NAT for transparent Solved

  • Hi,
    I was wondering if someone could assist me on the issue im having, currently have HAproxy with the checkbox transparent and it works but the issue is that internally i cannot access my website because the client contacts the firewall directly which therefore it does not know how to map it. So then i thought about the NAT on hybrid mode but could not get it working. this is what i tried so far (see picture) the is my website


    Thank you

  • @killmasta93
    Im thinking that maybe you should not use nat for this, but tell haproxy the client-ip to use? when the source is the local lan.?. Adding nat rules might not fly properly with the ipfw rules that are needed to capture reply traffic..

    Something like this in the backend advanced pass tru setting perhaps?:

    http-request set-src str( if { src }

  • Thanks for the reply, i also forgot to mention i have

    Server Name Indication TLS extension matches:

    i tried

    http-request set-src str( if { src }

    but dont think it would work because im using TLS instead of http

  • @killmasta93
    Perhaps try the 'tcp' variant then?:

    tcp-request connection set-src str( if { src }

    I think the above might work.. looking at the haproxy documentation.. connection

  • Thanks for the reply so after putting

    tcp-request connection set-src str( if { src }

    im getting this

    Errors found while starting haproxy
    [ALERT] 241/183319 (37674) : parsing [/var/etc/haproxy_test/haproxy.cfg:65] : tcp-request connection is not allowed because backend Backend1_https_ipv4 is not a frontend
    [ALERT] 241/183319 (37674) : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
    [ALERT] 241/183319 (37674) : Fatal errors found in configuration

    this is my config

    # Automaticaly generated, dont edit manually.
    # Generated on: 2018-08-30 18:35
    	maxconn			500
    	stats socket /tmp/haproxy.socket level admin
    	gid			80
    	nbproc			1
    	chroot			/tmp/haproxy_chroot
    	server-state-file /tmp/haproxy_server_state
    listen HAProxyLocalStats
    	bind name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    frontend SharedFrontend-merged
    	bind			200.116.xx.xx:443 name 200.116.xx.xx:443   
    	mode			tcp
    	log			global
    	timeout client		30000
    	tcp-request inspect-delay	5s
    	acl			cloud	req.ssl_sni -i
    	acl			web	req.ssl_sni -i
    	acl			mail	req.ssl_sni -i
    	tcp-request content accept if { req.ssl_hello_type 1 }
    	use_backend Backend2_https_ipvANY  if  cloud 
    	use_backend Backend1_https_ipv4  if  web 
    	use_backend Backend3_https_ipvANY  if  mail 
    frontend HTTP
    	bind			200.116.1xx.xx:80 name 200.116.xx.xx:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	acl			cloud	hdr(host) -i
    	acl			web	hdr(host) -i
    	acl			web2	hdr_beg(host) -i www
    	http-request redirect scheme https  if  cloud 
    	http-request redirect scheme https  if  web 
    	http-request redirect prefix  if  web2 
    backend Backend2_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			cloud check inter 1000  
    backend Backend1_https_ipv4
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	server			website check inter 1000  
    backend Backend3_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			mail check inter 1000

    i have a shared frontend then the 3 sites which share it

    1_1535672234546_Clipboarder.2018.08.30-005.png 0_1535672234546_Clipboarder.2018.08.30-004.png

    Thank you

  • @killmasta93
    So when you read a backend is not a frontend, have you tried putting the setting in the frontend instead.?

  • Thanks that did the trick on the shared frontend had to add that and on the redirect to HTTPS sections Thank you so much

Log in to reply