
Transparent Proxy Issues w/ HAProxy Centos 7

Having issues following the steps to transparent proxying outlined here:

Howto transparent proxying and binding with HAProxy and ALOHA Load-Balancer | HAProxy Technologies – Aloha Load Balancer

I believe I have successfully done all the steps but am having issues with layer 4 TLS requests. The goal is, in TCP mode, to load balance HTTP requests on port 80 and port 443 onto the webserver, where the webserver terminates the TLS connections, BUT to have the webserver not see the haproxy box IP but the client IP. The link above is what I continually see referenced everywhere on the internet for accomplishing this. Currently HAProxy will not route requests if I have the line:

source 0.0.0.0 usesrc clientip 

included in the backend. Removing that line, however, haproxy routes correctly but the webserver sees the IP of the haproxy box, not the client.

Here is the relevant set up and configs:

bash> lsmod | grep -i tproxy
 xt_TPROXY              17327  0
 nf_defrag_ipv6         34651  2 xt_socket,xt_TPROXY
 nf_defrag_ipv4         12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

bash> sudo sysctl -p
 vm.swappiness = 0
 net.ipv4.ip_nonlocal_bind = 1
 net.ipv4.ip_forward = 1

bash> sudo iptables -L -n -t mangle
 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination
 DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
 [...]
 Chain DIVERT (1 references)
 target     prot opt source               destination
 MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

bash> ip rule show
 0: from all lookup local
 32762: from all fwmark 0x1 lookup 100 
 32766: from all lookup main
 32767: from all lookup default

bash> ip route show table 100
 local default dev lo  scope host

#haproxy.cfg
frontend layer4-listener
 bind *:80  transparent
 bind *:443 transparent
 bind *:3306
 bind *:8080
 mode tcp
 option      tcplog
 # note: http-request rules have no effect in mode tcp (HAProxy warns about them at startup)
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
 acl is_esp dst 10.10.130.79
 acl is_tls dst_port 443
 use_backend site_http if is_esp !is_tls
 use_backend site_https if is_esp is_tls
backend site_https
 mode tcp
 option tcpka
 option tcp-check
 #source 0.0.0.0 usesrc clientip ## load balancing only works when commented out
 server site_www1 www1.site.org:443  weight 1 check inter 2000 rise 2 fall 3
 server site_www2 www2.site.org:443  weight 1 check inter 2000 rise 2 fall 3

bash> haproxy -vv
 HA-Proxy version 1.5.4 2014/09/02
 Copyright 2000-2014 Willy Tarreau <w@1wt.eu>
 Build options :
 TARGET  = linux2628
 CPU     = generic
 CC      = gcc
 CFLAGS  = -O2 -g -fno-strict-aliasing
 OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

bash> uname -r
 3.10.0-229.4.2.el7.x86_64

From haproxy log:

Aug  5 13:06:24 localhost haproxy[61996]: 192.168.3.210:52248 [05/Aug/2015:13:05:44.815] layer4-listener site_https/site_www1 30002/-1/40001 0 sC 8/7/3/1/+3 0/0
    • The log line shows HAProxy could not establish a TCP connection on the server. It seems the server is not operational. Please add the keyword 'check' on the server lines, then try to understand why the servers aren't up. After this, we'll be able to see where your issue could come from. Baptiste
    • In the backend config I have both option tcp-check and check on the server line. The server is up, i.e. if I remove the source 0.0.0.0 usesrc clientip line it load balances; if I include that line it will not load balance.
    • Is there a way to determine if the loopback and/or firewall mark is happening? Or a way to use tcpdump or netstat to see if the request is even leaving the haproxy box or getting to the backend server?
    • More info: 1) A SYN packet from 10.10.130.31 (haproxy2) to 10.10.130.152 (site on web1). 2) A SYN-ACK packet from web1 back to haproxy2. 3) A RST packet from haproxy2 to web1.
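One way to answer the question in the comments about whether the firewall mark and the loopback route are actually in place, as an added example that is not part of the original post or its comments: a POSIX sh script that checks the four TPROXY prerequisites from the text of the command outputs shown above (function names and the sample values in the checks are my own), and in --live mode runs the same checks on the host and prints the tcpdump filter for watching the outgoing SYNs.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the four TPROXY
# prerequisites listed in the question. Each check takes the text of a command's
# output as $1, so it works on pasted output as well as on a live box.

# 'sysctl net.ipv4.ip_nonlocal_bind': HAProxy must be allowed to bind client IPs
check_nonlocal_bind() {
    printf '%s\n' "$1" | grep -Eq '^ *net\.ipv4\.ip_nonlocal_bind *= *1 *$'
}

# 'iptables -t mangle -L -n': PREROUTING jumps to DIVERT on the socket match,
# and DIVERT sets mark 0x1 (the mark the policy rule below keys on)
check_divert_chain() {
    printf '%s\n' "$1" | grep -Eq '^ *DIVERT +tcp .*socket' &&
    printf '%s\n' "$1" | grep -Eq '^ *MARK +all .*MARK set 0x1'
}

# 'ip rule show': packets carrying mark $2 (default 0x1) use table $3 (default 100)
check_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq "from all fwmark ${2:-0x1} lookup ${3:-100}"
}

# 'ip route show table 100': marked packets are delivered locally via lo
check_local_route() {
    printf '%s\n' "$1" | grep -Eq '^ *local default dev lo'
}

# Runs all four checks (args: sysctl, iptables, ip rule, ip route output);
# prints one line per check and returns the number of failed checks.
audit_tproxy() {
    failed=0
    if check_nonlocal_bind "$1"; then echo "ok   ip_nonlocal_bind=1"; else echo "FAIL ip_nonlocal_bind"; failed=$((failed+1)); fi
    if check_divert_chain "$2"; then echo "ok   mangle DIVERT chain"; else echo "FAIL mangle DIVERT chain"; failed=$((failed+1)); fi
    if check_fwmark_rule "$3"; then echo "ok   fwmark 0x1 -> table 100"; else echo "FAIL fwmark rule"; failed=$((failed+1)); fi
    if check_local_route "$4"; then echo "ok   table 100 local route"; else echo "FAIL table 100 route"; failed=$((failed+1)); fi
    return "$failed"
}

# Live mode (needs root): audit this host, then print the tcpdump filter that
# shows the source IP of SYNs leaving for port 443. With 'usesrc clientip'
# working they carry the client IP, not the proxy IP, and the web server's
# SYN-ACK must be routed back through this box or the connection never opens.
if [ "${1:-}" = "--live" ]; then
    audit_tproxy "$(sysctl net.ipv4.ip_nonlocal_bind)" "$(iptables -t mangle -L -n)" \
                 "$(ip rule show)" "$(ip route show table 100)"
    echo "then: tcpdump -ni any 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and port 443'"
fi
```

Run it as root with --live on the haproxy box; a SYN captured with the proxy's own address as source means the usesrc rewrite did not happen, while a SYN with the client address that gets no SYN-ACK back on this box points at the return path on the web server side.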
