authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:18:05 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:18:05 +0000
commitb46aad6df449445a9fc4aa7b32bd40005438e3f7 (patch)
tree751aa858ca01f35de800164516b298887382919d /examples/transparent_proxy.cfg
parentInitial commit. (diff)
Adding upstream version 2.9.5.upstream/2.9.5
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'examples/transparent_proxy.cfg')
-rw-r--r--examples/transparent_proxy.cfg55
1 files changed, 55 insertions, 0 deletions
diff --git a/examples/transparent_proxy.cfg b/examples/transparent_proxy.cfg
new file mode 100644
index 0000000..a8cf6d9
--- /dev/null
+++ b/examples/transparent_proxy.cfg
@@ -0,0 +1,55 @@
+#
+# This is an example of how to configure HAProxy to be used as a 'full transparent proxy' for a single backend server.
+#
+# Note that to actually make this work extra firewall/nat rules are required.
+# Also HAProxy needs to be compiled with support for this, in HAProxy1.5-dev19 you can check if this is the case with "haproxy -vv".
+#
+
+global
+defaults
+ timeout client 30s
+ timeout server 30s
+ timeout connect 30s
+
+frontend MyFrontend
+ bind 192.168.1.22:80
+ default_backend TransparentBack_http
+
+backend TransparentBack_http
+ mode http
+ source 0.0.0.0 usesrc client
+ server MyWebServer 192.168.0.40:80
+
+#
+# To create the the nat rules perform the following:
+#
+# ### (FreeBSD 8) ###
+# --- Step 1 ---
+# ipfw is needed to get 'reply traffic' back to the HAProxy process, this can be achieved by configuring a rule like this:
+# fwd localhost tcp from 192.168.0.40 80 to any in recv em0
+#
+# The following would be even better but this did not seam to work on the pfSense2.1 distribution of FreeBSD 8.3:
+# fwd 127.0.0.1:80 tcp from any 80 to any in recv ${outside_iface} uid ${proxy_uid}
+#
+# If only 'pf' is currently used some additional steps are needed to load and configure ipfw:
+# You need to configure this to always run on startup:
+#
+# /sbin/kldload ipfw
+# /sbin/sysctl net.inet.ip.pfil.inbound="pf" net.inet6.ip6.pfil.inbound="pf" net.inet.ip.pfil.outbound="pf" net.inet6.ip6.pfil.outbound="pf"
+# /sbin/sysctl net.link.ether.ipfw=1
+# ipfw add 10 fwd localhost tcp from 192.168.0.40 80 to any in recv em0
+#
+# the above does the following:
+# - load the ipfw kernel module
+# - set pf as the outer firewall to keep control of routing packets for example to route them to a non-default gateway
+# - enable ipfw
+# - set a rule to catches reply traffic on em0 coming from the webserver
+#
+# --- Step 2 ---
+# To also make the client connection transparent its possible to redirect incoming requests to HAProxy with a pf rule:
+# rdr on em1 proto tcp from any to 192.168.0.40 port 80 -> 192.168.1.22
+# here em1 is the interface that faces the clients, and traffic that is originally send straight to the webserver is redirected to HAProxy
+#
+# ### (FreeBSD 9) (OpenBSD 4.4) ###
+# pf supports "divert-reply" which is probably better suited for the job above then ipfw..
+#
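Review bot: The `global` section at line 32 is empty, yet the backend's `source 0.0.0.0 usesrc client` at line 44 is the directive that forces the process to keep elevated network privileges (root or the equivalent capability, as the `usesrc` documentation states), so the example shows the privileged setup without the usual privilege-drop directives that every other example carries. A reader copying this will run the whole proxy as root for the lifetime of the process; adding `user haproxy`, `group haproxy` and `chroot /var/empty` under `global`, with a comment that `usesrc` still needs the network capability to be granted at startup, would make the example safe to copy. The header comment at line 29 still refers to checking `haproxy -vv` on "HAProxy1.5-dev19", which is stale for a file shipped as 2.9.5 and could be replaced by `# check "haproxy -vv" for TPROXY support in the build options`. The `bind 192.168.1.22:80` at line 39 is an unencrypted listener, which is fine for a transparent-proxy example but deserves a one-line comment saying this example deliberately handles plain HTTP only.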