# # This is an example of how to configure HAProxy to be used as a 'full transparent proxy' for a single backend server. # # Note that to actually make this work extra firewall/nat rules are required. # Also HAProxy needs to be compiled with support for this, in HAProxy1.5-dev19 you can check if this is the case with "haproxy -vv". # global defaults timeout client 30s timeout server 30s timeout connect 30s frontend MyFrontend bind 192.168.1.22:80 default_backend TransparentBack_http backend TransparentBack_http mode http source 0.0.0.0 usesrc client server MyWebServer 192.168.0.40:80 # # To create the the nat rules perform the following: # # ### (FreeBSD 8) ### # --- Step 1 --- # ipfw is needed to get 'reply traffic' back to the HAProxy process, this can be achieved by configuring a rule like this: # fwd localhost tcp from 192.168.0.40 80 to any in recv em0 # # The following would be even better but this did not seam to work on the pfSense2.1 distribution of FreeBSD 8.3: # fwd 127.0.0.1:80 tcp from any 80 to any in recv ${outside_iface} uid ${proxy_uid} # # If only 'pf' is currently used some aditional steps are needed to load and configure ipfw: # You need to configure this to always run on startup: # # /sbin/kldload ipfw # /sbin/sysctl net.inet.ip.pfil.inbound="pf" net.inet6.ip6.pfil.inbound="pf" net.inet.ip.pfil.outbound="pf" net.inet6.ip6.pfil.outbound="pf" # /sbin/sysctl net.link.ether.ipfw=1 # ipfw add 10 fwd localhost tcp from 192.168.0.40 80 to any in recv em0 # # the above does the following: # - load the ipfw kernal module # - set pf as the outer firewall to keep control of routing packets for example to route them to a non-default gateway # - enable ipfw # - set a rule to catches reply traffic on em0 coming from the webserver # # --- Step 2 --- # To also make the client connection transparent its possible to redirect incomming requests to HAProxy with a pf rule: # rdr on em1 proto tcp from any to 192.168.0.40 port 80 -> 192.168.1.22 # here em1 is the interface that faces the clients, and traffic that is originally send straight to the webserver is redirected to HAProxy # # ### (FreeBSD 9) (OpenBSD 4.4) ### # pf supports "divert-reply" which is probably better suited for the job above then ipfw.. #