Hi Jonathan,

On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman <jonoi...@gmail.com>
wrote:

> Hi All,
>
> I am hoping someone can give me some tips and pointers on getting
> something working in haproxy that could do the following:
>
> I have installed haproxy and put a web server behind it. The proxy has
> two interfaces, eth0 (public) and eth1 (proxy internal).
>
> I've got a requirement where I want to only proxy some source IP
> addresses based on their source address, so we can gradually add our
> customers to haproxy so that we can support TLS1.2 and strong ciphers.
>
> I have added an iptables rule and can then bypass haproxy with:
>
> # create the set once, then add every excluded source address to it
> ipset -N inboundexclusions iphash
> for ip in $INBOUNDEXCLUSIONS ; do
>         ipset -A inboundexclusions $ip
> done
>
> # chain that logs new flows and DNATs them straight to the demo server
> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG \
>         --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport 443 \
>         -j DNAT --to $JONODEMO1:443
>
> # every source NOT in the set is sent to the bypass chain (skips haproxy)
> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src \
>         -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>
> Testing was done and I was happy with the solution. I then had a
> requirement to have a proxy with multiple IP addresses on eth0 (so I
> created eth0:1, eth0:2, etc.) and changed my haproxy frontend config from
> "bind 0.0.0.0:443 transparent" to "bind 10.0.0.92:443 transparent", but
> now my DNAT doesn't work if haproxy is running; if I stop haproxy the
> traffic gets DNATed fine.
>
> I am not sure if I am being very clear here, but basically I wanted to
> know if there is a way to do selective SSL offloading on the haproxy, or
> to bypass SSL offloading for the server that sits behind the proxy. This
> is required so that customers that do not support TLS1.2 and strong
> ciphers can still connect, actually bypassing the SSL offloading on the
> proxy.
>
> Thanks very much for your time reading this.
>
> Regards,
> Jonathan
>
>
One option that comes to mind for achieving the same without iptables is
using a whitelist file and two backends: one TCP backend that will just pass
the SSL connection through to the SSL server, and one in HTTP mode that will
do the SSL offloading. Something like:

use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
default_backend be_passthrough

or vice-versa depending on your implementation and which list would be
shorter :-)
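A fuller version of the two-backend layout above, written as an added example for this thread rather than configuration taken from either poster or from the haproxy project. It keeps the 10.0.0.92 public address and the /etc/haproxy/whitelist.lst file name from the thread; the origin address 10.0.1.10, the certificate path /etc/haproxy/certs/site.pem and the abstract socket name tls_offload are assumptions. The whitelist file holds one IP or CIDR per line, the addresses of customers already migrated to TLS 1.2.

```haproxy
# Added example, not from the original thread: selective TLS offload by
# client source address, with no iptables/DNAT in the path.
# Assumed: origin server 10.0.1.10 on eth1, cert /etc/haproxy/certs/site.pem,
# abstract socket name tls_offload. 10.0.0.92 and the whitelist file come
# from the thread.

global
    log /dev/log local0
    # Only the offloading bind terminates TLS; refuse anything below TLS 1.2
    # there. (On 1.8+ "ssl-min-ver TLSv1.2" expresses the same policy.)
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

defaults
    log global
    option dontlognull
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Step 1: a plain TCP listener on :443 that never decrypts. It looks only at
# the source address and decides which backend receives the raw bytes, so no
# inspect-delay is needed (src is known at accept time).
frontend fe_tls_router
    mode tcp
    bind 10.0.0.92:443
    option tcplog
    acl migrated src -f /etc/haproxy/whitelist.lst
    use_backend be_offload if migrated
    default_backend be_passthrough

# Step 2a: legacy clients. The unmodified TLS stream goes to the origin,
# which keeps terminating TLS itself with whatever it still offers.
backend be_passthrough
    mode tcp
    server origin 10.0.1.10:443

# Step 2b: migrated clients. Loop the raw stream into the terminating
# frontend over an abstract unix socket, carrying the real client address
# with PROXY protocol so logs and X-Forwarded-For stay correct.
backend be_offload
    mode tcp
    server offload abns@tls_offload send-proxy-v2

# Step 3: TLS termination with the strong policy from "global", then plain
# HTTP to the origin (add "ssl verify required ca-file ..." on the server
# line if traffic on eth1 must be re-encrypted).
frontend fe_tls_offload
    mode http
    bind abns@tls_offload accept-proxy ssl crt /etc/haproxy/certs/site.pem
    option httplog
    option forwardfor
    default_backend be_web

backend be_web
    mode http
    server origin 10.0.1.10:80
```

Check the split with "haproxy -c -f /etc/haproxy/haproxy.cfg" and then two handshakes: "openssl s_client -connect 10.0.0.92:443 -tls1" from a whitelisted address should fail, while the same command from a non-whitelisted address succeeds if the origin still offers TLS 1.0. Migrating a customer is then just appending its address to the whitelist and reloading haproxy; the passthrough backend and the origin's own TLS settings can be removed once the list covers everyone.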
