On Tue, Aug 05, 2008 at 12:21:09PM -0600, Caleb Anthony wrote:
> > I really need to try those patches again :-)
>
>
> I know what you mean. I'm not toally sure if this is a TProxy problem or
> HAProxy problem. ;-)
My real problem is that we still have no success report of Tproxy4, mostly by lack of necessity and tests.
> Attached is an strace of HAproxy, and a tcpdump of the traffic. In the
> tcpdump 10.193.67.9 is the client, 10.193.67.17 is the server running
> HAProxy, and 10.35.154.142 is the backend web server. I noticed that in the
> tcpdump that the client to HAproxy looks ok, but the communication from
> HAproxy to the backend server isn't working. HAProxy sends out 8 requests
> with the spoofed cleint ip (10.193.67.9),
OK this is excellent, because it proves that the foreign binding works.
> but it seems that the backend web
> server dosen't reply, or is trying to reply to the real client, and not
> HAProxy.
I'd bet it's the backend server which doesn't have its default gateway set to route through haproxy. I'm almost 99% sure! It absolutely needs to route the return traffic through haproxy so that the traffic is transformed again.
> That causes HAProxy to return a 503 to the client. That tells me
> that there is a problem with TProxy or my iptables config.
Till there, the forward traffic looks OK on your haproxy box. You need to sniff on the backend server if you can't get more info out of the routing tables. It is also possible that you have some iptables enabled on the backend server, which blocks any non-local traffic ;-)
> I've seen some
> information on the web about setting up a bridge when using TProxy so that
> the routing will be correct. As far as you know, is that still the case with
> TProxy 4.1 and HAProxy?
I have no idea. This might impact backwards traffic, but let's fix one problem at a time. When we get responses routed back through haproxy, if the traffic is not processed, we'll have to investigate further.
> Great, I was trying to go as minimal as possible so that I could avoid any
> potential problems with my config.
That's a good choice.
Regards,
Willy
Received on 2008/08/05 23:46
This archive was generated by hypermail 2.2.0 : 2008/08/06 00:00 CEST