On 07/17/2016 04:59 PM, Evgeniy Sudyr wrote:
Brendan,
I'm also interesting for this topic as our company is preparing for
switching most traffic to be SSL enabled soon.
What I found so far are these quite informative articles:
1)
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/
2)
http://loadbalancer.org/blog/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy
Also you did not posted your iptables config, routing rules on backend
servers (as they need reply to "spoofed" IP's back to Haproxy servers
(tcp mode, right?) all are very important for tproxy config to be
working.
Let me know your results if you will get first.
Btw, I will be glad to see working configs from other community
members. Thank you all in advance!
--
Evgeniy
On Sun, Jul 17, 2016 at 10:19 PM, Brendan Kearney <bpk...@gmail.com> wrote:
i have iptables configured to redirect outbound HTTP to HAProxy, and then
load balance to a couple of squid instances. the below works well:
backend tproxy
acl https ssl_fc
http-request set-uri http://%[req.hdr(Host)]%[path]?%[query] unless
https
...
i have tried to perform HTTPS interception using the below, in addition to
the redirect of HTTPS traffic to the HAProxy VIP:
http-request set-method CONNECT if https
http-request set-uri https://%[req.hdr(Host)]%[path]?%[query] if
https
this does not seem to work as expected. where can i find more info on
performing HTTPS interception, for transparent proxying? any help would be
appreciated.
thanks,
brendan
HAProxy does not need the kernel to have nonlocal binding turned on, as
i am performing DNAT with IPTables:
# Rule 5 (NAT)
#
echo "Rule 5 (NAT)"
#
$IPTABLES -t nat -N Cid130089X1041.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.4
--dport 80 -j Cid130089X1041.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.5
--dport 80 -j Cid130089X1041.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.200
--dport 80 -j Cid130089X1041.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.24.1
--dport 80 -j Cid130089X1041.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.24.2
--dport 80 -j Cid130089X1041.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.24.4
--dport 80 -j Cid130089X1041.0
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.1.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.24.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.88.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.100.1 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.120.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.152.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.184.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.185.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.216.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.248.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -p tcp -m tcp --dport 80 -j
DNAT --to-destination 192.168.120.1:3129
i use FWBuilder to create my iptables policy, and the above takes
traffic from some sources and DNATs their outbound traffic on port 80 to
my proxy VIP on port 3129. this load balances to squid, which satisfies
the request. i am not doing full transparent proxying because my load
balancer is also my router/firewall, and out-of-state or asynchronous
routing will be dropped by the firewall. this means that i am setting
and using the X-Forwarded-For header, and in squid i digest that header
for the client IP.
the squid servers see the routers local interface as the source of the
connection, and reply back to it. the DNAT is unraveled/undone on the
return trip to the client, from the router. because of this, there is
no special routing needed on the servers, and only their default route
is required.
what i need is the know-how to intercept the HTTPS. this requires a
change to the METHOD, and the URI. i am not sure how to go about that,
and am looking for more reading material on the subject.
