Hi.

On 14.01.2019 at 03:11, Vũ Xuân Học wrote:
> Hi,
> 
> I don't know how to use ssl in http mode. I have many sites with many
> certificates.
> 
> As you see:
> 
> …
> 
> bind 192.168.0.4:443   (I NAT port 443 from the firewall to the HAProxy IP
> 192.168.0.4)
> 
> …
> 
> # Define hosts
>         acl host_1 req.ssl_sni -i ebh.vn
>         acl host_2 req.ssl_sni -m end -i einvoice.com.vn
>         … (many acl like above)
> 
>         use_backend eBH if host_1
>         use_backend einvoice443 if host_2

You can use maps for this.
https://www.haproxy.com/blog/introduction-to-haproxy-maps/

The openshift router has a complex but usable solution. Don't get confused with
the golang template stuff in there.

https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L180

https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L198

Regards
Aleks
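The two approaches discussed in this thread written out side by side, as an added example that is not from the thread, from HAProxy's documentation or from the openshift router template: a map-driven SNI router that replaces the per-site acl lines in the quoted `mode tcp` setup (the maps suggestion above), and the TLS-termination `mode http` setup Aleks recommends in the earlier message, which is the only one of the two in which haproxy can see the request and insert X-Forwarded-For. The file paths (/etc/haproxy/sni.map, /etc/haproxy/hosts.map, /etc/haproxy/certs/), the `no_match` backends and the backend port 80 are assumptions for illustration; the two frontends are alternatives that both bind :443, so only one of them is meant to be active at a time.

```haproxy
# Added example (not from the thread). Paths, backend names and port 80 are assumed.
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# ---- Option A: keep mode tcp (TLS passthrough), route on SNI with a map ------
# /etc/haproxy/sni.map is a plain text file, one "hostname backend" pair per line:
#   ebh.vn           eBH
#   einvoice.com.vn  einvoice443
# TLS stays end-to-end to the web servers, so haproxy can NOT add X-Forwarded-For here.
frontend tls_passthrough
    bind 192.168.0.4:443
    mode tcp
    option tcplog
    # wait for the ClientHello so req.ssl_sni is populated before choosing a backend
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # map_dom matches the SNI or any parent domain (einvoice.com.vn also covers
    # sub.einvoice.com.vn); an unknown or missing SNI falls back to "no_match"
    use_backend %[req.ssl_sni,lower,map_dom(/etc/haproxy/sni.map,no_match)]

backend no_match
    mode tcp
    # deliberately no server: an unknown SNI is refused instead of being sent
    # to whichever site happens to be listed first

# ---- Option B: terminate TLS on haproxy, mode http (the recommended setup) -----
# Each site's certificate, key and chain is one PEM file in /etc/haproxy/certs/;
# haproxy loads the whole directory and selects the certificate matching the SNI.
# Because the request is now visible, forwardfor works and IIS can read
# X-Forwarded-For as in the loadbalancer.org post linked in the thread.
frontend https_in
    bind 192.168.0.4:443 ssl crt /etc/haproxy/certs/ no-sslv3
    mode http
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    # /etc/haproxy/hosts.map: "hostname backend" pairs keyed on the Host header
    use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/hosts.map,no_match_http)]

backend no_match_http
    mode http
    http-request deny

backend eBH
    mode http
    balance roundrobin
    # plain http to IIS once TLS is terminated (port 80 assumed); to keep https to
    # the backend use ":443 ssl verify required ca-file <ca.pem>" instead
    server web1 192.168.0.153:80 check
    server web2 192.168.0.154:80 check
```

Both maps are re-read with `haproxy -c -f /etc/haproxy/haproxy.cfg` at config check time, so a new site is one line in the map plus its PEM file in the certificate directory, with no new acl pair per host. The `no_match` defaults matter for security as much as convenience: without a default, a request for a name that is not in the map would be routed by whatever `default_backend` or first backend applies, which is how one tenant's traffic ends up at another tenant's server.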

> *From:* Aleksandar Lazic <al-hapr...@none.at>
> *Sent:* Monday, January 14, 2019 8:45 AM
> *To:* haproxy@formilux.org; Vũ Xuân Học <ho...@thaison.vn>; 'PiBa-NL'
> <piba.nl....@gmail.com>
> *Subject:* RE: Get client IP
> 
> Hi.
> 
> As you use IIS I strongly suggest to terminate the https on haproxy and use
> mode http instead of tcp.
> 
> Here is a blog post about basic setup of haproxy with ssl
> 
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
> 
> I assume that haproxy has the client ip as the setup works in the http
> config.
> 
> Best regards
> Aleks
> 
> --------------------------------------------------------------------------------
> 
> *From:* "Vũ Xuân Học" <ho...@thaison.vn <mailto:ho...@thaison.vn>>
> *Sent:* 14 January 2019 02:17:23 CET
> *To:* 'PiBa-NL' <piba.nl....@gmail.com <mailto:piba.nl....@gmail.com>>,
> 'Aleksandar Lazic' <al-hapr...@none.at <mailto:al-hapr...@none.at>>,
> haproxy@formilux.org <mailto:haproxy@formilux.org>
> *Subject:* RE: Get client IP
> 
> Thanks for your help
> 
> I tried to configure HAProxy with accept-proxy like this:
> 
> frontend ivan
>         bind 192.168.0.4:443 accept-proxy
>         mode tcp
>         option tcplog
> 
> #option forwardfor
> 
>     reqadd X-Forwarded-Proto:\ https
> 
> then my website cannot be accessed.
> 
> I use IIS as the webserver and I don't know how to accept proxy; I only know how
> to config X-Forwarded-For like this
> 
> http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/
> 
> 
> *From:* PiBa-NL <piba.nl....@gmail.com <mailto:piba.nl....@gmail.com>>
> *Sent:* Sunday, January 13, 2019 10:06 PM
> *To:* Aleksandar Lazic <al-hapr...@none.at <mailto:al-hapr...@none.at>>;
> Vũ Xuân Học <ho...@thaison.vn <mailto:ho...@thaison.vn>>; haproxy@formilux.org
> <mailto:haproxy@formilux.org>
> *Subject:* Re: Get client IP
> 
> Hi,
> 
> On 13-1-2019 at 13:11, Aleksandar Lazic wrote:
> 
>     Hi.
> 
>     On 13.01.2019 at 12:17, Vũ Xuân Học wrote:
> 
>         Hi,
> 
>         Please help me to solve this problem.
> 
>         I use HAProxy version 1.5.18, SSL transparent mode, and I cannot get the
>         client IP in my .net mvc website. With mode http, I can use option forwardfor
>         to catch the client ip, but with tcp mode, my web reads X_Forwarded_For as null.
> 
>         My diagram:
> 
>         Client => Firewall => HAProxy => Web
> 
>         I read the HAProxy document and tried to use send-proxy. But when I use
>         send-proxy, I can access my web.
> 
>         This is my config:
> 
>         frontend test2233
>                 bind *:2233
>                 option forwardfor
>                 default_backend testecus
> 
>         backend testecus
>                 mode http
>                 server web1 192.168.0.151:2233 check
> 
>         Above config works, and I can get the client IP.
> 
>     That's good as it's `mode http`, therefore haproxy can see the http
>     traffic.
> 
> Indeed it can insert the http forwardfor header with 'mode http'.
> 
>         Config with SSL:
> 
>         frontend ivan
>                 bind 192.168.0.4:443
>                 mode tcp
>                 option tcplog
> 
>         #option forwardfor
> 
>             reqadd X-Forwarded-Proto:\ https
> 
>     This can't work as you use `mode tcp` and therefore haproxy can't see the
>     http traffic.
> 
>     From my point of view you now have 2 options.
> 
>     * use https termination on haproxy. Then you can add this http header.
> 
> That's one option indeed.
> 
>     * use accept-proxy in the bind line. This option requires that the
>     firewall is able to send the PROXY PROTOCOL header to haproxy.
> 
>     https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-accept-proxy
> 
> I don't expect a firewall to send such a header. And if I understand correctly
> the 'webserver' would need to be configured to accept proxy-protocol.
> The modification to make in haproxy would be to configure
> send-proxy[-v2-ssl-cn]
> http://cbonte.github.io/haproxy-dconv/1.9/snapshot/configuration.html#5.2-send-proxy
> And how to configure it with for example nginx:
> https://wakatime.com/blog/23-how-to-scale-ssl-with-haproxy-and-nginx
> 
>     The different modes are described in the doc
> 
>     https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode
> 
>     Here is a blog post about basic setup of haproxy with ssl
> 
>     https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
> 
>             acl tls req.ssl_hello_type 1
>             tcp-request inspect-delay 5s
>             tcp-request content accept if tls
> 
>                 # Define hosts
>                 acl host_1 req.ssl_sni -i ebh.vn
>                 acl host_2 req.ssl_sni -m end -i einvoice.com.vn
> 
>                use_backend eBH if host_1
>                use_backend einvoice443 if host_2
> 
>         backend eBH
>                 mode tcp
>                 balance roundrobin
>                 option ssl-hello-chk
>                server web1 192.168.0.153:443 maxconn 30000 check #cookie web1
>                server web2 192.168.0.154:443 maxconn 30000 check #cookie web2
> 
>         Above config doesn't work, and I cannot get the client ip. I tried
>         server web1 192.168.0.153:443 send-proxy and tried
>         server web1 192.168.0.153:443 send-proxy-v2 but I can't access my web.
> 
>     This is expected as the Firewall does not send the PROXY PROTOCOL header
>     and the bind line is not configured for that.
> 
> Firewalls by themselves will never use proxy-protocol at all. That it doesn't
> work with send-proxy on the haproxy server line is likely because the
> webservice that is receiving the traffic isn't configured to accept the proxy
> protocol. How to configure a ".net mvc website" to accept that is something I
> don't know if it is even possible at all..
> 
>         Many thanks,
> 
>     Best regards
>     Aleks
> 
>         Thanks & Best Regards!
>         ****************************
>         * VU XUAN HOC
> 
> Regards,
> PiBa-NL (Pieter)
> 

