On Fri, Aug 7, 2015 at 11:05 PM, Rich Vigorito <ri...@ocp.org> wrote:
> Hello, this is my first time using the mailing list. I have the following
> issue.
>
>
> Followed steps to enable transparent proxy outlined here:
>
> Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer
> | HAProxy Technologies – Aloha Load Balancer
>
>
> It will not load balance however w/ the following line added:
>
>
> source 0.0.0.0 usesrc clientip
>
> Here is all the configuration and setup relevant:
>
>
> bash> lsmod | grep -i tproxy
>  xt_TPROXY              17327  0
>  nf_defrag_ipv6         34651  2 xt_socket,xt_TPROXY
>  nf_defrag_ipv4         12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
>
> bash> sudo sysctl -p
>  vm.swappiness = 0
>  net.ipv4.ip_nonlocal_bind = 1
>  net.ipv4.ip_forward = 1
>
> bash> sudo iptables -L -n -t mangle
>  Chain PREROUTING (policy ACCEPT)
>  target     prot opt source               destination
>  DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
>  [...]
>  Chain DIVERT (1 references)
>  target     prot opt source               destination
>  MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
>  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> bash> ip rule show
>  0: from all lookup local
>  32762: from all fwmark 0x1 lookup 100
>  32766: from all lookup main
>  32767: from all lookup default
>
> bash> ip route show table 100
>  local default dev lo  scope host
>
> #haproxy.cfg
> frontend layer4-listener
>  bind *:80  transparent
>  bind *:443 transparent
>  bind *:3306
>  bind *:8080
>  mode tcp
>  option      tcplog
>  http-request set-header X-Forwarded-Proto https if { ssl_fc }
>  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
>  acl is_esp dst 10.10.130.79
>  acl is_tls dst_port 443
>  use_backend site_http if is_esp !is_tls
>  use_backend site_https if is_esp is_tls
> backend site_https
>  mode tcp
>  option tcpka
>  option tcp-check
>  #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
>  server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
>  server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3
>
> bash> haproxy -vv
>  HA-Proxy version 1.5.4 2014/09/02
>  Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
>  Build options :
>  TARGET  = linux2628
>  CPU     = generic
>  CC      = gcc
>  CFLAGS  = -O2 -g -fno-strict-aliasing
>  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1
>
> bash> uname -r
>  3.10.0-229.4.2.el7.x86_64
>
>
> Our network admin has indicated the following:
>
>
> A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1)
> A SYN-ACK packet from web1 back to haproxy2
> A RST packet from haproxy2 to web1.
>
>
> Anyone able/willing to help and/or give insight into this issue?
>
>
> Thanks


Hi Rich,

The information you provide is quite inaccurate.
I've already reported this on stackoverflow where you first posted
your question.

Here, for example, you ran multiple tests with different
configurations, but you don't tell us during which one your network
admin saw what he described.

First point, the network packets reported by your network admin seem
to be a health check...
Second, it is hard to help troubleshooting transparent proxy without a
network diagram. So please draw and share the simplest one showing a
client, haproxy and a server, with their respective interfaces, IPs
and default gateway.

Last, a tcpdump on the HAProxy box showing the traffic on the interface
between haproxy and the server for the IP address of the client.

Baptiste
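As an added example (not part of the thread, not HAProxy's own tooling), the script below turns the listings Rich pasted into a repeatable prerequisite audit for `usesrc clientip`: each `check_*` function reads the output of one command on stdin and succeeds only when the TPROXY prerequisite is present, so the same checks run on a live box or on saved captures. It assumes the fwmark `0x1` and routing table `100` used in the thread's `ip rule` / `ip route` listings.

```shell
#!/bin/sh
# Added example: audit the HAProxy host for the TPROXY prerequisites shown in
# the thread. Mark 0x1 and table 100 are assumed (as in the ip rule listing).
# Each check_* reads one command's output from stdin; exit 0 = present.

check_module()   { grep -Eq '^ *xt_TPROXY ' ; }               # lsmod
check_nonlocal() { grep -Eq 'ip_nonlocal_bind *= *1$' ; }     # sysctl net.ipv4.ip_nonlocal_bind
check_forward()  { grep -Eq 'ip_forward *= *1$' ; }           # sysctl net.ipv4.ip_forward
check_divert()   { grep -Eq '^ *DIVERT +tcp .* socket' ; }    # iptables -L PREROUTING -n -t mangle
check_mark()     { grep -Eq '^ *MARK .*MARK set 0x1' ; }      # iptables -L DIVERT -n -t mangle
check_rule()     { grep -Eq 'fwmark 0x1 lookup 100' ; }       # ip rule show
check_route()    { grep -Eq '^ *local default dev lo' ; }     # ip route show table 100
check_build()    { grep -q 'USE_LINUX_TPROXY=1' ; }           # haproxy -vv

# Run every check against the live host (needs root for iptables) and name
# each missing prerequisite. Returns 0 only when all of them are present.
tproxy_audit() {
    rc=0
    lsmod 2>/dev/null                              | check_module   || { echo "missing: xt_TPROXY module not loaded";            rc=1; }
    sysctl net.ipv4.ip_nonlocal_bind 2>/dev/null   | check_nonlocal || { echo "missing: net.ipv4.ip_nonlocal_bind = 1";          rc=1; }
    sysctl net.ipv4.ip_forward 2>/dev/null         | check_forward  || { echo "missing: net.ipv4.ip_forward = 1";                rc=1; }
    iptables -L PREROUTING -n -t mangle 2>/dev/null | check_divert  || { echo "missing: mangle PREROUTING socket match -> DIVERT"; rc=1; }
    iptables -L DIVERT -n -t mangle 2>/dev/null    | check_mark     || { echo "missing: DIVERT chain MARK set 0x1";               rc=1; }
    ip rule show 2>/dev/null                       | check_rule     || { echo "missing: ip rule 'fwmark 0x1 lookup 100'";         rc=1; }
    ip route show table 100 2>/dev/null            | check_route    || { echo "missing: 'local default dev lo' in table 100";     rc=1; }
    haproxy -vv 2>/dev/null                        | check_build    || { echo "missing: HAProxy built with USE_LINUX_TPROXY=1";  rc=1; }
    return $rc
}
```

It only inspects the HAProxy host; the return-path question Baptiste raises (where the servers' default gateway points) still needs the diagram and the tcpdump he asks for.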
