Comments on: Configure HAProxy with TPROXY kernel for full transparent proxy http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/ When a single point of failure is not an option Fri, 30 Jul 2010 12:17:48 +0000 http://wordpress.org/?v=2.7.1 hourly 1 By: Daniel http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/comment-page-1/#comment-941 Daniel Thu, 18 Mar 2010 23:57:35 +0000 http://www.loadbalancer.org/blog/?p=106#comment-941 Hello Malcolm, I try to implement haproxy in transparent mode like in your how-to. I add rules in iptables, but when I try to access to the service, the result is "503 Service Unavailable". Without the line "source 0.0.0.0 usesrc clientip" all works correctly, obviously without transparency. Have you got any ideas? Where I'm wrong? Thanks! Daniel Hello Malcolm,
I try to implement haproxy in transparent mode like in your how-to.
I add rules in iptables, but when I try to access to the service, the result is “503 Service Unavailable”.
Without the line “source 0.0.0.0 usesrc clientip” all works correctly, obviously without transparency.
Have you got any ideas? Where I’m wrong?
Thanks! Daniel

]]> By: Bob Smith http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/comment-page-1/#comment-912 Bob Smith Tue, 02 Mar 2010 23:22:23 +0000 http://www.loadbalancer.org/blog/?p=106#comment-912 Here is my question. I have a simple setup with HAProxy and 2 backend servers. Works like a charm except that on these backend servers I look at the HTTP_HOST with RewriteCond to do various things. When I turn logging on it looks like the "Host" that I am getting is either the IP address or nothing. I have looked at the documentation, but any idea how I can get the backend server to "see" what the URL is? Here is my question. I have a simple setup with HAProxy and 2 backend servers. Works like a charm except that on these backend servers I look at the HTTP_HOST with RewriteCond to do various things. When I turn logging on it looks like the “Host” that I am getting is either the IP address or nothing. I have looked at the documentation, but any idea how I can get the backend server to “see” what the URL is?

]]> By: Anand Phulwani http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/comment-page-1/#comment-900 Anand Phulwani Mon, 01 Feb 2010 07:38:04 +0000 http://www.loadbalancer.org/blog/?p=106#comment-900 Dear Malcolm, After Reading The Documentation I Had An Hint That This Is An Inbound Proxy And Works For Basically For Web Server Managed In A Kind Of Cluster. So Actually This Is Just Different For What I Am Trying To Do With Squid. Thanks, Anand Dear Malcolm,

After Reading The Documentation I Had An Hint That This Is An Inbound Proxy And Works For Basically For Web Server Managed In A Kind Of Cluster.
So Actually This Is Just Different For What I Am Trying To Do With Squid.

Thanks,
Anand

]]> By: Malcolm Turnbull http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/comment-page-1/#comment-899 Malcolm Turnbull Sun, 31 Jan 2010 19:46:24 +0000 http://www.loadbalancer.org/blog/?p=106#comment-899 Anand, 1) I guess squid is an outbound proxy (standard) and HAProxy is an inbound proxy (reverse), like Pound. 2) Why would you be running Google talk servers? (this is a reverse proxy not outbound) 3) Yes, but I'm not sure exactly what you are after... 4) Not directly, but you just terminate the HTTPS with stunnel or Pound first...so yes. Anand,

1) I guess squid is an outbound proxy (standard) and HAProxy is an inbound proxy (reverse), like Pound.
2) Why would you be running Google talk servers? (this is a reverse proxy not outbound)
3) Yes, but I’m not sure exactly what you are after…
4) Not directly, but you just terminate the HTTPS with stunnel or Pound first…so yes.

]]> By: Anand Phulwani http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/comment-page-1/#comment-898 Anand Phulwani Sun, 31 Jan 2010 13:10:08 +0000 http://www.loadbalancer.org/blog/?p=106#comment-898 Dear Malcolm, I know its very stupid to ask such newbie questions but that is all what i have right now. 1) How is Haproxy different from squid. 2) Transparent squid does not works with gtalk, is that a problem with Haproxy too, if it runs with tproxy. 3) Does Haproxy support acl (based on time,based on url regex). 4) Can we also use acl on HTTPS or in other words how does Haproxy handles HTTPS. Your reply would indeed be a lot of help to me. Expecting your positive reply. Thanks, Anand Phulwani Dear Malcolm,

I know its very stupid to ask such newbie questions but that is all what i have right now.

1) How is Haproxy different from squid.
2) Transparent squid does not works with gtalk, is that a problem with Haproxy too, if it runs with tproxy.
3) Does Haproxy support acl (based on time,based on url regex).
4) Can we also use acl on HTTPS or in other words how does Haproxy handles HTTPS.

