Hi Nikita.
On 03.10.19 at 12:02, Akhnin Nikita wrote:
> Hello, Aleksandar!
> 
> Vice versa, actually: Client -> Haproxy -> Squid -> Internet
> 
> Here's the situation. The Haproxy instance stands in a private network and 
> interacts with the Internet through a firewall that performs NAT. The current 
> schema looks like this:
> Client -> Haproxy -> FW (SNAT) -> Internet
> 
> The firewall performs traffic filtering in addition to NAT (security 
> reasons), and in its policies it operates on destination hosts' IP addresses, 
> not domain names. The problem comes when a backend server hostname changes 
> its IP addresses (e.g. CDN). We must update the firewall configuration with the new 
> IP addresses, and there is service downtime before the firewall guys do it. 
> And we cannot just open network access from Haproxy to any host on the 
> Internet.
> 
> I'm looking for a workaround for this. We have a Squid that can proxy HTTP 
> requests to the Internet, bypassing the firewall. It also filters requests by 
> domain name. So I wonder if there is any way to proxy client requests to the 
> Internet through Squid transparently to the client (no configuration on the client 
> side). 
> Something like this, but with Haproxy instead of Httpd: 
> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyremote 

I don't see any reason to use haproxy in this setup. Of course you can make a
listen section like the snippet below, but why do you want to add haproxy into this
setup?

```
global
  ...

defaults
  mode tcp
  ...

listen squid-gw
  # ':::3124' is the IPv6 wildcard address '::' followed by ':3124' for the port
  bind :::3124
  server squid squid.local:3124 check
```

Isn't this a much easier setup?
Client -> Squid -> Internet

For client configs, you can take a look at this page; several possible
solutions are described there.

https://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

For the client's IP address, you can set up the PROXY protocol in squid and haproxy:

http://www.squid-cache.org/Doc/config/proxy_protocol_access/
http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.2-send-proxy

Hth
Aleks

> -----Original Message-----
> From: Aleksandar Lazic <al-hapr...@none.at> 
> Sent: Wednesday, October 2, 2019 6:24 PM
> To: Ахнин Никита Андреевич <n.akh...@cft.ru>; haproxy@formilux.org
> Subject: Re: Use haproxy behind Squid
> 
> On 02.10.19 at 13:10, Akhnin Nikita wrote:
>> Hey there!
>>
>> Is it possible to use Haproxy behind an HTTP proxy like Squid to proxy 
>> incoming requests to the Internet through it? It would be awesome if 
>> someone could share a configuration example.
> 
> Do you mean such a flow?
> 
> Internet -> squid -> haproxy -> Client
> 
> This statement confuses me a little bit.
> 
>> to proxy incoming requests to the Internet
> 
> From which point of view is it incoming and outgoing?
> 
> Regards
> Aleks
> 
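
What the PROXY protocol suggestion in the reply above means on the wire, as an added Python example (not code from the thread, HAProxy or Squid): the v1 header that `send-proxy` places first on the connection, and a receiver that honours it only from a trusted sender, which is the restriction `proxy_protocol_access` expresses. The addresses are constructed documentation-range values, and the function names and `TRUSTED_SENDERS` are hypothetical.

```python
import ipaddress

# Constructed sample value: the address HAProxy is assumed to connect from.
TRUSTED_SENDERS = [ipaddress.ip_network("192.0.2.10/32")]
MAX_V1_LEN = 107  # longest possible v1 header, CRLF included


def build_v1(src, dst, sport, dport):
    """Header a sender such as HAProxy (send-proxy) writes before any payload."""
    fam = "TCP6" if ipaddress.ip_address(src).version == 6 else "TCP4"
    return f"PROXY {fam} {src} {dst} {sport} {dport}\r\n".encode("ascii")


def parse_v1(data):
    """Return ((src, sport) or None for UNKNOWN, remaining bytes); ValueError if bad."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if not data.startswith(b"PROXY ") or end < 0:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest  # sender could not describe the client
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("non-numeric port")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return (str(src), sport), rest


def client_address(peer_ip, data):
    """Receiver side: decide which address goes into logs and ACL checks."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_SENDERS):
        # Anyone who can reach the port could claim any client IP,
        # so a header from an untrusted peer is refused outright.
        raise PermissionError(f"PROXY header not accepted from {peer_ip}")
    parsed, rest = parse_v1(data)
    return (parsed[0] if parsed else peer_ip), rest
```

Without the sender check, any host able to reach the listening port could supply its own header and appear in logs and source-based ACLs under an address of its choosing.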

