On Wed, Jun 25, 2008 at 1:02 PM, Willy Tarreau <w#1wt.eu> wrote:
>
> On Tue, Jun 24, 2008 at 01:57:45PM +0100, lists wrote:
> > Any help appreciated:
> >
> > I've compiled ctproxy into a 2.6.25 kernel and enabled the options in
> > make menuconfig.
>
You mean tproxy (the file you downloaded would be tproxy-kernel-2.6.25-*)? If so, I would be in the same situation as you.
>
> > Also patched netfilter (but do I even need to do this?)
>
> Last time I checked, yes it was needed to patch netfilter. But keep in
> mind that I have *not* yet tried tproxy v4.
>
> > Then compiled haproxy 1.3.15 with transparency, got a working config
> > with real servers using haproxy node as the default gateway.
> > Then added the line:
> > source 192.168.2.134 usesrc clientip
> > and now it just hangs with a blank page? Any ideas where I'm going
> > wrong? (something fundamental probably)
>
> What do the logs say? A blank page can be so many things! Also,
> I think you'll have to provide a tcpdump trace of both sides.
>
For me, my tcpdumps show the packets going through to the real servers with the client's IP, and the real servers SYN-ACK-ing back - but the haproxy machine does not ever send an ACK back to the real server (so the connection never opens).
>
> > Do I need iptables rules? do I need to insmod anything?
>
> Normally not (but maybe I missed something in the doc).
> BTW, are you sure that your servers have their default gateway set to
> route via your load-balancer ?
>
I've got this done as well. And modprobed xt_TPROXY as well. + echo 1 > /proc/sys/net/ipv4/ip_forward (if that helps).
>
> > tried source 0.0.0.0 usesrc clientip with the same result.
> >
> > global
> > uid 99
> > gid 99
> ^^^^^^^^
> Try leaving those both to 0. I have memories of tproxy-v2 requiring to
> be run as root in order to bind to a remote IP address.
>
> Regards,
> Willy
>
I'm running as root (just to be sure) - but haproxy (see earlier description of TCP handshake) still fails...
-jf
--
In the meantime, here is your PSA:
"It's so hard to write a graphics driver that open-sourcing it would not help."
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228

Received on 2008/06/30 07:14