Hello,
I have been using for many years an explicit web proxy solution based on HAProxy in 
transparent mode in combination with a pair of Linux load balancers 
(keepalived) and some Squid servers behind it.
The Squid servers have the VRRP IP address as default gateway.
All users have defined in the browser a PAC file that contains the VRRP IP and the 
port 3128. All Squid proxies behind this solution are now seeing the real client 
IP and this helps me to identify and define web policies (squidguard). I run SSL 
inspection on Squid, having a root authority pushed via GPO.
For every site that needs to be accessed directly without going via the proxy, I 
have defined a SNAT rule in the firewall and a static exception in the PAC file for 
direct outbound Internet access.


I'd like to take this solution to a higher level and make a completely 
transparent web proxy solution without needing to define a PAC file in 
the browser.

In order to do that, I want to make the routing/filtering directly on the HAProxy 
servers. I've configured a PBR to send the traffic from local PCs for ports 80 
and 443 to the VRRP IP. I now see all traffic from clients on the HAProxy servers.

This is part of the HAProxy config:

frontend fe_frontend_pool_proxy_3128
        timeout client 30m
        mode tcp
        bind 172.17.232.232:3128 transparent # VRRP IP
        default_backend bk_pool_proxy_3128

backend bk_pool_proxy_3128
        timeout server 30m
        timeout connect 5s
        mode tcp
        balance leastconn
        stick-table type ip size 20k
        stick on src
        default-server inter 5s fall 3 rise 2 on-marked-down shutdown-sessions
        source 0.0.0.0 usesrc clientip

        server proxy1 172.17.232.229:3128 check port 3128 inter 3s rise 3 fall 3
        server proxy2 172.17.232.230:3128 check port 3128 inter 3s rise 3 fall 3

And now the question comes: Is there a way to redirect the incoming clients' 
traffic to 172.17.232.232:3128, and all of that without affecting the web 
traffic from the clients' point of view?
Any help is highly appreciated.
Thanks in advance,
--Marius M
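The following is an added example, not part of Marius's post and not the configuration of the HAProxy or Squid projects. It shows the Linux-side plumbing that an HAProxy `bind ... transparent` frontend relies on when it is fed the intercepted port 80/443 traffic described above (TPROXY plus the fwmark policy routing and the `-m socket` DIVERT rule from HAProxy's own transparent-proxy documentation), together with a matching HAProxy fragment. It is written as a dry-run generator so the rules can be reviewed before they are applied. Everything not in the post is an assumption: the HAProxy intercept port 3130, the Squid intercept ports 3129 (HTTP) and 3131 (HTTPS), fwmark 1 and routing table 100, and the backend and chain names.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: Linux-side plumbing for HAProxy
# transparent interception of ports 80/443 with TPROXY, as a dry-run generator.
# Assumed, not on the page: HAProxy intercept bind port 3130, Squid intercept
# ports 3129 (HTTP) and 3131 (HTTPS), fwmark 1 and routing table 100.
set -eu

SQUID_SERVERS="172.17.232.229 172.17.232.230"   # Squid IPs from the post
HAPROXY_INTERCEPT_PORT="${HAPROXY_INTERCEPT_PORT:-3130}"  # hypothetical
SQUID_HTTP_PORT="${SQUID_HTTP_PORT:-3129}"                # hypothetical
SQUID_HTTPS_PORT="${SQUID_HTTPS_PORT:-3131}"              # hypothetical
FWMARK=1
TABLE=100
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Forward packets and allow binding to foreign addresses; the latter is what
# lets HAProxy open connections to Squid with 'usesrc clientip'.
sysctl_settings() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.ip_nonlocal_bind=1
}

# Policy routing: marked packets are delivered locally even though their
# destination address does not belong to this host.
policy_routing() {
    run ip rule add fwmark "$FWMARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Squid's replies are addressed to the spoofed client IP, but a transparent
# socket for that flow already exists here: mark them so they stay local.
divert_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
}

# Client connections to any web server on 80/443 (arriving via the PBR) are
# handed to the local HAProxy socket. TPROXY keeps the original destination,
# so HAProxy can still tell port-80 from port-443 flows.
intercept_rules() {
    run iptables -t mangle -N INTERCEPT
    # Squid's own outbound web traffic also passes through this host (its
    # default gateway is the VRRP IP); never intercept it again or it loops.
    for squid in $SQUID_SERVERS; do
        run iptables -t mangle -A INTERCEPT -s "$squid" -j RETURN
    done
    run iptables -t mangle -A INTERCEPT -p tcp -j TPROXY \
        --on-port "$HAPROXY_INTERCEPT_PORT" --tproxy-mark "$FWMARK/$FWMARK"
    for port in 80 443; do
        run iptables -t mangle -A PREROUTING -p tcp --dport "$port" -j INTERCEPT
    done
}

# One backend per Squid listener, keeping the post's client-IP preservation.
backend_block() {   # $1 = backend name, $2 = Squid port
    printf '\nbackend %s\n' "$1"
    printf '        mode tcp\n        timeout server 30m\n        timeout connect 5s\n'
    printf '        balance leastconn\n        stick-table type ip size 20k\n        stick on src\n'
    printf '        source 0.0.0.0 usesrc clientip\n'
    for squid in $SQUID_SERVERS; do
        printf '        server %s %s:%s check\n' "squid_${squid##*.}" "$squid" "$2"
    done
}

# Matching HAProxy fragment (assumed, not the poster's config). The bind needs
# 'transparent' so the socket has IP_TRANSPARENT and accepts TPROXY flows; the
# original destination port selects the Squid intercept listener, because the
# explicit port 3128 cannot serve intercepted traffic.
haproxy_fragment() {
    printf 'frontend fe_intercept_web\n        mode tcp\n        timeout client 30m\n'
    printf '        bind 0.0.0.0:%s transparent\n' "$HAPROXY_INTERCEPT_PORT"
    printf '        use_backend bk_intercept_https if { dst_port 443 }\n'
    printf '        default_backend bk_intercept_http\n'
    backend_block bk_intercept_http  "$SQUID_HTTP_PORT"
    backend_block bk_intercept_https "$SQUID_HTTPS_PORT"
}

main() {
    sysctl_settings
    policy_routing
    divert_rules
    intercept_rules
    echo
    haproxy_fragment
}

main
```

Run it as-is to print the rules and the HAProxy fragment; `DRY_RUN=0` as root applies them. The Squid side is assumed and not covered by the post: intercepted port-80 streams must land on a Squid `http_port ... intercept` listener and port-443 streams on an `https_port ... intercept ssl-bump` listener using the root authority already pushed via GPO, since Squid's explicit port 3128 expects proxy-style requests. The DIVERT rule is installed before the INTERCEPT rules on purpose, and the per-Squid `RETURN` entries are the check that keeps Squid's own upstream connections, which also cross this host, from being intercepted a second time.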
