Hi All,
I am hoping someone can give me some tips and pointers on getting something working in haproxy that could do the following:

I have installed haproxy and put a web server behind it. The proxy has 2 interfaces, eth0 (public) and eth1 (proxy internal).

I've got a requirement where I want to only proxy some source IP addresses based on their source address, so we can gradually add our customers to haproxy so that we can support TLS 1.2 and strong ciphers.
I have added an iptables rule and can then bypass haproxy with:

# create the set once (creating it inside the loop fails on the second iteration),
# then add each source that should go through haproxy
ipset -N inboundexclusions iphash
for ip in $INBOUNDEXCLUSIONS ; do
    ipset -A inboundexclusions $ip
done
$IPTABLES -t nat -N HTTPSINBOUNDBYPASS
$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
# sources NOT in the set are DNATed straight to the web server, skipping haproxy
$IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
Testing was done and I was happy with the solution. I then had a requirement to have a proxy with multiple IP addresses on eth0 (so I created eth0:1, eth0:2, etc.) and changed my haproxy frontend config from "bind 0.0.0.0:443 transparent" to "bind 10.0.0.92:443 transparent", but now my DNAT doesn't work if haproxy is running; if I stop haproxy the traffic gets DNATed fine.
I am not sure if I am being very clear here, but basically I wanted to know if there is a way to do selective SSL offloading on haproxy, or to bypass SSL offloading for the server that sits behind the proxy. This is required so that customers that do not support TLS 1.2 and strong ciphers can still connect, by actually bypassing the SSL offloading on the proxy.
Thanks very much for your time reading this.
Regards,
Jonathan
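Added example (editor's, not Jonathan's script or haproxy project code). It prints two things: the ipset/iptables bypass from the post with the set created once, outside the loop, and an haproxy configuration that makes the per-source decision inside haproxy instead. In the haproxy version a TCP-mode frontend on the public address checks the client's source address: addresses listed in a file are passed through to the origin with their TLS session untouched (so the origin still negotiates whatever those legacy clients support), everyone else is looped into a local listener that terminates TLS with a 1.2 minimum and a strong cipher list before forwarding plain HTTP. That removes the dependency on a DNAT rule firing before haproxy's bind, which is the part that stopped working above. Assumed values: proxy address 10.0.0.92 (from the post), origin server 10.0.1.10 (the post's $JONODEMO1), the certificate path, the legacy-client list file, and haproxy 1.8 or later for ssl-min-ver.

```shell
#!/bin/sh
# Added example, not the original poster's code. Emits (a) the ipset/iptables
# bypass with the set created once, and (b) an haproxy config that does the
# selective TLS offload itself. All addresses and paths below are assumptions.
PROXY_IP="${PROXY_IP:-10.0.0.92}"            # haproxy's address on eth0
ORIGIN_IP="${ORIGIN_IP:-10.0.1.10}"          # web server behind eth1 (assumed)
SET_NAME="${SET_NAME:-inboundexclusions}"    # sources already migrated to haproxy
CHAIN="${CHAIN:-HTTPSINBOUNDBYPASS}"

# Print the commands instead of running them, so they can be reviewed first or
# applied with:  emit_bypass_rules "203.0.113.5 203.0.113.6" | sudo sh
emit_bypass_rules() {
    # $1: whitespace-separated source addresses that must go through haproxy
    echo "ipset create $SET_NAME hash:ip -exist"      # once, and re-runnable
    for ip in $1; do
        echo "ipset add $SET_NAME $ip -exist"
    done
    echo "iptables -t nat -N $CHAIN"
    # nat PREROUTING only sees the first packet of a connection, so a
    # --state NEW match adds nothing; LOG is kept as the migration audit trail
    echo "iptables -t nat -A $CHAIN -j LOG --log-prefix \"[>] BYPASSING HAPROXY \""
    echo "iptables -t nat -A $CHAIN -d $PROXY_IP -p tcp --dport 443 -j DNAT --to-destination $ORIGIN_IP:443"
    # sources NOT in the set are rewritten straight to the origin; listed ones reach haproxy
    echo "iptables -t nat -A PREROUTING -m set ! --match-set $SET_NAME src -d $PROXY_IP -p tcp --dport 443 -j $CHAIN"
}

# haproxy-side alternative: clients listed in legacy_clients.lst keep end-to-end
# TLS to the origin; all other clients are terminated with TLS 1.2+ and strong
# ciphers on a loopback listener, then forwarded to the origin as plain HTTP.
emit_haproxy_cfg() {
    cat <<EOF
frontend fe_public_443
    bind ${PROXY_IP}:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_legacy_passthrough if { src -f /etc/haproxy/legacy_clients.lst }
    default_backend be_local_tls_offload

backend be_legacy_passthrough
    mode tcp
    server origin ${ORIGIN_IP}:443

backend be_local_tls_offload
    mode tcp
    server offload 127.0.0.1:8443 send-proxy-v2

frontend fe_tls_offload
    bind 127.0.0.1:8443 accept-proxy ssl crt /etc/haproxy/certs/site.pem ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    mode http
    option forwardfor
    default_backend be_origin_http

backend be_origin_http
    mode http
    server origin ${ORIGIN_IP}:80
EOF
}

# how many emitted lines start with $2 (used to sanity-check the generated rules)
count_prefix() { printf '%s\n' "$1" | grep -c "^$2" || true; }
```

Two checks worth running after loading either version: "iptables -t nat -L HTTPSINBOUNDBYPASS -v -n" shows packet counters per rule, so a test connection from a listed and an unlisted address tells you which path each took, and "ss -ltnp | grep 443" shows which addresses haproxy actually bound. The legacy list file (one IP or CIDR per line) becomes the migration control: removing an entry moves that customer onto the TLS 1.2 listener, and the origin's own weak TLS configuration can be retired once the file is empty.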