haproxy transparent + keepalived + squid = router?
Hello,

I have been using for many years an explicit web proxy solution based on HAProxy in transparent mode, in combination with a pair of Linux load balancers (keepalived) and some Squid servers behind it. The Squid servers have the VRRP IP address as default gateway. All users have a PAC file defined in the browser that contains the VRRP IP and the port 3128. All Squid proxies behind this solution now see the real client IP, and this helps me to identify and define web policies (squidguard). I run SSL inspection on Squid, having a root authority pushed via GPO. For every site that needs to be accessed directly without going via the proxy, I have defined an SNAT rule in the firewall and a static exception in the PAC file for direct outbound Internet access.

I'd like to take this solution to a higher level and make a completely transparent web proxy solution, without it being necessary to define a PAC file in the browser. In order to do that, I want to do the routing/filtering directly on the HAProxy servers. I've configured PBR to send the traffic from local PCs for ports 80 and 443 to the VRRP IP. I now see all traffic from the clients on the HAProxy servers.

This is part of the haproxy config:

    frontend fe_frontend_pool_proxy_3128
        timeout client 30m
        mode tcp
        bind 172.17.232.232:3128 transparent # VRRP IP
        default_backend bk_pool_proxy_3128

    backend bk_pool_proxy_3128
        timeout server 30m
        timeout connect 5s
        mode tcp
        balance leastconn
        stick-table type ip size 20k
        stick on src
        default-server inter 5s fall 3 rise 2 on-marked-down shutdown-sessions
        source 0.0.0.0 usesrc clientip
        server proxy1 172.17.232.229:3128 check port 3128 inter 3s rise 3 fall 3
        server proxy2 172.17.232.230:3128 check port 3128 inter 3s rise 3 fall 3

And now the question comes: is there a way to redirect the incoming client traffic to 172.17.232.232:3128, and all of that without affecting the web traffic from the clients' point of view?

Any help is highly appreciated.

Thanks in advance,
--Marius M
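The diversion Marius asks about, as an added example that is not part of the original post: the kernel's TPROXY target hands intercepted port 80/443 flows to a listener bound with "transparent" on the HAProxy node without rewriting the destination, which is the mechanism behind HAProxy's transparent bind. The VRRP IP and the Squid addresses are taken from the post; the client subnet 172.17.0.0/16, the listener ports and the DRY_RUN switch are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: divert the clients' port 80/443
# flows that PBR already delivers to this HAProxy node into "bind ... transparent"
# listeners, using the kernel TPROXY target. The VIP and Squid addresses are the
# post's; CLIENT_NET, the listener ports and DRY_RUN are the example's
# assumptions. Run as root on both keepalived nodes; DRY_RUN=1 prints the
# commands instead of executing them.

VIP=${VIP:-172.17.232.232}
CLIENT_NET=${CLIENT_NET:-172.17.0.0/16}
PROXIES=${PROXIES:-"172.17.232.229 172.17.232.230"}
TPROXY_MARK=0x1
TPROXY_TABLE=100

# run CMD...: execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# tproxy_divert HTTP_PORT HTTPS_PORT
# HTTP_PORT / HTTPS_PORT are the ports of the two transparent HAProxy frontends
# that should receive intercepted port 80 and port 443 flows respectively.
tproxy_divert() {
    http_port=$1
    https_port=$2

    # Packets that already belong to a local transparent socket (the reply
    # direction, including Squid's replies that come back via this gateway)
    # are only marked and accepted, so the TPROXY rules see each new flow once.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$TPROXY_MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

    # Loop guard: the Squid servers use the VIP as default gateway, so their own
    # Internet-bound 80/443 traffic passes through here and must not be
    # intercepted a second time.
    for p in $PROXIES; do
        run iptables -t mangle -A PREROUTING -s "$p" -j RETURN
    done

    # Intercept only the client subnet. TPROXY does not NAT: the destination
    # stays the real web server and the client address stays intact.
    run iptables -t mangle -A PREROUTING -s "$CLIENT_NET" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$TPROXY_MARK/$TPROXY_MARK" --on-ip "$VIP" --on-port "$http_port"
    run iptables -t mangle -A PREROUTING -s "$CLIENT_NET" -p tcp --dport 443 \
        -j TPROXY --tproxy-mark "$TPROXY_MARK/$TPROXY_MARK" --on-ip "$VIP" --on-port "$https_port"

    # Marked packets carry a remote destination but must be delivered locally;
    # a policy route to "local" on lo does that.
    run ip rule add fwmark "$TPROXY_MARK" lookup "$TPROXY_TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TPROXY_TABLE"
}

# Example: intercept 80 -> HAProxy :3129 and 443 -> HAProxy :3130, both
# frontends bound with "transparent" on the VIP.
#   tproxy_divert 3129 3130
```

Two caveats a practitioner would check before enabling this. First, intercepted traffic is not explicit-proxy traffic: Squid accepts it only on an "http_port ... intercept" port (and, for 443, an "https_port ... intercept ssl-bump" port) that is distinct from the 3128 forward-proxy port, so HAProxy needs one transparent frontend per protocol forwarding to those ports rather than the existing 3128 frontend; Squid's intercept ports also expect to learn the original destination from the connection, which a connection HAProxy opened to Squid's own address does not carry, so verify how Squid resolves the origin from Host/SNI in this chain before relying on it. Second, the rules and the policy route must be present on both keepalived nodes, since the PBR next-hop follows the VIP.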
Re: Haproxy w/ Keepalived using SSL Passthrough example.
Hi.

On 28.07.2019 at 03:13, TomK wrote:
> Hello,
>
> I'm trying to configure Haproxy w/ Keepalived to pass TLS encrypted traffic from
> the VIP to the underlying hosts which are also themselves running with TLS
> Certificates.
>
> High-level overview of the setup:
>
> server1:7182 ( TLS Encrypted ) 10.0.0.1
> server2:7182 ( TLS Encrypted ) 10.0.0.2
>
> srv-cluster01:7182 10.0.0.3 ( TLS Encrypted )

What's your config (keepalived and haproxy) and your haproxy version?

> Right now I have the client trying to connect to the server via a
> Haproxy/Keepalived two node cluster, however I'm getting:
>
> SSLError: certificate verify failed

Is this error from the client, from haproxy or from the backend server?

> Both the server and the Client Agent app are Java based. I've added the
> private key to the
>
> /etc/pki/ca-trust/extracted/java/jssecacerts

You should not put the private key into the keystore, only the CA which signed the certificate. Please take a look at this post to see how to handle the CA and certificates.

https://fabianlee.org/2018/02/19/java-loading-self-signed-ca-and-san-certificates-into-a-java-keystore/

> It appears as though the traffic is passing through, however the certs aren't
> matching up.
>
> So I'm wondering if anyone could share their config that I could use as an
> example of how things should be configured in this scenario.

Well, there are a lot of search results on how to set up haproxy and keepalived. Which one have you followed?

https://duckduckgo.com/?q=haproxy+keepalived

Regards
Aleks
Haproxy w/ Keepalived using SSL Passthrough example.
Hello,

I'm trying to configure Haproxy w/ Keepalived to pass TLS encrypted traffic from the VIP to the underlying hosts which are also themselves running with TLS Certificates.

High-level overview of the setup:

server1:7182 ( TLS Encrypted ) 10.0.0.1
server2:7182 ( TLS Encrypted ) 10.0.0.2

srv-cluster01:7182 10.0.0.3 ( TLS Encrypted )

Right now I have the client trying to connect to the server via a Haproxy/Keepalived two node cluster, however I'm getting:

SSLError: certificate verify failed

Both the server and the Client Agent app are Java based. I've added the private key to the

/etc/pki/ca-trust/extracted/java/jssecacerts

It appears as though the traffic is passing through, however the certs aren't matching up.

So I'm wondering if anyone could share their config that I could use as an example of how things should be configured in this scenario.

--
Thx,
TK.
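A check for the mismatch TomK describes and Aleks's point about the keystore, as an added example that is not part of the thread: when HAProxy passes TLS through in mode tcp, the client completes the handshake with server1 or server2, so it sees that backend's certificate and validates it against the name it used to reach the VIP (srv-cluster01 or 10.0.0.3). Two things then have to hold: the CA that signed the backend certificates must be in the client's truststore (the CA certificate, not the private key), and the backend certificates' subjectAltName must cover the VIP name. The script below fetches the SAN a client sees at a given address and tests whether it covers a name. The host names and port 7182 come from the post; the wildcard rule and the openssl invocation are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the certificate a client
# sees when connecting through the VIP covers the name the client uses. With
# HAProxy in "mode tcp" the handshake is completed by server1/server2, so this
# is their certificate, not anything HAProxy holds.

# san_covers SAN_LIST NAME
# SAN_LIST is the comma-separated subjectAltName text openssl prints, e.g.
# "DNS:server1, DNS:*.example.internal, IP Address:10.0.0.3". Returns 0 when
# NAME is matched by a DNS entry (exact, or a wildcard covering exactly one
# leftmost label) or by an IP Address entry. Comparison is case-insensitive.
san_covers() {
    san_list=$1
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    rc=1
    old_ifs=$IFS
    IFS=,
    for raw in $san_list; do
        IFS=$old_ifs
        entry=$(printf '%s' "$raw" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
        case $entry in
            "dns:$name"|"ip address:$name")
                rc=0 ;;
            dns:\*.*)
                # *.example.internal covers host.example.internal but neither
                # a.b.example.internal nor example.internal itself.
                suffix=${entry#dns:\*.}
                first=${name%%.*}
                rest=${name#*.}
                if [ "$rest" != "$name" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]; then
                    rc=0
                fi ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# fetch_san HOST PORT SNI
# Prints the subjectAltName values of the leaf certificate presented at
# HOST:PORT when the client sends SNI. Needs OpenSSL 1.1.1 or newer for -ext.
fetch_san() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | sed -n '2s/^[[:space:]]*//p'
}

# check_passthrough ADDR PORT NAME
# NAME is what the client puts in its URL (srv-cluster01 in the thread).
check_passthrough() {
    san=$(fetch_san "$1" "$2" "$3")
    if [ -z "$san" ]; then
        echo "no certificate with a subjectAltName received from $1:$2"
        return 2
    fi
    if san_covers "$san" "$3"; then
        echo "OK: certificate at $1:$2 covers $3 ($san)"
        return 0
    fi
    echo "MISMATCH: certificate at $1:$2 does not cover $3 ($san)"
    return 1
}

# Usage: run against the VIP and against each backend directly; with TLS
# passed through, the VIP result must equal one of the backends' results.
#   check_passthrough 10.0.0.3 7182 srv-cluster01
#   check_passthrough 10.0.0.1 7182 srv-cluster01
#   check_passthrough 10.0.0.2 7182 srv-cluster01
```

If the SAN check passes but the Java client still fails, the trust side is the problem: run openssl s_client with -CAfile pointing at the CA certificate and -verify_return_error to confirm the chain, then import that CA certificate (not the key) into jssecacerts with keytool -importcert.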
RE: haproxy with keepalived
(once again I apologize for top-posting)

Would you mind listing what you change (and if possible a reason)?

I've grown up with *BSD-style environments (started out on NetBSD 1.2 back in the 90's on non-x86 hardware), and I keep being amazed by Linux. While some vendors and distros are doing good jobs with documentation and features, statements like your own about using a patchset for more than 10 years always give me a queasy stomach. What if - oh the horror - I should have done something differently than what I think is the right way? My recent experiences with arp_filter etc. tell me that I've still got something to learn..

Regards,
Jens Dueholm Christensen

-----Original Message-----
From: Willy Tarreau [mailto:w...@1wt.eu]
Sent: Saturday, March 31, 2012 6:36 PM
To: Jens Dueholm Christensen (JEDC)
Cc: haproxy@formilux.org
Subject: Re: haproxy with keepalived

Clearly on linux it's common to have ARP working in a strange way for some people, because its IPv4 stack works exactly like the IPv6 one, with addresses having a host scope, so any network card is able to respond to an ARP request. I've been using Julian Anastasov's patchset for more than 10 years on 2.2 then 2.4 to add the arp_announce, arp_filter, arp_ignore etc... sysctls. Now they're in 2.6 by default but I too think that the default values are confusing, so one of the very first things I do when I install a system is to switch them. The second one is to set ip_nonlocal_bind :-)

Regards,
Willy
Re: haproxy with keepalived
On Wed, Mar 28, 2012 at 09:47:47PM +, Jens Dueholm Christensen (JEDC) wrote:
> Hey Baptiste
>
> You're very welcome - hopefully others can use it. At least there was a (somewhat) reasonable explanation and easy fix to the problem once I figured out what was happening.
>
> I re-read my previous post, and realised that one thing was a bit unclear: The homepage I linked to mentioned that the rp_filter setting also *might* have something to do with correcting the problem. I cannot verify this, as I already had turned off rp_filter in my setup.
>
> Your mileage may also vary depending on distribution - Debian, Suse, RHEL, CentOS etc etc - I have only tested with RHEL. At least I'm sure that this strange behaviour is limited to linux-flavour OSes. FreeBSD (that I also use) does not exhibit the same behaviour.

Clearly on linux it's common to have ARP working in a strange way for some people, because its IPv4 stack works exactly like the IPv6 one, with addresses having a host scope, so any network card is able to respond to an ARP request. I've been using Julian Anastasov's patchset for more than 10 years on 2.2 then 2.4 to add the arp_announce, arp_filter, arp_ignore etc... sysctls. Now they're in 2.6 by default but I too think that the default values are confusing, so one of the very first things I do when I install a system is to switch them. The second one is to set ip_nonlocal_bind :-)

Regards,
Willy
RE: haproxy with keepalived
Hey Baptiste

You're very welcome - hopefully others can use it. At least there was a (somewhat) reasonable explanation and easy fix to the problem once I figured out what was happening.

I re-read my previous post, and realised that one thing was a bit unclear: The homepage I linked to mentioned that the rp_filter setting also *might* have something to do with correcting the problem. I cannot verify this, as I already had turned off rp_filter in my setup.

Your mileage may also vary depending on distribution - Debian, Suse, RHEL, CentOS etc etc - I have only tested with RHEL. At least I'm sure that this strange behaviour is limited to linux-flavour OSes. FreeBSD (that I also use) does not exhibit the same behaviour.

Regards,
Jens Dueholm Christensen

From: Baptiste [bed...@gmail.com]
Sent: 28 March 2012 06:14
To: Jens Dueholm Christensen (JEDC)
Cc: haproxy@formilux.org
Subject: Re: haproxy with keepalived

hey, thanks for sharing your fix.
This is an interesting one :)

Baptiste
RE: haproxy with keepalived
Hi

I've got a setup with haproxy and keepalived in front handling ~10 IPs.

When I was testing my setup (watching with tcpdump etc) I saw a strange behaviour, that I eventually found a solution to a long while ago. A bit of googling today led me to answer 2 (answered Mar 16 '11 at 6:12) on this page:
http://serverfault.com/questions/247472/arp-replies-contain-wrong-mac-address

For my setup to work correctly - ie. have the right NIC send out the Gratuitous ARP packet - I'm doing this in my iptables-based firewall script:

    for interface in /proc/sys/net/ipv4/conf/*/arp_filter; do
        /bin/echo 1 > ${interface}
    done

The documentation for arp_filter says that 0 (the default value) usually makes sense, but in multi-homed and failover scenarios it does not make sense at all!
Before reading the documentation I had never thought it possible that an arp request coming in through NIC 1 could be answered by NIC 2, but alas..

Before changing that I had a 1-in-6 (I've got 6 NICs in this machine - 2 bundled for failover to 3 different networks) chance of the GARP packet being sent out correctly and failover working as intended.

Oh, and I should mention that my firewall script already did contain the mentioned rp_filter fix.

    for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
        /bin/echo 0 > ${interface}
    done

Regards,
Jens Dueholm Christensen
Rambøll Survey IT

-----Original Message-----
From: Willy Tarreau [mailto:w...@1wt.eu]
Sent: Saturday, March 24, 2012 9:51 PM
To: Esteban Torres Rodríguez
Cc: haproxy@formilux.org
Subject: Re: haproxy with keepalived

On Wed, Mar 21, 2012 at 09:15:16AM +0100, Esteban Torres Rodríguez wrote:
> On 21 March 2012 at 07:39, Willy Tarreau w...@1wt.eu wrote:
>> On Mon, Mar 19, 2012 at 08:08:37PM +0100, Esteban Torres Rodríguez wrote:
>>> Maybe I have to ask this in the keepalived list.
>>> I have 2 servers configured in Debian with keepalived and haproxy.
>>> Today I found that both servers are running.
>>
>> You mean that both servers own the VIP ?
>
> Of the 6 IPs, 4 are answered by the master and 2 by the backup. It is dynamic; IPs are exchanged randomly.

Is this what you're observing or what you want ? Also, my concerns were about finding some IPs at the two places at once, which fortunately is not the case !

> The server has 4 network cards. Is it of significance that it has 3 virtual IPs?

No, it should be unrelated. Are the NICs on the same network ? If so I wonder what happens when keepalived receives its own packets via another NIC, maybe it forces a re-election but I may be wrong, Alex would know that much better than me !

> vrrp_script chk_haproxy {
>     script "killall -0 haproxy"
>     interval 2
>     weight 2
> }
>
> vrrp_instance VI_1 {
>     interface eth0
>     state MASTER
>     virtual_router_id 51
>     priority 101
>     virtual_ipaddress {
>         10.239.212.28
>         10.239.212.30
>         10.239.212.58
>         10.239.212.59
>         10.239.212.60
>         10.239.212.77
>     }
>     track_script {
>         chk_haproxy
>     }
> }

I really see nothing wrong here, nor anything which could explain how only some of the addresses would be added to an interface !

Regards,
Willy
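The ARP sysctls Willy describes in his replies above (arp_filter, arp_ignore, arp_announce, plus ip_nonlocal_bind) and the loops in Jens's firewall script, turned into an audit-and-apply script as an added example that is not part of the thread. It reads the per-interface sysctls from a directory shaped like /proc/sys/net/ipv4 that is passed as an argument, so it can be run against the live kernel or against a copy for testing, reports every value that deviates from the wanted one, and can write the wanted values. arp_filter=1 and rp_filter=0 are the values Jens uses; arp_ignore=1 and arp_announce=2 are the values commonly recommended for VRRP nodes and are the example's own assumption, not something the thread states; ip_nonlocal_bind=1 is what lets haproxy bind the VIP on the node that does not currently own it.

```shell
#!/bin/sh
# Added example (not from the thread): audit and apply the ARP / reverse-path
# sysctls discussed above. ROOT is a directory shaped like /proc/sys/net/ipv4
# (ROOT/conf/<iface>/<key>, ROOT/ip_nonlocal_bind), so the functions can be
# pointed at the live kernel or at a copy for offline testing.

# Wanted values. arp_filter=1 / rp_filter=0 are the thread's; arp_ignore=1 and
# arp_announce=2 are the usual VRRP recommendation (assumption, not from the
# thread); adjust to local policy.
WANT_arp_filter=1
WANT_arp_ignore=1
WANT_arp_announce=2
WANT_rp_filter=0
KEYS="arp_filter arp_ignore arp_announce rp_filter"

# audit_arp_sysctls ROOT
# Prints one "<iface> <key> have=<v> want=<w>" line per deviation (including
# the "all" and "default" entries, which the kernel combines with the
# per-interface value), plus a "global ip_nonlocal_bind" line if that is not 1.
# Returns 0 when everything matches, 1 otherwise.
audit_arp_sysctls() {
    root=$1
    rc=0
    for dir in "$root"/conf/*/; do
        iface=$(basename "$dir")
        for key in $KEYS; do
            [ -r "$dir$key" ] || continue
            have=$(cat "$dir$key")
            eval "want=\$WANT_$key"
            if [ "$have" != "$want" ]; then
                printf '%s %s have=%s want=%s\n' "$iface" "$key" "$have" "$want"
                rc=1
            fi
        done
    done
    # ip_nonlocal_bind=1 lets haproxy bind the VIP on the node that does not
    # currently own it, so it is listening before keepalived moves the address.
    if [ -r "$root/ip_nonlocal_bind" ]; then
        have=$(cat "$root/ip_nonlocal_bind")
        if [ "$have" != 1 ]; then
            printf 'global ip_nonlocal_bind have=%s want=1\n' "$have"
            rc=1
        fi
    fi
    return $rc
}

# apply_arp_sysctls ROOT
# Writes the wanted values to every interface entry, the same way as the loops
# in Jens's script but with an explicit redirect into each sysctl file. Needs
# root when ROOT is the real /proc/sys/net/ipv4.
apply_arp_sysctls() {
    root=$1
    for dir in "$root"/conf/*/; do
        for key in $KEYS; do
            eval "want=\$WANT_$key"
            [ -w "$dir$key" ] && echo "$want" > "$dir$key"
        done
    done
    [ -w "$root/ip_nonlocal_bind" ] && echo 1 > "$root/ip_nonlocal_bind"
    return 0
}

# Usage on a live node (run the audit first; apply only if it reports drift):
#   audit_arp_sysctls /proc/sys/net/ipv4 || apply_arp_sysctls /proc/sys/net/ipv4
```

Because the sysctls are per interface and new interfaces (bonds, VLANs) pick up the "default" value, the audit is worth running after any network change and not only at boot; a node that answers ARP for the VIP from the wrong NIC after a keepalived failover is exactly the symptom Jens describes.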
Re: haproxy with keepalived
hey, thanks for sharing your fix.
This is an interesting one :)

Baptiste
Re: haproxy with keepalived
On 24 March 2012 at 21:51, Willy Tarreau w...@1wt.eu wrote:
> On Wed, Mar 21, 2012 at 09:15:16AM +0100, Esteban Torres Rodríguez wrote:
>> On 21 March 2012 at 07:39, Willy Tarreau w...@1wt.eu wrote:
>>> On Mon, Mar 19, 2012 at 08:08:37PM +0100, Esteban Torres Rodríguez wrote:
>>>> Maybe I have to ask this in the keepalived list.
>>>> I have 2 servers configured in Debian with keepalived and haproxy.
>>>> Today I found that both servers are running.
>>>
>>> You mean that both servers own the VIP ?
>>
>> Of the 6 IPs, 4 are answered by the master and 2 by the backup. It is dynamic; IPs are exchanged randomly.
>
> Is this what you're observing or what you want ? Also, my concerns were about finding some IPs at the two places at once, which fortunately is not the case !
>
>> The server has 4 network cards. Is it of significance that it has 3 virtual IPs?
>
> No, it should be unrelated. Are the NICs on the same network ? If so I wonder what happens when keepalived receives its own packets via another NIC, maybe it forces a re-election but I may be wrong, Alex would know that much better than me !

Both servers are virtual with VMware. Each server has 4 physical cards and 3 virtual (1 physical server for management, 3 physical and 3 virtual VIP). Perhaps it is VMware management changing ownership of the NIC.

>> vrrp_script chk_haproxy {
>>     script "killall -0 haproxy"
>>     interval 2
>>     weight 2
>> }
>>
>> vrrp_instance VI_1 {
>>     interface eth0
>>     state MASTER
>>     virtual_router_id 51
>>     priority 101
>>     virtual_ipaddress {
>>         10.239.212.28
>>         10.239.212.30
>>         10.239.212.58
>>         10.239.212.59
>>         10.239.212.60
>>         10.239.212.77
>>     }
>>     track_script {
>>         chk_haproxy
>>     }
>> }
>
> I really see nothing wrong here, nor anything which could explain how only some of the addresses would be added to an interface !
>
> Regards,
> Willy
Re: haproxy with keepalived
On Sun, Mar 25, 2012 at 05:00:53PM +0200, Esteban Torres Rodríguez wrote:
> On 24 March 2012 at 21:51, Willy Tarreau w...@1wt.eu wrote:
>> On Wed, Mar 21, 2012 at 09:15:16AM +0100, Esteban Torres Rodríguez wrote:
>>> On 21 March 2012 at 07:39, Willy Tarreau w...@1wt.eu wrote:
>>>> On Mon, Mar 19, 2012 at 08:08:37PM +0100, Esteban Torres Rodríguez wrote:
>>>>> Maybe I have to ask this in the keepalived list.
>>>>> I have 2 servers configured in Debian with keepalived and haproxy.
>>>>> Today I found that both servers are running.
>>>>
>>>> You mean that both servers own the VIP ?
>>>
>>> Of the 6 IPs, 4 are answered by the master and 2 by the backup. It is dynamic; IPs are exchanged randomly.
>>
>> Is this what you're observing or what you want ? Also, my concerns were about finding some IPs at the two places at once, which fortunately is not the case !
>>
>>> The server has 4 network cards. Is it of significance that it has 3 virtual IPs?
>>
>> No, it should be unrelated. Are the NICs on the same network ? If so I wonder what happens when keepalived receives its own packets via another NIC, maybe it forces a re-election but I may be wrong, Alex would know that much better than me !
>
> Both servers are virtual with VMware. Each server has 4 physical cards and 3 virtual (1 physical server for management, 3 physical and 3 virtual VIP). Perhaps it is VMware management changing ownership of the NIC.

I really have no idea. That's the beauty of virtualization, adding (clouds of) smoke between where the problems occur and where they are observed. What's funny is that the cost of debugging these issues is *much* higher than the cost of the server that was saved by the operation :-)

The only thing you can do at the moment is to try to stabilize the lower layers and ensure they're not doing any more magics behind your back.

Regards,
Willy
Re: haproxy with keepalived
On Wed, Mar 21, 2012 at 09:15:16AM +0100, Esteban Torres Rodríguez wrote:
> On 21 March 2012 at 07:39, Willy Tarreau w...@1wt.eu wrote:
>> On Mon, Mar 19, 2012 at 08:08:37PM +0100, Esteban Torres Rodríguez wrote:
>>> Maybe I have to ask this in the keepalived list.
>>> I have 2 servers configured in Debian with keepalived and haproxy.
>>> Today I found that both servers are running.
>>
>> You mean that both servers own the VIP ?
>
> Of the 6 IPs, 4 are answered by the master and 2 by the backup. It is dynamic; IPs are exchanged randomly.

Is this what you're observing or what you want ? Also, my concerns were about finding some IPs at the two places at once, which fortunately is not the case !

> The server has 4 network cards. Is it of significance that it has 3 virtual IPs?

No, it should be unrelated. Are the NICs on the same network ? If so I wonder what happens when keepalived receives its own packets via another NIC, maybe it forces a re-election but I may be wrong, Alex would know that much better than me !

> vrrp_script chk_haproxy {
>     script "killall -0 haproxy"
>     interval 2
>     weight 2
> }
>
> vrrp_instance VI_1 {
>     interface eth0
>     state MASTER
>     virtual_router_id 51
>     priority 101
>     virtual_ipaddress {
>         10.239.212.28
>         10.239.212.30
>         10.239.212.58
>         10.239.212.59
>         10.239.212.60
>         10.239.212.77
>     }
>     track_script {
>         chk_haproxy
>     }
> }

I really see nothing wrong here, nor anything which could explain how only some of the addresses would be added to an interface !

Regards,
Willy
Re: haproxy with keepalived
On Mon, Mar 19, 2012 at 08:08:37PM +0100, Esteban Torres Rodríguez wrote:
> Maybe I have to ask this in the keepalived list.
> I have 2 servers configured in Debian with keepalived and haproxy.
> Today I found that both servers are running.

You mean that both servers own the VIP ?

Willy
Re: haproxy with keepalived
On 21 March 2012 at 07:39, Willy Tarreau w...@1wt.eu wrote:
> On Mon, Mar 19, 2012 at 08:08:37PM +0100, Esteban Torres Rodríguez wrote:
>> Maybe I have to ask this in the keepalived list.
>> I have 2 servers configured in Debian with keepalived and haproxy.
>> Today I found that both servers are running.
>
> You mean that both servers own the VIP ?

Of the 6 IPs, 4 are answered by the master and 2 by the backup. It is dynamic; IPs are exchanged randomly.

The server has 4 network cards. Is it of significance that it has 3 virtual IPs?

vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight 2
}

vrrp_instance VI_1 {
    interface eth0
    state MASTER
    virtual_router_id 51
    priority 101
    virtual_ipaddress {
        10.239.212.28
        10.239.212.30
        10.239.212.58
        10.239.212.59
        10.239.212.60
        10.239.212.77
    }
    track_script {
        chk_haproxy
    }
}

> Willy
Re: haproxy with keepalived
Hey Esteban,

Your config looks good to me. Sometimes it can happen that during failover not all servers receive the gratuitous ARP and they keep sending traffic to the backup router. I normally force another failover to trigger another gratuitous ARP to get it working again. It shouldn't happen too often though.

Greets,
Sander
haproxy with keepalived
Maybe I have to ask this in the keepalived list.

I have 2 servers configured in Debian with keepalived and haproxy. Today I found that both servers are running. Keepalived is supposed to be active-passive, but.. When I stop a server, the other works perfectly!

I followed this manual:
http://www.howtoforge.com/setting-up-a-high-availability-load-balancer-with-haproxy-keepalived-on-debian-lenny-p2

Has anyone seen the same?

In /var/log/messages:

Keepalived_healthcheckers: Registering Kernel netlink command channel
Keepalived_healthcheckers: Opening file '/etc/keepalived/keepalived.conf'.
Keepalived_healthcheckers: Configuration is using: 3739 Bytes
Keepalived_vrrp: IPVS: Can not initialize IPVS: Protocol not available
Keepalived_healthcheckers: Using kernel netlink reflector LinkWatch ...
Keepalived_vrrp: Opening file '/etc/keepalived/keepalived.conf'.
Keepalived_vrrp: Configuration is using: 34986 Bytes
Keepalived_vrrp: Using kernel netlink reflector LinkWatch ...
Keepalived_vrrp: VRRP_Instance (VI_1) Entering MASTER STATE