Netgate Discussion Forum

NAT for transparent (Solved)

Category: NAT. 7 posts, 2 posters, 1.2k views.
killmasta93:

      Hi,
I was wondering if someone could assist me with the issue I'm having. Currently I have HAProxy with the transparent checkbox enabled and it works, but the issue is that internally I cannot access my website, because the client contacts the firewall directly, which therefore does not know how to map it. So then I thought about NAT in hybrid mode but could not get it working. This is what I tried so far (see picture); 192.168.3.130 is my website.

(attached screenshot: Clipboarder.2018.08.17.png)

      Thank you

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

PiBa @killmasta93:

        @killmasta93
I'm thinking that maybe you should not use NAT for this, but tell HAProxy the client IP to use when the source is the local LAN? Adding NAT rules might not fly properly with the ipfw rules that are needed to capture reply traffic.

Something like this in the backend "advanced pass thru" setting, perhaps?

        http-request set-src str(192.168.1.1) if { src 192.168.1.0/24 }
        
killmasta93:

Thanks for the reply. I also forgot to mention I have

          Server Name Indication TLS extension matches:
          

I tried

          http-request set-src str(192.168.3.254) if { src 192.168.3.0/24 }
          

but I don't think it would work, because I'm using TLS instead of HTTP.


PiBa @killmasta93:

            @killmasta93
            Perhaps try the 'tcp' variant then?:

            tcp-request connection set-src str(192.168.3.254) if { src 192.168.3.0/24 }
            

I think the above might work, looking at the HAProxy documentation:
            http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#4.2-tcp-request%20connection

killmasta93:

Thanks for the reply. So after putting

              tcp-request connection set-src str(192.168.3.254) if { src 192.168.3.0/24 }
              

I'm getting this:

              Errors found while starting haproxy
              [ALERT] 241/183319 (37674) : parsing [/var/etc/haproxy_test/haproxy.cfg:65] : tcp-request connection is not allowed because backend Backend1_https_ipv4 is not a frontend
              [ALERT] 241/183319 (37674) : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
              [ALERT] 241/183319 (37674) : Fatal errors found in configuration
              

This is my config:

              # Automaticaly generated, dont edit manually.
              # Generated on: 2018-08-30 18:35
              global
              	maxconn			500
              	stats socket /tmp/haproxy.socket level admin
              	gid			80
              	nbproc			1
              	chroot			/tmp/haproxy_chroot
              	daemon
              	server-state-file /tmp/haproxy_server_state
              
              listen HAProxyLocalStats
              	bind 127.0.0.1:2200 name localstats
              	mode http
              	stats enable
              	stats admin if TRUE
              	stats uri /haproxy/haproxy_stats.php?haproxystats=1
              	timeout client 5000
              	timeout connect 5000
              	timeout server 5000
              
              frontend SharedFrontend-merged
              	bind			200.116.xx.xx:443 name 200.116.xx.xx:443   
              	mode			tcp
              	log			global
              	timeout client		30000
              	tcp-request inspect-delay	5s
              	acl			cloud	req.ssl_sni -i cloud.mydomain.com
              	acl			web	req.ssl_sni -i mydomain.com
              	acl			mail	req.ssl_sni -i mail.mydomain.com
              	tcp-request content accept if { req.ssl_hello_type 1 }
              
              	use_backend Backend2_https_ipvANY  if  cloud 
              	use_backend Backend1_https_ipv4  if  web 
              	use_backend Backend3_https_ipvANY  if  mail 
              
              frontend HTTP
              	bind			200.116.1xx.xx:80 name 200.116.xx.xx:80   
              	mode			http
              	log			global
              	option			http-keep-alive
              	timeout client		30000
              	acl			cloud	hdr(host) -i cloud.mydomain.com
              	acl			web	hdr(host) -i tirescue.com
              	acl			web2	hdr_beg(host) -i www
              	http-request redirect scheme https  if  cloud 
              	http-request redirect scheme https  if  web 
              	http-request redirect prefix https://mydomain.com  if  web2 
              
              backend Backend2_https_ipvANY
              	mode			tcp
              	log			global
              	timeout connect		30000
              	timeout server		30000
              	retries			3
              	server			cloud 192.168.3.200:443 check inter 1000  
              
              backend Backend1_https_ipv4
              	mode			tcp
              	log			global
              	timeout connect		30000
              	timeout server		30000
              	retries			3
              	source ipv4@ usesrc clientip
              	server			website 192.168.3.130:443 check inter 1000  
              
              backend Backend3_https_ipvANY
              	mode			tcp
              	log			global
              	timeout connect		30000
              	timeout server		30000
              	retries			3
              	server			mail 192.168.3.150:443 check inter 1000
              

I have a shared frontend, then the 3 sites which share it.

(attached screenshots: Clipboarder.2018.08.30-005.png, Clipboarder.2018.08.30-004.png)

              Thank you


PiBa @killmasta93:

                @killmasta93
So when you read "a backend is not a frontend", have you tried putting the setting in the frontend instead?

killmasta93:

Thanks, that did the trick. On the shared frontend I had to add that, and also on the redirect-to-HTTPS sections. Thank you so much.

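As an added example (not the thread's own generated config, and not part of the pfSense HAProxy package), here is the layout the thread converges on: the `tcp-request connection set-src` rule is a frontend-only rule and lives in the shared TCP frontend, while the transparent `source ... usesrc clientip` setting stays in the backend. The listener address, `mydomain.com` and the LAN gateway 192.168.3.254 are the thread's own placeholders; reducing it to a single backend, the rule ordering and the `0.0.0.0` form of the `source` line are my assumptions.

```haproxy
# Added example, not the generated /var/etc/haproxy_test/haproxy.cfg from the thread.

frontend SharedFrontend-merged
	bind 200.116.xx.xx:443 name shared-https
	mode tcp
	log global
	timeout client 30000
	# Connection-level rule: evaluated when the TCP connection is accepted,
	# before any TLS ClientHello/SNI inspection, so it is fine in "mode tcp".
	# Clients on the LAN have their source rewritten to the firewall's LAN
	# address, so the backend's replies go back through the firewall instead
	# of straight to the LAN client (the asymmetric path that broke internal
	# access). This rule is rejected inside a "backend" section, which is the
	# "is not a frontend" error seen in the thread.
	tcp-request connection set-src str(192.168.3.254) if { src 192.168.3.0/24 }
	# SNI routing, unchanged from the thread's layout.
	tcp-request inspect-delay 5s
	acl web req.ssl_sni -i mydomain.com
	tcp-request content accept if { req.ssl_hello_type 1 }
	use_backend Backend1_https_ipv4 if web

backend Backend1_https_ipv4
	mode tcp
	log global
	timeout connect 30000
	timeout server 30000
	retries 3
	# Transparent mode: open the server connection using the client's source
	# address as HAProxy now sees it. External clients keep their real IP;
	# LAN clients arrive at the web server as 192.168.3.254.
	source 0.0.0.0 usesrc clientip
	server website 192.168.3.130:443 check inter 1000
```

One consequence worth keeping in mind: after this change the web server at 192.168.3.130 can no longer tell LAN clients apart, since they all appear as 192.168.3.254 in its access logs and in any source-based access rules it applies. Internet-facing clients are unaffected and are still logged with their real address.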

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.