We are an educational setting, currently rolling out a new web filtering solution. We don’t want to have to configure all devices with proxy settings; instead we want to make this transparent to the user, i.e. with no proxy settings set, the Palo Alto firewall will pass traffic via Policy Based Routing to the filtering system, which consists of 4 filter boxes. Therefore we understand we need an HAProxy server running as a load balancer and transparent proxy to do this.
Our setup:
Client subnet (10.20.64.0/24)
|
|
V
PALO ALTO FW (PBR)
|
|
V
HAPROXY (VIP 10.20.6.29/22)
|
|
V
FILTER SERVERS (e.g. 10.20.4.101– device has gateway of 10.20.6.29)
We have successfully configured an HAProxy server so that when the HAProxy IP address is set in the web browser, we can browse the internet and be filtered appropriately. The filters successfully see the originating client IP to apply policies accordingly. However, as soon as the proxy settings are removed from the browser and we let the firewall do the PBR, whilst traffic does hit the HAProxy server (seen with tcpdump), it is not seen or handled by the HAProxy service. There are no entries in the HAProxy logs. Do you have any suggestions as to what is wrong? I can confirm the client range and servers are in the same “zone” on the Palo Alto whilst on different subnets.
OS: CentOS 6.7
Kernel: 2.6.32-573.12.1.el6.x86_64
HAProxy version: 1.5.4
HAProxy config file:
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    user root
    group root
    daemon
    debug

defaults
    log global
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

# Transparent listener: accepts connections whose destination is not a local address
frontend filter_http
    bind 10.20.6.29:80 transparent
    default_backend filter_app_http

# Connections to the filters are opened with the original client IP as source (needs TPROXY support)
backend filter_app_http
    mode http
    source 0.0.0.0 usesrc clientip
    server filter1 10.20.4.101:3128 check
    server filter2 10.20.4.102:3128 check
    server filter3 10.20.4.103:3128 check
    server filter4 10.20.4.104:3128 check
Firewall and other routing config:
# iptables -L -n -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DIVERT tcp -- 0.0.0.0/0 0.0.0.0/0 socket
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain DIVERT (1 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
# ip rule show
0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
# ip route show table 100
local default dev lo scope host
# netstat -lntp | grep 80
tcp 0 0 10.20.6.29:80 0.0.0.0:* LISTEN 1391/haproxy
# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_nonlocal_bind = 1
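As an added diagnostic (not code from the original post), the following Python checker parses captured `ip rule`, `ip route show table 100`, `iptables -t mangle -L -n` and `netstat -lntp` output and reports which piece of a DIVERT/socket-match transparent proxy setup is missing. It assumes the socket-match style of interception shown above, where the listener must be bound to a wildcard address because intercepted packets still carry the origin web server's IP as their destination; the sample output strings are constructed to mirror the post.

```python
import re

# Constructed samples mirroring the post's output (not captured from the poster's box).
IP_RULE = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n" \
          "32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n"
ROUTE_100 = "local default dev lo scope host\n"
MANGLE = """Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
"""
LISTENERS = "tcp  0  0 10.20.6.29:80  0.0.0.0:*  LISTEN  1391/haproxy\n"

def check_tproxy(ip_rule, route_table, mangle, listeners, port=80):
    """Return the list of problems found; an empty list means every piece is in place."""
    problems = []
    rule = re.search(r"fwmark\s+(0x[0-9a-f]+)\s+lookup\s+\d+", ip_rule)
    if not rule:
        problems.append("no 'ip rule' routing fwmark'ed packets via a dedicated table")
    # Marked packets must be looped back to the local stack, not forwarded.
    if not re.search(r"^local\s+default\s+dev\s+lo\b", route_table, re.M):
        problems.append("policy table lacks 'local default dev lo'")
    if not re.search(r"^DIVERT\s+tcp\s.*\bsocket\b", mangle, re.M):
        problems.append("mangle PREROUTING has no '-m socket -j DIVERT' rule")
    mark = re.search(r"^MARK\s.*MARK set (0x[0-9a-f]+)", mangle, re.M)
    if not mark:
        problems.append("DIVERT chain does not set a mark")
    elif rule and int(mark.group(1), 16) != int(rule.group(1), 16):
        problems.append("DIVERT mark %s differs from ip rule fwmark %s"
                        % (mark.group(1), rule.group(1)))
    # Intercepted packets keep the origin server's address as destination, so the
    # 'socket' match only finds a listener if it is bound to a wildcard address.
    binds = re.findall(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", listeners, re.M)
    if not any(int(p) == port and a in ("0.0.0.0", "*") for a, p in binds):
        problems.append("no wildcard listener on port %d: a socket bound to one address "
                        "cannot match connections destined for other IPs" % port)
    return problems

if __name__ == "__main__":
    for p in check_tproxy(IP_RULE, ROUTE_100, MANGLE, LISTENERS):
        print("PROBLEM:", p)
```

Run against real output by piping each command into the corresponding argument; every item in the returned list is one prerequisite that would stop intercepted packets from reaching the listener.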