On Sun, Jul 2, 2017 at 3:54 PM, Andrew Smalley <[email protected]>
wrote:

> I would like to ask why you have non ssl and ssl traffic on the same port?
> While it seems it is possible, it is not the right way to do it.
>
>
> On 2 Jul 2017 23:37, "Igor Cicimov" <[email protected]>
> wrote:
>
>
>
> On 3 Jul 2017 8:35 am, "Igor Cicimov" <[email protected]>
> wrote:
>
>
>
> On 3 Jul 2017 6:47 am, "Daren Sefcik" <[email protected]> wrote:
>
> On Sat, Jul 1, 2017 at 4:39 PM, Igor Cicimov <
> [email protected]> wrote:
>
>>
>>
>> On 29 Jun 2017 2:46 am, "Daren Sefcik" <[email protected]> wrote:
>>
>> On Wed, Jun 28, 2017 at 8:12 AM, Olivier Doucet <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>>
>>> 2017-06-28 16:47 GMT+02:00 Daren Sefcik <[email protected]>:
>>>
>>>> Hi, I have searched for an answer to this and tried several things but
>>>> cannot seem to figure it out so am hoping someone can point me in the right
>>>> direction. I have different backend proxy servers (squid) setup to handle
>>>> specifically HTTP and HTTPS traffic but cannot figure out how to tell
>>>> haproxy to tell the difference and send appropriately.
>>>>
>>>> For example, I have
>>>>
>>>> frontend proxy_servers
>>>> backend http_proxies
>>>> backend https_proxies
>>>>
>>>> how can I tell frontend to send all http traffic to backend
>>>> http_proxies and all https traffic to https_backend? I have tried using
>>>> dst_port 443 and the acl https ssl_fc but nothing seems to distinguish
>>>> https traffic.
>>>>
>>>
>>> Well, it should work. Send a copy of your config to see what's wrong in
>>> it.
>>>
>>> Olivier
>>>
>>>
>>>
>>>>
>>>> TIA...
>>>>
>>>
>>>
>> Here is an example, it continues to direct all https traffic to the web
>> proxy and not the streaming media one.
>>
>> frontend HTPL_PROXY
>>      bind                    10.1.4.105:8181 name 10.1.4.105:8181
>>      mode                    http
>>      log                     global
>>      option                  http-server-close
>>      option                  forwardfor
>>      acl https ssl_fc
>>      http-request set-header         X-Forwarded-Proto http if !https
>>      http-request set-header         X-Forwarded-Proto https if https
>>      maxconn                 90000
>>      timeout client          10000
>>      option tcp-smart-accept
>>      acl                     is_youtube      hdr_sub(host) -i youtube.com
>>      acl                     is_netflix      hdr_sub(host) -i netflix.com
>>      acl                     is_nflixvideo   hdr_sub(host) -i nflxvideo.net
>>      acl                     is_googlevideo  hdr_sub(host) -i googlevideo.com
>>      acl                     is_google       hdr_sub(host) -i google.com
>>      acl                     is_pandora      hdr_sub(host) -i pandora.com
>>      acl                     is_https        dst_port eq 443
>>      use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY  if  is_youtube
>>      use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY  if  is_netflix
>>      use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY  if  is_nflixvideo
>>      use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY  if  is_googlevideo
>>      use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY  if  is_pandora
>>      use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY  if  is_https
>>      default_backend HTPL_WEB_PROXY_http_ipvANY
>>
>> Obviously the dst_port 443 method cannot work since you are listening on
>> port 8181. Since both protocols are on the same port you can try tcp mode:
>>
>> mode tcp
>> option tcplog
>> bind *:8181
>>
>> tcp-request inspect-delay 5s
>> acl is_ssl req.ssl_hello_type 1
>>
>>
>
> Thank you, I have tried that with the below config and it still sends all
> traffic to the default backend instead of my ssl backend, any other ideas?
>
> frontend HTPL_PROXY
>       bind                    10.1.4.105:8181 name 10.1.4.105:8181
>
>       mode                    tcp
>       log                     global
>       maxconn                 90000
>       timeout client          10000
>       option tcp-smart-accept
>       tcp-request inspect-delay 5s
>       acl                     is_ssl  req.ssl_hello_type 1
>       use_backend HTPL_SSL_PROXY_tcp_ipvANY  if  is_ssl
>       default_backend HTPL_WEB_PROXY_tcp_ipvANY
>
> Only explanation I can see is that no ssl traffic is hitting haproxy, at
> least not on port 8181
>
> Or the ip it is bind to
>
>
>
>
Most of the traffic is ssl, for example gmail, facebook, pandora all force
https.

The frontend IP:PORT is configured on the client's browser as the proxy
address to use and in turn haproxy serves the client a squid proxy from the
backend. I have different proxies configured specifically for non ssl
caching and some for specific ssl no caching. I am not trying to do ssl
termination or anything like that. What I want to do is serve the client
browser ssl traffic from specific squid proxies and non ssl traffic from
other squid proxies configured for aggressive caching.

Maybe I need to be doing this somehow in the backend??

The below configuration seems to catch the majority of ssl traffic and
divert it correctly but not all... I know there has to be a way to do it
but no matter what I try it just doesn't seem to work 100%.

TIA

frontend HTPL_PROXY
        bind                    10.1.4.105:8181 name 10.1.4.105:8181
        mode                    http
        log                     global
        option                  http-server-close
        option                  forwardfor
        acl https ssl_fc
        http-request set-header         X-Forwarded-Proto http if !https
        http-request set-header         X-Forwarded-Proto https if https
        maxconn                 90000
        timeout client          10000
        option tcp-smart-accept
        acl                     is_ssl  hdr_end(host) -i 443
        use_backend HTPL_SSL_PROXY_http_ipvANY  if  is_ssl
        default_backend HTPL_WEB_PROXY_http_ipvANY

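An added example, not from the thread above, showing how an explicit (browser-configured) proxy frontend can separate the two kinds of traffic by HTTP method instead of by TLS fetches: a browser that is told to use a proxy opens an HTTPS session with a plaintext "CONNECT host:443" request and only starts the TLS handshake after the proxy answers 200, so ssl_fc and req.ssl_hello_type never see TLS on this listener. Backend names and the bind address are reused from the configs in this thread; everything else is assumed.

```haproxy
frontend HTPL_PROXY
    bind                    10.1.4.105:8181 name 10.1.4.105:8181
    mode                    http
    log                     global
    option                  http-server-close
    option                  forwardfor
    maxconn                 90000
    timeout client          10000

    # HTTPS through an explicit proxy arrives as a plaintext CONNECT request;
    # the client and origin only speak TLS inside the tunnel the proxy opens.
    acl is_connect          method CONNECT

    # Belt and braces: a CONNECT whose authority (Host) ends in :443 is the
    # common case, but any CONNECT is a tunnel request and should bypass the
    # caching proxies, so the method check alone is what routes.
    acl is_port_443         hdr_end(host) -i :443

    # Plain HTTP through a proxy is an absolute-URI request such as
    # "GET http://example.com/ HTTP/1.1" and goes to the caching squids.
    use_backend HTPL_SSL_PROXY_http_ipvANY   if is_connect
    default_backend HTPL_WEB_PROXY_http_ipvANY
```

Checking with a client such as "curl -x http://10.1.4.105:8181 https://example.com/" versus the same command against an http:// URL, and watching which backend the haproxy log shows, confirms the split without needing any TLS-level matching.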