bschelst/ August 4, 2017/ Linux/ 0 comments

With a default HAProxy configuration, the backends see the IP address of the HAProxy host as the source address of incoming connections.
Some applications (or people) don’t want that.
HAProxy can be configured as a transparent proxy, so that the client’s IP address is used instead.
First of all you need to ensure that your Linux kernel has the netfilter_tproxy module enabled.
If you use for example CentOS 7, which is used in this example, that is already the case.
If you use another distribution or an older version, make sure the netfilter_tproxy kernel module is available.


Ensure that forwarding and nonlocal bind are enabled:

# echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind

To keep these settings after a reboot, add them to /etc/sysctl.conf as well.


The iptables rules need to be configured:

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT


IP rule and routing table (marked packets are looked up in table 100, which delivers everything locally):

# ip rule add fwmark 1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100


In the HAProxy configuration, add ‘transparent’ to the bind option:

frontend application
    bind *:80 transparent   # listening address and port are example values
    mode tcp
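As an added example (not code from the original post), the steps above gathered into one idempotent shell helper: apply_tproxy sets the sysctl flags, the DIVERT chain and the policy route with the post’s mark 1 / table 100, verify_tproxy reports what is missing on a host, and gen_haproxy_cfg renders the config. It goes beyond the post by also putting ‘source 0.0.0.0 usesrc clientip’ on the backend, which is the directive that actually makes HAProxy open the backend connection with the client’s address as source; the listen and backend addresses passed to gen_haproxy_cfg are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify the TPROXY
# setup described above. Mark 1 and table 100 are the post's values; the
# listen/backend addresses passed to gen_haproxy_cfg are assumptions.
set -u
FWMARK=1
TABLE=100
# 0 if the sysctl file at $1 holds "1" (path parameter, so it also works on test files)
sysctl_enabled() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# HAProxy config: 'transparent' on bind (as in the post) plus 'source
# 0.0.0.0 usesrc clientip' on the backend, which makes HAProxy open the
# backend connection with the client's address as source.
gen_haproxy_cfg() {   # $1 = listen addr:port, $2 = backend addr:port
    printf 'frontend application\n    bind %s transparent\n    mode tcp\n' "$1"
    printf '    default_backend app_servers\n\nbackend app_servers\n    mode tcp\n'
    printf '    source 0.0.0.0 usesrc clientip\n    server app1 %s check\n' "$2"
}

# Append a mangle rule only if it is not present yet (-C = check)
ensure_rule() {   # $1 = chain, rest = rule spec
    chain=$1; shift
    iptables -t mangle -C "$chain" "$@" 2>/dev/null || iptables -t mangle -A "$chain" "$@"
}

apply_tproxy() {   # run as root
    sysctl -w net.ipv4.ip_forward=1 net.ipv4.ip_nonlocal_bind=1 >/dev/null
    iptables -t mangle -N DIVERT 2>/dev/null || true
    ensure_rule PREROUTING -p tcp -m socket -j DIVERT
    ensure_rule DIVERT -j MARK --set-mark "$FWMARK"
    ensure_rule DIVERT -j ACCEPT
    ip rule show | grep -q "fwmark 0x$FWMARK lookup $TABLE" \
        || ip rule add fwmark "$FWMARK" lookup "$TABLE"
    ip route show table "$TABLE" | grep -q '^local default' \
        || ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}
# Report missing prerequisites; non-zero exit if anything is absent
verify_tproxy() {
    rc=0
    for f in ip_forward ip_nonlocal_bind; do
        sysctl_enabled "/proc/sys/net/ipv4/$f" || { echo "MISSING: $f=1"; rc=1; }
    done
    iptables -t mangle -C PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null \
        || { echo "MISSING: mangle PREROUTING -m socket -j DIVERT"; rc=1; }
    ip route show table "$TABLE" | grep -q '^local default' \
        || { echo "MISSING: local route in table $TABLE"; rc=1; }
    return "$rc"
}
```

Backend servers must route their replies back through the HAProxy host (for example by using it as their default gateway), otherwise the answers addressed to the client go around the proxy and the connection never completes. Validate the rendered file with `haproxy -c -f <file>` before reloading.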