Load balancing
Flows and outflows
Available since
- Outflows are available since ALOHA 16.0.
Use the Flows tab to configure flows and outflows. A flow or outflow can specify whether matching packets should be allowed, dropped, or routed according to a routing table. Matching criteria can include any combination of interface, protocol, IP address, and port. In addition, flows (not outflows) can also direct incoming traffic to an LVS load balancer (see LB Layer4 tab).
-
A flow defines match rules and a routing policy for incoming packets. Flows are particularly powerful because they can match on ranges of IP addresses and ports. This capability allows them to direct the matching traffic to an LVS load balancer, which would otherwise be limited to traffic from a single IP address and port.
-
An outflow defines match rules and a routing policy for outgoing packets. For example, you can use an outflow to specify a custom routing table that applies to a load balanced application’s return traffic. The ability to specify outflow matching is particularly important when you need to specify the gateway for outgoing packets.
Important
For a given TCP connection, the outgoing packets do not automatically use the same interface as the incoming packets. Instead, the outgoing packets use the gateway indicated in the main routing table. To control the route for outgoing packets, define an outflow and a custom routing table.
Policy-based routing
Beginning in HAProxy ALOHA 16.5, you can also use policy-based routing to accomplish custom routing.
Configuration file syntax Jump to heading
Define flows by including flow sections in the flowmgr configuration file. Flows are evaluated sequentially.
text
{ flow | outflow } <name> <policy><rule> [ [ not ] iface <name> ][ [ not ] proto { tcp | udp | icmp } ][ [ not ] src <ip>[/<mask>] ][ [ not ] dst <ip>[/<mask>] ][ [ not ] srcport <port>[:<port>] ][ [ not ] dstport <port>[:<port>] ][ [ not ] icmptype <icmptype> ] ][<rule>]...
text
{ flow | outflow } <name> <policy><rule> [ [ not ] iface <name> ][ [ not ] proto { tcp | udp | icmp } ][ [ not ] src <ip>[/<mask>] ][ [ not ] dst <ip>[/<mask>] ][ [ not ] srcport <port>[:<port>] ][ [ not ] dstport <port>[:<port>] ][ [ not ] icmptype <icmptype> ] ][<rule>]...
The terms are as follows.
Info
Where the term flow is used, the term outflow may be substituted except where indicated.
name Jump to heading
-
name
Unique identifier for this flow. Allowed characters are alphanumerics, hyphen (
-
), and underscore (_
). Maximum length is 27 characters.
policy Jump to heading
-
policy
Action to be applied. One of:
Policy Description permit
Matching packets are allowed. deny
Matching packets are dropped. director <director_name>
Matching packets are routed using the specified LVS director. Directors are defined in the LB Layer4 tab. Available for flows only, not outflows. skip
The flow is skipped and the next one is evaluated. This policy is useful for temporarily disabling a flow. This policy is the default action if no other policy is specified. table <id>
Matching packets are routed using the specified custom routing table instead of the default system routing table. Routing tables are defined in network
setup under the Services tab. Available since HAProxy ALOHA 12.5.
rule Jump to heading
-
rule
The
match
andignore
rules are evaluated sequentially.Rule Description match
If a packet matches the specified conditions, the defined policy is immediately applied. Otherwise, the next ignore
ormatch
rules of the current flow are evaluated. If there are no more rules, the packet is considered not part of the current flow and the next flow is evaluated.ignore
If a packet matches the specified conditions, the packet is considered not part of the current flow and the next flow is evaluated. Otherwise, the next ignore
ormatch
rules of the current flow are evaluated.
conditions Jump to heading
-
conditions
If no conditions are specified, all packets are considered a match. To negate the match, use the keyword
not
. Use the following terms to specify match conditions.Condition Description proto
IP protocol: tcp
,udp
oricmp
.iface
In a flow
(incoming packets): input network interface. In anoutflow
(outgoing packets): routing chosen output interface.src
Packet IP source address, or network mask. dst
Packet IP destination address, or network mask. srcport
Packet port source, or port range. Only available for udp
andtcp
protocols.dstport
Packet port destination, or port range. Only available for udp
andtcp
protocols.icmptype
Packet icmp
type code. Only available foricmp
protocol.
Important
To save a new flow or changes to an existing flow, save the HAProxy ALOHA configuration. Click on the Setup tab. In the Configuration section, click Save.
Examples Jump to heading
In this section, we demonstrate examples that use the Flows tab.
Allow access only to clients in a given network Jump to heading
This flow allows users to access a specific host using ssh
but only if they are on the same network as the host.
-
From the Flows tab, add the following lines:
haproxyflow ssh permitignore not src 192.168.0.0/24match proto tcp dst 192.168.0.1 dstport 22haproxyflow ssh permitignore not src 192.168.0.0/24match proto tcp dst 192.168.0.1 dstport 22where:
- We define a flow named
ssh
that will permit only traffic that matches the rules. - We ignore all traffic unless it comes from the
192.168.0.0/24
network, so that thepermit
policy applies only to it. - We match on TCP traffic targeting the IP/port
192.168.0.1:22
. - If the packet does not match these conditions, it is passed through to the next flow for processing.
- We define a flow named
-
Click OK, then Apply.
-
To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.
Match UDP packets Jump to heading
This flow allows UDP packets to go to a DNS server.
-
From the Flows tab, add the following lines:
haproxyflow dns permitmatch proto udp dst 192.168.0.1 dstport 53haproxyflow dns permitmatch proto udp dst 192.168.0.1 dstport 53where:
- We define a flow named
dns
that will permit only the traffic that matches the rules. - We match UDP traffic targeted for IP/port
192.168.0.1:53
. - If the packet does not match these conditions, it is passed through to the next flow for processing.
