Hi,
I've found the haproxy transparent proxying tutorials (most based directly on http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/) lacking one weird trick.
With one additional step you can do it without destroying the global default gateway on the backend. Here's what you do:
1. Get an additional IP $BK_IP intended for proxied services (this is a really good idea anyway: your VM is called vminfraXX.example.com, and your backends are at svc-bk-XX.example.com, with different IPs)
2. Make a new routing table and route connections on the backend via that IP:
echo "101 proxytraffic" | sudo tee -a /etc/iproute2/rt_tables
sudo ip rule add from $BK_IP table proxytraffic
sudo ip route add default via $FT_IP table proxytraffic
What this does is create a new routing table called proxytraffic, make all packets coming from the backend IP use that routing table, and set the default gateway on that routing table to your frontend (where haproxy runs in transparent proxy mode as described in the blog post).
If you cannot get an extra IP (I get it, IPv4 addresses are expensive these days), you can still force the packets to use the special routing table using iptables. This is explained here: http://serverfault.com/a/225295
Might it be possible to add this to the ol' blogpost?
Best,
Luke
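A script that applies the steps from the comment above idempotently, added here as an example; it is not code from the comment or from the linked blog post. It assumes table id 101 and the table name proxytraffic from the comment, a rule priority of 1000, and, for the iptables variant from the linked serverfault answer, fwmark 0x1 with the proxied service listening on TCP port 80. The commands must run as root; DRY_RUN=1 prints them instead of executing them.

```shell
#!/usr/bin/env bash
# Policy routing for a transparent-proxy backend: replies sourced from $BK_IP
# go back through the haproxy host $FT_IP, while the main table's default
# gateway stays as it is. Added example; assumed constants below.
set -eu

RT_ID=101                 # assumed free table id
RT_NAME=proxytraffic      # table name from the comment
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1: print commands instead of running them

# Execute one command line, or only print it under DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else sh -c "$*"; fi
}

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
validate_ipv4() {
  local ip=$1 oct
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for oct in "$@"; do
    [ "$oct" -le 255 ] || return 1
  done
  return 0
}

# rt_tables is a plain "id name" file; append the entry only once.
rt_table_cmd() {
  printf '%s\n' "grep -qE '^[[:space:]]*$RT_ID[[:space:]]+$RT_NAME\$' /etc/iproute2/rt_tables || echo '$RT_ID $RT_NAME' >> /etc/iproute2/rt_tables"
}

# Extra-IP variant: anything sourced from $BK_IP is looked up in the
# proxytraffic table, whose only route is a default via the haproxy host.
# "ip rule add" is not idempotent, so the rule is added only when missing;
# "ip route replace" is idempotent on its own.
route_cmds() {
  local bk_ip=$1 ft_ip=$2
  validate_ipv4 "$bk_ip" && validate_ipv4 "$ft_ip" || return 1
  rt_table_cmd
  printf '%s\n' \
    "ip rule show | grep -q 'from $bk_ip lookup $RT_NAME' || ip rule add from $bk_ip lookup $RT_NAME priority 1000" \
    "ip route replace default via $ft_ip table $RT_NAME"
}

# Single-IP variant (the serverfault approach): mark the service's reply
# packets by source port in the mangle OUTPUT chain and route on the mark.
# The mark must be written in hex (0x1) so the "ip rule show" check matches.
fwmark_cmds() {
  local port=$1 ft_ip=$2 mark=${3:-0x1}
  validate_ipv4 "$ft_ip" || return 1
  rt_table_cmd
  printf '%s\n' \
    "iptables -t mangle -C OUTPUT -p tcp --sport $port -j MARK --set-mark $mark 2>/dev/null || iptables -t mangle -A OUTPUT -p tcp --sport $port -j MARK --set-mark $mark" \
    "ip rule show | grep -q 'fwmark $mark lookup $RT_NAME' || ip rule add fwmark $mark lookup $RT_NAME priority 1001" \
    "ip route replace default via $ft_ip table $RT_NAME"
}

# Run every command line produced by route_cmds or fwmark_cmds.
apply_cmds() {
  while IFS= read -r cmd; do run "$cmd"; done
}

# Show which gateway the kernel picks for traffic sourced from a given
# address; only packets from $BK_IP should resolve via $FT_IP.
# 203.0.113.10 is a TEST-NET-3 placeholder destination.
verify_route() {
  ip route get 203.0.113.10 from "$1"
}

# Usage: BK_IP=10.0.0.5 FT_IP=10.0.0.1 ./proxyroute.sh   (DRY_RUN=1 to preview)
if [ "${BK_IP:-}" ] && [ "${FT_IP:-}" ]; then
  route_cmds "$BK_IP" "$FT_IP" | apply_cmds
  [ "$DRY_RUN" = 1 ] || verify_route "$BK_IP"
fi
```

After applying, compare `verify_route "$BK_IP"` with `verify_route` on the host's own address: only the first should say `via $FT_IP`. One caveat for the fwmark variant: incoming client packets carry no mark, so if the haproxy host is reached through a different interface than the default gateway, strict reverse-path filtering (rp_filter=1) on that interface will drop them; setting rp_filter=2 (loose) on that interface is the usual fix.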