On 14-9-2015 at 14:32, Martin Schmid wrote:
Hello list
I'm quite new to haproxy, and I've managed to use it with SSL passthru
and as SSL termination.
I've also started looking into the code to find the answers or
solutions to what I want to achieve.
I have OpenVPN and HTTPS running on the same port. This can be done
with several setups whereof using the openvpn port sharing feature is
the easiest.
But now I need to know the remote IP addresses in order to be able to
lock out abusive access to the web server. HTTPS used to be unharmed
by exploitative access, but now it's getting a problem. With HTTP, I
can reduce the traffic by locking out IP addresses using fail2ban. With
HTTPS, I cannot see the IP address, so there is no way to lock them
out selectively.
Any tool that does the backend switching cannot add an X-Forwarded-For
HTTP header and be the SSL endpoint at the same time. HAProxy seems
to be the only tool that might be able to handle both.
Looking at the code of HAProxy, it seems to me that once I configure a
bind with ssl, it just drops all connections that do not begin with an
SSL handshake.
However, it seems to be feasible to alter the code in order to fall
back to a non-SSL connection if the handshake fails.
Has any of you already tried to accomplish such a thing, or am I missing a
detail that makes this impossible?
Regards
Martin
Hi Martin,
Not sure if this will work with OpenVPN, but you could try it.
This mail might interest you:
http://marc.info/?l=haproxy&m=132375969032305&w=2
First split out TCP traffic to different backends depending on data sent
from the client.
Then possibly feed it from a backend server back to a second frontend
where you handle the SSL offloading if desired, while using the proxy
protocol to keep client IP information, and namespaces or unix sockets
for the connection between the two.
Again, I have not tested it, but this seems like it could be a way to
configure it with current options.
Regards,
PiBa-NL
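As an added illustration of the two-frontend layout PiBa-NL sketches above (this is not a configuration from either poster or from the HAProxy project), the following haproxy.cfg fragment does the split on the raw TCP payload, hands TLS connections to a second frontend over a unix socket with the PROXY protocol so the original client address survives, and terminates TLS there so the web backend receives X-Forwarded-For. The socket path, certificate path, the OpenVPN and web server addresses and the log target are assumed placeholders; `req.ssl_hello_type` is evaluated on the unencrypted bytes and needs HAProxy 1.5 or later.

```haproxy
global
    # fail2ban reads the HTTP log written by the terminating frontend;
    # the log destination is a placeholder, adjust to your syslog setup
    log 127.0.0.1 local0

defaults
    log     global
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# 1) One public port for both protocols. Nothing is decrypted here;
#    we only peek at the first bytes the client sends.
frontend mux_443
    bind :443
    mode tcp
    # wait at most 5s for the client's first bytes before giving up the inspection
    tcp-request inspect-delay 5s
    # a complete TLS ClientHello (hello type 1) is recognised immediately
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend tls_to_second_frontend if { req.ssl_hello_type 1 }
    # anything else (OpenVPN's control packet, or a timed-out inspection) goes to OpenVPN
    default_backend openvpn

# 2) Loop TLS traffic back into this same HAProxy over a unix socket,
#    prefixing the PROXY protocol header so the real client IP is carried along.
backend tls_to_second_frontend
    mode tcp
    server tls_term unix@/var/run/haproxy-tls.sock send-proxy

# OpenVPN listening on localhost in TCP mode (assumed address/port)
backend openvpn
    mode tcp
    server ovpn 127.0.0.1:1194

# 3) The second frontend: accept-proxy restores the client IP from the
#    PROXY header, ssl terminates TLS, and the frontend runs in HTTP mode.
frontend https_term
    bind unix@/var/run/haproxy-tls.sock accept-proxy ssl crt /etc/haproxy/site.pem
    mode http
    option httplog
    # src is now the original client address, so this header is correct
    option forwardfor
    default_backend webservers

# The web server behind the terminating frontend (assumed address/port)
backend webservers
    mode http
    server web1 127.0.0.1:8080
```

Two points worth checking when trying this: a non-TLS client is only routed after the inspect delay expires (OpenVPN clients tolerate a few seconds, but keep the delay short), and fail2ban should ban the address it finds in the `https_term` log at the firewall, which matches the source of the real connection on port 443 because the PROXY header carries the same address through the loop.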