If you configure HAProxy by default, the backends will receive the IP address of the HAProxy as incoming IP address.
Some applications (or people) don’t want that.
It is possible to configure haproxy as transparent proxy, so that the IP of the client is being used.
First of all you need to ensure that you have a Linux kernel with the netfilter_tproxy module enabled.
If you use for example Centos 7, which will be used in in this example, that will be the case already.
If you use another disitribution or older version, ensure that netfilter_tproxy kernel module is available.
1)
Ensure that you enabled forwarding and nonlocal bind in the sysctl.conf:
# echo 1 > /proc/sys/net/ipv4/ip_forward # echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
You can save that in /etc/sysctl.conf for future usage. (after reboot)
2)
Iptables rules need to be configured:
iptables -t mangle -N DIVERT iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT
3)
IP rules
#ip rule add fwmark 1 lookup 100 #ip route add local 0.0.0.0/0 dev lo table 100
4)
HAProxy configuration can be done by adding ‘transparent’ to the bind option.
frontend application bind 192.168.1.1:80 transparent mode tcp