Your reply would indeed be a lot of help to me.
Expecting your positive reply.
Thanks,
Anand Phulwani

]]> By: Malcolm Turnbull http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/comment-page-1/#comment-889 Malcolm Turnbull Tue, 05 Jan 2010 13:09:15 +0000 http://www.loadbalancer.org/blog/?p=106#comment-889 Hanlin, Er... no idea.. It probably won't work with Apache on the same host as HAProxy... But If Apache is on the same host why do you need HAProxy anyway? Hanlin,

Er… no idea.. It probably won’t work with Apache on the same host as HAProxy… But If Apache is on the same host why do you need HAProxy anyway?

]]> By: hanlin http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/comment-page-1/#comment-868 hanlin Sat, 24 Oct 2009 15:48:53 +0000 http://www.loadbalancer.org/blog/?p=106#comment-868 Hello,I have got a probelm like this: haproxy bind on a public IP,the apache server is on the same machine with haproxy'server (haproxy's server have two eth with public and private ip) Whitout “source 0.0.0.0 usesrc clientip” it work. could they at the same machine? (please note: the other apache server is not on the same machine wich haproxy'server,and I have set the default gateway on the backend server to point at the internal interface on the haproxy instance,it can work) Have you got ideas? thanks Hello,I have got a probelm like this:
haproxy bind on a public IP,the apache server is on the same machine with haproxy’server (haproxy’s server have two eth with public and private ip)
Whitout “source 0.0.0.0 usesrc clientip” it work.
could they at the same machine?

(please note: the other apache server is not on the same machine wich haproxy’server,and I have set the default gateway on the backend server to point at the internal interface on the haproxy instance,it can work)

Have you got ideas?
thanks

]]> By: Malcolm Turnbull http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/comment-page-1/#comment-854 Malcolm Turnbull Fri, 25 Sep 2009 10:05:18 +0000 http://www.loadbalancer.org/blog/?p=106#comment-854 You need something more like: <code>frontend blah acl notsms url_sub !sms use_backend backend1 acl sms url_sub sms use_backend backend2 backend backend1 source 0.0.0.0 usesrc clientip server server1 x.x.x.x:10000 cookie XXX.COM check</code> <em>NB. I haven't tested this just off the top of my head....</em>. Check out the HAProxy manual and mailing list for more specific help on ACLs... You need something more like:

frontend blah
acl notsms url_sub !sms use_backend backend1
acl sms url_sub sms use_backend backend2

backend backend1
source 0.0.0.0 usesrc clientip
server server1 x.x.x.x:10000 cookie XXX.COM check

NB. I haven’t tested this just off the top of my head…..
Check out the HAProxy manual and mailing list for more specific help on ACLs…

]]> By: Malcolm Turnbull http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/comment-page-1/#comment-853 Malcolm Turnbull Fri, 25 Sep 2009 09:52:32 +0000 http://www.loadbalancer.org/blog/?p=106#comment-853 Willy suggests starting HAProxy as root because it can then jail itself in a chroot and drop all of its privileges before starting the instances. This is not possible if it is not started as root because only root can execute chroot() Willy suggests starting HAProxy as root because it can then jail itself in a chroot and drop all of its privileges before starting the instances. This is not possible if it is not started as root because only root can execute chroot()

]]> By: Gael http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/comment-page-1/#comment-849 Gael Thu, 17 Sep 2009 17:43:54 +0000 http://www.loadbalancer.org/blog/?p=106#comment-849 Hi Malcolm and thanks for your brilliant article! I have wasted a couple of days trying to debug the kernel which was throwing SOFT LOCKUP bugs. After investigation it was down to having 2 vCPU in the VM (from VMWare) I was using. Moving back to only one vCPU did the trick. Hope this can help someone else! In your post, you have commented the following line: # uid 99 # gid 99 Therefore, haproxy is running as root. I know it produces the following error if haproxy is run with another user then root: "Starting haproxy: [ALERT] 259/184020 (3497) : [/usr/sbin/haproxy.main()] Some configuration options require full privileges, so global.uid cannot be changed." So it seems compulsory to run haproxy as root. I am now wondering if this can cause any problem related to using root to run haproxy. Thanks in advance for your answer! Gael Hi Malcolm and thanks for your brilliant article!

I have wasted a couple of days trying to debug the kernel which was throwing SOFT LOCKUP bugs. After investigation it was down to having 2 vCPU in the VM (from VMWare) I was using. Moving back to only one vCPU did the trick. Hope this can help someone else!

In your post, you have commented the following line:
# uid 99
# gid 99

Therefore, haproxy is running as root.

I know it produces the following error if haproxy is run with another user then root:
“Starting haproxy: [ALERT] 259/184020 (3497) : [/usr/sbin/haproxy.main()] Some configuration options require full privileges, so global.uid cannot be changed.”

So it seems compulsory to run haproxy as root.
I am now wondering if this can cause any problem related to using root to run haproxy.

Thanks in advance for your answer!

Gael

]]>