RE: TPROXY + Heartbeat

From: John Lauro <john.lauro#covenanteyes.com>
Date: Tue, 27 Sep 2011 19:39:50 -0400 (EDT)


As an example setup for some of our systems: my haresources file has:
hawebcl1 IPaddr2::xx.xx.xx.77/24/eth0

Actual IPs are xx.xx.xx.78 and xx.xx.xx.79 on the haproxy boxes.

The real gateway is .1.

So both haproxy hosts have the mangle setup for tproxy, gateway as .1, etc...
All the backend servers have .77 as their default gateway instead of .1.

I leave haproxy running on both. It means both constantly poll the backend servers, but why bother having heartbeat start/stop it...

The only minor annoying part is that you must specify the unique IP on the source lines in the haproxy config, which makes it slightly harder to keep them in sync, i.e.:
source xx.xx.xx.78 usesrc client
If you have heartbeat stop/start haproxy, you could probably just use the shared IP for a common config file.

Both haproxys (active and passive) and all backend servers can access the internet fine for updates/etc. All outgoing traffic relays through the active haproxy box just like incoming traffic, but not a problem... That's for those set up on public IPs.

We have some servers set up in multiple datacenters behind an anycast network. For those it's set up much the same, except the backend servers have a 2nd NIC with a private IP address, and we then use policy based routing on each backend server so that outgoing traffic originating from those goes to a separate NAT server, and traffic from the haproxy goes back via that... We have to do the split because of the anycast, as we have to originate from a regular public IP instead of one from the anycast IP...

You could probably do it with NAT for outgoing traffic tied to the source IP of the private NAT, but I haven't tried that and doubt running NAT on the server running haproxy would be a good idea for anything but light load...

> -----Original Message-----
> From: Jason J. W. Williams [mailto:jasonjwwilliams#gmail.com]
> Sent: Tuesday, September 27, 2011 6:13 PM
> To: John Lauro
> Cc: haproxy#formilux.org
> Subject: Re: TPROXY + Heartbeat
>
> Hey John,
>
> Thanks for the quick response. That's great to know. So both the VIPs
> and the shared IP your backends use as their default gateway fail over
> well?
>
> Is your HAProxy pair the actual network boundary box between the
> subnets, or is it just the default gateway for your backends and the
> pair relay off the real subnet gateway? (any issues with utility
> traffic originating from the backend servers like package updates
> running through HAProxy pair as the default gw?)
>
> Thank you so much for your help!
>
> -J
>
> On Tue, Sep 27, 2011 at 4:09 PM, John Lauro <john.lauro#covenanteyes.com>
> wrote:
> > Works great. I have several pairs of vm haproxy servers in transparent mode
> > and running heartbeat to take over the shared IP.
> >
> >
> >> -----Original Message-----
> >> From: Jason J. W. Williams [mailto:jasonjwwilliams#gmail.com]
> >> Sent: Tuesday, September 27, 2011 3:46 PM
> >> To: haproxy#formilux.org
> >> Subject: TPROXY + Heartbeat
> >>
> >> Hello,
> >>
> >> Is anyone running redundant HAProxy servers that use TPROXY for
> >> transparent proxying (preserve source IP) and use Heartbeat for
> >> failover of VIPs and shared interface IPs? We're curious if you run
> >> into issues due to the combination of shared IPs and TPROXY? Thank you in
> >> advance.
> >>
> >> -J
> >
> >
Received on 2011/09/28 01:39
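The setup John describes above, as an added example (not his actual configuration, nor anything shipped with HAProxy or Heartbeat): a POSIX shell script that renders the host-specific pieces of a TPROXY + Heartbeat pair, the mangle/policy-routing rules that are the same on both HAProxy hosts and a listen section that binds to the Heartbeat-managed VIP but sources from the host's own address, so one template can be deployed to both boxes without hand-editing the source line. Addresses are assumed from the 192.0.2.0/24 documentation range (.77 VIP, .78/.79 hosts, .1 gateway); the interface name, backend addresses and function names are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's config. Assumed addressing (RFC 5737
# documentation range standing in for xx.xx.xx.*): VIP .77 held by Heartbeat,
# .78 and .79 are the two HAProxy hosts, .1 is the real gateway.

# This host's own IPv4 address on an interface (first global-scope address).
# Because haproxy runs on both hosts at once, the 'source' line must name an
# address the host really owns; the VIP exists only on the active node.
host_ip() {
  ip -4 -o addr show dev "$1" scope global | awk '{sub("/.*", "", $4); print $4; exit}'
}

# Mangle and policy-routing rules for TPROXY; identical on both hosts, so they
# are printed here and applied on each box with: tproxy_rules | sh
tproxy_rules() {
  cat <<'EOF'
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
}

# Render the listen section: bind on the shared VIP, source from this host's
# unique IP with 'usesrc client' so the backend sees the client's address
# (needs haproxy built with TPROXY support and running as root / CAP_NET_ADMIN).
render_listen() {  # $1 = this host's IP, $2 = VIP
  if [ "$1" = "$2" ]; then
    echo "refusing to use the shared VIP $2 as the source address" >&2
    return 1
  fi
  cat <<EOF
listen web
    bind ${2}:80
    mode tcp
    source ${1} usesrc client
    server app1 192.0.2.10:80 check
    server app2 192.0.2.11:80 check
EOF
}

# Usage: sh tproxy-ha.sh render [iface] [vip]   (prints the haproxy section)
if [ "${1:-}" = render ]; then
  render_listen "$(host_ip "${2:-eth0}")" "${3:-192.0.2.77}"
fi
```

The backends still need the VIP (.77) as their default gateway, as in the thread, so return traffic passes back through whichever HAProxy host currently holds it.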

This archive was generated by hypermail 2.2.0 : 2011/09/28 01:45 CEST