Hi.

cipriancraciun, nutinshell and I discussed in the issue above some Socks use cases.

Let me summarize the thread here.

cipriancraciun suggests handling socks similarly to proxy protocol.
https://github.com/haproxy/haproxy/issues/82#issuecomment-498004333

I don't think that socks could be handled in such a simple way
https://github.com/haproxy/haproxy/issues/82#issuecomment-498023780

nutinshell has another use case which is a `socks4-redirect`
https://github.com/haproxy/haproxy/issues/82#issuecomment-498007739

I thought that a new action for tcp-request content could be a solution.
https://github.com/haproxy/haproxy/issues/82#issuecomment-498051143


I see at least these use cases from this thread.

* client with explicit SOCKS support -> HAProxy SOCKS frontend -> normal backend / servers -- useful for routing only specific domains through HAProxy

The suggestion here is to handle socks in the same way as proxy protocol. As
mentioned above I don't think that's that easy, as the socks protocol is a
request response system which proxy protocol isn't.
There is also not only "the" socks protocol, as there are socks4, socks4a and
socks5 with different feature sets and requirements. From what I have seen in
the thread, only socks4 with command **connect** is expected. This means that
the client sends the destination ip and port, therefore haproxy does not need
to resolve the destination.

From my point of view, at least a similar option to `accept-proxy` is
required, for example `accept-socks(4|4a|5)`

One of the questions which is open is: do `accept-proxy` and
`accept-socks(4|4a|5)` make sense?

@cipriancraciun and others opinions?

* client (with / without) SOCKS support -> HAProxy frontend -> SOCKS enabled server -- useful for traffic filtering, and redirection to a proper SOCKS proxy;

The reason why the patch from alec isn't enough is that answer:

```
From what I read @alec-liu implemented SOCKS4 in the backend only as a way to
submit requests to a "fixed" server IP through a "fixed" SOCKS4 proxy server.
```

* socks4-redirect "here we want tcp go directly to socks."

I thought it could be handled with a new action in `tcp-request content ..` but
I'm not sure.

For example:

```
tcp-request content redirect %[src,map(src2dest.txt)] [{if | unless} <condition>]
```

It would be nice to see how the redsocks2 server handles this redirect, as what
I have seen from the code are some firewall tools used for the solution. I
never had such a requirement.

Src: https://github.com/semigodking/redsocks/blob/master/base.c#L306-L318

@nutinshell It would be very helpful to understand what this `socks4-redirect`
does on tcp/socks level.

I think this feature would be nice in HAProxy but I also think it's a huge
amount of work and increases the complexity to debug any errors.

Please feel free to correct me if I'm wrong at any statement.

Opinions, suggestions, patches?

Best regards
Aleks
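
The SOCKS4 CONNECT exchange discussed in this message, as an added example that is not part of the original mail and is not HAProxy code: a frontend has to parse the client's request (destination port and IP) and then send an 8-byte reply, which is the request/response step that proxy protocol does not have. The example also covers the socks4a hostname form; `socks4_parse`, `socks4_reply` and `struct socks4_req` are names invented here, and a real listener would additionally cap how many bytes it buffers while waiting for the terminating NUL.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Parsed SOCKS4/4a request (struct and field names are this example's own). */
struct socks4_req {
    uint8_t  cmd;        /* 1 = CONNECT, 2 = BIND */
    uint16_t port;       /* destination port, host byte order */
    uint8_t  ip[4];      /* destination IPv4 exactly as sent by the client */
    int      is_4a;      /* 1 if ip is 0.0.0.x with x != 0: hostname follows USERID */
    const char *host;    /* points into buf when is_4a, otherwise NULL */
};

/* Returns bytes consumed, 0 if more data is needed, -1 if malformed. */
int socks4_parse(const uint8_t *buf, size_t len, struct socks4_req *r)
{
    if (len < 1) return 0;
    if (buf[0] != 4) return -1;                 /* VN must be 4 */
    if (len < 9) return 0;                      /* 8 fixed bytes + USERID NUL */
    if (buf[1] != 1 && buf[1] != 2) return -1;  /* unknown command */
    r->cmd  = buf[1];
    r->port = (uint16_t)((buf[2] << 8) | buf[3]);
    memcpy(r->ip, buf + 4, 4);
    r->is_4a = (buf[4] == 0 && buf[5] == 0 && buf[6] == 0 && buf[7] != 0);
    r->host = NULL;

    const uint8_t *nul = memchr(buf + 8, 0, len - 8);   /* end of USERID */
    if (!nul) return 0;
    size_t used = (size_t)(nul - buf) + 1;
    if (r->is_4a) {                             /* socks4a: NUL-terminated hostname */
        const uint8_t *hnul = memchr(buf + used, 0, len - used);
        if (!hnul) return 0;
        if (hnul == buf + used) return -1;      /* empty hostname */
        r->host = (const char *)(buf + used);
        used = (size_t)(hnul - buf) + 1;
    }
    return (int)used;
}

/* The reply the client waits for before sending payload:
 * VN=0, CD=90 (granted) or 91 (rejected), then 6 bytes the client ignores. */
void socks4_reply(uint8_t out[8], int granted)
{
    memset(out, 0, 8);
    out[1] = granted ? 90 : 91;
}
```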
