
Alright, so I have a server box with HAProxy installed and I need it to forward traffic to two MySQL servers. They are both located in completely different datacenters. It works when I have this removed from the config:

    source 0.0.0.0 usesrc clientip

However, when it is enabled I can't get a response from the MySQL servers.

I have these iptables rules on the HAProxy server:

    # Mark packets that belong to an existing local (transparent) socket and
    # route them to the local stack via table 100 so HAProxy receives the replies
    iptables -t mangle -N DIVERT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 111
    iptables -t mangle -A DIVERT -j ACCEPT
    ip rule add dev eth0 fwmark 111 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100

And no connection can be made. However, when I add this:

    iptables -A POSTROUTING -t nat -j MASQUERADE

It works but the client IP is not being sent, just the proxy IP.

The MySQL servers are configured to have the HAProxy server's ip as their default gateway.

I'm not sure if this is even possible, I've been messing with this for days.

My HAProxy config:

global
    log 127.0.0.1 local0 debug
    daemon

defaults
    log global
    retries 2
    #option dontlognull
    option tcp-smart-accept
    option tcp-smart-connect
    option tcplog
    option log-health-checks
    timeout connect 3000
    timeout server 5000
    timeout client 5000

frontend mysql-frontend
    # mode must match the backend; MySQL is raw TCP, not HTTP
    mode tcp
    # 'transparent' lets the socket bind and accept even if the address is not local
    bind 100.111.111.111:3306 transparent
    default_backend mysql-backend

backend mysql-backend
    mode tcp
    # connect to the backends using the real client address as source (needs TPROXY)
    source 0.0.0.0 usesrc clientip
    option mysql-check user haproxy_check
    server mysql1 192.111.111.111:3306 check
    server mysql2 200.111.111.111:3306 check

Route tables for one of the MySQL servers:

    Destination       Gateway           Genmask           Flags Metric Ref  Use Iface
    0.0.0.0           100.111.111.111   0.0.0.0           UG    2      0    0   eth0
    100.111.111.111   0.0.0.0           255.255.255.255   UH    2      0    0   eth0
    192.111.111.0     0.0.0.0           255.255.255.0     U     0      0    0   eth0
    127.0.0.0         0.0.0.0           255.0.0.0         U     0      0    0   lo

Sysctl for the HAProxy box:

    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.forwarding = 1
    net.ipv4.conf.all.accept_redirects = 1
    net.ipv4.conf.all.send_redirects = 1
    net.ipv4.conf.eth0.send_redirects = 1
    net.ipv4.ip_nonlocal_bind = 1
    net.ipv4.conf.default.rp_filter = 2
    net.ipv4.conf.default.accept_source_route = 0

The TProxy module is also compiled into HAProxy, and the required kernel modules are enabled as well.

There is also only one interface, eth0.

Please let me know what I'm doing wrong, or if this is even possible!

Thanks!

Rhododendron

1 Answer


Transparent mode requires that HAProxy be the default gateway of the backend servers. Remote servers won't work.

longneck
  • Is it not possible with a remote gateway? And how would I be able to do this then, as I need the origin IP? – Rhododendron Jul 08 '16 at 17:50
  • You don't. Pick a different solution. – longneck Jul 08 '16 at 17:52
  • What available solutions are there that can get me the origin IP in this instance? I can't find anything. – Rhododendron Jul 08 '16 at 17:53
  • With remote servers and the origin IP on the packet? None. – longneck Jul 08 '16 at 17:54
  • Would the most secure way then be to do it without the transparency, and just do whitelisting on HAProxy instead of MySQL and restrict access to the MySQL server to only the HAProxy server? – Rhododendron Jul 08 '16 at 17:55
  • This is one of those situations where you re-think the requirements. You have three things in play here: true origin IP, remote servers and a load balancer. Eliminate any one of those things and you have a workable solution. It's up to you to decide what's best. – longneck Jul 08 '16 at 17:57
  • Re: whitelisting. I'm not going to comment on "more secure". Security statements are best provided by someone with a complete view of the situation. – longneck Jul 08 '16 at 17:59
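The answer's point (with `usesrc clientip` the backend replies to the client's address, so that reply must physically re-enter HAProxy, which a gateway in another datacenter cannot guarantee) can be made concrete with a small routing model. This is an added example, not code from the original thread or from HAProxy. It replays the routing table posted above for one MySQL server and traces the backend's SYN-ACK in three situations: the topology as posted, the MASQUERADE workaround, and a hypothetical HAProxy on the backend's own LAN. The client address 203.0.113.10, the local-proxy address 192.111.111.1 and the assumption that mysql1's real layer-2 segment is 192.111.111.0/24 are constructed for the illustration; the proxy and backend addresses are the ones in the question.

```python
"""Return-path model for HAProxy 'source 0.0.0.0 usesrc clientip' (TPROXY).

Added example, not code from the original thread or from HAProxy. It replays
the routing table posted for one MySQL server and traces where that server's
SYN-ACK goes when the SYN arrived carrying the client's address as its source.
"""
import ipaddress
from dataclasses import dataclass

HAPROXY_IP = ipaddress.ip_address("100.111.111.111")  # from the question
MYSQL1_IP = ipaddress.ip_address("192.111.111.111")   # from the question
CLIENT_IP = ipaddress.ip_address("203.0.113.10")      # constructed (TEST-NET-3)

# Routing table of mysql1 as posted: (destination, gateway, genmask, iface).
# A gateway of 0.0.0.0 means "on-link": hand the frame directly to the destination.
MYSQL1_ROUTES = [
    ("0.0.0.0", "100.111.111.111", "0.0.0.0", "eth0"),
    ("100.111.111.111", "0.0.0.0", "255.255.255.255", "eth0"),
    ("192.111.111.0", "0.0.0.0", "255.255.255.0", "eth0"),
    ("127.0.0.0", "0.0.0.0", "255.0.0.0", "lo"),
]

# Constructed assumption: the layer-2 segment mysql1 really sits on. An ARP for
# any address outside it is answered, if at all, by the datacenter router, which
# then forwards the packet by its destination IP, not to the "gateway" we named.
MYSQL1_SEGMENT = ipaddress.ip_network("192.111.111.0/24")


@dataclass
class Verdict:
    route: str                 # routing entry that matched the reply's destination
    next_hop: str              # where mysql1's kernel hands the frame
    proxy_on_link: bool        # is the proxy reachable as itself at layer 2?
    via_proxy: bool            # does the reply actually pass through HAProxy?
    backend_sees_client: bool  # did the backend see the real client address?


def lookup(routes, dst):
    """Longest-prefix match over a netstat -rn style table; returns (net, gw, iface)."""
    best = None
    for dest, gw, mask, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def reply_path(routes, segment, backend_ip, proxy_ip, reply_dst, client_ip):
    """Trace the backend's SYN-ACK addressed to reply_dst."""
    net, gw, _iface = lookup(routes, reply_dst)
    next_hop = reply_dst if gw == "0.0.0.0" else ipaddress.ip_address(gw)
    proxy_on_link = proxy_ip in segment
    # The packet reaches HAProxy either because it is addressed to HAProxy
    # (plain destination routing) or because HAProxy is the on-link next hop
    # and can intercept it with the DIVERT/table-100 rules. A remote "gateway"
    # gives neither: the datacenter router forwards by destination, so the
    # SYN-ACK arrives at the client straight from backend_ip, matches no
    # socket there (the client connected to proxy_ip:3306) and is reset.
    via_proxy = reply_dst == proxy_ip or (next_hop == proxy_ip and proxy_on_link)
    return Verdict(str(net), str(next_hop), proxy_on_link, via_proxy,
                   reply_dst == client_ip)


def remote_proxy_case():
    """The question's topology: HAProxy in another datacenter named as default gateway."""
    return reply_path(MYSQL1_ROUTES, MYSQL1_SEGMENT, MYSQL1_IP, HAPROXY_IP,
                      CLIENT_IP, CLIENT_IP)


def masquerade_case():
    """The MASQUERADE workaround: the backend replies to HAProxy's own address."""
    return reply_path(MYSQL1_ROUTES, MYSQL1_SEGMENT, MYSQL1_IP, HAPROXY_IP,
                      HAPROXY_IP, CLIENT_IP)


def local_proxy_case():
    """Hypothetical fix: HAProxy on mysql1's own /24 (constructed address 192.111.111.1)."""
    local_proxy = ipaddress.ip_address("192.111.111.1")
    routes = [("0.0.0.0", str(local_proxy), "0.0.0.0", "eth0")] + MYSQL1_ROUTES[2:]
    return reply_path(routes, MYSQL1_SEGMENT, MYSQL1_IP, local_proxy,
                      CLIENT_IP, CLIENT_IP)


if __name__ == "__main__":
    for name, case in (("remote proxy (as posted)", remote_proxy_case),
                       ("masquerade", masquerade_case),
                       ("proxy on the backend's LAN", local_proxy_case)):
        print(f"{name}: {case()}")
```

Running it shows the three outcomes side by side: as posted, the reply takes the default route toward 100.111.111.111 but that address is not on mysql1's segment, so the packet never re-enters HAProxy (via_proxy False) even though the backend did see the client address; with MASQUERADE the reply is addressed to HAProxy itself and is delivered by ordinary destination routing, at the cost of the backend seeing only the proxy address; only with HAProxy on the backend's own LAN are both properties true at once, which is the trade-off the answer and its comments describe.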