HAProxy works as a reverse proxy. This means it maintains 2 connections when allowing a client to cross it:
1 connection between HAProxy and the client
1 connection between HAProxy and the server
HAProxy then moves data between the buffers of these two connections. One of the drawbacks of this mode is that HAProxy lets the kernel establish the connection to the server, and the kernel uses one of its local IP addresses as the source. Because of this, HAProxy “hides” the client IP behind its own: this can be an issue in some cases.
Here comes the transparent proxy mode: HAProxy can be configured to spoof the client IP address when establishing the TCP connection to the server. That way, the server thinks the connection comes from the client directly (of course, the server must answer back to HAProxy and not to the client; otherwise, it can’t work: the client will get an acknowledgment from the server IP while it has established the connection on HAProxy‘s IP).
Transparent Binding
By default, when one wants HAProxy to get traffic, we have to tell it to bind an IP address and a port. The IP address must exist on the operating system (unless you have set up the sysctl net.ipv4.ip_nonlocal_bind) and the OS must announce its availability to the other devices on the network through the ARP protocol.
Well, in some cases we want HAProxy to be able to catch traffic on the fly without configuring any IP address or VRRP or whatever…
This is where transparent binding comes in: HAProxy can be configured to catch traffic on the fly even if the destination IP address is not configured on the server.
These IP addresses will never be pingable, but they’ll deliver the services configured in HAProxy.
HAProxy & the Linux Kernel
Unfortunately, HAProxy can’t do transparent binding or proxying alone. It must stand on a compiled and tuned Linux Kernel and operating system. Below, I’ll explain how to do this in a standard Linux distribution.
Here is the checklist to meet:
appropriate HAProxy compilation option
appropriate Linux Kernel compilation option
sysctl settings
iptables rules
ip route rules
HAProxy configuration
HAProxy compilation requirements
First of all, HAProxy must be compiled with the option TPROXY enabled. It is enabled by default when you use the target LINUX26 or LINUX2628.
Linux Kernel requirements
You have to ensure your kernel has been compiled with the following options:
CONFIG_NETFILTER_TPROXY
CONFIG_NETFILTER_XT_TARGET_TPROXY
Of course, iptables must be enabled as well in your kernel 🙂
Sysctl settings
The following sysctls must be enabled:
net.ipv4.ip_forward
net.ipv4.ip_nonlocal_bind
Iptables rules
You must setup the following iptables rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
The purpose is to mark packets that match a socket bound locally (by HAProxy).
IP route rules
Then, tell the Operating System to forward packets marked by iptables to the loopback where HAProxy can catch them:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
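Before editing the HAProxy configuration it is worth verifying that each of the kernel, sysctl, iptables and routing steps above actually took effect. The script below is an added example, not part of the original post or of HAProxy: each check takes the output of the relevant command as text, so it can run against the live host (with --live) or against saved output, and it also verifies itself against a constructed sample. It assumes the kernel config is readable at /boot/config-$(uname -r) and only requires CONFIG_NETFILTER_XT_TARGET_TPROXY, since recent kernels no longer carry a separate CONFIG_NETFILTER_TPROXY symbol.

```shell
#!/bin/sh
# Preflight checks for the transparent-proxy prerequisites: kernel option,
# sysctls, the mangle-table DIVERT chain and the fwmark -> table 100 route.
# Each function receives command output as text and returns 0 when it passes.

kernel_config_ok() {   # $1 = contents of /boot/config-$(uname -r)
    # Recent kernels only carry the XT target symbol (CONFIG_NETFILTER_TPROXY is gone).
    printf '%s\n' "$1" | grep -Eq '^CONFIG_NETFILTER_XT_TARGET_TPROXY=[ym]$'
}

sysctl_ok() {          # $1 = output of: sysctl net.ipv4.ip_forward net.ipv4.ip_nonlocal_bind
    printf '%s\n' "$1" | grep -Eq '^net\.ipv4\.ip_forward = 1$' &&
    printf '%s\n' "$1" | grep -Eq '^net\.ipv4\.ip_nonlocal_bind = 1$'
}

divert_rules_ok() {    # $1 = output of: iptables-save -t mangle
    # iptables-save renders "--set-mark 1" as "--set-xmark 0x1/0xffffffff"; accept both.
    printf '%s\n' "$1" | grep -Eq '^-A PREROUTING -p tcp -m socket -j DIVERT$' &&
    printf '%s\n' "$1" | grep -Eq '^-A DIVERT -j MARK --set-x?mark (1|0x1)(/0xffffffff)?$' &&
    printf '%s\n' "$1" | grep -Eq '^-A DIVERT -j ACCEPT$'
}

route_ok() {           # $1 = output of: ip rule   $2 = output of: ip route show table 100
    printf '%s\n' "$1" | grep -Eq 'from all fwmark 0x1 lookup 100' &&
    printf '%s\n' "$2" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

preflight() {          # run every check on the running host (iptables-save needs root)
    kernel_config_ok "$(cat "/boot/config-$(uname -r)")" || { echo "FAIL kernel: TPROXY target not built"; return 1; }
    sysctl_ok "$(sysctl net.ipv4.ip_forward net.ipv4.ip_nonlocal_bind)" || { echo "FAIL sysctl: both must be 1"; return 1; }
    divert_rules_ok "$(iptables-save -t mangle)" || { echo "FAIL iptables: DIVERT chain incomplete"; return 1; }
    route_ok "$(ip rule)" "$(ip route show table 100)" || { echo "FAIL route: fwmark 1 -> table 100 local route missing"; return 1; }
    echo "OK: all transparent-proxy prerequisites present"
}

# Constructed sample output (not captured from a real host) for an offline self-check.
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'
SAMPLE_RULE='32765:  from all fwmark 0x1 lookup 100'
SAMPLE_ROUTE='local default dev lo scope host'
selfcheck() { divert_rules_ok "$SAMPLE_MANGLE" && route_ok "$SAMPLE_RULE" "$SAMPLE_ROUTE"; }

case "${1:-}" in --live) preflight ;; *) selfcheck && echo "constructed sample passes" ;; esac
```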
HAProxy configuration
Finally, you can configure HAProxy.
Transparent binding can be configured like this:
[...]
frontend ft_application
bind 1.1.1.1:80 transparent
[...]
Transparent proxying can be configured like this:
[...]
backend bk_application
source 0.0.0.0 usesrc clientip
[...]
Transparent Mode in the ALOHA Load-Balancer
Now, the same steps in the ALOHA Load-balancer, which is an HAProxy-based load-balancing appliance:
1-5. Not required: the ALOHA kernel is already tuned for this purpose.
6. HAProxy configuration
LB Admin tab (AKA click mode)
Transparent binding can be configured like this when editing a Frontend listener:
Transparent proxying can be configured like this when editing a farm:
LB Layer 7 tab (vi in a browser mode)
Transparent binding can be configured like this:
[...]
frontend ft_application
bind 1.1.1.1:80 transparent
[...]
Transparent proxying can be configured like this:
[...]
backend bk_application
source 0.0.0.0 usesrc clientip
[...]