Hi Igor,

Not 100% sure what you mean here with the redirect to the proxy bind on that port? What will the rest of the bind look like on the front-end config in haproxy?

Cheers
Jonathan

On Tue, Aug 7, 2018 at 1:16 PM Igor Cicimov <ig...@encompasscorporation.com> wrote:
>
>
> On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov <ig...@encompasscorporation.com> wrote:
>
>> Hi Jonathan,
>>
>> On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman <jonoi...@gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I am hoping someone can give me some tips and pointers on getting something working
>>> in haproxy that could do the following:
>>>
>>> I have installed haproxy and put a web server behind it, the proxy has 2 interfaces,
>>> eth0 (public) and eth1 (proxy internal)
>>>
>>> I've got a requirement where I want to only proxy some source ip addresses based on
>>> their source address so we can gradually add our customers to haproxy so that we can
>>> support TLS1.2 and strong ciphers
>>>
>>> I have added an iptables rule and can then bypass haproxy with:
>>>
>>> # create the set once; creating it inside the loop fails on the second IP
>>> ipset -N inboundexclusions iphash
>>> for ip in $INBOUNDEXCLUSIONS ; do
>>>     ipset -A inboundexclusions $ip
>>> done
>>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>>
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
>>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>>
>>> Testing was done and I was happy with the solution, I then had a requirement
>>> to have a proxy with multiple IP addresses on eth0 (So created eth0:1 eth0:2) etc
>>> and changed my haproxy frontend config from bind 0.0.0.0:443 transparent
>>> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if haproxy
>>> is running, if I stop haproxy the traffic gets dnatted fine.
>>>
>>> I am not sure if I am being very clear in here but basically wanted to know if there is
>>> a way to do selective ssl offloading on the haproxy or bypass ssl offloading on the
>>> server that sits behind the proxy? This is required so that customers that do not support
>>> TLS1.2 and strong ciphers we can still let them connect so actually bypassing
>>> the ssl offloading on the proxy.
>>>
>>> Thanks very much for your time reading this.
>>>
>>> Regards,
>>> Jonathan
>>>
>>>
>> One option that comes to mind achieving the same without iptables is using a
>> whitelist file and two backends: one tcp backend that will just pass
>> through the ssl connection to the SSL server and one in http mode that will
>> do SSL offloading. Something like:
>>
>> use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
>> default_backend be_passthrough
>>
>> or vice-versa depending on your implementation and which list would be
>> shorter :-)
>>
>>
> Another idea:
>
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
> $IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j REDIRECT 127.0.2.1:443
>
> then in haproxy:
>
> bind 127.0.2.1:443
>
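A complete haproxy.cfg for the two-backend approach Igor sketches, added here as an example and not taken from either of the thread participants. It assumes the public address 10.0.0.92 from the thread, a placeholder origin server at 192.0.2.10 that still serves TLS itself on 443 and plain HTTP on 80, a certificate at /etc/haproxy/certs/site.pem, and a list file /etc/haproxy/legacy.lst holding, one per line, the IPs or CIDRs of customers that cannot yet speak TLS 1.2. The public listener is a plain TCP frontend that never decrypts anything and only routes by source address; the actual TLS termination with the hardened policy lives on a loopback frontend, so no iptables DNAT or `transparent` bind is involved at all.

```haproxy
# Added example, not the thread's own configuration. Placeholders: 192.0.2.10 (origin),
# /etc/haproxy/certs/site.pem (certificate), /etc/haproxy/legacy.lst (legacy client list).
global
    log /dev/log local0
    stats socket /run/haproxy/admin.sock mode 660 level admin

defaults
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Tier 1: TCP-only listener on the public address. It does not terminate TLS;
# it decides by source address whether to offload locally or pass through.
frontend fe_public_443
    mode tcp
    bind 10.0.0.92:443
    # one IP or CIDR per line; legacy clients keep end-to-end TLS to the origin
    acl legacy_src src -f /etc/haproxy/legacy.lst
    use_backend be_passthrough if legacy_src
    default_backend be_offload_loop

# Legacy customers: HAProxy is a dumb TCP relay, the origin's own TLS stack
# negotiates whatever it still supports.
backend be_passthrough
    mode tcp
    server origin_tls 192.0.2.10:443

# Everyone else: hand the raw TLS stream to the local offloading frontend.
# send-proxy-v2 carries the real client address across the loopback hop so the
# offload tier's logs and X-Forwarded-For header stay truthful.
backend be_offload_loop
    mode tcp
    server offload 127.0.2.1:8443 send-proxy-v2

# Tier 2: TLS termination on loopback with the policy the migration enforces
# (TLS 1.2 minimum, AEAD cipher suites only).
frontend fe_offload
    mode http
    option httplog
    option forwardfor
    bind 127.0.2.1:8443 accept-proxy ssl crt /etc/haproxy/certs/site.pem ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    http-request set-header X-Forwarded-Proto https
    default_backend be_origin_http

backend be_origin_http
    mode http
    server origin_http 192.0.2.10:80
```

The list direction is a choice, as Igor says: here the file names the shrinking set of legacy clients so the secure path is the default and a customer drops out of the file once they are migrated. The file is read at startup, so edits need a reload; an entry can also be added to the running process with `add acl /etc/haproxy/legacy.lst 203.0.113.7` on the admin socket (and removed with `del acl`), which keeps the legacy list changes visible in the same place the routing decision is logged.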