Haproxy gateway settings - client and server are on the same subnetwork
I'm trying to setup a haproxy gateway between server and client for full transparent proxy like below diagram. My main aim is to provide load balancing.
There is a simple application that listens port 25 in the server side. The client tries to connect port 25 on the gateway machine, and haproxy on the gateway chooses an avaliable server then redirects the connection to the server.
Network analysis of this approach produces tcp flow like diagram: The client resets the connection at the end since it doesn't send a syn packet to the server.
Is this haproxy usage true and my problem related configuation? Or should the client connect to the server directly (This doesn't make much sense to me but I'm not sure actually. If this is true then how haproxy will intervene the connection and make load balancing)?
EDIT:
I've started to think this problem is related to routing and NAT on the gateway. All of these three machines are in same subnetwork but I've added routes to the gateway for both client and server. Also rules on the gateway are:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j TPROXY \
--tproxy-mark 0x1/0x1 --on-port 10025
ip route flush table 100
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Now the question is what should I do in the gateway to change "syn-ack (src: S, dst: C)" to "syn-ack (src: GW, dst: C)"?
Here is the definition of my situation.
Here comes the transparent proxy mode: HAProxy can be configured to spoof the client IP address when establishing the TCP connection to the server. That way, the server thinks the connection comes from the client directly (of course, the server must answer back to HAProxy and not to the client, otherwise it can’t work: the client will get an acknowledge from the server IP while it has established the connection on HAProxy‘s IP).
And the answer is to set ip_nonlocal_bind system control.
- How to get visitors remote IP behind a load balancer and Cloudflare and have the remote IP also available to Apache
- Load balancer on Nginx give 502 Bad Gateway
- Optimizing solution for "Simple Load Balancing" problem on Codingame
- Load balancing with layer 7 or layer 4
- What is the difference between the internal and External load balancer in AWS?
- ERROR 2013 (HY000): Lost connection to MySQL server at 'reading authorization packet', system error: 0
- You may not specify a referenced group id for an existing IPv4 CIDR rule. prompt when editing the Inbound rule in AWS Security Group
- GCP - HTTP(S) Load Balancer L7 Backend Bucket Issue
- Npgsql uneven load balancing during round-robin
- 504 Gateway Timeout - Two EC2 instances with load balancer
- GCP Global load balancer health checks fail for k8s cluster autoscaling group
- Umbraco Examine File Locking Azure App Service
- Amazon Cognito with NLB
- Least Connection Load balancing using Grpc
- Network load balancer security group doesn't seem to work to restrict access to only another security group
- How to enable max connection to be allowed on TCP Google cloud Load balancer to backend Instances
- How can I create a custom load balancer?
- Setting up LoadBlancer for direct access to SQL Server with Minikube
- Elastic Beanstalk without Elastic Load Balancer
- Google Compute Engine load balancing keep session
- What is pass-through load balancer? How is it different from proxy load balancer?
- While Adding GCP managed certificate to Application load balancer ingress only shows port 80
- Removing prefixes for NEG paths in GCP Load Balancer
- Is there any logs for cloud run container from idle to shutting/stopped?
- Why my nginx handles requests sequentially and not in parallel?
- Can I use AWS API Gateway instead of an application load balancer?
- Apache proxy load balancing backend server failure detection
- Service-to-Service Communication in Kubernetes
- AWS : How to troubleshoot unhealthy registered target in target group
- How to configure google load balancer to route to cloud run service using url mask but strip service from url