So, here is my setup:
Haproxy 1
Interface with IP 192.168.1.2 for incoming traffic
Interface with IP 192.168.1.4 for outgoing traffic
Haproxy 2
Interface with IP 192.168.1.3 for incoming traffic
Interface with IP 192.168.1.5 for outgoing traffic
I’m having a PFsense box that is the default gateway. It forwards packets (NAT) to the haproxy machine.
I’m doing HTTPS termination and re-encryption (that’s why I have two HAProxy machines running). Between Proxy 1 outgoing and Proxy 2 incoming (and vice versa), the traffic is unencrypted so I can mirror this to a machine performing full packet capture. When I look into this traffic, the source and destination will always be 192.168.1.4 and 192.168.1.3, obviously. I had this set up with forwardfor, but because I’m NAT forwarding it via a Pfsense firewall to my proxy, the X-Forwarded-For will see the firewall’s IP only. However, I would like to see the real client’s IP.
So, that’s how I found this blog/tutorial: Transparent Proxying & Binding with HAProxy & ALOHA Load Balancer
But, I don’t get a part of that. How do I, without configuring something on the clients machine, that the traffic is forwarded to the first proxy from the client and the response from the server back to the client goes via HAproxy. If I bind my HAproxy frontend/listener to a non-existing address (nonlocal bind), how does the traffic get there? Especially this part:
This is where transparent binding comes in: HAProxy can be configured to catch traffic on the fly even if the destination IP address is not configured on the server.
These IP addresses will never be pingable, but they’ll deliver the services configured in HAProxy
What does this mean?
Also, what does this configuration snippet say:
[…]
frontend ft_application
bind 1.1.1.1:80 transparent
[…]
Whats 1.1.1.1? Does 1.1.1.1:80 represent a physical IP address or is this an IP like 0.0.0.0 (anywhere) and thus related to nonlocalbind?