>
> and: [richv@haproxy2 ~]$ grep -i tproxy /boot/*
> /boot/config-3.10.0-229.4.2.el7.x86_64:CONFIG_NETFILTER_XT_TARGET_TPROXY=m
>
> ** Note, I'm using CentOS 7. In the boot file I see
> CONFIG_NETFILTER_XT_TARGET_TPROXY; in the lsmod output I only see xt_TPROXY. Is
> this correct? Should I see both CONFIG_NETFILTER_TPROXY &
> CONFIG_NETFILTER_XT_TARGET_TPROXY in the lsmod output or boot file?
> 
>
> "sysctl settings
> The following sysctls must be enabled:
>   – net.ipv4.ip_forward
>   – net.ipv4.ip_nonlocal_bind"
>
>  This is to be done on the haproxy boxes (not the webservers), i.e.:
> [richv@haproxy2 ~]$ sudo sysctl -p
>  vm.swappiness = 0
>  net.ipv4.ip_nonlocal_bind = 1
>  net.ipv4.ip_forward = 1
> ---
>
> "iptables rules
> You must setup the following iptables rules:
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT"
>
>  This is to be done on the haproxy boxes (not the webservers), i.e.:
> haproxy2> sudo iptables -L -n -t mangle
>  Chain PREROUTING (policy ACCEPT)
>  target prot opt source   destination
>  DIVERT tcp  --  0.0.0.0/0  0.0.0.0/0  socket
>  [...]
>  Chain DIVERT (1 references)
>  target prot opt source   destination
>  MARK   all  --  0.0.0.0/0  0.0.0.0/0  MARK set 0x1
>  ACCEPT all  --  0.0.0.0/0  0.0.0.0/0
>
> 
> "IP route rules
> Then, tell the Operating System to forward packets marked by iptables to the 
> loopback where HAProxy can catch them:
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100"
>  This is to be done on the haproxy boxes (not the webservers), i.e.:
>
> haproxy2>  ip rule show
>  0: from all lookup local
>  32762: from all fwmark 0x1 lookup 100
>  32766: from all lookup main
>  32767: from all lookup default
>
> haproxy> ip route show table 100
>  local default dev lo  scope host
>
> 
>
> In summary, for my setup, everything in that tutorial is to be performed on
> the haproxy box, not the web servers?
>

Hi Rich,

This has to be performed on the HAProxy box only.
On your web server, you must change the default gateway to your HAProxy box.

If you did all of this and this is still not working, then it deserves
a deeper analysis of your whole platform with hands on the servers.

Baptiste
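
As an added illustration (not code from the thread or from the tutorial Rich quotes), the checker below takes the outputs of the commands Rich pasted from the HAProxy box and reports which of the tutorial's steps (TPROXY target, sysctls, mangle DIVERT rules, fwmark policy route) is missing or wrong. The sample outputs are constructed from his mail, with the iptables rules shown in iptables-save form; collect_live() is an assumed helper for gathering the real outputs on the host.

```python
import platform
import re
import subprocess

# Constructed sample inputs, matching what Rich pasted from haproxy2 in the
# thread. The iptables rules are given in "iptables-save -t mangle" form, which
# is one rule per line and far easier to parse than "iptables -L -n". Every one
# of these commands runs on the HAProxy host, none on the web servers.
SAMPLE = {
    "lsmod": "xt_TPROXY  17327  0\n"
             "nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY\n"
             "nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4\n",
    "kconfig": "CONFIG_NETFILTER_XT_TARGET_TPROXY=m\n",
    "sysctl": "vm.swappiness = 0\n"
              "net.ipv4.ip_nonlocal_bind = 1\n"
              "net.ipv4.ip_forward = 1\n",
    "mangle": "*mangle\n"
              ":PREROUTING ACCEPT [0:0]\n"
              ":DIVERT - [0:0]\n"
              "-A PREROUTING -p tcp -m socket -j DIVERT\n"
              "-A DIVERT -j MARK --set-xmark 0x1/0xffffffff\n"
              "-A DIVERT -j ACCEPT\n"
              "COMMIT\n",
    "ip_rule": "0:\tfrom all lookup local\n"
               "32762:\tfrom all fwmark 0x1 lookup 100\n"
               "32766:\tfrom all lookup main\n"
               "32767:\tfrom all lookup default\n",
    "table100": "local default dev lo  scope host\n",
}


def check_tproxy_target(lsmod, kconfig):
    """TPROXY target must be built in (=y) or built as a module (=m) and loaded.
    lsmod lists loaded modules, not kernel options: a =y option never appears
    there, a =m option appears as xt_TPROXY once loaded."""
    if re.search(r"^CONFIG_NETFILTER_XT_TARGET_TPROXY=y", kconfig, re.M):
        return []
    if re.search(r"^xt_TPROXY\b", lsmod, re.M):
        return []
    return ["xt_TPROXY is neither built in nor loaded (modprobe xt_TPROXY)"]

def check_sysctls(text):
    wanted = {"net.ipv4.ip_forward": "1", "net.ipv4.ip_nonlocal_bind": "1"}
    seen = dict(re.findall(r"^\s*(\S+)\s*=\s*(\S+)", text, re.M))
    return ["sysctl %s is %s, need %s" % (key, seen.get(key, "unset"), val)
            for key, val in wanted.items() if seen.get(key) != val]

def _mark_value(rule):
    # Accept "--set-mark 1" as well as the "--set-xmark 0x1/0xffffffff" form
    # that iptables-save prints for it.
    match = re.search(r"--set-x?mark\s+(\S+)", rule)
    return int(match.group(1).split("/")[0], 0) if match else None

def check_mangle(text):
    rules = [line.strip() for line in text.splitlines() if line.startswith("-A ")]
    problems = []
    if "-A PREROUTING -p tcp -m socket -j DIVERT" not in rules:
        problems.append("no 'PREROUTING -p tcp -m socket -j DIVERT' rule")
    if not any(r.startswith("-A DIVERT -j MARK") and _mark_value(r) == 1
               for r in rules):
        problems.append("DIVERT chain does not set fwmark 1")
    if "-A DIVERT -j ACCEPT" not in rules:
        problems.append("DIVERT chain does not ACCEPT after marking")
    return problems

def check_policy_routing(ip_rule, table100):
    problems = []
    rule = re.search(r"fwmark\s+(\S+)\s+lookup\s+(\S+)", ip_rule)
    if (not rule or int(rule.group(1).split("/")[0], 0) != 1
            or rule.group(2) != "100"):
        problems.append("no 'ip rule ... fwmark 1 lookup 100' entry")
    if not re.search(r"^local (default|0\.0\.0\.0/0) dev lo\b", table100, re.M):
        problems.append("routing table 100 lacks 'local default dev lo'")
    return problems

def preflight(outputs):
    """Return the list of findings; empty means every tutorial step is in place."""
    return (check_tproxy_target(outputs["lsmod"], outputs["kconfig"])
            + check_sysctls(outputs["sysctl"])
            + check_mangle(outputs["mangle"])
            + check_policy_routing(outputs["ip_rule"], outputs["table100"]))

def collect_live():
    """Assumed helper: gather the same inputs on the running HAProxy host
    (iptables-save needs root). Run preflight(collect_live()) there."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    with open("/boot/config-" + platform.release()) as fh:
        kconfig = fh.read()
    return {"lsmod": run("lsmod"), "kconfig": kconfig,
            "sysctl": run("sysctl", "net.ipv4.ip_forward",
                          "net.ipv4.ip_nonlocal_bind"),
            "mangle": run("iptables-save", "-t", "mangle"),
            "ip_rule": run("ip", "rule", "show"),
            "table100": run("ip", "route", "show", "table", "100")}
```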



Re: getting transparent proxy to work.

2015-08-19 Thread Rich Vigorito
I should also clarify the goal of using this approach was to do TLS from router
to haproxy and onto webservers but to preserve the client IP. The other thought
I had was to SSL terminate on the haproxy box and initiate a new TLS handshake from
haproxy to webservers. Though I'm assuming transparent proxy will mean less work
for the haproxy server. Is this second approach even possible? To accomplish the
goal of TLS all the way through the call, all I've seen is the transparent proxy
solution which I've been struggling with.

From: Rich Vigorito
Sent: Tuesday, August 18, 2015 9:19 AM
To: Baptiste
Cc: HAProxy
Subject: Re: getting transparent proxy to work.

After changing the default gateway of the web servers to 10.10.130.79, this
didn't fix it. The site we were testing on, and then all the other sites as well,
were unresponsive. So what I was unclear on is: if we changed the default
gateway to the VIP of the test site we were using on the web server, how would
the other web sites served from the box work? We have 4 sites on that box, all
w/ different VIPs for each. So we expected the other sites to fail and perhaps
the test site to succeed, but this wasn't the case. In the case of the test site,
traffic was getting to the web server to haproxy but not returning to either
haproxy or the workstation making the request.

I'd just like to clarify a few of my assumptions about this doc:
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

"Linux Kernel requirements
You have to ensure your kernel has been compiled with the following options:
  – CONFIG_NETFILTER_TPROXY
  – CONFIG_NETFILTER_XT_TARGET_TPROXY"

 This is to be done on the haproxy boxes (not the webservers), i.e.:
 [richv@haproxy2 ~]$  lsmod | grep -i tproxy
 xt_TPROXY  17327  0
 nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
 nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

and: [richv@haproxy2 ~]$ grep -i tproxy /boot/*
/boot/config-3.10.0-229.4.2.el7.x86_64:CONFIG_NETFILTER_XT_TARGET_TPROXY=m

** Note, I'm using CentOS 7. In the boot file I see
CONFIG_NETFILTER_XT_TARGET_TPROXY; in the lsmod output I only see xt_TPROXY. Is
this correct? Should I see both CONFIG_NETFILTER_TPROXY &
CONFIG_NETFILTER_XT_TARGET_TPROXY in the lsmod output or boot file?


"sysctl settings
The following sysctls must be enabled:
  – net.ipv4.ip_forward
  – net.ipv4.ip_nonlocal_bind"

 This is to be done on the haproxy boxes (not the webservers), i.e.:
[richv@haproxy2 ~]$ sudo sysctl -p
 vm.swappiness = 0
 net.ipv4.ip_nonlocal_bind = 1
 net.ipv4.ip_forward = 1
---

"iptables rules
You must setup the following iptables rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT"

 This is to be done on the haproxy boxes (not the webservers), i.e.:
haproxy2> sudo iptables -L -n -t mangle
 Chain PREROUTING (policy ACCEPT)
 target prot opt source   destination
 DIVERT tcp  --  0.0.0.0/0  0.0.0.0/0  socket
 [...]
 Chain DIVERT (1 references)
 target prot opt source   destination
 MARK   all  --  0.0.0.0/0  0.0.0.0/0  MARK set 0x1
 ACCEPT all  --  0.0.0.0/0  0.0.0.0/0


"IP route rules
Then, tell the Operating System to forward packets marked by iptables to the 
loopback where HAProxy can catch them:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100"
 This is to be done on the haproxy boxes (not the webservers), i.e.:

haproxy2>  ip rule show
 0: from all lookup local
 32762: from all fwmark 0x1 lookup 100
 32766: from all lookup main
 32767: from all lookup default

haproxy> ip route show table 100
 local default dev lo  scope host



In summary, for my setup, everything in that tutorial is to be performed on the
haproxy box, not the web servers?




From: Baptiste 
Sent: Friday, August 14, 2015 1:07 AM
To: Rich Vigorito
Cc: HAProxy
Subject: Re: getting transparent proxy to work.

"temporary" just for the troubleshooting period, and validate this is
the root of your issue.
The definitive solution belongs to you then!

Please clarify the rest of your email. I don't understand what IPs or
loopbacks you're speaking about.

Before going further, please apply the default gateway change and
confirm

Re: getting transparent proxy to work.

2015-08-18 Thread Rich Vigorito
After changing the default gateway of the web servers to 10.10.130.79, this
didn't fix it. The site we were testing on, and then all the other sites as well,
were unresponsive. So what I was unclear on is: if we changed the default
gateway to the VIP of the test site we were using on the web server, how would
the other web sites served from the box work? We have 4 sites on that box, all
w/ different VIPs for each. So we expected the other sites to fail and perhaps
the test site to succeed, but this wasn't the case. In the case of the test site,
traffic was getting to the web server to haproxy but not returning to either
haproxy or the workstation making the request.

I'd just like to clarify a few of my assumptions about this doc:
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

"Linux Kernel requirements
You have to ensure your kernel has been compiled with the following options:
  – CONFIG_NETFILTER_TPROXY
  – CONFIG_NETFILTER_XT_TARGET_TPROXY"

 This is to be done on the haproxy boxes (not the webservers), i.e.:
 [richv@haproxy2 ~]$  lsmod | grep -i tproxy
 xt_TPROXY  17327  0
 nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
 nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

and: [richv@haproxy2 ~]$ grep -i tproxy /boot/*
/boot/config-3.10.0-229.4.2.el7.x86_64:CONFIG_NETFILTER_XT_TARGET_TPROXY=m

** Note, I'm using CentOS 7. In the boot file I see
CONFIG_NETFILTER_XT_TARGET_TPROXY; in the lsmod output I only see xt_TPROXY. Is
this correct? Should I see both CONFIG_NETFILTER_TPROXY &
CONFIG_NETFILTER_XT_TARGET_TPROXY in the lsmod output or boot file?


"sysctl settings
The following sysctls must be enabled:
  – net.ipv4.ip_forward
  – net.ipv4.ip_nonlocal_bind"

 This is to be done on the haproxy boxes (not the webservers), i.e.:
[richv@haproxy2 ~]$ sudo sysctl -p
 vm.swappiness = 0
 net.ipv4.ip_nonlocal_bind = 1
 net.ipv4.ip_forward = 1
---

"iptables rules
You must setup the following iptables rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT"

 This is to be done on the haproxy boxes (not the webservers), i.e.:
haproxy2> sudo iptables -L -n -t mangle
 Chain PREROUTING (policy ACCEPT)
 target prot opt source   destination
 DIVERT tcp  --  0.0.0.0/0  0.0.0.0/0  socket
 [...]
 Chain DIVERT (1 references)
 target prot opt source   destination
 MARK   all  --  0.0.0.0/0  0.0.0.0/0  MARK set 0x1
 ACCEPT all  --  0.0.0.0/0  0.0.0.0/0


"IP route rules
Then, tell the Operating System to forward packets marked by iptables to the 
loopback where HAProxy can catch them:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100"
 This is to be done on the haproxy boxes (not the webservers), i.e.:

haproxy2>  ip rule show
 0: from all lookup local
 32762: from all fwmark 0x1 lookup 100 
 32766: from all lookup main
 32767: from all lookup default

haproxy> ip route show table 100
 local default dev lo  scope host



In summary, for my setup, everything in that tutorial is to be performed on the
haproxy box, not the web servers?




From: Baptiste 
Sent: Friday, August 14, 2015 1:07 AM
To: Rich Vigorito
Cc: HAProxy
Subject: Re: getting transparent proxy to work.

"temporary" just for the troubleshooting period, and validate this is
the root of your issue.
The definitive solution belongs to you then!

Please clarify the rest of your email. I don't understand what IPs or
loopbacks you're speaking about.

Before going further, please apply the default gateway change and
confirm it works after this.

Baptiste



On Thu, Aug 13, 2015 at 10:28 PM, Rich Vigorito  wrote:
> A couple clarifications. What do you mean by "temporary?" ... this wouldn't be
> needed indefinitely? What I've articulated is only one site served through the
> 2 web servers. Our web servers serve multiple sites; how to accommodate this?
> I.e., couldn't have 5 different IPs in the loopback?
> 
> From: Baptiste 
> Sent: Wednesday, August 12, 2015 11:41 PM
> To: Rich Vigorito
> Cc: HAProxy
> Subject: Re: getting transparent proxy to work.
>
> Hi Rich,
>
> so here is your problem.
> Please temporarily c

Re: getting transparent proxy to work.

2015-08-14 Thread Baptiste
"temporary" just for the troubleshooting period, and validate this is
the root of your issue.
The definitive solution belongs to you then!

Please clarify the rest of your email. I don't understand what IPs or
loopbacks you're speaking about.

Before going further, please apply the default gateway change and
confirm it works after this.

Baptiste



On Thu, Aug 13, 2015 at 10:28 PM, Rich Vigorito  wrote:
> A couple clarifications. What do you mean by "temporary?" ... this wouldn't be
> needed indefinitely? What I've articulated is only one site served through the
> 2 web servers. Our web servers serve multiple sites; how to accommodate this?
> I.e., couldn't have 5 different IPs in the loopback?
> 
> From: Baptiste 
> Sent: Wednesday, August 12, 2015 11:41 PM
> To: Rich Vigorito
> Cc: HAProxy
> Subject: Re: getting transparent proxy to work.
>
> Hi Rich,
>
> so here is your problem.
> Please temporarily change this default gateway of the web servers to
> the active VIP: 10.10.130.79.
> What happens, and what you highlighted in your diagrams, is that HAProxy
> creates the TCP connection with the client IP.
> By default, the server tries to talk to the client directly, but the
> client is not aware of HAProxy's connection and it refuses it.
> If you route back your traffic to HAProxy, then HAProxy will handle
> this connection and perform the relation with the real client.
>
> More information here:
> http://blog.haproxy.com/2011/08/03/layer-7-load-balancing-transparent-proxy-mode/
>
> Baptiste
>
>
> On Thu, Aug 13, 2015 at 2:29 AM, Rich Vigorito  wrote:
>> No, inside the firewall one default gateway: 10.10.130.1
>>
>> The web servers and haproxy servers have one interface I believe
>>
>> Sent from my Verizon Wireless 4G LTE DROID
>>
>>
>> Baptiste  wrote:
>>
>> Do you mean your web servers have 2 interfaces, each one with its own
>> default gateway?
>>
>> Baptiste
>>
>>> On 12 Aug 2015 23:10, "Rich Vigorito"  wrote:
>>>
>>> Good to hear. Into the firewall 192.168.0.1 and out of the firewall
>>> 10.10.130.1
>>> Thanks!
>>>
>>> Sent from my Verizon Wireless 4G LTE DROID
>>>
>>>
>>> Baptiste  wrote:
>>>
>>> Hi Rich,
>>>
>>> Thanks a lot for this info, this is clearer now.
>>> In my first mail, I asked you to provide us the default gateway of the
>>> web servers.
>>> Could you please let us know this information?
>>>
>>> Baptiste
>>>
>>>
>>> On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito  wrote:
>>> > Also for clarification, the config listed in here is the config I used.
>>> > The only difference between the 2 tests is removing:
>>> >
>>> > source 0.0.0.0 usesrc clientip
>>> >
>>> > Removing it, load balancing works; keeping it in the config, load
>>> > balancing doesn't work.
>>> >
>>> > -Rich
>>> > 
>>> > From: Rich Vigorito 
>>> > Sent: Monday, August 10, 2015 5:22 PM
>>> > To: Baptiste
>>> > Cc: haproxy@formilux.org
>>> > Subject: RE: getting transparent proxy to work.
>>> >
>>> > Thank you very much for all the help, and yes, you were correct about
>>> > the capture I reported being the health check. Attached are 2 PNGs: one w/
>>> > our simple diagram of network topology and the other being what me and the
>>> > network admin thought was happening in our TCP handshake. This was
>>> > determined by loading a tcpdump into wireshark. Those 2 files are dump.pcap
>>> > (which was on the haproxy box) and web1_dump.pcap (which was taken on the
>>> > web server). What is happening is I don't think the web server knows how to
>>> > communicate back to the haproxy box. The iptables rules and the ip rule and
>>> > ip route commands from the blog post: in my setup, would that be done on the
>>> > haproxy boxes or the web servers?
>>> > 
>>> > From: Baptiste 
>>> > Sent: Saturday, August 8, 2015 8:38 AM
>>> > To: Rich Vigorito
>>> > Cc: haproxy@formilux.org
>>> > Subject: Re: getting transparent proxy to work.
>>> >
>>> > On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito  wrote:
>>> >> Hello, this is my first time using the mailing li

RE: getting transparent proxy to work.

2015-08-13 Thread Rich Vigorito
A couple clarifications. What do you mean by "temporary?" ... this wouldn't be
needed indefinitely? What I've articulated is only one site served through the 2
web servers. Our web servers serve multiple sites; how to accommodate this? I.e.,
couldn't have 5 different IPs in the loopback?

From: Baptiste 
Sent: Wednesday, August 12, 2015 11:41 PM
To: Rich Vigorito
Cc: HAProxy
Subject: Re: getting transparent proxy to work.

Hi Rich,

so here is your problem.
Please temporarily change this default gateway of the web servers to
the active VIP: 10.10.130.79.
What happens, and what you highlighted in your diagrams, is that HAProxy
creates the TCP connection with the client IP.
By default, the server tries to talk to the client directly, but the
client is not aware of HAProxy's connection and it refuses it.
If you route back your traffic to HAProxy, then HAProxy will handle
this connection and perform the relation with the real client.

More information here:
http://blog.haproxy.com/2011/08/03/layer-7-load-balancing-transparent-proxy-mode/

Baptiste


On Thu, Aug 13, 2015 at 2:29 AM, Rich Vigorito  wrote:
> No, inside the firewall one default gateway: 10.10.130.1
>
> The web servers and haproxy servers have one interface I believe
>
> Sent from my Verizon Wireless 4G LTE DROID
>
>
> Baptiste  wrote:
>
> Do you mean your web servers have 2 interfaces, each one with its own
> default gateway?
>
> Baptiste
>
>> On 12 Aug 2015 23:10, "Rich Vigorito"  wrote:
>>
>> Good to hear. Into the firewall 192.168.0.1 and out of the firewall
>> 10.10.130.1
>> Thanks!
>>
>> Sent from my Verizon Wireless 4G LTE DROID
>>
>>
>> Baptiste  wrote:
>>
>> Hi Rich,
>>
>> Thanks a lot for this info, this is clearer now.
>> In my first mail, I asked you to provide us the default gateway of the
>> web servers.
>> Could you please let us know this information?
>>
>> Baptiste
>>
>>
>> On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito  wrote:
>> > Also for clarification, the config listed in here is the config I used.
>> > The only difference between the 2 tests is removing:
>> >
>> > source 0.0.0.0 usesrc clientip
>> >
>> > Removing it, load balancing works; keeping it in the config, load
>> > balancing doesn't work.
>> >
>> > -Rich
>> > 
>> > From: Rich Vigorito 
>> > Sent: Monday, August 10, 2015 5:22 PM
>> > To: Baptiste
>> > Cc: haproxy@formilux.org
>> > Subject: RE: getting transparent proxy to work.
>> >
>> > Thank you very much for all the help, and yes, you were correct about
>> > the capture I reported being the health check. Attached are 2 PNGs: one w/
>> > our simple diagram of network topology and the other being what me and the
>> > network admin thought was happening in our TCP handshake. This was
>> > determined by loading a tcpdump into wireshark. Those 2 files are dump.pcap
>> > (which was on the haproxy box) and web1_dump.pcap (which was taken on the
>> > web server). What is happening is I don't think the web server knows how to
>> > communicate back to the haproxy box. The iptables rules and the ip rule and
>> > ip route commands from the blog post: in my setup, would that be done on the
>> > haproxy boxes or the web servers?
>> > 
>> > From: Baptiste 
>> > Sent: Saturday, August 8, 2015 8:38 AM
>> > To: Rich Vigorito
>> > Cc: haproxy@formilux.org
>> > Subject: Re: getting transparent proxy to work.
>> >
>> > On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito  wrote:
>> >> Hello, this is my first time using the mailing list. I have the
>> >> following
>> >> issue.
>> >>
>> >>
>> >> Followed steps to enable transparent proxy outlined here:
>> >>
>> >> Howto transparent proxying and binding with HAProxy and ALOHA
>> >> Load-Balancer
>> >> | HAProxy Technologies – Aloha Load Balancer
>> >>
>> >>
>> >> It will not load balance however w/ the following line added:
>> >>
>> >>
>> >> source 0.0.0.0 usesrc clientip
>> >>
>> >> Here is all the configuration and setup relevant:
>> >>
>> >>
>> >> bash> lsmod | grep -i tproxy
>> >>  xt_TPROXY  17327  0
>> >>  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
>> >>  nf_defrag

Re: getting transparent proxy to work.

2015-08-12 Thread Baptiste
Hi Rich,

so here is your problem.
Please temporarily change this default gateway of the web servers to
the active VIP: 10.10.130.79.
What happens, and what you highlighted in your diagrams, is that HAProxy
creates the TCP connection with the client IP.
By default, the server tries to talk to the client directly, but the
client is not aware of HAProxy's connection and it refuses it.
If you route back your traffic to HAProxy, then HAProxy will handle
this connection and perform the relation with the real client.

More information here:
http://blog.haproxy.com/2011/08/03/layer-7-load-balancing-transparent-proxy-mode/

Baptiste


On Thu, Aug 13, 2015 at 2:29 AM, Rich Vigorito  wrote:
> No, inside the firewall one default gateway: 10.10.130.1
>
> The web servers and haproxy servers have one interface I believe
>
> Sent from my Verizon Wireless 4G LTE DROID
>
>
> Baptiste  wrote:
>
> Do you mean your web servers have 2 interfaces, each one with its own
> default gateway?
>
> Baptiste
>
>> On 12 Aug 2015 23:10, "Rich Vigorito"  wrote:
>>
>> Good to hear. Into the firewall 192.168.0.1 and out of the firewall
>> 10.10.130.1
>> Thanks!
>>
>> Sent from my Verizon Wireless 4G LTE DROID
>>
>>
>> Baptiste  wrote:
>>
>> Hi Rich,
>>
>> Thanks a lot for this info, this is clearer now.
>> In my first mail, I asked you to provide us the default gateway of the
>> web servers.
>> Could you please let us know this information?
>>
>> Baptiste
>>
>>
>> On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito  wrote:
>> > Also for clarification, the config listed in here is the config I used.
>> > The only difference between the 2 tests is removing:
>> >
>> > source 0.0.0.0 usesrc clientip
>> >
>> > Removing it, load balancing works; keeping it in the config, load
>> > balancing doesn't work.
>> >
>> > -Rich
>> > 
>> > From: Rich Vigorito 
>> > Sent: Monday, August 10, 2015 5:22 PM
>> > To: Baptiste
>> > Cc: haproxy@formilux.org
>> > Subject: RE: getting transparent proxy to work.
>> >
>> > Thank you very much for all the help, and yes, you were correct about
>> > the capture I reported being the health check. Attached are 2 PNGs: one w/
>> > our simple diagram of network topology and the other being what me and the
>> > network admin thought was happening in our TCP handshake. This was
>> > determined by loading a tcpdump into wireshark. Those 2 files are dump.pcap
>> > (which was on the haproxy box) and web1_dump.pcap (which was taken on the
>> > web server). What is happening is I don't think the web server knows how to
>> > communicate back to the haproxy box. The iptables rules and the ip rule and
>> > ip route commands from the blog post: in my setup, would that be done on the
>> > haproxy boxes or the web servers?
>> > 
>> > From: Baptiste 
>> > Sent: Saturday, August 8, 2015 8:38 AM
>> > To: Rich Vigorito
>> > Cc: haproxy@formilux.org
>> > Subject: Re: getting transparent proxy to work.
>> >
>> > On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito  wrote:
>> >> Hello, this is my first time using the mailing list. I have the
>> >> following
>> >> issue.
>> >>
>> >>
>> >> Followed steps to enable transparent proxy outlined here:
>> >>
>> >> Howto transparent proxying and binding with HAProxy and ALOHA
>> >> Load-Balancer
>> >> | HAProxy Technologies – Aloha Load Balancer
>> >>
>> >>
>> >> It will not load balance however w/ the following line added:
>> >>
>> >>
>> >> source 0.0.0.0 usesrc clientip
>> >>
>> >> Here is all the configuration and setup relevant:
>> >>
>> >>
>> >> bash> lsmod | grep -i tproxy
>> >>  xt_TPROXY  17327  0
>> >>  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
>> >>  nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
>> >>
>> >> bash>sudo sysctl -p
>> >>  vm.swappiness = 0
>> >>  net.ipv4.ip_nonlocal_bind = 1
>> >>  net.ipv4.ip_forward = 1
>> >>
>> >> bash> sudo iptables -L -n -t mangle
>> >>  Chain PREROUTING (policy ACCEPT)
>> >>  target prot opt source   destination
>> >>  

Re: getting transparent proxy to work.

2015-08-12 Thread Rich Vigorito
No, inside the firewall there is one default gateway: 10.10.130.1

The web servers and haproxy servers have one interface I believe

Sent from my Verizon Wireless 4G LTE DROID


Baptiste  wrote:


Do you mean your web servers have 2 interfaces, each one with its own default 
gateway?

Baptiste

On Aug 12, 2015 at 23:10, "Rich Vigorito" wrote:
Good to hear. Into the firewall 192.168.0.1 and out of the
firewall 10.10.130.1
Thanks!

Sent from my Verizon Wireless 4G LTE DROID


Baptiste wrote:

Hi Rich,

Thanks a lot for this info, this is clearer now.
In my first mail, I asked you to provide us the default gateway of the
web servers.
could you please let us know this information ?

Baptiste


On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito wrote:
> Also for clarification, the config listed in here is the config I used. The
> only difference between the 2 tests is removing:
>
> source 0.0.0.0 usesrc clientip
>
> Removing it, load balancing works; keeping it in the config, load balancing
> doesn't work
>
> -Rich
> 
> From: Rich Vigorito
> Sent: Monday, August 10, 2015 5:22 PM
> To: Baptiste
> Cc: haproxy@formilux.org
> Subject: RE: getting transparent proxy to work.
>
> Thank you very much for all the help, and yes, you were correct about the
> capture I reported being the health check. Attached are 2 PNGs: one with our
> simple diagram of network topology and the other being what the network admin
> and I thought was happening in our TCP handshake. This was determined by
> loading a tcpdump into Wireshark. Those 2 files are dump.pcap (which was on
> the haproxy box) and web1_dump.pcap (which was taken on the web server). What
> is happening is I don't think the web server knows how to communicate back to
> the haproxy box. The iptables rules and the ip rule and ip route commands
> from the blog post: in my setup, would those be done on the haproxy boxes or
> the web servers?
> 
> From: Baptiste
> Sent: Saturday, August 8, 2015 8:38 AM
> To: Rich Vigorito
> Cc: haproxy@formilux.org
> Subject: Re: getting transparent proxy to work.
>
> On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito wrote:
>> Hello, this is my first time using the mailing list. I have the following
>> issue.
>>
>>
>> Followed steps to enable transparent proxy outlined here:
>>
>> Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer
>> | HAProxy Technologies – Aloha Load Balancer
>>
>>
>> It will not load balance however w/ the following line added:
>>
>>
>> source 0.0.0.0 usesrc clientip
>>
>> Here is all the configuration and setup relevant:
>>
>>
>> bash> lsmod | grep -i tproxy
>>  xt_TPROXY  17327  0
>>  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
>>  nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
>>
>> bash>sudo sysctl -p
>>  vm.swappiness = 0
>>  net.ipv4.ip_nonlocal_bind = 1
>>  net.ipv4.ip_forward = 1
>>
>> bash> sudo iptables -L -n -t mangle
>>  Chain PREROUTING (policy ACCEPT)
>>  target     prot opt source               destination
>>  DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
>>  [...]
>>  Chain DIVERT (1 references)
>>  target     prot opt source               destination
>>  MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
>>  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> bash>  ip rule show
>>  0: from all lookup local
>>  32762: from all fwmark 0x1 lookup 100
>>  32766: from all lookup main
>>  32767: from all lookup default
>>
>> bash> ip route show table 100
>>  local default dev lo  scope host
>>
>> #haproxy.cfg
>> frontend layer4-listener
>>  bind *:80  transparent
>>  bind *:443 transparent
>>  bind *:3306
>>  bind *:8080
>>  mode tcp
>>  option  tcplog
>>  http-request set-header X-Forwarded-Proto https if { ssl_fc }
>>  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
>>  acl is_esp dst 10.10.130.79
>>  acl is_tls dst_port 443
&g

Re: getting transparent proxy to work.

2015-08-12 Thread Baptiste
Do you mean your web servers have 2 interfaces, each one with its own
default gateway?

Baptiste
On Aug 12, 2015 at 23:10, "Rich Vigorito" wrote:

> Good to hear. Into the firewall 192.168.0.1 and out of the firewall
> 10.10.130.1
> Thanks!
>
> *Sent from my Verizon Wireless 4G LTE DROID*
>
>
> Baptiste  wrote:
>
> Hi Rich,
>
> Thanks a lot for this info, this is clearer now.
> In my first mail, I asked you to provide us the default gateway of the
> web servers.
> could you please let us know this information ?
>
> Baptiste
>
>
> On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito  wrote:
> > Also for clarification, the config listed in here is the config I used.
> > The only difference between the 2 tests is removing:
> >
> > source 0.0.0.0 usesrc clientip
> >
> > Removing it, load balancing works; keeping it in the config, load
> > balancing doesn't work
> >
> > -Rich
> > 
> > From: Rich Vigorito 
> > Sent: Monday, August 10, 2015 5:22 PM
> > To: Baptiste
> > Cc: haproxy@formilux.org
> > Subject: RE: getting transparent proxy to work.
> >
> > Thank you very much for all the help, and yes, you were correct about
> > the capture I reported being the health check. Attached are 2 PNGs: one with
> > our simple diagram of network topology and the other being what the
> > network admin and I thought was happening in our TCP handshake. This was
> > determined by loading a tcpdump into Wireshark. Those 2 files are dump.pcap
> > (which was on the haproxy box) and web1_dump.pcap (which was taken on the
> > web server). What is happening is I don't think the web server knows how to
> > communicate back to the haproxy box. The iptables rules and the ip rule
> > and ip route commands from the blog post: in my setup, would those be done
> > on the haproxy boxes or the web servers?
> > ____
> > From: Baptiste 
> > Sent: Saturday, August 8, 2015 8:38 AM
> > To: Rich Vigorito
> > Cc: haproxy@formilux.org
> > Subject: Re: getting transparent proxy to work.
> >
> > On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito  wrote:
> >> Hello, this is my first time using the mailing list. I have the
> following
> >> issue.
> >>
> >>
> >> Followed steps to enable transparent proxy outlined here:
> >>
> >> Howto transparent proxying and binding with HAProxy and ALOHA
> Load-Balancer
> >> | HAProxy Technologies – Aloha Load Balancer
> >>
> >>
> >> It will not load balance however w/ the following line added:
> >>
> >>
> >> source 0.0.0.0 usesrc clientip
> >>
> >> Here is all the configuration and setup relevant:
> >>
> >>
> >> bash> lsmod | grep -i tproxy
> >>  xt_TPROXY  17327  0
> >>  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
> >>  nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
> >>
> >> bash>sudo sysctl -p
> >>  vm.swappiness = 0
> >>  net.ipv4.ip_nonlocal_bind = 1
> >>  net.ipv4.ip_forward = 1
> >>
> >> bash> sudo iptables -L -n -t mangle
> >>  Chain PREROUTING (policy ACCEPT)
> >>  target     prot opt source               destination
> >>  DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
> >>  [...]
> >>  Chain DIVERT (1 references)
> >>  target     prot opt source               destination
> >>  MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
> >>  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> >>
> >> bash>  ip rule show
> >>  0: from all lookup local
> >>  32762: from all fwmark 0x1 lookup 100
> >>  32766: from all lookup main
> >>  32767: from all lookup default
> >>
> >> bash> ip route show table 100
> >>  local default dev lo  scope host
> >>
> >> #haproxy.cfg
> >> frontend layer4-listener
> >>  bind *:80  transparent
> >>  bind *:443 transparent
> >>  bind *:3306
> >>  bind *:8080
> >>  mode tcp
> >>  option  tcplog
> >>  http-request set-header X-Forwarded-Proto https if { ssl_fc }
> >>  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
> >>  acl is_esp dst 10.10.130.79
> >>  acl is_tls dst_port 443
> >>  use_backend site_http if is_esp !is_tls
> >>  use_backend site_https if is_esp is_tls
> >> backend site_https
> >>  mode tcp
> >>  option tcpk

Re: getting transparent proxy to work.

2015-08-12 Thread Rich Vigorito
Good to hear. Into the firewall 192.168.0.1 and out of the
firewall 10.10.130.1
Thanks!

Sent from my Verizon Wireless 4G LTE DROID


Baptiste  wrote:

Hi Rich,

Thanks a lot for this info, this is clearer now.
In my first mail, I asked you to provide us the default gateway of the
web servers.
could you please let us know this information ?

Baptiste


On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito  wrote:
> Also for clarification, the config listed in here is the config I used. The
> only difference between the 2 tests is removing:
>
> source 0.0.0.0 usesrc clientip
>
> Removing it, load balancing works; keeping it in the config, load balancing
> doesn't work
>
> -Rich
> 
> From: Rich Vigorito 
> Sent: Monday, August 10, 2015 5:22 PM
> To: Baptiste
> Cc: haproxy@formilux.org
> Subject: RE: getting transparent proxy to work.
>
> Thank you very much for all the help, and yes, you were correct about the
> capture I reported being the health check. Attached are 2 PNGs: one with our
> simple diagram of network topology and the other being what the network admin
> and I thought was happening in our TCP handshake. This was determined by
> loading a tcpdump into Wireshark. Those 2 files are dump.pcap (which was on
> the haproxy box) and web1_dump.pcap (which was taken on the web server). What
> is happening is I don't think the web server knows how to communicate back to
> the haproxy box. The iptables rules and the ip rule and ip route commands
> from the blog post: in my setup, would those be done on the haproxy boxes or
> the web servers?
> 
> From: Baptiste 
> Sent: Saturday, August 8, 2015 8:38 AM
> To: Rich Vigorito
> Cc: haproxy@formilux.org
> Subject: Re: getting transparent proxy to work.
>
> On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito  wrote:
>> Hello, this is my first time using the mailing list. I have the following
>> issue.
>>
>>
>> Followed steps to enable transparent proxy outlined here:
>>
>> Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer
>> | HAProxy Technologies – Aloha Load Balancer
>>
>>
>> It will not load balance however w/ the following line added:
>>
>>
>> source 0.0.0.0 usesrc clientip
>>
>> Here is all the configuration and setup relevant:
>>
>>
>> bash> lsmod | grep -i tproxy
>>  xt_TPROXY  17327  0
>>  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
>>  nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
>>
>> bash>sudo sysctl -p
>>  vm.swappiness = 0
>>  net.ipv4.ip_nonlocal_bind = 1
>>  net.ipv4.ip_forward = 1
>>
>> bash> sudo iptables -L -n -t mangle
>>  Chain PREROUTING (policy ACCEPT)
>>  target     prot opt source               destination
>>  DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
>>  [...]
>>  Chain DIVERT (1 references)
>>  target     prot opt source               destination
>>  MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
>>  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> bash>  ip rule show
>>  0: from all lookup local
>>  32762: from all fwmark 0x1 lookup 100
>>  32766: from all lookup main
>>  32767: from all lookup default
>>
>> bash> ip route show table 100
>>  local default dev lo  scope host
>>
>> #haproxy.cfg
>> frontend layer4-listener
>>  bind *:80  transparent
>>  bind *:443 transparent
>>  bind *:3306
>>  bind *:8080
>>  mode tcp
>>  option  tcplog
>>  http-request set-header X-Forwarded-Proto https if { ssl_fc }
>>  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
>>  acl is_esp dst 10.10.130.79
>>  acl is_tls dst_port 443
>>  use_backend site_http if is_esp !is_tls
>>  use_backend site_https if is_esp is_tls
>> backend site_https
>>  mode tcp
>>  option tcpka
>>  option tcp-check
>>  #source 0.0.0.0 usesrc clientip ## load balancing only works when commented
>> out
>>  server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
>>  server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3
>>
>> bash> haproxy -vv
>>  HA-Proxy version 1.5.4 2014/09/02
>>  Copyright 2000-2014 Willy Tarreau 
>>  Build options :
>>  TARGET  = linux2628
>>  CPU = generic
>>  CC  = gcc
>>  CFLAGS  = -O2 -g -fno-strict-aliasing
>>  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 US

Re: getting transparent proxy to work.

2015-08-12 Thread Baptiste
Hi Rich,

Thanks a lot for this info, this is clearer now.
In my first mail, I asked you to provide us the default gateway of the
web servers.
could you please let us know this information ?

Baptiste


On Wed, Aug 12, 2015 at 5:54 PM, Rich Vigorito  wrote:
> Also for clarification, the config listed in here is the config I used. The
> only difference between the 2 tests is removing:
>
> source 0.0.0.0 usesrc clientip
>
> Removing it, load balancing works; keeping it in the config, load balancing
> doesn't work
>
> -Rich
> 
> From: Rich Vigorito 
> Sent: Monday, August 10, 2015 5:22 PM
> To: Baptiste
> Cc: haproxy@formilux.org
> Subject: RE: getting transparent proxy to work.
>
> Thank you very much for all the help, and yes, you were correct about the
> capture I reported being the health check. Attached are 2 PNGs: one with our
> simple diagram of network topology and the other being what the network admin
> and I thought was happening in our TCP handshake. This was determined by
> loading a tcpdump into Wireshark. Those 2 files are dump.pcap (which was on
> the haproxy box) and web1_dump.pcap (which was taken on the web server). What
> is happening is I don't think the web server knows how to communicate back to
> the haproxy box. The iptables rules and the ip rule and ip route commands
> from the blog post: in my setup, would those be done on the haproxy boxes or
> the web servers?
> 
> From: Baptiste 
> Sent: Saturday, August 8, 2015 8:38 AM
> To: Rich Vigorito
> Cc: haproxy@formilux.org
> Subject: Re: getting transparent proxy to work.
>
> On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito  wrote:
>> Hello, this is my first time using the mailing list. I have the following
>> issue.
>>
>>
>> Followed steps to enable transparent proxy outlined here:
>>
>> Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer
>> | HAProxy Technologies – Aloha Load Balancer
>>
>>
>> It will not load balance however w/ the following line added:
>>
>>
>> source 0.0.0.0 usesrc clientip
>>
>> Here is all the configuration and setup relevant:
>>
>>
>> bash> lsmod | grep -i tproxy
>>  xt_TPROXY  17327  0
>>  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
>>  nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
>>
>> bash>sudo sysctl -p
>>  vm.swappiness = 0
>>  net.ipv4.ip_nonlocal_bind = 1
>>  net.ipv4.ip_forward = 1
>>
>> bash> sudo iptables -L -n -t mangle
>>  Chain PREROUTING (policy ACCEPT)
>>  target     prot opt source               destination
>>  DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
>>  [...]
>>  Chain DIVERT (1 references)
>>  target     prot opt source               destination
>>  MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
>>  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> bash>  ip rule show
>>  0: from all lookup local
>>  32762: from all fwmark 0x1 lookup 100
>>  32766: from all lookup main
>>  32767: from all lookup default
>>
>> bash> ip route show table 100
>>  local default dev lo  scope host
>>
>> #haproxy.cfg
>> frontend layer4-listener
>>  bind *:80  transparent
>>  bind *:443 transparent
>>  bind *:3306
>>  bind *:8080
>>  mode tcp
>>  option  tcplog
>>  http-request set-header X-Forwarded-Proto https if { ssl_fc }
>>  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
>>  acl is_esp dst 10.10.130.79
>>  acl is_tls dst_port 443
>>  use_backend site_http if is_esp !is_tls
>>  use_backend site_https if is_esp is_tls
>> backend site_https
>>  mode tcp
>>  option tcpka
>>  option tcp-check
>>  #source 0.0.0.0 usesrc clientip ## load balancing only works when commented
>> out
>>  server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
>>  server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3
>>
>> bash> haproxy -vv
>>  HA-Proxy version 1.5.4 2014/09/02
>>  Copyright 2000-2014 Willy Tarreau 
>>  Build options :
>>  TARGET  = linux2628
>>  CPU = generic
>>  CC  = gcc
>>  CFLAGS  = -O2 -g -fno-strict-aliasing
>>  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
>> USE_PCRE=1
>>
>> bash> uname -r
>>  3.10.0-229.4.2.el7.x86_64
>>
>>
>> Our network admin indicated the following:
>>
>&g

RE: getting transparent proxy to work.

2015-08-12 Thread Rich Vigorito
Also for clarification, the config listed in here is the config I used. The
only difference between the 2 tests is removing:

source 0.0.0.0 usesrc clientip 

Removing it, load balancing works; keeping it in the config, load balancing
doesn't work

-Rich

From: Rich Vigorito 
Sent: Monday, August 10, 2015 5:22 PM
To: Baptiste
Cc: haproxy@formilux.org
Subject: RE: getting transparent proxy to work.

Thank you very much for all the help, and yes, you were correct about the
capture I reported being the health check. Attached are 2 PNGs: one with our
simple diagram of network topology and the other being what the network admin
and I thought was happening in our TCP handshake. This was determined by
loading a tcpdump into Wireshark. Those 2 files are dump.pcap (which was on the
haproxy box) and web1_dump.pcap (which was taken on the web server). What is
happening is I don't think the web server knows how to communicate back to the
haproxy box. The iptables rules and the ip rule and ip route commands from the
blog post: in my setup, would those be done on the haproxy boxes or the web
servers?

From: Baptiste 
Sent: Saturday, August 8, 2015 8:38 AM
To: Rich Vigorito
Cc: haproxy@formilux.org
Subject: Re: getting transparent proxy to work.

On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito  wrote:
> Hello, this is my first time using the mailing list. I have the following
> issue.
>
>
> Followed steps to enable transparent proxy outlined here:
>
> Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer
> | HAProxy Technologies – Aloha Load Balancer
>
>
> It will not load balance however w/ the following line added:
>
>
> source 0.0.0.0 usesrc clientip
>
> Here is all the configuration and setup relevant:
>
>
> bash> lsmod | grep -i tproxy
>  xt_TPROXY  17327  0
>  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
>  nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
>
> bash>sudo sysctl -p
>  vm.swappiness = 0
>  net.ipv4.ip_nonlocal_bind = 1
>  net.ipv4.ip_forward = 1
>
> bash> sudo iptables -L -n -t mangle
>  Chain PREROUTING (policy ACCEPT)
>  target     prot opt source               destination
>  DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
>  [...]
>  Chain DIVERT (1 references)
>  target     prot opt source               destination
>  MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
>  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> bash>  ip rule show
>  0: from all lookup local
>  32762: from all fwmark 0x1 lookup 100
>  32766: from all lookup main
>  32767: from all lookup default
>
> bash> ip route show table 100
>  local default dev lo  scope host
>
> #haproxy.cfg
> frontend layer4-listener
>  bind *:80  transparent
>  bind *:443 transparent
>  bind *:3306
>  bind *:8080
>  mode tcp
>  option  tcplog
>  http-request set-header X-Forwarded-Proto https if { ssl_fc }
>  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
>  acl is_esp dst 10.10.130.79
>  acl is_tls dst_port 443
>  use_backend site_http if is_esp !is_tls
>  use_backend site_https if is_esp is_tls
> backend site_https
>  mode tcp
>  option tcpka
>  option tcp-check
>  #source 0.0.0.0 usesrc clientip ## load balancing only works when commented
> out
>  server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
>  server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3
>
> bash> haproxy -vv
>  HA-Proxy version 1.5.4 2014/09/02
>  Copyright 2000-2014 Willy Tarreau 
>  Build options :
>  TARGET  = linux2628
>  CPU = generic
>  CC  = gcc
>  CFLAGS  = -O2 -g -fno-strict-aliasing
>  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
> USE_PCRE=1
>
> bash> uname -r
>  3.10.0-229.4.2.el7.x86_64
>
>
> Our network admin indicated the following:
>
>
> A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
> A SYN-ACK packet from web1 back to haproxy2
> A RST packet from haproxy2 to web1.
>
>
> Anyone able/willing to help and/or give insight into this issue?
>
>
> Thanks


Hi Rich,

the information you provide is quite inaccurate.
I've already reported this on stackoverflow where you first posted
your question.

Here, for example, you ran multiple tests, with different
configurations, but you don't tell us during which one your network
admin saw the network he described.

First point, the network packets reported by your network admin seem
to be a health check...
Second, it is hard to help troubleshooting transparent proxy without a
network diagram. So please draw and share the simplest one showing a
client, haproxy and a server, with their respective interfaces, IPs
and default gateway.

Last, a TCPdump on HAProxy box showing the traffic on the interface
between haproxy and the server for the IP address of the client.

Baptiste



Re: getting transparent proxy to work.

2015-08-08 Thread Baptiste
On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito  wrote:
> Hello, this is my first time using the mailing list. I have the following
> issue.
>
>
> Followed steps to enable transparent proxy outlined here:
>
> Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer
> | HAProxy Technologies – Aloha Load Balancer
>
>
> It will not load balance however w/ the following line added:
>
>
> source 0.0.0.0 usesrc clientip
>
> Here is all the configuration and setup relevant:
>
>
> bash> lsmod | grep -i tproxy
>  xt_TPROXY  17327  0
>  nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
>  nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
>
> bash>sudo sysctl -p
>  vm.swappiness = 0
>  net.ipv4.ip_nonlocal_bind = 1
>  net.ipv4.ip_forward = 1
>
> bash> sudo iptables -L -n -t mangle
>  Chain PREROUTING (policy ACCEPT)
>  target     prot opt source               destination
>  DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
>  [...]
>  Chain DIVERT (1 references)
>  target     prot opt source               destination
>  MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
>  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> bash>  ip rule show
>  0: from all lookup local
>  32762: from all fwmark 0x1 lookup 100
>  32766: from all lookup main
>  32767: from all lookup default
>
> bash> ip route show table 100
>  local default dev lo  scope host
>
> #haproxy.cfg
> frontend layer4-listener
>  bind *:80  transparent
>  bind *:443 transparent
>  bind *:3306
>  bind *:8080
>  mode tcp
>  option  tcplog
>  http-request set-header X-Forwarded-Proto https if { ssl_fc }
>  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
>  acl is_esp dst 10.10.130.79
>  acl is_tls dst_port 443
>  use_backend site_http if is_esp !is_tls
>  use_backend site_https if is_esp is_tls
> backend site_https
>  mode tcp
>  option tcpka
>  option tcp-check
>  #source 0.0.0.0 usesrc clientip ## load balancing only works when commented
> out
>  server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
>  server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3
>
> bash> haproxy -vv
>  HA-Proxy version 1.5.4 2014/09/02
>  Copyright 2000-2014 Willy Tarreau 
>  Build options :
>  TARGET  = linux2628
>  CPU = generic
>  CC  = gcc
>  CFLAGS  = -O2 -g -fno-strict-aliasing
>  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
> USE_PCRE=1
>
> bash> uname -r
>  3.10.0-229.4.2.el7.x86_64
>
>
> Our network admin indicated the following:
>
>
> A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
> A SYN-ACK packet from web1 back to haproxy2
> A RST packet from haproxy2 to web1.
>
>
> Anyone able/willing to help and/or give insight into this issue?
>
>
> Thanks


Hi Rich,

the information you provide is quite inaccurate.
I've already reported this on stackoverflow where you first posted
your question.

Here, for example, you ran multiple tests, with different
configurations, but you don't tell us during which one your network
admin saw the network he described.

First point, the network packets reported by your network admin seem
to be a health check...
Second, it is hard to help troubleshooting transparent proxy without a
network diagram. So please draw and share the simplest one showing a
client, haproxy and a server, with their respective interfaces, IPs
and default gateway.

Last, a TCPdump on HAProxy box showing the traffic on the interface
between haproxy and the server for the IP address of the client.

Baptiste



getting transparent proxy to work.

2015-08-07 Thread Rich Vigorito
Hello, this is my first time using the mailing list. I have the following issue.


Followed steps to enable transparent proxy outlined here:

Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer | HAProxy Technologies - Aloha Load Balancer


It will not load balance however w/ the following line added:


source 0.0.0.0 usesrc clientip

Here is all the configuration and setup relevant:


bash> lsmod | grep -i tproxy
 xt_TPROXY  17327  0
 nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
 nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

bash>sudo sysctl -p
 vm.swappiness = 0
 net.ipv4.ip_nonlocal_bind = 1
 net.ipv4.ip_forward = 1

bash> sudo iptables -L -n -t mangle
 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination
 DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
 [...]
 Chain DIVERT (1 references)
 target     prot opt source               destination
 MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

bash>  ip rule show
 0: from all lookup local
 32762: from all fwmark 0x1 lookup 100
 32766: from all lookup main
 32767: from all lookup default

bash> ip route show table 100
 local default dev lo  scope host

#haproxy.cfg
frontend layer4-listener
 bind *:80  transparent
 bind *:443 transparent
 bind *:3306
 bind *:8080
 mode tcp
 option  tcplog
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
 acl is_esp dst 10.10.130.79
 acl is_tls dst_port 443
 use_backend site_http if is_esp !is_tls
 use_backend site_https if is_esp is_tls
backend site_https
 mode tcp
 option tcpka
 option tcp-check
 #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
 server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
 server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3

bash> haproxy -vv
 HA-Proxy version 1.5.4 2014/09/02
 Copyright 2000-2014 Willy Tarreau 
 Build options :
 TARGET  = linux2628
 CPU = generic
 CC  = gcc
 CFLAGS  = -O2 -g -fno-strict-aliasing
 OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

bash> uname -r
 3.10.0-229.4.2.el7.x86_64

Our network admin indicated the following:


  1.  A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
  2.  A SYN-ACK packet from web1 back to haproxy2
  3.  A RST packet from haproxy2 to web1.


Anyone able/willing to help and/or give insight into this issue?


Thanks
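As an added example (editor's code, not from anyone in this thread): a small POSIX shell script that checks, from saved or live command output, the four pieces of TPROXY plumbing the original post lists on the HAProxy box, plus the server-side condition the replies turn on. With `source 0.0.0.0 usesrc clientip` in effect, the web server's SYN-ACK is routed towards the client's address, so it only comes back through HAProxy when the web server's default gateway is the HAProxy VIP; a SYN that gets a SYN-ACK HAProxy never sees looks exactly like the failed connections in this thread. The `check_*` and `tproxy_audit` names, the VIP `10.10.130.40` and the `SAMPLE_*` strings are this example's own; the samples are constructed after the outputs posted in the thread.

```shell
#!/bin/sh
# Added example (editor's, not code from the thread): offline sanity checks
# for the TPROXY plumbing listed in the original post, plus the server-side
# check the replies ask for (the web servers' default gateway must point back
# at the HAProxy VIP). Each check takes command output as its argument, so it
# runs against saved output or live output, e.g. check_ip_rule "$(ip rule show)".
# All check_* names, tproxy_audit, the VIP and the SAMPLE_* strings are this
# example's own.

# Policy routing: packets marked 0x1 in the mangle table must be looked up in table 100.
check_ip_rule() {
    printf '%s\n' "$1" | grep -Eq 'from all fwmark 0x1 lookup 100'
}

# Table 100 must deliver everything to the local stack (dev lo, scope host) so the
# transparent socket receives the packet instead of it being forwarded.
check_route_table() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*local default dev lo[[:space:]]+scope host'
}

# mangle/PREROUTING must send TCP with an existing socket to DIVERT, and DIVERT
# must set mark 0x1, the mark check_ip_rule looks for.
check_mangle() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*DIVERT[[:space:]]+tcp.*socket' &&
        printf '%s\n' "$1" | grep -Eq '^[[:space:]]*MARK[[:space:]]+all.*MARK set 0x1'
}

# "source 0.0.0.0 usesrc clientip" binds to addresses the box does not own,
# which the kernel only permits with net.ipv4.ip_nonlocal_bind = 1.
check_sysctl() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*net\.ipv4\.ip_nonlocal_bind[[:space:]]*=[[:space:]]*1$'
}

# Server side: with the client IP as source, the web server routes its SYN-ACK
# towards the client, i.e. via its default gateway. Unless that gateway is the
# HAProxy VIP, the reply bypasses HAProxy and the handshake never completes.
# $1 = output of "ip route show" on the web server, $2 = the expected VIP.
check_server_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3 }' | grep -qxF -- "$2"
}

# Runs the four HAProxy-side checks, prints PASS/FAIL for each and returns the
# number of failures (0 = the TPROXY plumbing on this box looks complete).
# $1 = ip rule show, $2 = ip route show table 100, $3 = iptables -t mangle -L -n, $4 = sysctl output
tproxy_audit() {
    fails=0
    if check_ip_rule "$1";     then echo "PASS ip rule (fwmark 0x1 -> table 100)"; else echo "FAIL ip rule";          fails=$((fails + 1)); fi
    if check_route_table "$2"; then echo "PASS table 100 (local default dev lo)";  else echo "FAIL table 100";        fails=$((fails + 1)); fi
    if check_mangle "$3";      then echo "PASS mangle DIVERT / MARK set 0x1";      else echo "FAIL mangle";           fails=$((fails + 1)); fi
    if check_sysctl "$4";      then echo "PASS ip_nonlocal_bind = 1";              else echo "FAIL ip_nonlocal_bind"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample outputs, shaped after what was posted in the thread.
SAMPLE_IP_RULE='0:      from all lookup local
32762:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE_100='local default dev lo  scope host'
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'
SAMPLE_SYSCTL='vm.swappiness = 0
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1'
VIP='10.10.130.40'   # hypothetical keepalived VIP on the HAProxy pair (not from the thread)
# Web server routing as described in the thread (gateway = firewall 10.10.130.1) ...
SAMPLE_SERVER_ROUTE_FIREWALL='default via 10.10.130.1 dev eth0
10.10.130.0/24 dev eth0  proto kernel  scope link  src 10.10.130.152'
# ... and as the replies recommend (gateway = HAProxy VIP).
SAMPLE_SERVER_ROUTE_VIP='default via 10.10.130.40 dev eth0
10.10.130.0/24 dev eth0  proto kernel  scope link  src 10.10.130.152'

# Demo run on the constructed samples.
tproxy_audit "$SAMPLE_IP_RULE" "$SAMPLE_TABLE_100" "$SAMPLE_MANGLE" "$SAMPLE_SYSCTL"
if check_server_gateway "$SAMPLE_SERVER_ROUTE_FIREWALL" "$VIP"; then
    echo "PASS web server default gateway is the VIP"
else
    echo "FAIL web server default gateway is not the VIP: replies bypass HAProxy"
fi
```

Run as-is to see the demo on the samples; on a real deployment feed live output, e.g. `check_ip_rule "$(ip rule show)"` on the HAProxy host and `check_server_gateway "$(ip route show)" <VIP>` on each web server. An audit that passes on the HAProxy side together with a failing gateway check is precisely the situation in this thread: the transparent bind works, but the return path never reaches HAProxy.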