Greetings,
I'm dealing with an existing client application that connects to a
port (doing TLS) and makes a specific http request (e.g. "GET /tn
HTTP/1.0\r\n\r\n") to request a layer-4 tunnel. Also, this client
doesn't expect (and can't presently deal with) an http response to that
request. It just expects the downstream server to which I will be
forwarding the connection, to immediately start its non-http protocol.
At the same time, I'm configuring haproxy to forward all other http
requests to a downstream http server.
I'll also be doing http header insertion on both these http and non-http
requests. I am in control of the downstream non-http server, and I'll
need to have haproxy insert some http headers to communicate several
pieces of information (e.g. remote address:port, etc) to the downstream
non-http server. This extra information doesn't have to be in http
headers, but that seemed to be the only way to get haproxy to insert
information.
I have an haproxy configuration that is close to working, but isn't
quite right yet. It creates an http frontend and two http backends named
http and non-http. It uses an acl to match on the incoming request that
this non-http client sends. The non-http backend uses the http-tunnel
option and connects to the downstream non-http server, and inserts the
necessary extra headers.
The problem is that if the downstream non-http server doesn't respond
first with an http-response, then haproxy issues a 502 Bad Gateway error
to the client. But if I make the downstream non-http server return an
http response, this does make haproxy happy and layer 4 tunnelling then
begins, but the client breaks because it doesn't expect that response.
So, I figure I have a couple of options:
1) Have haproxy delete the response before it goes back to the client.
I tried using rspdel to delete the response. It seems to be able to
remove headers, but it can't remove the status line in the response
(though the documentation seems to indicate that it should). And the
blank line that terminates the http header is another matter I haven't
looked into. Is this possible?
2) Alter haproxy to not require that first http response before starting
layer4 tunnelling. I looked at the code a bit, but it's complex. I was
hoping I could spot somewhere in the code where it finishes parsing the
first response, and then decides to go into just a layer4 mode. My plan
was just to make it enter that state at the end of the first request
rather than the end of the first response. Unfortunately I haven't had
much success yet. Any pointers there would be appreciated.
So, in case anything above is unclear, let me try to diagram the
expected protocol here:
client                        haproxy                        non-http server
======                        =======                        ===============
connect()
SSL-handshake
----------------------------->
<-----------------------------
"GET /tn HTTP/1.0\r\n\r\n"
----------------------------->
                              "GET /tn HTTP/1.0\r\n<extra-hdrs>\r\n"
                              ------------------------------>
                                                             <layer 4 tunnelling begins>
<------------ SSL ----------><---------- Plain-text --------->
So any ideas on how to get haproxy to handle this scenario? Commercial
support is an option for us, but I didn't see custom development as an
offered service.
Thanks,
Davy
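An added configuration example (not the original poster's config and not something from the HAProxy project) showing the approach a practitioner would usually reach for here: terminate TLS in a TCP-mode frontend, inspect the first bytes of the request, and hand the "/tn" request to a TCP-mode backend. Because that backend never speaks HTTP, haproxy does not wait for an HTTP response, so no 502 and no status line reaches the client. The remote address:port is passed to the non-http server with the PROXY protocol (`send-proxy`) rather than with inserted HTTP headers. It assumes HAProxy 1.5 or later; the certificate path and the two backend addresses are placeholders.

```haproxy
# Added example, not the original poster's configuration.
# Assumes HAProxy 1.5 or later. Paths and addresses are placeholders.
global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    # These also bound the idle time of the established layer-4 tunnel.
    timeout client  1m
    timeout server  1m

frontend fe_tls
    # Terminate TLS here so the first request can be inspected in clear text.
    bind :443 ssl crt /etc/haproxy/site.pem   # placeholder certificate path
    mode tcp
    # Buffer the start of the request; nothing is sent back to the client meanwhile.
    tcp-request inspect-delay 5s
    # First 8 bytes of the tunnel request: "GET /tn " as hex (47 45 54 20 2f 74 6e 20).
    acl is_tunnel req.payload(0,8) -m bin 474554202f746e20
    acl is_http   req.proto_http
    tcp-request content accept if is_tunnel
    tcp-request content accept if is_http
    # Tunnel request: raw bytes go to a TCP backend; no HTTP response is awaited.
    use_backend be_tunnel if is_tunnel
    # Every other request: the connection is upgraded to HTTP and proxied normally.
    default_backend be_web

backend be_tunnel
    mode tcp
    # send-proxy prefixes the stream with one PROXY protocol v1 line, e.g.
    #   "PROXY TCP4 203.0.113.5 198.51.100.2 51234 443\r\n"
    # (constructed sample) carrying client address:port. The non-http server reads
    # and strips that line, then receives "GET /tn HTTP/1.0\r\n\r\n" exactly as the
    # client sent it, and immediately starts its own protocol.
    server tn 10.0.0.10:9000 send-proxy   # placeholder address

backend be_web
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    server web 10.0.0.20:8080   # placeholder address
```

Two consequences of this layout are worth noting. In TCP mode haproxy cannot insert the `<extra-hdrs>` shown in the diagram, so the client's request line is forwarded verbatim and the PROXY line carries the connection metadata instead; the non-http server must consume that line before doing anything else. And because the frontend is TCP-mode, the `/tn` match is done on raw bytes before any HTTP parsing, which is exactly why the subsequent plain-text stream is never interpreted by haproxy's HTTP engine.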