i am trying to setup a transparent or intercepting proxy, that works with HTTPS, and have hit a bit of a wall.

i am using IPTables to intercept the port 80 and 443 traffic, and DNAT'ing the traffic to a HAProxy VIP.


i have the front end configured as such:

frontend tproxy
        bind 192.168.120.1:3129
        option httplog
        option http-server-close
        option forwardfor except 127.0.0.0/8
        default_backend tproxy

the backend is where i have problems.

backend tproxy
        acl https ssl_fc

http-request set-uri http://%[req.hdr(Host)]%[path]?%[query] unless https

        http-request set-method CONNECT if https
        http-request set-uri https://%[ssl_fc_sni] if https

        server proxy1 192.168.88.1:3129 check inter 10000
        server proxy2 192.168.88.2:3129 check inter 10000

right now, HTTP interception works without issue. as i understand things having read through some docs, the acl will never match HTTPS traffic that is to be proxied, because the front end bind statement does not have the "ssl" option. subsequently, the rewrites of the method and uri will never happen. i also believe the rewrite of the uri will not work because ssl_fc_sni requires the "ssl" option be present on the bind line for the front end. that leads me to wonder how i differentiate between HTTP and HTTPS in a transparent proxy scenario. would req.proto_http be appropriate? being that the match does not occur until the request is complete, i am not sure.

once i am properly differentiating between HTTP and HTTPS traffic, what would the correct way to rewrite the uri? i think req.ssl_sni is the value i need to use, instead of ssl_fc_sni.

any insight is appreciated.

thank you,

brendan

Reply via email to