Haproxy implements fully transparent Exchange proxy service

Source: Internet
Author: User
Tags: haproxy


I. Background

The company recently used Exchange to build a highly available mail system. The front-end load balancer was Microsoft NLB, used to balance traffic across the CAS (Client Access) servers. Some problems showed up during implementation: NLB generates a large amount of broadcast traffic on the network, which caused serious packet loss. We therefore replaced NLB with Haproxy for CAS load balancing, but that introduced a problem of its own. The most obvious difference is that after users reach the mail system through Haproxy, the source address the mail servers see is always Haproxy's own address. IP-based spam filtering therefore cannot be applied, and the real client IP address cannot be recorded. After a lot of searching I found two solutions: a hardware load balancer, which can act as a transparent proxy so that the backend mail servers see the user's real IP address, or Haproxy's own transparent proxy mode. Below we describe the deployment of Haproxy's transparent proxy.

II. Experiment Topology

III. Solution Deployment

Configure Haproxy

1. Compile and install Haproxy; TPROXY support is enabled at build time:

#!/bin/bash
wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.25.tar.gz
tar zxvf haproxy-1.4.25.tar.gz
cd haproxy-1.4.25
yum install gcc-c++ autoconf automake -y
# USE_LINUX_TPROXY=1 is the key flag: it compiles in TPROXY support
make TARGET=linux2628 ARCH=x86_64 USE_LINUX_TPROXY=1
make install
mkdir /etc/haproxy
cp examples/haproxy.cfg /etc/haproxy
cp examples/haproxy.init /etc/init.d/haproxy
chmod +x /etc/init.d/haproxy
cp haproxy /usr/sbin/

2. Modify the configuration file /etc/haproxy/haproxy.cfg

global
    log 127.0.0.1 local0
    maxconn 409600
    chroot /usr/local/share
    # uid 501
    # gid 501
    daemon
    nbproc 1
    pidfile /usr/local/haproxy/logs/haproxy.pid
    # debug

defaults
    log global
    maxconn 100000
    contimeout 500000
    clitimeout 3600000
    srvtimeout 3600000
    option redispatch
    retries 6

frontend mail.domain.com
    mode http
    bind 0.0.0.0:80
    log global
    option tcplog
    redirect location https://mail.domain.com/owa

frontend owa_443
    mode tcp
    bind 0.0.0.0:443
    default_backend pool_443
    log global
    option tcplog

backend pool_443
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    # key line: TPROXY, connections to the CAS servers use the client's real source IP
    source 0.0.0.0 usesrc clientip
    server cas01 10.130.170.130:443 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:443 check inter 5000 weight 1 rise 2 fall 3

frontend smtp_25
    mode tcp
    bind 0.0.0.0:25
    default_backend pool_smtp
    log global
    option tcplog

backend pool_smtp
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    # key line: TPROXY, connections to the CAS servers use the client's real source IP
    source 0.0.0.0 usesrc clientip
    server cas01 10.130.170.130:25 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:25 check inter 5000 weight 1 rise 2 fall 3

frontend pop_995
    mode tcp
    bind 0.0.0.0:995
    default_backend pool_pop
    log global
    option tcplog

backend pool_pop
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    server cas01 10.130.170.130:995 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:995 check inter 5000 weight 1 rise 2 fall 3

frontend pop_993
    mode tcp
    bind 0.0.0.0:993
    default_backend pool_993
    log global
    option tcplog

backend pool_993
    balance source
    # option forwardfor
    # option originalto
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    server cas01 10.130.170.130:993 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:993 check inter 5000 weight 1 rise 2 fall 3

frontend pop_135
    mode tcp
    bind 0.0.0.0:135
    default_backend pool_135
    log global
    option tcplog

backend pool_135
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    server cas01 10.130.170.130:135 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:135 check inter 5000 weight 1 rise 2 fall 3

frontend pop_593
    mode tcp
    bind 0.0.0.0:593
    default_backend pool_593
    log global
    option tcplog

backend pool_593
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    server cas01 10.130.170.130:593 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:593 check inter 5000 weight 1 rise 2 fall 3

frontend pop_60001
    mode tcp
    bind 0.0.0.0:60001
    default_backend pool_60001
    log global
    option tcplog

backend pool_60001
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    server cas01 10.130.170.130:60001 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:60001 check inter 5000 weight 1 rise 2 fall 3

frontend pop_55000
    mode tcp
    bind 0.0.0.0:55000
    default_backend pool_55000
    log global
    option tcplog

backend pool_55000
    balance source
    option redispatch
    option abortonclose
    option persist
    stick on src
    stick-table type ip size 10240k expire 240m
    server cas01 10.130.170.130:55000 check inter 5000 weight 1 rise 2 fall 3
    server cas02 10.130.170.131:55000 check inter 5000 weight 1 rise 2 fall 3

frontend vs_stats
    bind 0.0.0.0:8081
    mode http
    log global
    option httplog
    default_backend stats_backend

backend stats_backend
    mode http
    stats enable
    stats uri /stats
    # placeholder credentials; set a real password before exposing the stats page
    stats auth admin:admin

3. Because the Exchange RPC ports are dynamic, Haproxy needs fixed ports to forward to. I changed them to 60001 and 55000 by modifying the registry.

4. Configure the TPROXY packet steering with the following script (vi iptables.sh):

#!/bin/bash
/sbin/iptables -F
# also clear the mangle table and the DIVERT chain so the script can be re-run
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X DIVERT 2>/dev/null
/sbin/iptables -t mangle -N DIVERT
/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
/sbin/iptables -t mangle -A DIVERT -j ACCEPT
/sbin/ip rule add fwmark 1 lookup 100
/sbin/ip route add local 0.0.0.0/0 dev lo table 100

The rules above match, in the mangle table's PREROUTING chain, every incoming TCP packet that belongs to an existing local socket (the -m socket test), mark it with fwmark 1, and then use the policy rule plus the local route in table 100 to deliver marked packets to the loopback interface instead of forwarding them. This is what lets the CAS servers' replies, which are addressed to the client's real IP rather than to Haproxy, be handed to Haproxy's transparent socket.

5. Make the script executable and run it:

chmod +x iptables.sh
./iptables.sh

6. Modify /etc/sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1

Then apply the settings with sysctl -p.

7. The TPROXY-based Haproxy transparent proxy is now complete. For real high availability Haproxy itself is still a single point of failure; keepalived is not covered here.

Then change the default gateway of the two CAS servers to the Haproxy IP address, so that their replies to the client's real IP pass back through Haproxy. You can now see the real client IP address in the spam records.
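As an added example (not part of the original article or of the HAProxy project), the following bash script collects the checks a practitioner would run after finishing the steps above: it lists the backends in haproxy.cfg that lack the "source 0.0.0.0 usesrc clientip" line (in the configuration above only pool_443 and pool_smtp have it, so only those pools are transparent), compares the sysctl keys from step 6 against a sysctl.conf file, and confirms from saved output of iptables-save, ip rule and ip route that the DIVERT chain, the fwmark rule and the local route from step 4 are in place. The sample inputs are constructed inline and the function and file names are my own.

```shell
#!/bin/bash
# Added example, not part of the original article: offline audit helpers for the
# TPROXY deployment. Every function reads a file or captured command output, so
# the checks can also run on copies pulled from the HAProxy host.

# Print each backend in an HAProxy config that lacks "source ... usesrc clientip",
# i.e. every pool that still reaches the CAS servers with HAProxy's own address.
# Usage: backends_without_tproxy /etc/haproxy/haproxy.cfg
backends_without_tproxy() {
    awk '
        function flush() { if (name != "" && !seen) print name; name = ""; seen = 0 }
        tolower($1) == "backend" { flush(); name = $2 }
        tolower($1) ~ /^(frontend|listen|defaults|global)$/ { flush() }
        tolower($1) == "source" && /usesrc[ \t]+clientip/ { seen = 1 }
        END { flush() }
    ' "$1"
}

# Compare the sysctl keys the article sets against a sysctl.conf-style file
# ("key = value" lines). Prints every mismatch; returns 1 if any, else 0.
# Usage: check_sysctl_file /etc/sysctl.conf
check_sysctl_file() {
    local file="$1" rc=0 key want have
    while read -r key want; do
        have=$(awk -F= -v k="$key" '{ gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
                                    $1 == k { v = $2 } END { print v }' "$file")
        if [ "$have" != "$want" ]; then
            echo "$key expected $want got ${have:-<unset>}"
            rc=1
        fi
    done <<'EOF'
net.ipv4.ip_forward 1
net.ipv4.conf.default.rp_filter 2
net.ipv4.conf.all.rp_filter 2
net.ipv4.conf.eth0.rp_filter 0
EOF
    return $rc
}

# Verify the packet-steering pieces from captured command output:
#   $1 = output of "iptables-save -t mangle", $2 = "ip rule show",
#   $3 = "ip route show table 100". Prints what is missing; returns 0 if complete.
check_tproxy_state() {
    local rc=0
    grep -Eq '^-A PREROUTING .*-m socket -j DIVERT' "$1" ||
        { echo "missing: mangle PREROUTING socket match -> DIVERT"; rc=1; }
    grep -Eq '^-A DIVERT -j MARK --set-(x)?mark 0x1' "$1" ||
        { echo "missing: DIVERT chain does not set fwmark 1"; rc=1; }
    grep -Eq 'fwmark 0x1 lookup 100' "$2" ||
        { echo "missing: ip rule fwmark 1 lookup 100"; rc=1; }
    grep -Eq '^local default dev lo' "$3" ||
        { echo "missing: local route for 0.0.0.0/0 via lo in table 100"; rc=1; }
    return $rc
}

# Constructed sample inputs modelled on the article: two pools are deliberately
# left without usesrc, and eth0's rp_filter is deliberately wrong.
write_samples() {
    cat >"$1/haproxy.cfg" <<'EOF'
backend pool_443
    source 0.0.0.0 usesrc clientip
    server cas01 10.130.170.130:443 check
backend pool_smtp
    source 0.0.0.0 usesrc clientip
    server cas01 10.130.170.130:25 check
backend pool_pop
    server cas01 10.130.170.130:995 check
frontend pop_993
    bind 0.0.0.0:993
backend pool_993
    server cas01 10.130.170.130:993 check
EOF
    cat >"$1/sysctl.conf" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 1
EOF
    cat >"$1/mangle.txt" <<'EOF'
*mangle
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
EOF
    printf '0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n' >"$1/rule.txt"
    echo 'local default dev lo scope host' >"$1/route100.txt"
}

demo() {
    local d; d=$(mktemp -d)
    write_samples "$d"
    echo "backends still non-transparent:"; backends_without_tproxy "$d/haproxy.cfg"
    check_sysctl_file "$d/sysctl.conf" && echo "sysctl: ok" || echo "sysctl: needs fixing"
    check_tproxy_state "$d/mangle.txt" "$d/rule.txt" "$d/route100.txt" && echo "tproxy steering: ok"
    rm -rf "$d"
}
demo
```

On a real host, point the three checks at /etc/haproxy/haproxy.cfg, /etc/sysctl.conf and the saved output of "iptables-save -t mangle", "ip rule show" and "ip route show table 100"; a pool reported by the first check is one whose CAS-side logs will still show Haproxy's address rather than the client's.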
