Firewall Ports + HaProxy

firewallhaproxy

Using HaProxy as a SSH load balancer, We have HaProxy running in IP1:2222 and redirecting to IP1:2223-2233 and IP2:2223-2233.

In this case, do I need to open Firewall Ports from

Source IP:2222,2223-2233 to IP1:2223-2233 and IP2:2223-2233
or
Source IP:2222 to IP1:2222 and IP1:2222 to IP1:2223-2233 and IP2:2223-2233?

When I trace the route I don't see the request forwarding from LB to actual targets in the sftp/ssh -vvv logs.

Best Answer

I assume haproxy IP is IP. In that case on your firewall you need to allow any port with source as IP to destination IP1:2223-2233 or destination IP2:2223-2233 Similarly allow traffic to haproxy destination IP:2222 from any port in your required source subnet In short source ports will be random >1024 picked by os based on availability. Source port won't be the same 2222

Related Solutions

HAProxy Balance Source – Alternative Options

Here's how I solved my problem.

frontend name_of_frontend
    bind *:20000-20010
    default_backend     servers

backend servers
    balance roundrobin
    stick-table type integer size 1k expire 3h
    stick on dst_port
    server name ip-address check maxconn 1
    ...
    server name ip-address check maxconn 1

Willy warned in a previous answer's comment that it "will not guarantee that each client will go to a different port".

In my specific case, I have complete control over my 'clients'. The only reason I am pointing them at different ports on the proxy server is so that I can identify them as different clients. This is most definitely not a 'public' system.

HAProxy – Forwarding Client IP Address to Servers

I solved this problem. May be it was not a problem from the beginning. I made google search when I faced this problem, and I saw that

option forwardfor

line in order to use in haproxy.cfg file and also other options. I tried those options including recompiling the haproxy... But the real problem related to learning real client's IPs on web servers is not sourced from HAproxy, it is about reading headers by server scripts, in our case this scripting language is PHP.

I try to learn client's IPs by these commands

echo 'Client IP: '.$_SERVER["REMOTE_ADDR"];
echo 'Client IP: '.$_SERVER["HTTP_CLIENT_IP"];

and these commands displays loadbalancer's IP. This is correct but that is not what I am expected. Despite the forwardfor option these commands, gave me loadbalancer's IP

By using forwardfor option we make enable HAproxy to insert the x-forwarded-for header into client's requests sent to our web servers. HAproxy put this field to header but I have ignored this. Today I realized that this is a header field and I have to read this header like this

echo 'Client IP: '.$_SERVER["HTTP_X_FORWARDED_FOR"];

With this command I got the client's IP address not loadbalancer's IP address.

But my offer is in order to get the header data to investigate the other information is getallheaders() function for PHP.

//from php.net http://php.net/manual/en/function.getallheaders.php
foreach (getallheaders() as $name => $value) {
    echo "$name: $value<br>\n";
}

End of all my last haproxy.cfg file is like below.

global
    maxconn 100000
    uid 99
    gid 99
    daemon

defaults
    option forwardfor except 127.0.0.1
    mode    http
    contimeout  5000
    clitimeout  50000
    srvtimeout  50000

listen  myWeb 0.0.0.0:80
    mode http
    balance source
    option forwardfor
    option http-server-close
    stats enable
    stats refresh 10s
    stats hide-version
    stats scope   .
    stats uri     /lb?stats
    stats realm   LB2\ Statistics
    stats auth admin:passwd

    server  S1 192.168.1.117:80 check inter 2000 fall 3
    server  S2 192.168.1.116:80 check inter 2000 fall 3
    server  S3 192.168.1.118:80 check inter 2000 fall 3

Nevertheless I have many missing things about HAproxy like what is the meaning uid or gid.

Best Answer

Related Solutions

HAProxy Balance Source – Alternative Options

HAProxy – Forwarding Client IP Address to Servers

Related Topic