Haproxy Transparent Mode on Centos 7
HAProxy can't do transparent binding or proxying on its own: it relies on a Linux kernel and operating system compiled and tuned for it.
CentOS 7 supports HAProxy transparent mode out of the box.
Step by step configuration:
1. sysctl settings
2. iptables rules
3. ip route rules
4. HAProxy configuration
Step 1 is sysctl settings;
– net.ipv4.ip_forward
– net.ipv4.ip_nonlocal_bind
# echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
Step 2 is iptables rules;
#iptables -F -t mangle
#iptables -F
#iptables -F -t nat
#iptables -t mangle -N DIVERT
#iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#iptables -t mangle -A DIVERT -j MARK --set-mark 1
#iptables -t mangle -A DIVERT -j ACCEPT
Step 3 is ip route rules;
Tell the operating system to deliver packets marked by iptables to the loopback interface, where HAProxy can catch them:
#ip rule add fwmark 1 lookup 100
#ip route add local 0.0.0.0/0 dev lo table 100
Step 4 is haproxy configuration;
Finally, you can configure HAProxy.
* Transparent binding can be configured like this:
frontend App_in
    bind ipofhaproxy:10421 transparent
    mode tcp
backend App_out
    mode tcp
    log global
    source 0.0.0.0 usesrc clientip
    balance roundrobin
    server backend1 ipofbackend01:10421 check
    server backend2 ipofbackend02:10421 check
Note: When you reboot the server, the ip rules will be deleted.
This bash script will help you ;)
#!/bin/bash
# Restores everything from steps 1-3 that is lost on reboot; run as root.
set -e
echo 1 > /proc/sys/net/ipv4/ip_forward        # /proc writes do not survive a reboot either
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
iptables -F -t mangle
iptables -F                                    # note: flushes every rule in the filter table
iptables -F -t nat
iptables -t mangle -N DIVERT 2>/dev/null || true   # chain already exists on a re-run
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule show | grep -q 'fwmark 0x1 lookup 100' || ip rule add fwmark 1 lookup 100
ip route replace local 0.0.0.0/0 dev lo table 100   # replace: idempotent on re-run
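Because the marking rules and the policy route silently disappear after a reboot (and a host that has lost them stops forwarding client traffic rather than failing loudly), it is worth having a check that confirms steps 1-3 are actually in place. The script below is an added example, not part of the original post or of HAProxy: each check_* function takes the output of the relevant command as an argument so the logic can be exercised offline on constructed samples, and `--live` wires in the real commands. It assumes the CentOS 7 output formats for `iptables-save` (which prints `--set-mark 1` as `--set-xmark 0x1/0xffffffff`) and for `ip rule show` / `ip route show table 100` (which prints `0.0.0.0/0` as `default`); the sample outputs at the bottom are constructed for testing.

```shell
#!/bin/sh
# Added verification script (not from the original post): confirms the kernel,
# netfilter and policy-routing prerequisites for HAProxy transparent mode.
# Each check_* function takes command output as its argument so it can be run
# on constructed samples; run with --live (as root) to check the running host.

# Step 1: a sysctl value (from `sysctl -n <key>` or the /proc file) must be "1".
check_sysctl_value() {
    [ "$1" = "1" ]
}

# Step 2: output of `iptables-save -t mangle` must contain the DIVERT chain and
# its three rules. Assumption: iptables-save renders --set-mark 1 as
# --set-xmark 0x1/0xffffffff; the regex accepts either spelling.
check_mangle_rules() {
    printf '%s\n' "$1" | grep -q  -- '^:DIVERT - ' &&
    printf '%s\n' "$1" | grep -q  -- '^-A PREROUTING -p tcp -m socket -j DIVERT$' &&
    printf '%s\n' "$1" | grep -Eq -- '^-A DIVERT -j MARK --set-(x)?mark (1|0x1)(/0xffffffff)?$' &&
    printf '%s\n' "$1" | grep -q  -- '^-A DIVERT -j ACCEPT$'
}

# Step 3a: output of `ip rule show` must send fwmark 1 (shown as 0x1) to table 100.
check_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq -- 'from all fwmark (1|0x1) lookup 100'
}

# Step 3b: output of `ip route show table 100` must hold the local catch-all on lo.
# Assumption: iproute2 prints 0.0.0.0/0 as "default"; both forms are accepted.
check_local_route() {
    printf '%s\n' "$1" | grep -Eq -- '^local (default|0\.0\.0\.0/0) dev lo'
}

# Run every check against this host; returns non-zero if any prerequisite is missing.
run_live() {
    rc=0
    check_sysctl_value "$(sysctl -n net.ipv4.ip_forward)"       || { echo "ip_forward is not 1"; rc=1; }
    check_sysctl_value "$(sysctl -n net.ipv4.ip_nonlocal_bind)" || { echo "ip_nonlocal_bind is not 1"; rc=1; }
    check_mangle_rules "$(iptables-save -t mangle)"             || { echo "DIVERT rules missing from mangle table"; rc=1; }
    check_fwmark_rule  "$(ip rule show)"                        || { echo "fwmark 1 -> table 100 rule missing"; rc=1; }
    check_local_route  "$(ip route show table 100)"             || { echo "local route on lo in table 100 missing"; rc=1; }
    return $rc
}

# Constructed sample outputs (not captured from a real host) for offline testing.
SAMPLE_MANGLE_OK='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'
SAMPLE_RULE_OK='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main'
SAMPLE_ROUTE_OK='local default dev lo scope host'

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Run it as `sh check_tproxy.sh --live` from cron or a monitoring agent and alert on a non-zero exit; a failure right after a reboot is the symptom the note above describes, and the check also catches a later `iptables -F` or a table flush by another tool.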