Hello,
I am attempting to set up a pair of HAProxy servers running CentOS 7 to transparently load balance 2 Exchange 2016 servers. We have logging requirements, so the client IP address must be logged on the Exchange side. I have a non-transparent layer 7 setup functioning. I followed the instructions here: http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/ ; however, when I have ‘source 0.0.0.0 usesrc clientip’ defined in the backends, my pages do not load, and I also do not see any errors logged in /var/log/haproxy.log.
I have verified the tproxy module is loaded:
lsmod | grep -ie tproxy
xt_TPROXY 17327 0
nf_defrag_ipv6 35104 3 xt_socket,xt_TPROXY,nf_conntrack_ipv6
nf_defrag_ipv4 12729 3 xt_socket,xt_TPROXY,nf_conntrack_ipv4
I replaced firewalld with iptables to allow me to follow the documentation.
All servers are in the same subnet: 192.168.5.0/24
keepalived VIP 192.168.5.205
HAProxy-01: 192.168.5.206
HAProxy-02: 192.168.5.207
Ex2016-01: 192.168.5.181
Ex2016-02: 192.168.5.182
I am testing from a different subnet: 192.168.6.0/24
I feel like I am missing something but do not know what.
Here is my config:
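# Process-wide settings. There is no user/group directive, so the process keeps
# the privileges it was started with. NOTE(review): the 'usesrc clientip'
# backends open IP_TRANSPARENT sockets, which need elevated privileges, so
# confirm what your HAProxy build requires before adding user/group here.
global
# Logging goes to the local syslog daemon over UDP. rsyslog must have its UDP
# listener on 127.0.0.1 enabled, otherwise nothing reaches /var/log/haproxy.log;
# "no errors logged" may simply be a missing listener rather than a clean run.
log 127.0.0.1 local0 info
maxconn 10000
chroot /var/lib/haproxy
daemon
quiet
# 2048-bit DH parameters for the TLS-terminating frontend bind.
tune.ssl.default-dh-param 2048
# Refuse SSLv3 on every 'bind ... ssl' line (POODLE); the frontend inherits
# this without having to repeat it per listener.
ssl-default-bind-options no-sslv3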
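# Inherited by every frontend/backend/listen below unless overridden there.
defaults
log global
mode http
option httplog
# Do not log connections that carried no data (e.g. keepalived/VIP probes).
option dontlognull
timeout connect 30000ms
timeout client 30000ms
timeout server 60000ms
timeout check 60000ms
# 'timeout client' only bounds inactivity; without this a client can hold a
# connection open by trickling request headers indefinitely (slow-request DoS).
timeout http-request 10s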
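# Statistics page, served on this node's own address rather than the VIP.
listen stats
# NOTE(review): bound to a node IP, so this block must differ between
# HAProxy-01 and HAProxy-02 - the bind fails on a host that does not own
# 192.168.5.206.
bind 192.168.5.206:8181
mode http
log global
maxconn 10
# 'clitimeout', 'srvtimeout' and 'contimeout' are deprecated spellings that
# only warn at startup; these are the equivalent current keywords.
timeout client 100s
timeout server 100s
timeout connect 100s
timeout queue 100s
stats enable
stats hide-version
stats refresh 30s
stats show-node
# The posted line had an empty password for 'admin'. The stats page reveals
# backend addresses and server state, so it needs a real credential;
# CHANGE_ME_STATS_PASSWORD is a placeholder, not a value to keep.
stats auth admin:CHANGE_ME_STATS_PASSWORD
stats uri /haproxy?stats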
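# Client-facing listener on the keepalived VIP: terminates TLS, forces HTTPS,
# and routes by URL prefix to the per-service Exchange backends.
frontend fe_ex2016
mode http
# The VIP is a local address (keepalived), so 'transparent' on the bind is not
# what makes the setup transparent - that is 'usesrc clientip' in the backends.
# NOTE(review): with 'usesrc clientip', Exchange sees the real client IP
# (192.168.6.x) and its replies are routed toward that subnet; unless the
# Exchange servers' default gateway is the active HAProxy node (the VIP) or
# policy routing sends them back through it, the replies bypass HAProxy and
# the page never loads - consistent with "no errors" in the log. Confirm the
# return path before changing anything else here.
bind 192.168.5.205:80 transparent
bind 192.168.5.205:443 transparent ssl crt /etc/ssl/certs/ssl_cert.pem
# Plain-HTTP requests are bounced to HTTPS with a permanent redirect.
redirect scheme https code 301 if !{ ssl_fc }
# 'url_beg' is case-sensitive; Exchange clients send mixed-case paths
# (/Autodiscover/Autodiscover.xml, /Microsoft-Server-ActiveSync, /EWS/...),
# so without '-i' most requests fell through to default_backend.
acl autodiscover url_beg -i /Autodiscover
acl mapi url_beg -i /mapi
acl rpc url_beg -i /rpc
acl owa url_beg -i /owa
acl eas url_beg -i /microsoft-server-activesync
acl ecp url_beg -i /ecp
acl ews url_beg -i /ews
acl oab url_beg -i /oab
use_backend be_ex2016_autodiscover if autodiscover
use_backend be_ex2016_mapi if mapi
use_backend be_ex2016_rpc if rpc
use_backend be_ex2016_owa if owa
use_backend be_ex2016_eas if eas
use_backend be_ex2016_ecp if ecp
use_backend be_ex2016_ews if ews
use_backend be_ex2016_oab if oab
# Anything not matched above (including the bare "/" landing page).
default_backend be_ex2016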
# Autodiscover pool: both Exchange servers, round-robin, re-encrypted to the
# backend with the server certificate verified against the system CA bundle.
backend be_ex2016_autodiscover
mode http
balance roundrobin
# Transparent mode: the connection to Exchange is sourced from the real client
# IP. NOTE(review): Exchange's reply to that IP must route back through the
# active HAProxy node (default gateway = VIP, or policy routing); otherwise it
# goes straight to the client and the request hangs.
source 0.0.0.0 usesrc clientip
# Health check every 15s against the service's healthcheck page; anything
# other than HTTP 200 marks the server down, and check transitions are logged.
option httpchk GET /autodiscover/healthcheck.htm
http-check expect status 200
option log-health-checks
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
# MAPI-over-HTTP pool; same two servers and TLS settings as the other pools.
backend be_ex2016_mapi
mode http
balance roundrobin
# Real client IP as connection source - the Exchange return path must pass
# through the active HAProxy node for this to work (NOTE(review): verify).
source 0.0.0.0 usesrc clientip
# 15s health check on the MAPI healthcheck page, HTTP 200 required.
option httpchk GET /mapi/healthcheck.htm
http-check expect status 200
option log-health-checks
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
# Outlook Anywhere (RPC-over-HTTP) pool.
backend be_ex2016_rpc
mode http
balance roundrobin
# Real client IP as connection source - the Exchange return path must pass
# through the active HAProxy node for this to work (NOTE(review): verify).
source 0.0.0.0 usesrc clientip
# 15s health check on the RPC healthcheck page, HTTP 200 required.
option httpchk GET /rpc/healthcheck.htm
http-check expect status 200
option log-health-checks
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
# Outlook Web App pool.
backend be_ex2016_owa
mode http
balance roundrobin
# Real client IP as connection source - the Exchange return path must pass
# through the active HAProxy node for this to work (NOTE(review): verify).
source 0.0.0.0 usesrc clientip
# 15s health check on the OWA healthcheck page, HTTP 200 required.
option httpchk GET /owa/healthcheck.htm
http-check expect status 200
option log-health-checks
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
# Exchange ActiveSync pool (mobile clients).
backend be_ex2016_eas
mode http
balance roundrobin
# Real client IP as connection source - the Exchange return path must pass
# through the active HAProxy node for this to work (NOTE(review): verify).
source 0.0.0.0 usesrc clientip
# 15s health check on the ActiveSync healthcheck page, HTTP 200 required.
option httpchk GET /microsoft-server-activesync/healthcheck.htm
http-check expect status 200
option log-health-checks
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
# Exchange Control Panel (admin UI) pool.
backend be_ex2016_ecp
mode http
balance roundrobin
# Real client IP as connection source - the Exchange return path must pass
# through the active HAProxy node for this to work (NOTE(review): verify).
source 0.0.0.0 usesrc clientip
# 15s health check on the ECP healthcheck page, HTTP 200 required.
option httpchk GET /ecp/healthcheck.htm
http-check expect status 200
option log-health-checks
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
# Exchange Web Services pool.
backend be_ex2016_ews
mode http
balance roundrobin
# Real client IP as connection source - the Exchange return path must pass
# through the active HAProxy node for this to work (NOTE(review): verify).
source 0.0.0.0 usesrc clientip
# 15s health check on the EWS healthcheck page, HTTP 200 required.
option httpchk GET /ews/healthcheck.htm
http-check expect status 200
option log-health-checks
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
# Offline Address Book pool.
backend be_ex2016_oab
mode http
balance roundrobin
# Real client IP as connection source - the Exchange return path must pass
# through the active HAProxy node for this to work (NOTE(review): verify).
source 0.0.0.0 usesrc clientip
# 15s health check on the OAB healthcheck page, HTTP 200 required.
option httpchk GET /oab/healthcheck.htm
http-check expect status 200
option log-health-checks
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
# Catch-all pool for requests that match none of the frontend ACLs.
# NOTE(review): unlike the other pools this one has no 'option httpchk', so
# 'check' here is a bare TCP/TLS connect test - a server whose IIS is up but
# unhealthy still receives traffic. Consider giving it the same HTTP check.
backend be_ex2016
mode http
balance roundrobin
# Real client IP as connection source - the Exchange return path must pass
# through the active HAProxy node for this to work (NOTE(review): verify).
source 0.0.0.0 usesrc clientip
server vm-ex2016-01 192.168.5.181:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
server vm-ex2016-02 192.168.5.182:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt
# Inbound SMTP, passed through at layer 4 so Exchange sees the real sender IP
# on its receive connector.
listen smtp
mode tcp
# NOTE(review): bound to this node's own IP rather than the VIP, so SMTP does
# not fail over with keepalived and this line must differ per node.
bind 192.168.5.206:25 transparent
# Same return-path requirement as the HTTP pools: replies to the client IP
# must come back via the active HAProxy node (NOTE(review): verify).
source 0.0.0.0 usesrc clientip
# TCP-level log format; 'option httplog' from defaults does not apply here.
option tcplog
balance roundrobin
# Health check: open the session and send EHLO with this hostname.
option smtpchk EHLO mail.mydomain.net
server vm-ex2016-01 192.168.5.181:25 check
server vm-ex2016-02 192.168.5.182:25 check