HAProxy TCP Transparent Mode Remote Servers
Alright so I have a server box with HAProxy installed and I need it to forward traffic to two MySQL servers. They are both located in completely different datacenters. It works when I have this removed from the config:

    source 0.0.0.0 usesrc clientip

However, when enabled I can't get a response from the MySQL servers.

I have these iptables rules on the HAProxy server:

    iptables -t mangle -N DIVERT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 111
    iptables -t mangle -A DIVERT -j ACCEPT
    ip rule add dev eth0 fwmark 111 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100

And no connection can be made. However, when I add this:

    iptables -A POSTROUTING -t nat -j MASQUERADE

It works but the client IP is not being sent, just the proxy IP.

The MySQL servers are configured to have the HAProxy server's IP as their default gateway.

I'm not sure if this is even possible, I've been messing with this for days.

My HAProxy config:

    global
        log 127.0.0.1 local0 debug
        daemon

    defaults
        log global
        retries 2
        #option dontlognull
        option tcp-smart-accept
        option tcp-smart-connect
        option tcplog
        option log-health-checks
        timeout connect 3000
        timeout server 5000
        timeout client 5000

    frontend mysql-frontend
        bind 100.111.111.111:3306 transparent
        default_backend mysql-backend

    backend mysql-backend
        mode tcp
        source 0.0.0.0 usesrc clientip
        option mysql-check user haproxy_check
        server mysql1 192.111.111.111:3306 check
        server mysql2 200.111.111.111:3306 check

Route table for one of the MySQL servers:

    Destination      Gateway          Genmask          Flags Metric Ref Use Iface
    0.0.0.0          100.111.111.111  0.0.0.0          UG    2      0   0   eth0
    100.111.111.111  0.0.0.0          255.255.255.255  UH    2      0   0   eth0
    192.111.111.0    0.0.0.0          255.255.255.0    U     0      0   0   eth0
    127.0.0.0        0.0.0.0          255.0.0.0        U     0      0   0   lo

Sysctl for the HAProxy box:

    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.forwarding = 1
    net.ipv4.conf.all.accept_redirects = 1
    net.ipv4.conf.all.send_redirects = 1
    net.ipv4.conf.eth0.send_redirects = 1
    net.ipv4.ip_nonlocal_bind = 1
    net.ipv4.conf.default.rp_filter = 2
    net.ipv4.conf.default.accept_source_route = 0

The TProxy module is also compiled into HAProxy, and the required kernel modules are enabled as well.

There is also only one interface, eth0.

Please let me know what I'm doing wrong, or if this is even possible!

Thanks!

Tags: haproxy, transparent-proxy
asked Jul 8 '16 at 16:50 by Rhododendron, edited Jul 8 '16 at 16:56
1 Answer
Transparent mode requires that the haproxy be the default gateway of the backend servers. Remote servers won't work.
answered Jul 8 '16 at 17:48 by longneck, edited Jul 14 '16 at 19:01
Comments:

Is it not possible for a remote gateway? And how would I be able to do this then, as I need the origin IP? – Rhododendron, Jul 8 '16 at 17:50

You don't. Pick a different solution. – longneck, Jul 8 '16 at 17:52

What available solutions are there that can get me the origin IP in this instance? I can't find anything. – Rhododendron, Jul 8 '16 at 17:53

With remote servers and the origin IP on the packet? None. – longneck, Jul 8 '16 at 17:54

This is one of those situations where you re-think the requirements. You have three things in play here: true origin IP, remote servers and a load balancer. Eliminate any one of those things and you have a workable solution. It's up to you to decide what's best. – longneck, Jul 8 '16 at 17:57
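To see why the answer's requirement bites here, the following added example (not code from the question or the answer) parses the remote MySQL server's route table from the question and checks whether that server's reply to a client can actually be handed to HAProxy; it works for any netstat -rn style table, and the client address and the second, on-segment table are constructed for contrast.

```python
import ipaddress

PROXY_IP = ipaddress.ip_address("100.111.111.111")   # HAProxy box, from the question
CLIENT_IP = ipaddress.ip_address("203.0.113.10")     # constructed client address

# Route table of the remote MySQL server, copied from the question (netstat -rn layout).
REMOTE_TABLE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 100.111.111.111 0.0.0.0 UG 2 0 0 eth0
100.111.111.111 0.0.0.0 255.255.255.255 UH 2 0 0 eth0
192.111.111.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
"""

# Constructed contrast case: a backend on the proxy's own segment, so the proxy
# is a directly attached next hop (the setup the answer says transparent mode needs).
LOCAL_TABLE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 100.111.111.111 0.0.0.0 UG 0 0 0 eth0
100.111.111.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
"""

def parse_routes(text):
    """Return (network, gateway or None, iface) per route; the header line is skipped."""
    routes = []
    for line in text.splitlines()[1:]:
        dest, gw, mask, flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, ipaddress.ip_address(gw) if "G" in flags else None, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the route the backend's kernel uses for dst."""
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def gateway_is_adjacent(routes, gateway, iface):
    """A next hop is reachable on the wire only if a directly connected subnet of
    the same interface contains it. The lone /32 host route in the question
    declares a box in another datacenter 'on-link' but does not make it adjacent."""
    return any(gw is None and ifc == iface and net.prefixlen < 32 and gateway in net
               for net, gw, ifc in routes)

def reply_reaches_proxy(routes, client_ip, proxy_ip):
    """True only when the backend hands its reply to the proxy as an attached
    next hop. Otherwise the reply (dst = the spoofed client IP) is forwarded by
    the remote datacenter's router by destination, straight to the client,
    bypassing HAProxy's TPROXY socket; the client never opened a connection
    with the backend's address and resets it."""
    route = lookup(routes, client_ip)
    if route is None or route[1] is None:
        return False
    _net, gateway, iface = route
    return gateway == proxy_ip and gateway_is_adjacent(routes, gateway, iface)

if __name__ == "__main__":
    for name, table in (("remote backend", REMOTE_TABLE), ("local backend", LOCAL_TABLE)):
        ok = reply_reaches_proxy(parse_routes(table), CLIENT_IP, PROXY_IP)
        print(f"{name}: reply to client passes through HAProxy -> {ok}")
```

With the question's table the check fails even though HAProxy is nominally the default gateway, which is the situation the answer describes; with MASQUERADE the reply is addressed to the proxy itself, so the path question disappears along with the origin IP.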