[SR-Users] Kamailio behind HAProxy

Anthony Alba ascanio.alba7 at gmail.com
Tue Dec 1 08:53:35 CET 2020


Hi Joel,

1. kamailio will think that the UA src-ip/port is the incoming
connection from haproxy, is that what you want?

2. Is the real src-ip/port available to haproxy from the cloud SSL terminator?
Otherwise won't haproxy think the incoming src-ip/port is the leg from
the SSL terminator?

3. I have tried haproxy as a dumb (not PROXY protocol) SSL-terminator
proxying TLS to TCP/kamailio (without Path header).
It works as expected, all the Contact addresses are that of the
haproxy device. When the UA REGISTERs, some
are smart (too smart?), that their Contact address and Via are already
changed to the received/rport from the Via.

4. If I need the "real" address for logging, it is collected
separately. Also the first REGISTER from a UA usually has the
"real" src-ip/port as it hasn't cached the received/rport parameters yet.

Cheers
Anthony
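
Added example (not part of the original thread, and not Kamailio's or HAProxy's code): a minimal PROXY protocol v2 header parser, showing where the "real" src-ip/port discussed above comes from and why a receiver should honour the header only from a known load balancer address. The proxy address 10.0.0.5, the function name and the sample bytes are constructed assumptions.

```python
import ipaddress
import struct

SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature
# Assumption: the only peer allowed to send PROXY headers (the load balancer).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def parse_proxy_v2(peer, data):
    """Return (source_ip, source_port, payload) for a new TCP connection.

    peer is the connection-level (ip, port), i.e. the load balancer;
    the header carries the address of the client behind it.
    """
    if ipaddress.ip_address(peer[0]) not in TRUSTED_PROXIES:
        raise PermissionError("PROXY header from untrusted peer %s" % peer[0])
    if len(data) < 16 or data[:12] != SIG:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY header")
    body, payload = data[16:16 + length], data[16 + length:]
    command = ver_cmd & 0x0F
    if command == 0:  # LOCAL (e.g. health check): keep the real endpoints
        return peer[0], peer[1], payload
    if command != 1:
        raise ValueError("unknown PROXY command")
    if fam_proto == 0x11 and length >= 12:    # TCP over IPv4
        src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
    elif fam_proto == 0x21 and length >= 36:  # TCP over IPv6
        src, _dst, sport, _dport = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ValueError("unsupported address family/protocol")
    return str(ipaddress.ip_address(src)), sport, payload


# Constructed sample: client 203.0.113.7:50612 -> 10.0.0.20:5061 via the proxy.
SAMPLE = (SIG + struct.pack("!BBH", 0x21, 0x11, 12)
          + ipaddress.ip_address("203.0.113.7").packed
          + ipaddress.ip_address("10.0.0.20").packed
          + struct.pack("!HH", 50612, 5061)
          + b"REGISTER sip:example.test SIP/2.0\r\n")

if __name__ == "__main__":
    # The header's source, not the TCP peer, is what logging/rate limits see.
    print(parse_proxy_v2(("10.0.0.5", 41000), SAMPLE)[:2])
```

The address returned from the header is what per-source logging and flood limits would key on, while replies still travel over the existing TCP connection to the load balancer.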

On Thu, Nov 12, 2020 at 10:21 AM Joel Serrano <joel at textplus.com> wrote:
>
> In one case, it was to take advantage of the SSL offloading from the cloud provided load balancer (among other features, but that was the main one). I never got it fully working though..
>
> See: https://github.com/kamailio/kamailio/issues/2103 and the thread https://lists.kamailio.org/pipermail/sr-users/2019-November/107222.html
>
> So it could end up being useful for something like:
>
> UA <-> TCP load balancer (that *proxies* the connection but doesn't talk SIP) <-> Kamailio -> destination.
>
>
> I'm also curious to know if/how the rest are using it..
>
> On Wed, Nov 11, 2020 at 9:24 AM Alex Balashov <abalashov at evaristesys.com> wrote:
>>
>> The motive is still a bit of a mystery to me. Yes, it allows Kamailio to
>> discover the true source IP/port of a message, but given the function
>> performed by HAProxy for TCP connections, it seems generally useful to
>> think of HAProxy as the other endpoint of the connection? Moreover, it
>> makes it that much more complicated to send requests to reach the client
>> _via_ HAProxy (e.g. following a lookup()), since HAProxy isn't a SIP
>> proxy and doesn't add a Path hop.
>>
>> Am I missing something vital about the nature of HAProxy + Kamailio
>> deployments?
>>
>> -- Alex
>>
>> On 11/11/20 8:23 AM, Henning Westerholt wrote:
>> > Hello,
>> >
>> > basically this allows Kamailio to understand the HAProxy protocol to be
>> > used behind this particular proxy. Some discussion can be found at the
>> > list and also at https://github.com/kamailio/kamailio/pull/1765
>> >
>> > Cheers,
>> >
>> > Henning
>> >
>> > --
>> >
>> > Henning Westerholt – https://skalatan.de/blog/
>> >
>> > Kamailio services – https://gilawa.com <https://gilawa.com/>
>> >
>> > *From:* sr-users <sr-users-bounces at lists.kamailio.org> *On Behalf Of
>> > *Joey Golan
>> > *Sent:* Wednesday, November 11, 2020 1:47 PM
>> > *To:* Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
>> > *Subject:* Re: [SR-Users] Kamailio behind HAProxy
>> >
>> > Thanks Sergey.
>> >
>> > Can anyone please explain how and why to use tcp_accept_haproxy?
>> >
>> > On 11 Nov 2020, 10:39 +0200, Sergey Safarov <s.safarov at gmail.com
>> > <mailto:s.safarov at gmail.com>>, wrote:
>> >
>> >     Now I do not use pike.
>> >
>> >     On Wed, Nov 11, 2020 at 10:21 AM Joey Golan <joeygo at gmail.com
>> >     <mailto:joeygo at gmail.com>> wrote:
>> >
>> >         So on your AWS deployment are you working without ANTIFLOOD (pike)?
>> >
>> >         I still don’t understand how and why to use tcp_accept_haproxy.
>> >
>> >         On 9 Nov 2020, 11:49 +0200, Sergey Safarov <s.safarov at gmail.com
>> >         <mailto:s.safarov at gmail.com>>, wrote:
>> >
>> >             In AWS I now use the network load balancer without enabled
>> >             HAproxy protocol.
>> >
>> >             On EC2 instances used two ENI.
>> >
>> >             First for traffic via NLB for Inbound traffic.
>> >
>> >             And second ENI for outbound traffic.
>> >
>> >             This works, but may be complex to implement.
>> >
>> >             Now I am looking to:
>> >
>> >             1) enable TCP + HAproxy protocol support in Kamailio;
>> >
>> >             2) add UDP + HAproxy protocol feature support;
>> >
>> >             3) add connection support "with" and "without" HAproxy protocol.
>> >
>> >             But I am not a developer and cannot say when it will be implemented.
>> >
>> >             If your usage case, is business requirements and need
>> >             extended HAproxy implementation in Kamailio, then your
>> >             company can hire devs from the community.
>> >
>> >             On Mon, Nov 9, 2020 at 11:22 AM Joey Golan <joeygo at gmail.com
>> >             <mailto:joeygo at gmail.com>> wrote:
>> >
>> >                 Maybe I misunderstood you.
>> >                 For local installations you mean HAProxy with
>> >                 transparent mode?
>> >
>> >                 I have a functioning setup without proxy protocol
>> >                 enabled but without antiflood enabled because all
>> >                 traffic comes from same HAProxy address.
>> >
>> >                 I’m not sure I understand the purpose of
>> >                 tcp_accept_haproxy. When and how this parameter should
>> >                 be used?
>> >
>> >                 Thanks,
>> >                 Joey.
>> >
>> >                 On 9 Nov 2020, 0:27 +0200, Sergey Safarov
>> >                 <s.safarov at gmail.com <mailto:s.safarov at gmail.com>>, wrote:
>> >
>> >                     Why you cannot use this in the local installation?
>> >
>> >                     On AWS I have multiple kamailio servers behind ELB.
>> >
>> >                     Why you do not use a network load-balancer? NLB also
>> >                     offers HAproxy protocol support (TCP and UDP).
>> >
>> >                     In AWS installation you can use dedicated Kamailio
>> >                     groups for inbound connections and SIP clients with
>> >                     registration.
>> >
>> >                     And use other Kamailio group for outbound
>> >                     connections like carriers.
>> >
>> >
>> >                     Sergey
>> >
>> >                     On Sun, Nov 8, 2020 at 9:07 PM Joey Golan
>> >                     <joeygo at gmail.com <mailto:joeygo at gmail.com>> wrote:
>> >
>> >                         It doesn’t make much sense to me.
>> >                         On local installations (on-premise) I have 1
>> >                         HAProxy and multiple kamailio servers.
>> >                         On AWS I have multiple kamailio servers behind ELB.
>> >
>> >                         On 8 Nov 2020, 19:45 +0200, Sergey Safarov
>> >                         <s.safarov at gmail.com
>> >                         <mailto:s.safarov at gmail.com>>, wrote:
>> >
>> >                             you can try place haproxy + NAT on your own
>> >                             Linux router.
>> >
>> >                             In this case inbound connections will be
>> >                             delivered via HAproxy.
>> >                             Outbound connections will be NAT-ed on the
>> >                             same host, to the same IP.
>> >
>> >                             On Sun, Nov 8, 2020 at 6:31 PM Joey Golan
>> >                             <joeygo at gmail.com <mailto:joeygo at gmail.com>>
>> >                             wrote:
>> >
>> >                                 Hello,
>> >                                 I have a kamailio server running behind
>> >                                 HAProxy with proxy protocol v2 enabled.
>> >                                 In Kamailio I have set the parameter
>> >                                 tcp_accept_haproxy=yes and loaded tcpops
>> >                                 module.
>> >                                 UEs are registered using TLS and
>> >                                 kamailio sees that the message has
>> >                                 received from their real ip address +
>> >                                 port and not HAProxy ip + port.
>> >                                 When UE A calls UE B, kamailio is trying
>> >                                 to reach UE B using his real ip address
>> >                                 and port instead of HAProxy IP address +
>> >                                 port.
>> >
>> >                                 I know I can get the tcp ip and port of
>> >                                 HAProxy using $tcp(c_si) and $tcp(c_sp)
>> >                                 but I can’t make it work.
>> >                                 What is the right way to do this? How
>> >                                 should I use these variables properly in
>> >                                 order to establish the call successfully?
>> >
>> >                                 Thanks,
>> >                                 Joey.
>> >
>> >                                 _______________________________________________
>> >                                 Kamailio (SER) - Users Mailing List
>> >                                 sr-users at lists.kamailio.org
>> >                                 <mailto:sr-users at lists.kamailio.org>
>> >                                 https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>> >
>>
>> --
>> Alex Balashov | Principal | Evariste Systems LLC
>>
>> Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
>> Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
>>
>