I have been trying for some days and still have no luck with getting transparent TCP load balancer to work using HAproxy/NGINX.
The problem is: everything works correctly, until i try to enable transparency. Both NGINX and HAproxy do load balance, but give localhost as user IP.
What i tried to change this:
-
Changed them to run as root.
-
For NGINX:
-
Tried using this article:
https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/#upstream-reach-external -
Configured iptables, added routing table, etc. The part about "default gateway should be the NGINX server ip" i don't get, because NGINX and apps are running on the same machine without any containers.
-
-
For HAproxy:
- Setting up iptables and changing sysctl forward options according to the article: https://www.loadbalancer.org/blog/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/
- However, i don't get the part about "However if the clients source IP address is going to be used then the HAProxy server MUST BE IN THE PATH of the return traffic." for the same reason as NGINX.
So, the general question is: i have HAproxy/NGINX load balancing on x.x.x.x:30000. On the same machine, i have apps at x.x.x.x:30001 and x.x.x.x:30002.
How can i load balance this configuration? Which additional routing rules are required? Do i need to create a virtual subnet for some rerouting? Because as of now it seems like load balancer can connect to the app, but can't get the answer back to the user.
Best Answer
I'm not sure you can do it on the same host.
TPROXY is complicated at the best of times. I've only ever seen it working well with two seperate subnets AND seperate hosts (virtual or physical).
Are you sure that you cant just use something simpler like DSR mode?
I know LVS DSR works on the same host.
Or what about HAPROXY PROXY PROTOCOL (if you app supports it).
In theory I guess TPROXY should be possible on a single host, so maye someone clever will answer :-).