#
# This is an example of how to configure HAProxy to be used as a 'full transparent proxy' for a single backend server.
#
# Note that to actually make this work, extra firewall/NAT rules are required.
# HAProxy also needs to be compiled with support for this; in HAProxy 1.5-dev19 you can check whether this is the case with "haproxy -vv".
#

global
defaults
 timeout client 30s
 timeout server 30s
 timeout connect 30s

frontend MyFrontend
 bind 192.168.1.22:80
 default_backend TransparentBack_http

backend TransparentBack_http
 mode http
 source 0.0.0.0 usesrc client
 server MyWebServer 192.168.0.40:80

#
# To create the NAT rules, perform the following:
#
# ### (FreeBSD 8) ###
# --- Step 1 ---
# ipfw is needed to get 'reply traffic' back to the HAProxy process; this can be achieved by configuring a rule like this:
# fwd localhost tcp from 192.168.0.40 80 to any in recv em0
#
# The following would be even better, but this did not seem to work on the pfSense 2.1 distribution of FreeBSD 8.3:
# fwd 127.0.0.1:80 tcp from any 80 to any in recv ${outside_iface} uid ${proxy_uid}
#
# If only 'pf' is currently used, some additional steps are needed to load and configure ipfw.
# You need to configure this to always run on startup:
#
# /sbin/kldload ipfw
# /sbin/sysctl net.inet.ip.pfil.inbound="pf" net.inet6.ip6.pfil.inbound="pf" net.inet.ip.pfil.outbound="pf" net.inet6.ip6.pfil.outbound="pf"
# /sbin/sysctl net.link.ether.ipfw=1
# ipfw add 10 fwd localhost tcp from 192.168.0.40 80 to any in recv em0
#
# The above does the following:
# - load the ipfw kernel module
# - set pf as the outer firewall to keep control of routing packets, for example to route them to a non-default gateway
# - enable ipfw
# - set a rule that catches reply traffic on em0 coming from the webserver
#
# --- Step 2 ---
# To also make the client connection transparent, it is possible to redirect incoming requests to HAProxy with a pf rule:
# rdr on em1 proto tcp from any to 192.168.0.40 port 80 -> 192.168.1.22
# Here em1 is the interface that faces the clients, and traffic that is originally sent straight to the webserver is redirected to HAProxy.
#
# ### (FreeBSD 9) (OpenBSD 4.4) ###
# pf supports "divert-reply", which is probably better suited for the job above than ipfw.
#
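The comments above say to confirm transparent-proxy support with "haproxy -vv" and to make the Step 1 ipfw rule permanent, but do not say what to look for. The following script is an added example, not part of HAProxy's transparent_proxy.cfg: it checks both prerequisites and applies the Step 1 commands only when they are missing. It assumes that "haproxy -vv" prints a line beginning "Built with transparent proxy support" when compiled with USE_TPROXY, that "ipfw list" prints rules as "NNNNN fwd <addr> tcp from ...", and that kldstat supports "-q -m"; the sample outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for the HAProxy transparent proxy config above (not from the HAProxy project).

# tproxy_supported: reads 'haproxy -vv' output on stdin, prints yes or no.
# Assumption: a build with USE_TPROXY prints "Built with transparent proxy support using: ...".
tproxy_supported() {
    if grep -q '^Built with transparent proxy support'; then echo yes; else echo no; fi
}

# fwd_rule_present WEBSERVER PORT IFACE: reads 'ipfw list' output on stdin and prints yes
# if the Step 1 rule (reply traffic from the webserver forwarded to localhost) is loaded.
# Assumption: ipfw lists the target as either "localhost" or "127.0.0.1[:port]".
fwd_rule_present() {
    if grep -Eq "fwd (localhost|127\.0\.0\.1)(:[0-9]+)? tcp from $1 $2 to any in recv $3( |\$)"; then
        echo yes
    else
        echo no
    fi
}

# apply_freebsd8_rules WEBSERVER PORT OUTSIDE_IFACE: the Step 1 commands from the comments,
# guarded so the module is not reloaded and the rule is not added twice. Needs root; not run by default.
apply_freebsd8_rules() {
    kldstat -q -m ipfw || /sbin/kldload ipfw
    /sbin/sysctl net.inet.ip.pfil.inbound="pf" net.inet6.ip6.pfil.inbound="pf" \
                 net.inet.ip.pfil.outbound="pf" net.inet6.ip6.pfil.outbound="pf"
    /sbin/sysctl net.link.ether.ipfw=1
    if [ "$(ipfw list | fwd_rule_present "$1" "$2" "$3")" = no ]; then
        ipfw add 10 fwd localhost tcp from "$1" "$2" to any in recv "$3"
    fi
}

# Constructed sample outputs so the checks can be exercised offline.
SAMPLE_VV='HA-Proxy version 1.5-dev19
Build options :
  OPTIONS = USE_TPROXY=1
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY'
SAMPLE_IPFW='00010 fwd 127.0.0.1 tcp from 192.168.0.40 80 to any in recv em0
65535 allow ip from any to any'

printf '%s\n' "$SAMPLE_VV" | tproxy_supported                        # yes
printf '%s\n' "$SAMPLE_IPFW" | fwd_rule_present 192.168.0.40 80 em0  # yes

# On a real FreeBSD 8 host: haproxy -vv | tproxy_supported, then ./script.sh --apply
if [ "${1:-}" = --apply ]; then
    apply_freebsd8_rules 192.168.0.40 80 em0
fi
```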