We are an educational setting, currently rolling out a new web filtering solution. We don’t want to have to configure all devices with proxy settings, instead we want to make this transparent to the user. I.e. with no proxy settings set – the Palo Alto firewall will pass traffic via Policy Based Routing to the filtering system which consists of 4 filter boxes. Therefore we understand we need an HAProxy server running as a load balancer and transparent proxy to do this.
```text
Client subnet (10.20.64.0/24)
PALO ALTO FW (PBR)
HAPROXY (VIP 10.20.6.29/22)
FILTER SERVERS (e.g. 10.20.4.101 – device has gateway of 10.20.6.29)
```
We have successfully configured an HAProxy server so that when the haproxy IP address is set in the web browser, we can browse the internet and be filtered appropriately. The filters successfully see the originating client IP to apply policies accordingly. However, as soon as the proxy settings are removed from the browser and we let the Firewall do the PBR, whilst traffic does hit the HAProxy server (seen by TCPDump) – it is not seen or handled by the HAProxy service. There are no entries in the haproxy logs. Do you have any suggestions as to what is wrong? I can confirm the client range and servers are on the same “zone” on the Palo Alto whilst on different subnets.
OS: CentOS 6.7
HAProxy version: 1.5.4
HAProxy config file:
```
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    user root
    group root
    daemon
    debug

defaults
    log global
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend filter_http
    bind 10.20.6.29:80 transparent
    default_backend filter_app_http

backend filter_app_http
    mode http
    source 0.0.0.0 usesrc clientip
    server filter1 10.20.4.101:3128 check
    server filter2 10.20.4.102:3128 check
    server filter3 10.20.4.103:3128 check
    server filter4 10.20.4.104:3128 check
```
Firewall and other routing config:
```
# iptables -L -n -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

# ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

# ip route show table 100
local default dev lo scope host
```

```
# netstat -lntp | grep 80
tcp        0      0 10.20.6.29:80      0.0.0.0:*      LISTEN      1391/haproxy
```

```
# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_nonlocal_bind = 1
```
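A quick consistency check for the two kernel-side pieces that a `-m socket` / fwmark transparent setup like the one above depends on, added here as example code (it is not from the question, HAProxy or Palo Alto): the `socket` match only marks a new SYN when a listening socket matches the packet's destination, so a listener bound to a single address such as 10.20.6.29:80 cannot catch PBR'd traffic destined to external web servers (a wildcard bind with `transparent` is what the documented TPROXY setup uses), and marked packets must then hit a `local default dev lo` route rather than being forwarded. The checks parse captured command output; the sample inputs, the function names and the OK/FAIL convention are constructed for this example.

```shell
#!/bin/sh
# Example checks for a fwmark/"-m socket" transparent HAProxy setup (added
# example, not from the question). Each check reads captured command output on
# stdin, so it can be fed a live command or, as below, constructed samples.

# Check 1: the "-m socket" match only marks a new SYN when a listening socket
# matches the packet's destination address and port. A listener bound to one
# address cannot match PBR'd traffic to external addresses, so the listener for
# port $1 must be on the wildcard address. Input: "netstat -lntp" or "ss -lntp".
check_wildcard_listener() {
  port="$1"
  if grep -Eq "(0\.0\.0\.0|\*|\[::\]):${port}[[:space:]]"; then
    echo OK
  else
    echo FAIL
  fi
}

# Check 2: packets carrying fwmark $1 must be looked up in table $2, and that
# table must deliver everything locally via lo; otherwise ip_forward=1 simply
# forwards them. Input: "ip rule show" followed by "ip route show table $2".
check_fwmark_local_route() {
  mark="$1"; table="$2"
  out=$(cat)
  echo "$out" | grep -Eq "fwmark ${mark} lookup ${table}" || { echo FAIL; return 0; }
  echo "$out" | grep -Eq "^local default dev lo" || { echo FAIL; return 0; }
  echo OK
}

# Constructed samples (not real captures): the first listener line mirrors the
# post's netstat output, the second is what "bind 0.0.0.0:80 transparent" would
# show; the routing sample mirrors the post's ip rule / table 100 output.
SAMPLE_NETSTAT_SPECIFIC='tcp 0 0 10.20.6.29:80 0.0.0.0:* LISTEN 1391/haproxy'
SAMPLE_NETSTAT_WILDCARD='tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1391/haproxy'
SAMPLE_ROUTING='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
local default dev lo scope host'

echo "listener bound to one address: $(echo "$SAMPLE_NETSTAT_SPECIFIC" | check_wildcard_listener 80)"
echo "listener bound to wildcard:    $(echo "$SAMPLE_NETSTAT_WILDCARD" | check_wildcard_listener 80)"
echo "fwmark 0x1 -> local via lo:    $(echo "$SAMPLE_ROUTING" | check_fwmark_local_route 0x1 100)"
```

On a live host, pipe the real commands in instead of the samples, e.g. `ss -lntp | check_wildcard_listener 80` and `{ ip rule show; ip route show table 100; } | check_fwmark_local_route 0x1 100`.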