I. Background
The company recently built a highly available mail system on Exchange. Load balancing of the front-end CAS servers was initially done with Microsoft NLB, but during deployment NLB generated a large volume of broadcast traffic on the network and caused serious packet loss. We therefore replaced NLB with HAProxy for CAS load balancing, which introduced a new problem: once users reach the mail system through HAProxy, the source address the mail servers see is always the HAProxy address. IP-based spam filtering can no longer work, and the real client IP addresses cannot be logged. Searching for a solution turned up two options: a hardware load balancer, which can act as a transparent proxy so the back-end mail servers see the real client IP, or HAProxy's own transparent proxy mode. The rest of this article describes deploying HAProxy's transparent proxy.
II. Experiment topology
(Figure: haproxy.jpg, experiment topology; image at http://s3.51cto.com/wyfs02/M00/4D/3A/wKioL1RN8OHSVpI-AACrWcQn-14479.jpg)
III. Solution deployment
Configure HAProxy
#!/bin/bash
wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.25.tar.gz
tar zxvf haproxy-1.4.25.tar.gz
cd haproxy-1.4.25
yum install gcc gcc-c++ autoconf automake -y
# Key point: USE_LINUX_TPROXY=1 compiles in TPROXY support
make TARGET=linux2628 ARCH=x86_64 USE_LINUX_TPROXY=1
make install
mkdir /etc/haproxy
cp examples/haproxy.cfg /etc/haproxy
cp examples/haproxy.init /etc/init.d/haproxy
chmod +x /etc/init.d/haproxy
cp haproxy /usr/sbin/
Modify the configuration file /etc/haproxy/haproxy.cfg

global
    log 127.0.0.1 local0
    maxconn 409600
    chroot /usr/local/share
    # uid 501
    # gid 501
    daemon
    nbproc 1
    pidfile /usr/local/haproxy/logs/haproxy.pid
    # debug

defaults
    log global
    maxconn 100000
    contimeout 500000
    clitimeout 3600000
    srvtimeout 3600000
    option redispatch
    retries 6

frontend mail.domain.com
    mode http
    bind 0.0.0.0:80
    log global
    option tcplog
    redirect location https://mail.domain.com/owa

frontend owa_443
    mode tcp
    bind 0.0.0.0:443
    default_backend pool_443
    log global
    option tcplog

backend pool_443
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    source 0.0.0.0 usesrc clientip    # Key point: TPROXY requires this line.
    server cas01 10.130.170.130:443 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:443 check inter 5000 weight 1 rise 2 fall 3

frontend smtp_25
    mode tcp
    bind 0.0.0.0:25
    default_backend pool_smtp
    log global
    option tcplog

backend pool_smtp
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    source 0.0.0.0 usesrc clientip    # Key point: TPROXY requires this line.
    server cas01 10.130.170.130:25 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:25 check inter 5000 weight 1 rise 2 fall 3

frontend pop_995
    mode tcp
    bind 0.0.0.0:995
    default_backend pool_pop
    log global
    option tcplog

backend pool_pop
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    server cas01 10.130.170.130:995 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:995 check inter 5000 weight 1 rise 2 fall 3

frontend pop_993
    mode tcp
    bind 0.0.0.0:993
    default_backend pool_993
    log global
    option tcplog

backend pool_993
    balance source
    # option forwardfor
    # option originalto
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    server cas01 10.130.170.130:993 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:993 check inter 5000 weight 1 rise 2 fall 3

frontend pop_135
    mode tcp
    bind 0.0.0.0:135
    default_backend pool_135
    log global
    option tcplog

backend pool_135
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    server cas01 10.130.170.130:135 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:135 check inter 5000 weight 1 rise 2 fall 3

frontend pop_593
    mode tcp
    bind 0.0.0.0:593
    default_backend pool_593
    log global
    option tcplog

backend pool_593
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    server cas01 10.130.170.130:593 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:593 check inter 5000 weight 1 rise 2 fall 3

frontend pop_60001
    mode tcp
    bind 0.0.0.0:60001
    default_backend pool_60001
    log global
    option tcplog

backend pool_60001
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    # server names must be unique within a backend
    server cas01 10.130.170.130:60001 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:60001 check inter 5000 weight 1 rise 2 fall 3

frontend pop_55000
    mode tcp
    bind 0.0.0.0:55000
    default_backend pool_55000
    log global
    option tcplog

backend pool_55000
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    # server names must be unique within a backend
    server cas01 10.130.170.130:55000 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:55000 check inter 5000 weight 1 rise 2 fall 3

frontend vs_stats :8081
    mode http
    log global
    option httplog
    default_backend stats_backend

backend stats_backend
    mode http
    stats enable
    stats uri /stats
    stats auth admin:admin    # replace these default credentials before exposing the stats page
-
Because the Exchange RPC ports are dynamic, HAProxy needs fixed ports to forward to. I changed them to 60001 and 55000 by modifying the registry.
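In the configuration above only pool_443 and pool_smtp carry the "source 0.0.0.0 usesrc clientip" line, so only HTTPS and SMTP connections reach the CAS servers with the real client address; the other backends still present the HAProxy IP in Exchange logs. The following Python script, added here and not part of the original post, parses a config in this style and reports per backend which listening ports feed it, whether the client IP is preserved, and whether a server name is reused. SAMPLE_CFG is a constructed excerpt, not the post's full file.

```python
from collections import OrderedDict
# Constructed excerpt in the style of the post's haproxy.cfg; pool_pop repeats a server name on purpose.
SAMPLE_CFG = """frontend owa_443
    bind 0.0.0.0:443
    default_backend pool_443
backend pool_443
    source 0.0.0.0 usesrc clientip
    server cas01 10.130.170.130:443
    server cas02 10.130.170.131:443
frontend pop_995
    bind 0.0.0.0:995
    default_backend pool_pop
backend pool_pop
    server cas01 10.130.170.130:995
    server cas01 10.130.170.131:995
"""
def parse_cfg(text):
    """Map (kind, name) of each section to its bind addresses, default backend, usesrc flag and server names."""
    sections, cur = OrderedDict(), None
    for raw in text.splitlines():
        words = raw.split('#', 1)[0].split()                  # drop comments; skip blank lines
        if not words:
            continue
        if words[0] in ('global', 'defaults', 'frontend', 'backend', 'listen'):
            cur = sections.setdefault((words[0], words[1] if len(words) > 1 else ''),
                                      {'bind': [], 'backend': None, 'transparent': False, 'servers': []})
        elif cur is None:
            continue
        elif words[0] == 'bind':
            cur['bind'].append(words[1])
        elif words[0] == 'default_backend':
            cur['backend'] = words[1]
        elif words[0] == 'source' and 'usesrc' in words:      # the TPROXY line from the post
            cur['transparent'] = words[words.index('usesrc') + 1] == 'clientip'
        elif words[0] == 'server':
            cur['servers'].append(words[1])
    return sections

def audit(text):
    """One finding per backend (feeding ports, whether CAS sees the client IP) plus duplicate-name warnings."""
    sections, findings = parse_cfg(text), []
    for name, be in ((n, s) for (k, n), s in sections.items() if k == 'backend'):
        ports = [b.rsplit(':', 1)[-1] for (k, _), fe in sections.items()
                 if k == 'frontend' and fe['backend'] == name for b in fe['bind']]
        verdict = 'client IP preserved' if be['transparent'] else 'backend sees HAProxy IP'
        findings.append('%s (ports %s): %s' % (name, ','.join(ports) or 'none', verdict))
        dups = sorted({s for s in be['servers'] if be['servers'].count(s) > 1})
        if dups:
            findings.append('%s: duplicate server name(s) %s' % (name, ','.join(dups)))
    return findings
```

Run audit() over the real /etc/haproxy/haproxy.cfg to confirm that every service whose logs must carry the client IP is in a transparent backend.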
The commands for configuring TPROXY are as follows (vi iptables.sh):
#!/bin/bash
/sbin/iptables -F
# DIVERT chain in the mangle table: mark packets that belong to an existing local socket
/sbin/iptables -t mangle -N DIVERT
/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
/sbin/iptables -t mangle -A DIVERT -j ACCEPT
# policy routing: marked packets are looked up in table 100, which delivers everything locally
/sbin/ip rule add fwmark 1 lookup 100
/sbin/ip route add local 0.0.0.0/0 dev lo table 100
The script above works in the mangle table: packets arriving on the NIC that match an existing local socket (the -m socket match) are marked, and a policy-routing rule then sends the marked packets to the local loopback interface instead of forwarding them. This is what makes the return path work: the CAS servers reply to the client's real IP address, those replies pass through the HAProxy host because it is their gateway, and without the mark and the local route the host would simply forward them onward rather than hand them to HAProxy's socket.
-
chmod +x iptables.sh
./iptables.sh
Modify /etc/sysctl.conf
# the HAProxy host is the CAS servers' gateway, so it must forward traffic
net.ipv4.ip_forward = 1
# loose reverse-path filtering, disabled on eth0, so packets carrying client addresses are not dropped
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
-
At this point the TPROXY-based HAProxy transparent proxy is complete. For real high availability, HAProxy itself is still a single point of failure; keepalived addresses that but is not described here.
Then change the default gateway of the two CAS servers to the HAProxy IP address. The real IP addresses of spam senders are now visible in Exchange.
(Figure: exchange.png, Exchange now showing real client IP addresses; image at http://s3.51cto.com/wyfs02/M00/4D/3B/wKioL1RN-JOyEYRPAADGeqDOzqY466.jpg)
HAProxy implements a fully transparent Exchange proxy service