HAProxy TCP Transparent Mode Remote Servers

Tags: haproxy, transparent-proxy

Alright, so I have a server box with HAProxy installed and I need it to forward traffic to two MySQL servers. They are both located in completely different datacenters. It works when I have this removed from the config:
source 0.0.0.0 usesrc clientip
However, when it is enabled I can't get a response from the MySQL servers.

I have these IPTables rules on the HAProxy server:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 111
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add dev eth0 fwmark 111 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

And no connection can be made. However, when I add this:
iptables -A POSTROUTING -t nat -j MASQUERADE

It works but the client IP is not being sent, just the proxy IP.

The MySQL servers are configured to have the HAProxy server's IP as their default gateway.

I'm not sure if this is even possible; I've been messing with this for days.

My HAProxy config:

global
    log 127.0.0.1 local0 debug
    daemon

defaults
    log global
    retries 2
    #option dontlognull
    option tcp-smart-accept
    option tcp-smart-connect
    option tcplog
    option log-health-checks
    timeout connect 3000
    timeout server 5000
    timeout client 5000

frontend mysql-frontend
    bind 100.111.111.111:3306 transparent
    default_backend mysql-backend

backend mysql-backend
    mode tcp
    source 0.0.0.0 usesrc clientip
    option mysql-check user haproxy_check
    server mysql1 192.111.111.111:3306 check
    server mysql2 200.111.111.111:3306 check

Route tables for one of the MySQL servers:

Destination      Gateway          Genmask          Flags Metric Ref Use Iface
0.0.0.0          100.111.111.111  0.0.0.0          UG    2      0   0   eth0
100.111.111.111  0.0.0.0          255.255.255.255  UH    2      0   0   eth0
192.111.111.0    0.0.0.0          255.255.255.0    U     0      0   0   eth0
127.0.0.0        0.0.0.0          255.0.0.0        U     0      0   0   lo

Sysctl for the HAProxy box:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.default.accept_source_route = 0

The TProxy module is also compiled into HAProxy, and the required kernel modules are enabled as well.

There is also only one interface, eth0.

Please let me know what I'm doing wrong, or if this is even possible!

Thanks!

Best Answer

Transparent mode requires that HAProxy be the default gateway of the backend servers. Remote servers won't work.
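The answer's condition can be checked from the proxy box itself: a backend can only use the proxy as its default gateway if it sits on a subnet the proxy is directly connected to. The script below is an added example, not from the original post or from HAProxy; the route table it parses and the backend addresses are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): classify each HAProxy backend as
# on-link or via-gateway using the proxy box's own route table. Transparent mode
# (source 0.0.0.0 usesrc clientip) only works for on-link backends, because the
# proxy must be the backend's default gateway for reply packets to come back
# through it. The route table and backend addresses below are constructed.

# Constructed netstat -rn style table for the HAProxy box (single eth0).
SAMPLE_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         100.111.111.1   0.0.0.0         UG    0      0   0   eth0
100.111.111.0   0.0.0.0         255.255.255.0   U     0      0   0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo'

# Dotted quad -> 32-bit integer (assumes 64-bit shell arithmetic).
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# backend_on_link ROUTES IP: prints "on-link" if IP falls inside a directly
# connected (Gateway 0.0.0.0) non-default, non-loopback route, else "via-gateway".
backend_on_link() {
    target=$(ip2int "$2")
    hit=$(printf '%s\n' "$1" | while read -r dest gw mask _rest; do
        case "$dest" in Destination|0.0.0.0|127.0.0.0) continue ;; esac
        [ "$gw" = "0.0.0.0" ] || continue
        d=$(ip2int "$dest"); m=$(ip2int "$mask")
        if [ $(( target & m )) -eq $(( d & m )) ]; then
            echo "$dest/$mask"; break
        fi
    done)
    if [ -n "$hit" ]; then echo on-link; else echo via-gateway; fi
}

# Walk the two remote backends from the post plus one constructed local host:
# the remote MySQL servers are reached through the default gateway, so the
# proxy can never be their next hop and transparent mode cannot work for them.
for backend in 192.111.111.111 200.111.111.111 100.111.111.50; do
    printf '%-16s %s\n' "$backend" "$(backend_on_link "$SAMPLE_ROUTES" "$backend")"
done
```

On a real box, replace SAMPLE_ROUTES with the output of `netstat -rn` (same column layout) to get the same verdict for your own backends.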