If you configure HAProxy by default, the backends will receive the IP address of the HAProxy as incoming IP address.
Some applications (or people) don't want that.
It is possible to configure haproxy as transparent proxy, so that the IP of the client is being used.
First of all you need to ensure that you have a Linux kernel with the netfilter_tproxy module enabled.
If you use for example Centos 7, which will be used in in this example, that will be the case already.
If you use another disitribution or older version, ensure that netfilter_tproxy kernel module is available.


Ensure that you enabled forwarding and nonlocal bind in the sysctl.conf:

# echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind

You can save that in /etc/sysctl.conf for future usage. (after reboot)



Iptables rules need to be configured:

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT



IP rules

#ip rule add fwmark 1 lookup 100
#ip route add local dev lo table 100




HAProxy configuration can be done by adding 'transparent' to the bind option.


frontend application
          bind transparent
          mode tcp



Pin It

Who is Online

We have 248 guests and no members online