unsubscribe
unsubscribe
Re: HAproxy tproxy problem when try to make transparent proxy
Also for some reason if you are using the new kernel and the new iptables (as you seem to be) you need to specify the firewall mark on EVERY interface: ip rule add dev eth0 fwmark 111 lookup 100 ip rule add dev eth1 fwmark 111 lookup 100 ip rule add dev eth2 fwmark 111 lookup 100 ip rule add dev eth3 fwmark 111 lookup 100 Not sure why.. On 19 March 2010 18:55, Willy Tarreau w...@1wt.eu wrote: Hi, On Fri, Mar 19, 2010 at 07:03:47PM +0100, Daniele Genetti wrote: Hello, I have one big problem with HAproxy compiled with tproxy support. This is the situation... HAPROXY_SERVER os: ubuntu server kernel: 2.6.31 (so with tproxy support) iptables: 1.4.4 (so with tproxy support) ip: 192.168.1.20 WEB_SERVER os: debian kernel: 2.6.26 iptables: 1.4.2 ip: 192.168.1.21 I set up haproxy and with normal rules and configuration all works well! When I try to set the proxy transparent, adding in the configuration the line: source 0.0.0.0 usesrc clientip I have like result all connection 503 Service Unavailable In HAPROXY_SERVER I added this rules: --- iptables -t mangle -N DIVERT iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT ip rule add fwmark 1 lookup 100 ip route add local 0.0.0.0/0 dev lo table 100 --- And also I changed HAPROXY_SERVER sysctrls with: echo 1 /proc/sys/net/ipv4/conf/all/forwarding echo 1 /proc/sys/net/ipv4/conf/all/send_redirects echo 1 /proc/sys/net/ipv4/conf/eth0/send_redirects Where I'm wrong? Have you got any ideas? Thanks! Daniel I suspect that you forgot to change your servers' default gateway to point to the haproxy machine, and that they are responding directly to the client without passing through haproxy. Regards, Willy -- Regards, Malcolm Turnbull. Loadbalancer.org Ltd. Phone: +44 (0)870 443 8779 http://www.loadbalancer.org/
Re: session length when using cookies
Hank, thanks for the reply. I was not thinking of app-cookie (i.e. appsession) load balancing at this stage, but just a SERVERID cookie which stores the backend label. I guess the answer is that it depends on what cookies the app uses, and what their expiry date is. But what about source IP persistence as well? How do we configure the timeout for that? Thanks, James On 3 Sep 2009, at 17:47, Hank A. Paulson wrote: if you use haproxy with app-generated-cookie based balancing, it will continue to send requests with that cookie to that backend as long as that cookie exists and that backend is up - afaik. If you look at the cookie in a browser tool, what is the expiration time? If it is not, as long as you want you have to change the expiration time in your CMS that is creating the cookie. On 9/3/09 8:15 AM, James Little wrote: Hi All, I'm looking for some advice on how to achieve lengthly (2 hours+) persistence with cookie insertion. I know that by default the cookies do not expire, but we are concerned here with the actual session duration. For example, say we are dealing with a web-based CMS where the user wants to be logged in for hours, but is not necessarily refreshing the screen frequently. How do we ensure he stays logged in? I'm aware that HAProxy does not support http keep-alive. Is the 'clitimeout' setting the right way to go? Also interested in knowing the *default* persistence timeout. Any pointers greatly appreciated. James
