On Mon, Aug 13, 2018 at 12:55 AM Igor Cicimov <
[email protected]> wrote:

> Hi Jonathan,
>
> I'll keep bottom posting otherwise the thread will become a real mess and
> very hard to follow historically.
>
> On Sun, Aug 12, 2018 at 9:19 PM Jonathan Opperman <[email protected]>
> wrote:
>
>> Hi Igor,
>>
>> Not 100% sure what you mean here with the redirect to the proxy bind on
>> that port? What will the rest
>> of the bind look like on the front-end config in haproxy?
>>
>> Cheers
>> Jonathan
>>
>> On Tue, Aug 7, 2018 at 1:16 PM Igor Cicimov <
>> [email protected]> wrote:
>>
>>>
>>>
>>> On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov <
>>> [email protected]> wrote:
>>>
>>>> Hi Jonathan,
>>>>
>>>> On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I am hoping someone can give me some tips and pointers on getting
>>>>> something working
>>>>> in haproxy that could do the following:
>>>>>
>>>>> I have installed haproxy and put a web server behind it, the proxy has
>>>>> 2 interfaces,
>>>>> eth0 (public) and eth1 (proxy internal)
>>>>>
>>>>> I've got a requirement where I want to only proxy some source ip
>>>>> addresses based on
>>>>> their source address so we can gradually add our customers to haproxy
>>>>> so that we can
>>>>> support TLS1.2 and strong ciphers
>>>>>
>>>>> I have added an iptables rule and can then bypass haproxy with:
>>>>>
>>>>> # create the set once, then add each excluded address to it
>>>>> ipset -N inboundexclusions iphash
>>>>> for ip in $INBOUNDEXCLUSIONS ; do
>>>>>         ipset -A inboundexclusions $ip
>>>>> done
>>>>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>>>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
>>>>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>>>>
>>>>> Testing was done and I was happy with the solution. I then had a
>>>>> requirement
>>>>> to have a proxy with multiple IP addresses on eth0 (so created eth0:1,
>>>>> eth0:2, etc.)
>>>>> and changed my haproxy frontend config from  bind 0.0.0.0:443
>>>>> transparent
>>>>> to bind 10.0.0.92:443 transparent, but now my dnat doesn't work if
>>>>> haproxy
>>>>> is running; if I stop haproxy the traffic gets dnatted fine.
>>>>>
>>>>> I am not sure if I am being very clear in here but basically wanted to
>>>>> know if there is
>>>>> a way to do selective ssl offloading on the haproxy or bypass
>>>>> ssl offloading on the
>>>>> server that sits behind the proxy? This is required so that we can
>>>>> still let customers
>>>>> that do not support TLS1.2 and strong ciphers connect, actually
>>>>> bypassing
>>>>> the ssl offloading on the proxy.
>>>>>
>>>>> Thanks very much for your time reading this.
>>>>>
>>>>> Regards,
>>>>> Jonathan
>>>>>
>>>>>
>>>> One option that comes to mind achieving the same without iptables is
>>>> using a whitelist file and two backends: one tcp backend that will just pass
>>>> through the ssl connection to the SSL server and one in http mode that will
>>>> do SSL offloading. Something like:
>>>>
>>>> use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
>>>> default_backend be_passthrough
>>>>
>>>> or vice-versa depending on your implementation and which list would be
>>>> shorter :-)
>>>>
>>>>
>>> Another idea:
>>>
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
>>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>> $IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j REDIRECT 127.0.2.1:443
>>>
>>> then in haproxy:
>>>
>>> bind 127.0.2.1:443
>>>
>>>
> Well, the last 2 rules with a slight correction for the REDIRECT action:
>
> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
> $IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j REDIRECT --to-ports 4433
>
> would mean that the first rule will catch all packets for connections
> coming to 10.0.0.92 from clients that are NOT on the ip list and will be
> sent to the SSL backend directly bypassing haproxy. The ones that don't
> match that rule will be sent to the primary IP, let's say it is still
> 10.0.0.92, but port 4433. This is where you set your SSL termination proxy
> to listen, so same as before just different port.
>
> The point being you can set your haproxy frontend to listen on whatever
> port you like for ssl connections, and redirect to that port via iptables.
> If you want to change the IP too you can go with DNAT:
>
> $IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j DNAT --to-destination 127.0.2.1:4433
>
> Just trying to solve the problem of haproxy binding to 10.0.0.92:443 and
> making the dnat rule fail. Hope it is more clear now, otherwise it would mean
> I'm really bad at explaining :-)
>

Thanks Igor, will give it a try. Appreciate your time and suggestion. Will
provide some feedback as soon as I've tried it.

Cheers
Jonathan
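Igor's two-backend whitelist idea from earlier in the thread, worked out as a complete haproxy configuration (an added example, not something either poster sent): a TCP frontend on the public address decides per source IP whether the connection is passed through untouched to the origin's own TLS stack or handed over a loopback hop to a terminating listener that enforces TLS 1.2 and strong ciphers. The origin address 192.0.2.10, the certificate path, the loopback port 8443 and haproxy 1.8 or later (for ssl-min-ver) are assumptions; the whitelist file path is the one from the thread.

```haproxy
# Added example, not from the thread. Addresses, paths and ports are assumed.
global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1) Public entry point: plain TCP, no TLS handshake here, so the choice
#    is made on the source address alone (same idea as the ipset match).
frontend fe_public
    mode tcp
    bind 10.0.0.92:443
    option tcplog
    # Migrated customers (one IP or CIDR per line, assumed file) get TLS
    # termination with the strict policy; everyone else is passed through.
    use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
    default_backend be_passthrough

# 2) Legacy path: bytes are relayed as-is to the origin's own TLS listener,
#    so those clients stay on whatever protocol/cipher policy the origin has.
backend be_passthrough
    mode tcp
    server origin_tls 192.0.2.10:443 check

# 3) Strict path: hand the connection to the local terminating listener.
#    send-proxy carries the real client IP across the loopback hop.
backend be_offload
    mode tcp
    server local_tls 127.0.0.1:8443 send-proxy

# 4) TLS-terminating listener, reachable only via loopback. The modern policy
#    (TLS 1.2 minimum, forward-secret AEAD suites) is enforced only here.
frontend fe_offload
    mode http
    bind 127.0.0.1:8443 accept-proxy ssl crt /etc/haproxy/certs/site.pem ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    option httplog
    option forwardfor
    default_backend be_web

backend be_web
    mode http
    server web1 192.0.2.10:80 check
```

Growing the whitelist file is then the whole migration control: a customer added to it is subject to the strict policy on the next connection, and the passthrough log (option tcplog on fe_public) shows which sources are still on the legacy path.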
