[SOLVED] Send connections from ip to server A and all others to server B?


#1

Hi all,

I have a working load-balancing config with balance source and hash-type consistent for my FTP, but it isn’t sufficient.
It seems that I’m still getting too many connections from one IP address on one of my FTP servers.

If I can send all of the traffic from one customer with one IP address to one FTP server I should have fixed the issue.
How can I send all traffic to FTP server A and traffic coming from a certain external IP address to server B?

Regards,

John


#2

Use ACLs and use_backend or use-server directives:

http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-use_backend
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-use-server


#3

Hi Lukastribus,

Thank you for the useful information!
ACL is probably what I was looking for, although I can’t find any examples for forwarding by source IP.

What I have now is:

listen ftp-pool
        bind *:21 transparent
        bind *:50000-50049 transparent
        mode tcp
        maxconn 2000
        option tcplog
        option tcp-check
        balance source
        hash-type consistent
        server ftp01 192.168.1.1 check port 21
        server ftp02 192.168.1.2 check port 21

and when using a backend I should do the below if I’m not mistaken:

frontend ftp-pool
        bind *:21 transparent
        bind *:50000-50049 transparent
        mode tcp
        maxconn 2000
        option tcplog
        option tcp-check
        default_backend ftp-pool-backend

backend ftp-pool-backend
        balance source
        hash-type consistent
        server ftp01 192.168.1.1 check port 21

backend ftp-pool-backend-static
        balance source
        hash-type consistent
        server ftp02 192.168.1.2 check port 21

The only part I’m still trying to figure out is the ACL, which is confusing even with the documentation that you provided via link.

What I have is:

acl forwarding_acl -ip eq 190.190.10.10
use_backend backend ftp-pool-backend-static if forwarding_acl

This doesn’t seem to work. Is the ACL part wrong or is the backend part wrong?


#4

acl forwarding_acl src 190.190.10.10
use_backend ftp-pool-backend-static if forwarding_acl

#5

That does seem more logical, thanks!

I added the acl to the frontend, but now it fails to start the haproxy service with code=exited, status=1/FAILURE.
Commenting the ACL rules out makes it run again.
These ACL rules must be added in the frontend part, right?

Current config:

frontend ftp-pool
        bind *:21 transparent
        bind *:50000-50049 transparent
        mode tcp
        maxconn 2000
        option tcplog
        option tcp-check
#       acl forwarding_acl src 190.190.10.10
#       use_backend backend ftp-pool-backend-static if forwarding_acl
        default_backend ftp-pool-backend

backend ftp-pool-backend
        balance source
        hash-type consistent
        server ftp01 192.168.1.1 check port 21

backend ftp-pool-backend-static
        balance source
        hash-type consistent
        server ftp02 192.168.1.2 check port 21

#6

Alright, I found the problem.
use_backend backend ftp-pool-backend-static if forwarding_acl
Removed the extra backend and now it runs.

This config doesn’t send the connections to the servers now even though I got the HAProxy service running.
Without the backend it works, but with the backend it doesn’t send anything to ftp01 or ftp02 server.
Have I made a mistake in the config?


#7

Got it working.
It seems that the backend part also needs the “mode” part to work.
Added the mode tcp to both backends and it’s now routing correctly.
Thanks for the help, lukastribus!
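
The thread's fixes combined into one configuration, as an added example that is not part of any post above: the ACL from #4, the use_backend line without the extra backend keyword from #6, and mode tcp in both backends from #7. Two changes are made here and are not from the thread: option tcp-check is moved into the backends, where health checks are run, and balance source / hash-type consistent are left out because each backend holds a single server.

```haproxy
frontend ftp-pool
        bind *:21 transparent
        bind *:50000-50049 transparent
        mode tcp
        maxconn 2000
        option tcplog
        # Match on the client's source address (the address used in post #3).
        acl forwarding_acl src 190.190.10.10
        # use_backend takes the backend name directly, with no "backend" keyword.
        use_backend ftp-pool-backend-static if forwarding_acl
        # Every other client goes to ftp01.
        default_backend ftp-pool-backend

backend ftp-pool-backend
        # Mode stated explicitly so it matches the frontend (post #7).
        mode tcp
        option tcp-check
        # No port on the server address: the connection is forwarded to the
        # port the client connected to, which covers 21 and 50000-50049.
        server ftp01 192.168.1.1 check port 21

backend ftp-pool-backend-static
        mode tcp
        option tcp-check
        server ftp02 192.168.1.2 check port 21
```

Running `haproxy -c -f <path-to-config>` before restarting the service prints the parse error behind a `status=1/FAILURE` exit, such as the stray `backend` keyword found in post #6.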