- We define a flow named
-
Click OK, then Apply.
-
To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.
Match ICMP messages Jump to heading
This flow allows echo
replies to reach a specific host, regardless of where they originate. It also allows other types of ICMP packets to reach the host but only if they originate on the same network as the destination host.
-
From the Flows tab, add the following lines:
haproxyflow ping permitmatch proto icmp dst 192.168.0.1 icmptype 0ignore not src 192.168.0.0/24match proto icmp dst 192.168.0.1haproxyflow ping permitmatch proto icmp dst 192.168.0.1 icmptype 0ignore not src 192.168.0.0/24match proto icmp dst 192.168.0.1where:
- We define a flow named
ping
that will permit only the traffic that matches the rules. - We match ICMP traffic targeted for IP 192.168.0.1 with an
icmptype
value of0
. If the packet does not match these conditions, it is passed to the next rule for processing. - Any packet not originating on the
192.168.0.0/24
network is ignored by this flow but is passed through to the next flow for processing. If the packet does originate on the192.168.0.0/24
network, it is passed to the next rule for processing. - Any ICMP packet targeted for IP
192.168.0.1
is permitted. If the packet does not match these conditions, it is passed through to the next flow for processing.
- We define a flow named
-
Click OK, then Apply.
-
To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.
Route traffic to LVS Jump to heading
You can define a flow to direct traffic to a Layer 4 LVS load balancer. This configuration is particularly useful because an LVS load balancer, by itself, can bind to only one IP address and port. Using a flow, you can direct traffic from multiple IP addresses and ports to the LVS load balancer. In this flow, mail traffic targeted at ports 110
, 143
, and 25
are all routed to an LVS load balancer named maildirect
.
-
From the Flows tab, add the following lines:
haproxyflow mail director maildirectmatch proto tcp dst 192.168.0.2 dstport 110match proto tcp dst 192.168.0.2 dstport 143match proto tcp dst 192.168.0.2 dstport 25haproxyflow mail director maildirectmatch proto tcp dst 192.168.0.2 dstport 110match proto tcp dst 192.168.0.2 dstport 143match proto tcp dst 192.168.0.2 dstport 25where:
- We define a flow named
mail
that will direct only the traffic that matches the rules. Directed traffic goes to the Level 4 LVS load balancer namedmaildirect
. - We match TCP traffic targeted for IP/port
192.168.0.2:110
and send it to LVS directormaildirect
. If the packet does not match these conditions, it is passed through to the next rule for processing. - We match TCP traffic targeted for IP/port
192.168.0.2:143
and send it to LVS directormaildirect
. If the packet does not match these conditions, it is passed through to the next rule for processing. - We match TCP traffic targeted for IP/port
192.168.0.2:25
and send it to LVS directormaildirect
. If the packet does not match these conditions, it is passed through to the next flow for processing.
- We define a flow named
-
Click OK, then Apply.
-
To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.
Direct outgoing traffic to a gateway Jump to heading
Normally, traffic returns to the client via the default gateway defined in the main routing table. When you have multiple network interfaces, however, you may want to route traffic through a different gateway, for example, the one that it arrived through. This example shows how to create a custom routing table and a flow that sets a policy to use that routing table.
-
In the Services tab, click network instance setup next to the network interface that is on the network with the desired gateway. For example, if you have a second interface named
eth1
, add the following:service network eth1 ip address 192.168.161.10/255.255.255.0 ip route default 192.168.161.1 table 200
service network eth1 ip address 192.168.161.10/255.255.255.0 ip route default 192.168.161.1 table 200
where:
- The
ip address
line sets a static IP address of192.168.161.10
for the interface. - The
ip route
line sets a default route of192.168.161.1
and assigns it to a custom routing table with the ID200
. Because we’re using a custom routing table, traffic will not use this route until we define an outflow for it.
- The
-
Click OK and Close to return to the Services tab.
-
Restart the
network
service.Version > 16.0
In versions greater than 16.0, instead of manually restarting the
network
service, click the Apply new configuration button on the interface to apply the changes and automatically restart the network interface service. -
From the Flows tab, add the following lines:
outflow return-eth1 table 200 match proto tcp src 192.168.161.0/24 srcport 80
outflow return-eth1 table 200 match proto tcp src 192.168.161.0/24 srcport 80
where:
- We define an outflow named
return-eth1
that will use the custom routing table with ID200
if the following rules match. - We match on TCP traffic that has a source IP address within the
192.168.161.0/24
network and a source port of80
. Here, source means a VIP on the HAProxy ALOHA. Note that you can assign a single IP address by leaving off the CIDR/24
.
Alternatively, you could match on the VIP’s interface by using the
iface
argument:outflow return-eth1 table 200 match iface eth1
outflow return-eth1 table 200 match iface eth1
- We define an outflow named
-
Click OK, then Apply.
-
To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.
Block unpermitted traffic Jump to heading
For security purposes, you may want to deny all traffic not explicitly permitted or routed in other flows.
-
From the Flows tab, add the following lines:
haproxyflow alltherest denymatchhaproxyflow alltherest denymatchwhere:
- We define a flow named
alltherest
that will deny the traffic that matches the rules. - We match all packets. This flow is useful for placing at the end of the flowmgr configuration to block all traffic not explicitly permitted in preceding flows.
- We define a flow named
-
Click OK, then Apply.
-
To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.
Do you have any suggestions on how we can improve the content of this page?