TCP proxy not working


#1

Following is the configuration for the proxy (IPs in logs modified for privacy):

global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   #stats timeout 30s
   #user haproxy
   #group haproxy
   daemon

defaults
   log global
   mode tcp
   option tcplog
   option dontlognull
   option logasap
   timeout connect 50000
   timeout client 50000
   timeout server 50000

listen stats
        maxconn 1000000
        bind 0.0.0.0:8081
        stats enable
        mode http
        stats realm Haproxy\ Statistics  # Title text for popup window
        stats uri /stats  # Stats URI
        stats auth stats:stats  # Authentication credentials

frontend local
        bind *:1900
        bind *:443
        tcp-request connection expect-proxy layer4 if { src -f /etc/haproxy/proxies.lst }
        mode tcp
        default_backend backnodes

backend backnodes
        mode tcp
        balance roundrobin
        source 0.0.0.0 usesrc clientip
        server one 10.10.10.10:1900 check

proxies.lst has a single line: 1.1.1.1

Clients are unable to connect. If I check the logs, I see the following line:

Jun 11 10:46:39 udasddg0 haproxy[16981]: 1.1.1.1:51000 [11/Jun/2018:10:43:19.855] local backnodes/one 1/-1/+200005 +0 sC 31/31/30/30/3 0/0

From what I understand:

sC means the server timed out and the client reset the connection after that.
Also, it looks like Tc = -1, which means that the actual server did not respond to the proxy.

If I follow the TCP stream in Wireshark on the proxy server, I see that we are receiving the proxy info:

PROXY TCP4 2.2.2.2 3.3.3.3 53889 1900

Not sure why the connections are failing. Any suggestions would be appreciated.


#2

Hi,

When you enable “source 0.0.0.0 usesrc clientip”, HAProxy will spoof the client IP to get connected to the server.

In your case, the server wants to answer to the client directly, and might be using its default gateway. So the kernel below HAProxy never gets the SYN/ACK packet, hence HAProxy reports that the connection could not be established to the server.


#3

Thanks for the reply Baptiste. I figured that out with some captures. That was the problem!
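
Added example, not part of any post in this thread: a small decoder for the `option tcplog` line quoted in post #1, showing how the timers, termination flags and retry count point at a connect-phase failure. The flag tables are a subset of those in HAProxy's logging documentation; `decode_tcplog` and `timeout_connect_ms` are names made up for this example, and the attempt arithmetic assumes every attempt ran for the full `timeout connect`.

```python
import re

# Field order of an "option tcplog" line (the text after the syslog prefix).
# A leading '+' on a value comes from "option logasap" and is skipped.
TCPLOG = re.compile(
    r"(?P<client>\S+):(?P<cport>\d+) \[(?P<accepted>[^\]]+)\] (?P<frontend>\S+) "
    r"(?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/\+?(?P<Tt>-?\d+) \+?(?P<bytes>\d+) "
    r"(?P<state>\S\S) \d+/\d+/\d+/\d+/\+?(?P<retries>\d+) \d+/\d+\s*$"
)

# First flag: what ended the session. Second flag: what the session was doing.
CAUSE = {"C": "client aborted", "S": "server aborted or refused",
         "P": "proxy aborted", "c": "client-side timeout expired",
         "s": "server-side timeout expired", "-": "normal completion"}
PHASE = {"Q": "waiting in queue", "D": "data phase",
         "C": "waiting for the server connection to establish",
         "L": "sending last data to client", "-": "normal completion"}


def decode_tcplog(line, timeout_connect_ms=None):
    """Parse one tcplog line; optionally relate Tt to 'timeout connect'."""
    m = TCPLOG.search(line)
    if m is None:
        raise ValueError("not an 'option tcplog' line")
    rec = m.groupdict()
    for key in ("Tw", "Tc", "Tt", "bytes", "retries"):
        rec[key] = int(rec[key])
    cause, phase = rec["state"]
    rec["meaning"] = f"{CAUSE.get(cause, 'other')}; {PHASE.get(phase, 'other')}"
    rec["connected"] = rec["Tc"] >= 0  # Tc = -1: no server connection was made
    if timeout_connect_ms and not rec["connected"]:
        # Assumption: the first attempt and every retry hit the connect timeout.
        rec["attempts"] = rec["retries"] + 1
        rec["expected_ms"] = rec["attempts"] * timeout_connect_ms
    return rec


# The log line from post #1 (IPs already anonymised by the poster).
SAMPLE = ("Jun 11 10:46:39 udasddg0 haproxy[16981]: 1.1.1.1:51000 "
          "[11/Jun/2018:10:43:19.855] local backnodes/one 1/-1/+200005 +0 sC "
          "31/31/30/30/3 0/0")

if __name__ == "__main__":
    for field, value in decode_tcplog(SAMPLE, timeout_connect_ms=50000).items():
        print(f"{field:12} {value}")
```

With the posted `timeout connect 50000`, the four attempts account for 200000 ms of the 200005 ms total, which matches a server whose SYN/ACK never reaches the proxy.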