Re: cttproxy

From: Willy Tarreau <>
Date: Sat, 29 Nov 2008 21:42:54 +0100

On Fri, Nov 28, 2008 at 03:44:51PM +0000, James wrote:
> Hi,
> I've spent the last couple of days on this. We're using haproxy on a
> CentOS 5.2 machine, and that works fine however we now want to make use
> of cttproxy, so I grabbed the latest patch from the site, patched the
> relevant kernel version ( lsmod returns a tproxy module:
> [root#haproxy haproxy-]# lsmod | grep tproxy
> nf_tproxy_core 7168 1 xt_TPROXY,[permanent]
> [root#haproxy haproxy-]#
> Which I would assume is correct? (It's the only module with the word
> tproxy in the name in the whole of /lib/modules)
> So, I try to fire up haproxy (compiled with USE_CTTPROXY) and it returns

Be careful, there are several CTTPROXY versions :

In doubt, enable both.

> [root#haproxy haproxy-]# ./haproxy -f examples/cttproxy-src.cfg
> [WARNING] 332/153721 (8424) : parsing [examples/cttproxy-src.cfg:33]:
> keyword 'redispatch' is deprecated, please use 'option redispatch' instead.
> [WARNING] 332/153721 (8424) : Parsing [examples/cttproxy-src.cfg:47]:
> proxy 'sample1' has same name as another proxy.
> [WARNING] 332/153721 (8424) : parsing [examples/cttproxy-src.cfg:52]:
> keyword 'redispatch' is deprecated, please use 'option redispatch' instead.
> [ALERT] 332/153721 (8424) : [./haproxy.main()] Cannot enable cttproxy.
> Make sure you have enough permissions and that the module is loaded.
> [root#haproxy haproxy-]#

You also need to have 'uid 0' in your global configuration in order to use cttproxy. The reason is that the system prevents random users from binding to foreign IP addresses.

> I've also patched, and recompiled iptables for good measure and that's
> not helped - I know there's warnings on that output - but the main cause
> for concern is the alert. I do notice, however, that the module names at
> the top of the example config file aren't present in my kernel, could it
> be that the modules have been renamed and haproxy needs updating to
> reflect this?

No, haproxy does not know about the modules. It tries to bind to the sockets, and complains if this fails. I've read somewhere else on this list about someone recently setting up cttproxy on RH5. It was not easy (I don't remember the details), but you might want to check the archives.

> Does anyone have any ideas on what is causing this, or any pointers on
> how to fix? I don't feel it's relevant to include the config file as
> it's just the example config file, and I'm not sure what else I can
> include to give you more information.

It always helps in a report anyway. As does the version.

Just in case, recompile with both options above, with luck it will help.

willy Received on 2008/11/29 21:42

This archive was generated by hypermail 2.2.0 : 2008/11/29 21:45 CET