Re: proper https interception

2016-07-17 Thread Brendan Kearney

On 07/17/2016 04:59 PM, Evgeniy Sudyr wrote:

Brendan,

I'm also interested in this topic as our company is preparing for
switching most traffic to be SSL enabled soon.

What I found so far are these quite informative articles:

1) 
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/
2) 
http://loadbalancer.org/blog/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy

Also you did not post your iptables config or the routing rules on the backend
servers (as they need to reply to "spoofed" IPs back to the HAProxy servers
(tcp mode, right?)); all are very important for a tproxy config to be
working.

Let me know your results if you get them first.

Btw, I will be glad to see working configs from other community
members. Thank you all in advance!

--
Evgeniy

On Sun, Jul 17, 2016 at 10:19 PM, Brendan Kearney  wrote:

i have iptables configured to redirect outbound HTTP to HAProxy, and then
load balance to a couple of squid instances.  the below works well:

backend tproxy
    acl https ssl_fc
    http-request set-uri http://%[req.hdr(Host)]%[path]?%[query] unless https
    ...

i have tried to perform HTTPS interception using the below, in addition to
the redirect of HTTPS traffic to the HAProxy VIP:

    http-request set-method CONNECT if https
    http-request set-uri https://%[req.hdr(Host)]%[path]?%[query] if https

this does not seem to work as expected.  where can i find more info on
performing HTTPS interception, for transparent proxying?  any help would be
appreciated.

thanks,

brendan




HAProxy does not need the kernel to have nonlocal binding turned on, as 
i am performing DNAT with IPTables:


# Rule 5 (NAT)
#
echo "Rule 5 (NAT)"
#
$IPTABLES -t nat -N Cid130089X1041.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.4 --dport 80 -j Cid130089X1041.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.5 --dport 80 -j Cid130089X1041.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.200 --dport 80 -j Cid130089X1041.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.24.1 --dport 80 -j Cid130089X1041.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.24.2 --dport 80 -j Cid130089X1041.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.24.4 --dport 80 -j Cid130089X1041.0

$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.1.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.24.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.88.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.100.1 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.120.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.152.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.184.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.185.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.216.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -d 192.168.248.0/24 -j RETURN
$IPTABLES -t nat -A Cid130089X1041.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.120.1:3129


i use FWBuilder to create my iptables policy, and the above takes 
traffic from some sources and DNATs their outbound traffic on port 80 to 
my proxy VIP on port 3129.  this load balances to squid, which satisfies 
the request.  i am not doing full transparent proxying because my load 
balancer is also my router/firewall, and out-of-state or asynchronous 
routing will be dropped by the firewall.  this means that i am setting 
and using the X-Forwarded-For header, and in squid i digest that header 
for the client IP.


the squid servers see the router's local interface as the source of the 
connection, and reply back to it.  the DNAT is unraveled/undone on the 
return trip to the client, from the router.  because of this, there is 
no special routing needed on the servers, and only their default route 
is required.


what i need is the know-how to intercept the HTTPS.  this requires a 
change to the METHOD, and the URI.  i am not sure how to go about that, 
and am looking for more reading material on the subject.
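A point worth making explicit about the `set-method CONNECT` / `set-uri https://%[req.hdr(Host)]...` approach quoted in this thread: HAProxy's `ssl_fc` is true only on connections HAProxy itself terminates with TLS, and a plain `mode http` frontend that receives redirected port-443 traffic sees a TLS ClientHello rather than an HTTP request, so `req.hdr(Host)` and `path` have nothing to read. The only hostname a transparent proxy can observe without terminating the session is the SNI extension in the ClientHello (the value HAProxy exposes as `req.ssl_sni` in `mode tcp`). The following Python example is added here to show that boundary; it is not code from this thread or from HAProxy or squid. It constructs a sample ClientHello (the hostname, zeroed random and single cipher suite are constructed values) and extracts the SNI, returning `None` for a ClientHello without SNI and for plaintext HTTP bytes, where the Host header would be visible but the SNI is not.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)

# Constructed sample of what an intercepted port-80 request looks like.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not captured traffic)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    body = (
        b"\x03\x03" + bytes(32)                  # client_version, random (zeros: constructed)
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello, or None if absent, truncated, or not TLS.

    Only the plaintext ClientHello is parsed; the HTTP request that follows the
    handshake is encrypted and is not visible to a proxy that does not terminate TLS.
    """
    try:
        if data[0] != TLS_HANDSHAKE or data[1] != 0x03:
            return None                                      # not a TLS handshake record
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != CLIENT_HELLO:
            return None                                      # truncated or not a ClientHello
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            return None
        pos = 2 + 32                                         # skip client_version and random
        pos += 1 + hs[pos]                                   # skip session_id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + cs_len                                    # skip cipher_suites
        pos += 1 + hs[pos]                                   # skip compression_methods
        if pos + 2 > len(hs):
            return None                                      # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext = hs[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", ext[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = ext[q]
                nlen = struct.unpack("!H", ext[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                               # host_name entry
                    return ext[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                          # malformed input: treat as no SNI


if __name__ == "__main__":
    print("TLS with SNI    :", extract_sni(build_client_hello("example.com")))
    print("TLS without SNI :", extract_sni(build_client_hello(None)))
    print("plaintext HTTP  :", extract_sni(HTTP_REQUEST))
```

The parser stops at the ClientHello on purpose: that is all a `mode tcp` frontend can inspect with `tcp-request inspect-delay` and `req.ssl_sni`, and routing or policy decisions for intercepted HTTPS have to be made on that name, not on a Host header or path that only exists inside the encrypted session.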




Re: proper https interception

2016-07-17 Thread Evgeniy Sudyr
Brendan,

I'm also interested in this topic as our company is preparing for
switching most traffic to be SSL enabled soon.

What I found so far are these quite informative articles:

1) 
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/
2) 
http://loadbalancer.org/blog/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy

Also you did not post your iptables config or the routing rules on the backend
servers (as they need to reply to "spoofed" IPs back to the HAProxy servers
(tcp mode, right?)); all are very important for a tproxy config to be
working.

Let me know your results if you get them first.

Btw, I will be glad to see working configs from other community
members. Thank you all in advance!

--
Evgeniy

On Sun, Jul 17, 2016 at 10:19 PM, Brendan Kearney  wrote:
> i have iptables configured to redirect outbound HTTP to HAProxy, and then
> load balance to a couple of squid instances.  the below works well:
>
> backend tproxy
>     acl https ssl_fc
>     http-request set-uri http://%[req.hdr(Host)]%[path]?%[query] unless https
>     ...
>
> i have tried to perform HTTPS interception using the below, in addition to
> the redirect of HTTPS traffic to the HAProxy VIP:
>
>     http-request set-method CONNECT if https
>     http-request set-uri https://%[req.hdr(Host)]%[path]?%[query] if https
>
> this does not seem to work as expected.  where can i find more info on
> performing HTTPS interception, for transparent proxying?  any help would be
> appreciated.
>
> thanks,
>
> brendan
>



--
With regards,
Eugene Sudyr



proper https interception

2016-07-17 Thread Brendan Kearney
i have iptables configured to redirect outbound HTTP to HAProxy, and 
then load balance to a couple of squid instances.  the below works well:


backend tproxy
    acl https ssl_fc
    http-request set-uri http://%[req.hdr(Host)]%[path]?%[query] unless https
    ...

i have tried to perform HTTPS interception using the below, in addition 
to the redirect of HTTPS traffic to the HAProxy VIP:


    http-request set-method CONNECT if https
    http-request set-uri https://%[req.hdr(Host)]%[path]?%[query] if https


this does not seem to work as expected.  where can i find more info on 
performing HTTPS interception, for transparent proxying?  any help would 
be appreciated.


thanks,

brendan