After compiling the kernel and iptables with TPROXY support last week, it’s time to extend that setup to HAProxy. If you haven’t compiled both your running kernel and iptables with TPROXY, do that first – otherwise, none of what follows will work.
HAProxy is a marvelous load balancing tool, which by default has only one drawback: every backend server HAProxy balances for will see the IP address of the load balancer in its logs, because all traffic is routed through it.
This makes debugging more annoying, and it can break applications that rely on seeing the real client source IP. To solve it, we’ll compile HAProxy with TPROXY support.
First up, download the latest version of HAProxy.
wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.8.tar.gz
tar xzf haproxy-1.4.8.tar.gz
cd haproxy-1.4.8
And compile it with extra arguments, to allow tproxy.
make TARGET=linux26 CPU=i386 USE_LINUX_TPROXY=1
make install TARGET=linux26
The TARGET= line specifies we want to build it for the 2.6 kernel, and USE_LINUX_TPROXY=1 states we want tproxy enabled.
Let’s populate our iptables rules.
vim /usr/bin/iptables_for_haproxy.sh
In the new file, copy/paste the following.
#!/bin/bash
# Chain for packets that already belong to a local (transparent) socket
iptables -t mangle -N DIVERT
# Incoming TCP packets matching an existing socket are sent to DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# Mark them (111) and accept; the mark selects the routing table below
iptables -t mangle -A DIVERT -j MARK --set-mark 111
iptables -t mangle -A DIVERT -j ACCEPT
# Marked packets are routed via table 100, which delivers everything locally
ip rule add fwmark 111 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Make it executable.
chmod +x /usr/bin/iptables_for_haproxy.sh
And if you prefer, you can add it to your /etc/rc.local for auto startup as well, so it’s executed whenever you reboot.
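If the script is run from /etc/rc.local and later rerun by hand, the plain version above appends the same rules a second time. The following is an added example, not part of the original post: an idempotent variant of the same rules (mark 111, table 100), plus a check that they are actually in place. Note that `ip rule show` prints the mark in hex (111 shows up as `0x6f`), so a naive grep for "111" misses it. It assumes an iptables new enough to support the `-C` (check) option; the helper names are my own.

```shell
#!/bin/sh
# Added example: rerunnable TPROXY rule installer and checker.
# Same mark (111) and routing table (100) as the post's script.
MARK=111
TABLE=100

# `ip rule show` prints fwmark in hex: 111 -> 0x6f
hex_mark() { printf '0x%x' "$1"; }

# Return 0 if the `ip rule show` output on stdin contains the
# "fwmark MARK lookup TABLE" rule. Usage: ip rule show | fwmark_rule_present 111 100
fwmark_rule_present() {
    grep -q "fwmark $(hex_mark "$1") lookup $2"
}

# Return 0 if the `ip route show table N` output on stdin contains the
# local catch-all route (iproute2 prints 0.0.0.0/0 as "default").
local_route_present() {
    grep -q '^local default dev lo'
}

# Prerequisite: the socket match must be available in this iptables build.
socket_match_available() {
    iptables -m socket --help >/dev/null 2>&1
}

# Install each rule only if it is missing, so the script is safe to rerun
# (assumes iptables supports -C; older builds do not).
install_tproxy_rules() {
    iptables -t mangle -N DIVERT 2>/dev/null || true
    iptables -t mangle -C PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null ||
        iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -C DIVERT -j MARK --set-mark "$MARK" 2>/dev/null ||
        iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    iptables -t mangle -C DIVERT -j ACCEPT 2>/dev/null ||
        iptables -t mangle -A DIVERT -j ACCEPT
    ip rule show | fwmark_rule_present "$MARK" "$TABLE" ||
        ip rule add fwmark "$MARK" lookup "$TABLE"
    ip route show table "$TABLE" | local_route_present ||
        ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Report which parts of the setup are present; exit non-zero if any is missing.
check_tproxy_setup() {
    rc=0
    socket_match_available && echo "ok: iptables socket match" ||
        { echo "MISSING: iptables socket match (TPROXY not compiled in?)"; rc=1; }
    iptables -t mangle -L DIVERT -n >/dev/null 2>&1 && echo "ok: DIVERT chain" ||
        { echo "MISSING: DIVERT chain"; rc=1; }
    ip rule show | fwmark_rule_present "$MARK" "$TABLE" && echo "ok: fwmark rule" ||
        { echo "MISSING: ip rule fwmark $MARK lookup $TABLE"; rc=1; }
    ip route show table "$TABLE" | local_route_present && echo "ok: local route" ||
        { echo "MISSING: local route in table $TABLE"; rc=1; }
    return $rc
}

# Usage: ./tproxy_rules.sh apply   (as root)   or   ./tproxy_rules.sh check
case "${1:-}" in
    apply) install_tproxy_rules ;;
    check) check_tproxy_setup ;;
esac
```

Run it with `apply` from /etc/rc.local instead of the plain script; `check` is handy after a reboot to confirm the rules survived before blaming HAProxy for backends not seeing client addresses.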
Now, this does require one more tricky bit.