Re: Transparent haproxy

From: Willy Tarreau <w#1wt.eu>
Date: Mon, 4 Feb 2008 21:44:44 +0100


On Mon, Feb 04, 2008 at 09:53:20PM +0200, Reinis Rozitis wrote:
> Hello,
> before trying to setup haproxy to use the clients' IPs I wanted to clarify a few
> questions:
>
> Does Haproxy work with the new tproxy4?

Yes, it should. However, I've not tried it yet, but on a different implementation I did for kernel 2.4, I tried to follow their API so that we can use tproxy4 on 2.6 and my patch on 2.4 without changing the code.

> Because on the site there is a reference to cttproxy which I think is not
> maintained by Balabit anymore (at least the patchset ends at the 2.6.20 kernel)
> (or am I wrong?).

No, you're right. I was angry at first, until I noticed that the new one is much, much cleaner!

> I am a bit confused about the Makefile:
> # USE_CTTPROXY : enable CTTPROXY on Linux (needs kernel patch).
> # USE_TPROXY : enable transparent proxy. Automatic.
>
> Which option actually enables what?

None; you need this one instead:

# USE_LINUX_TPROXY : enable full transparent proxy (need kernel patch).

> You still need to use iptables and prerouting right? Or can haproxy spoof
> the IP on its own?

From what I understood from the patch, you still need iptables, but just to have the tproxy module loaded, nothing else. It automatically enables session lookup; it's done as a netfilter hook. In my 2.4 version, iptables is not needed at all, everything is done in ip_forward instead of netfilter, but the concepts are the same.

> Is there any guide or quick howto on the installation steps?

I've not seen one yet. I think that you just have to patch and build your kernel, then load iptable_tproxy and you should be done. With this, you should be able to bind to any address and receive incoming traffic, as well as connect from any address, including the client's (with "usesrc clientip").

Take a look at the latest doc in 1.3.14.2 (or on the web site); I think almost everything is there for the haproxy side.

Regards,
Willy

Received on 2008/02/04 21:44
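The haproxy side of what Willy describes, as an added example and not a configuration from the original message or from the haproxy project: a TCP listener whose outgoing connections are opened from the client's own address with "usesrc clientip", built with the USE_LINUX_TPROXY flag the mail names. The addresses, the backend name and the timeouts are constructed for illustration; the build command assumes a 1.3.14.x Makefile with the linux26 target.

```haproxy
# Build (assumed 1.3.14.x Makefile, kernel patched with tproxy4):
#   make TARGET=linux26 USE_LINUX_TPROXY=1
# Kernel side, as the mail says: the iptables tproxy module must be loaded:
#   modprobe iptable_tproxy

global
    daemon

defaults
    mode    tcp
    timeout connect 5s
    timeout client  30s
    timeout server  30s

listen web_transparent
    # haproxy's own address (documentation range, constructed)
    bind 192.0.2.10:80
    balance roundrobin
    # Open server-side connections from the client's source IP instead of
    # haproxy's. This is the "usesrc clientip" the mail refers to.
    source 0.0.0.0 usesrc clientip
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
```

Because the servers now see the client's IP as the source, their return traffic is addressed to the client, not to haproxy; the servers' route back to the client must therefore pass through the haproxy host (typically by making it their default gateway), or the replies bypass the proxy and the connection never completes. That routing requirement is the main thing to check before switching a working non-transparent setup to "usesrc clientip".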
