Re: How to forward HTTP / HTTPS to different backend proxy servers
On Sun, Jul 2, 2017 at 7:30 PM, Michael Ezzell wrote:

> On Jul 2, 2017 8:41 PM, "Daren Sefcik" wrote:
>
> yep, pretty much..I just need some help to figure out how to make it
> work
>
> example log entries for https and http, you can see how the "443" goes to
> one backend and the regular http "GET" request goes to another..but this
> is not consistent and I know there has to be a better way..
>
>
> use_backend HTPL_WEB_PROXY_http_ipvANY if { meth_connect }
>
> Or maybe...
>
> use_backend HTPL_WEB_PROXY_http_ipvANY if { meth_connect } !{ path_end :80 }
>
> That should be all you need.
>
> HTTPS through an HTTP proxy via HAProxy isn't an SSL session that HAProxy
> can see. It's an opaque tunnel, requested over HTTP, using CONNECT.
>
> If the browser asks for a tunnel, it should be because it's wanting to
> speak HTTPS once the target is connected.

I think that was all I needed, thank you very much...!!
Re: How to forward HTTP / HTTPS to different backend proxy servers
On Jul 2, 2017 8:41 PM, "Daren Sefcik" wrote:

yep, pretty much..I just need some help to figure out how to make it work

example log entries for https and http, you can see how the "443" goes to one backend and the regular http "GET" request goes to another..but this is not consistent and I know there has to be a better way..


use_backend HTPL_WEB_PROXY_http_ipvANY if { meth_connect }

Or maybe...

use_backend HTPL_WEB_PROXY_http_ipvANY if { meth_connect } !{ path_end :80 }

That should be all you need.

HTTPS through an HTTP proxy via HAProxy isn't an SSL session that HAProxy can see. It's an opaque tunnel, requested over HTTP, using CONNECT.

If the browser asks for a tunnel, it should be because it's wanting to speak HTTPS once the target is connected.
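
Added example, not part of the original thread: a simplified Python model of what each check tried in this thread can observe on a plain-TCP forward-proxy listener, showing why only the CONNECT method separates HTTPS from HTTP here. The function names, the "tunnel"/"plain" labels and the sample bytes are constructed for illustration; this is not HAProxy's parser.

```python
"""Model of what each ACL tried in the thread can see on a forward-proxy
listener bound without TLS (bind 10.1.4.105:8181). Illustrative only."""

# Constructed samples of the first bytes a client sends to the proxy port.
SAMPLES = {
    # Browser using an explicit proxy for an https:// URL: plaintext CONNECT.
    "https_via_proxy": b"CONNECT caltopo.com:443 HTTP/1.1\r\n"
                       b"Host: caltopo.com:443\r\n\r\n",
    # Browser using an explicit proxy for an http:// URL: absolute-URI GET.
    "http_via_proxy": b"GET http://example.com/a.png HTTP/1.1\r\n"
                      b"Host: example.com\r\n\r\n",
    # Client opening TLS directly to the port: record type 0x16, version 3.x,
    # two length bytes, then handshake type 0x01 (ClientHello).
    "direct_tls": bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B]),
}


def looks_like_client_hello(data: bytes) -> bool:
    """Rough stand-in for 'req.ssl_hello_type 1' on a TLS record."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def parse_request_line(data: bytes):
    """Return (method, target), or None if the bytes are not an HTTP request."""
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace")


def acl_view(data: bytes, listen_port: int = 8181, bind_has_ssl: bool = False) -> dict:
    """Which of the thread's conditions would be true for this connection."""
    req = parse_request_line(data)
    method, target = req if req else (None, None)
    is_connect = method == "CONNECT"
    return {
        # ssl_fc: true only when the listener itself terminates TLS.
        "ssl_fc": bind_has_ssl,
        # dst_port: the port the client connected to on the proxy, not the
        # port of the site named inside the request.
        "dst_port_443": listen_port == 443,
        # req.ssl_hello_type 1: needs a raw ClientHello as the first bytes.
        "client_hello": looks_like_client_hello(data),
        # The CONNECT-method condition suggested in the reply above.
        "connect": is_connect,
        # Second variant from the reply: CONNECT whose target is not port 80.
        "connect_not_80": is_connect and not target.endswith(":80"),
    }


def route(data: bytes) -> str:
    """Hypothetical two-way split: tunnels to one pool, plain HTTP to the other."""
    return "tunnel" if acl_view(data)["connect"] else "plain"


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, acl_view(data), "->", route(data))
```
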
Re: How to forward HTTP / HTTPS to different backend proxy servers
On Sun, Jul 2, 2017 at 6:10 PM, Igor Cicimov wrote:

> On Mon, Jul 3, 2017 at 10:38 AM, Daren Sefcik wrote:
>
>> On Sun, Jul 2, 2017 at 4:44 PM, Michael Ezzell wrote:
>>
>>> On Jul 2, 2017 19:15, "Daren Sefcik" wrote:
>>>
>>> Most of the traffic is ssl, for example gmail, facebook, pandora all
>>> force https.
>>>
>>> I'm going to go out on a limb and suggest that *none* of the traffic is
>>> SSL in any sense that is meaningful from HAProxy's perspective.
>>>
>>> What do the HTTPS requests look like in the HAProxy logs? Aren't they
>>> CONNECT requests?
>>
>> yep, pretty much..I just need some help to figure out how to make it
>> work
>>
>> example log entries for https and http, you can see how the "443" goes to
>> one backend and the regular http "GET" request goes to another..but this
>> is not consistent and I know there has to be a better way..
>>
>> HTPL_PROXY HTPL_SSL_PROXY_http_ipvANY/HTPL-PROXY-03_10.1.4.180 0/0/0/22/10075 200 525 - - cD-- 124/124/103/103/0 0/0 "CONNECT caltopo.com:443 HTTP/1.1"
>>
>> HTPL_PROXY HTPL_WEB_PROXY_http_ipvANY/HTPL-PROXY-04_10.1.4.181 92/0/0/1/93 403 4309 - - 126/126/10/11/0 0/0 "GET http://i2.wp.com/n4.nabble.com/images/avatar100.png HTTP/1.1"
>>
>> TIA for any help with this..!
>
> Is it possible that *some* of the clients have issues talking to the
> haproxy over ssl? You say in case of ssl it is not 100% successful but what
> does that mean? How does this manifest? Can you track the ssl request from
> particular client ending up on the http backend?

All clients talk to haproxy 100% fine. What I mean by not 100% is that using that particular acl to try and determine if it is ssl traffic or not is not 100% in haproxy. Maybe 80% percent of the time haproxy sends the traffic to the intended backend and 20% of the time to the other but 100% of all traffic goes to one backend or the other.

TIA...
Re: How to forward HTTP / HTTPS to different backend proxy servers
On Mon, Jul 3, 2017 at 9:44 AM, Michael Ezzell wrote:

> On Jul 2, 2017 19:15, "Daren Sefcik" wrote:
>
> Most of the traffic is ssl, for example gmail, facebook, pandora all force
> https.
>
> I'm going to go out on a limb and suggest that *none* of the traffic is
> SSL in any sense that is meaningful from HAProxy's perspective.
>
> What do the HTTPS requests look like in the HAProxy logs? Aren't they
> CONNECT requests?

I was going to go even further and ask for tcpdump capture on the haproxy port :-)
Re: How to forward HTTP / HTTPS to different backend proxy servers
I would like to ask why you have non ssl and ssl traffic on the same port? While it seems it is possible it is not the right way to do it.

On 2 Jul 2017 23:37, "Igor Cicimov" wrote:

On 3 Jul 2017 8:35 am, "Igor Cicimov" wrote:

On 3 Jul 2017 6:47 am, "Daren Sefcik" wrote:

On Sat, Jul 1, 2017 at 4:39 PM, Igor Cicimov wrote:

> On 29 Jun 2017 2:46 am, "Daren Sefcik" wrote:
>
> On Wed, Jun 28, 2017 at 8:12 AM, Olivier Doucet wrote:
>
>> Hi,
>>
>> 2017-06-28 16:47 GMT+02:00 Daren Sefcik:
>>
>>> Hi, I have searched for an answer to this and tried several things but
>>> cannot seem to figure it out so am hoping someone can point me in the right
>>> direction. I have different backend proxy servers (squid) setup to handle
>>> specifically HTTP and HTTPS traffic but cannot figure out how to tell
>>> haproxy to tell the difference and send appropriately.
>>>
>>> For example, I have
>>>
>>> frontend proxy_servers
>>> backend http_proxies
>>> backend https_proxies
>>>
>>> how can I tell frontend to send all http traffic to backend http_proxies
>>> and all https traffic to https_backend? I have tried using dst_port 443 and
>>> the acl https ssl_fc but nothing seems to distinguish https traffic.
>>
>> Well, it should work. Send a copy of your config to see what's wrong in
>> it.
>>
>> Olivier
>>
>>> TIA...
>
> Here is an example, it continues to direct all https traffic to the web
> proxy and not the streaming media one.
>
> frontend HTPL_PROXY
>     bind 10.1.4.105:8181 name 10.1.4.105:8181
>     mode http
>     log global
>     option http-server-close
>     option forwardfor
>     acl https ssl_fc
>     http-request set-header X-Forwarded-Proto http if !https
>     http-request set-header X-Forwarded-Proto https if https
>     maxconn 9
>     timeout client 1
>     option tcp-smart-accept
>     acl is_youtube hdr_sub(host) -i youtube.com
>     acl is_netflix hdr_sub(host) -i netflix.com
>     acl is_nflixvideo hdr_sub(host) -i nflxvideo.net
>     acl is_googlevideo hdr_sub(host) -i googlevideo.com
>     acl is_google hdr_sub(host) -i google.com
>     acl is_pandora hdr_sub(host) -i pandora.com
>     acl is_https dst_port eq 443
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_youtube
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_netflix
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_nflixvideo
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_googlevideo
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_pandora
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_https
>     default_backend HTPL_WEB_PROXY_http_ipvANY
>
> Obviously dst_port 443 method can not work since you are listening on port
> 8181. Since both protocols are on same port you can try in tcp mode:
>
> mode tcp
> option tcplog
> bind *:8181
>
> tcp-request inspect-delay 5s
> acl is_ssl req.ssl_hello_type 1

Thank you, I have tried that with the below config and it still sends all traffic to the default backend instead of my ssl backend, any other ideas?

frontend HTPL_PROXY
    bind 10.1.4.105:8181 name 10.1.4.105:8181
    mode tcp
    log global
    maxconn 9
    timeout client 1
    option tcp-smart-accept
    tcp-request inspect-delay 5s
    acl is_ssl req.ssl_hello_type 1
    use_backend HTPL_SSL_PROXY_tcp_ipvANY if is_ssl
    default_backend HTPL_WEB_PROXY_tcp_ipvANY

Only explanation I can see is that no ssl traffic is hitting haproxy at least not on port 8181

Or the ip it is bound to
Re: How to forward HTTP / HTTPS to different backend proxy servers
On 3 Jul 2017 8:35 am, "Igor Cicimov" wrote:

On 3 Jul 2017 6:47 am, "Daren Sefcik" wrote:

On Sat, Jul 1, 2017 at 4:39 PM, Igor Cicimov wrote:

> On 29 Jun 2017 2:46 am, "Daren Sefcik" wrote:
>
> On Wed, Jun 28, 2017 at 8:12 AM, Olivier Doucet wrote:
>
>> Hi,
>>
>> 2017-06-28 16:47 GMT+02:00 Daren Sefcik:
>>
>>> Hi, I have searched for an answer to this and tried several things but
>>> cannot seem to figure it out so am hoping someone can point me in the right
>>> direction. I have different backend proxy servers (squid) setup to handle
>>> specifically HTTP and HTTPS traffic but cannot figure out how to tell
>>> haproxy to tell the difference and send appropriately.
>>>
>>> For example, I have
>>>
>>> frontend proxy_servers
>>> backend http_proxies
>>> backend https_proxies
>>>
>>> how can I tell frontend to send all http traffic to backend http_proxies
>>> and all https traffic to https_backend? I have tried using dst_port 443 and
>>> the acl https ssl_fc but nothing seems to distinguish https traffic.
>>
>> Well, it should work. Send a copy of your config to see what's wrong in
>> it.
>>
>> Olivier
>>
>>> TIA...
>
> Here is an example, it continues to direct all https traffic to the web
> proxy and not the streaming media one.
>
> frontend HTPL_PROXY
>     bind 10.1.4.105:8181 name 10.1.4.105:8181
>     mode http
>     log global
>     option http-server-close
>     option forwardfor
>     acl https ssl_fc
>     http-request set-header X-Forwarded-Proto http if !https
>     http-request set-header X-Forwarded-Proto https if https
>     maxconn 9
>     timeout client 1
>     option tcp-smart-accept
>     acl is_youtube hdr_sub(host) -i youtube.com
>     acl is_netflix hdr_sub(host) -i netflix.com
>     acl is_nflixvideo hdr_sub(host) -i nflxvideo.net
>     acl is_googlevideo hdr_sub(host) -i googlevideo.com
>     acl is_google hdr_sub(host) -i google.com
>     acl is_pandora hdr_sub(host) -i pandora.com
>     acl is_https dst_port eq 443
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_youtube
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_netflix
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_nflixvideo
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_googlevideo
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_pandora
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_https
>     default_backend HTPL_WEB_PROXY_http_ipvANY
>
> Obviously dst_port 443 method can not work since you are listening on port
> 8181. Since both protocols are on same port you can try in tcp mode:
>
> mode tcp
> option tcplog
> bind *:8181
>
> tcp-request inspect-delay 5s
> acl is_ssl req.ssl_hello_type 1

Thank you, I have tried that with the below config and it still sends all traffic to the default backend instead of my ssl backend, any other ideas?

frontend HTPL_PROXY
    bind 10.1.4.105:8181 name 10.1.4.105:8181
    mode tcp
    log global
    maxconn 9
    timeout client 1
    option tcp-smart-accept
    tcp-request inspect-delay 5s
    acl is_ssl req.ssl_hello_type 1
    use_backend HTPL_SSL_PROXY_tcp_ipvANY if is_ssl
    default_backend HTPL_WEB_PROXY_tcp_ipvANY

Only explanation I can see is that no ssl traffic is hitting haproxy at least not on port 8181

Or the ip it is bound to
Re: How to forward HTTP / HTTPS to different backend proxy servers
On 3 Jul 2017 6:47 am, "Daren Sefcik" wrote:

On Sat, Jul 1, 2017 at 4:39 PM, Igor Cicimov wrote:

> On 29 Jun 2017 2:46 am, "Daren Sefcik" wrote:
>
> On Wed, Jun 28, 2017 at 8:12 AM, Olivier Doucet wrote:
>
>> Hi,
>>
>> 2017-06-28 16:47 GMT+02:00 Daren Sefcik:
>>
>>> Hi, I have searched for an answer to this and tried several things but
>>> cannot seem to figure it out so am hoping someone can point me in the right
>>> direction. I have different backend proxy servers (squid) setup to handle
>>> specifically HTTP and HTTPS traffic but cannot figure out how to tell
>>> haproxy to tell the difference and send appropriately.
>>>
>>> For example, I have
>>>
>>> frontend proxy_servers
>>> backend http_proxies
>>> backend https_proxies
>>>
>>> how can I tell frontend to send all http traffic to backend http_proxies
>>> and all https traffic to https_backend? I have tried using dst_port 443 and
>>> the acl https ssl_fc but nothing seems to distinguish https traffic.
>>
>> Well, it should work. Send a copy of your config to see what's wrong in
>> it.
>>
>> Olivier
>>
>>> TIA...
>
> Here is an example, it continues to direct all https traffic to the web
> proxy and not the streaming media one.
>
> frontend HTPL_PROXY
>     bind 10.1.4.105:8181 name 10.1.4.105:8181
>     mode http
>     log global
>     option http-server-close
>     option forwardfor
>     acl https ssl_fc
>     http-request set-header X-Forwarded-Proto http if !https
>     http-request set-header X-Forwarded-Proto https if https
>     maxconn 9
>     timeout client 1
>     option tcp-smart-accept
>     acl is_youtube hdr_sub(host) -i youtube.com
>     acl is_netflix hdr_sub(host) -i netflix.com
>     acl is_nflixvideo hdr_sub(host) -i nflxvideo.net
>     acl is_googlevideo hdr_sub(host) -i googlevideo.com
>     acl is_google hdr_sub(host) -i google.com
>     acl is_pandora hdr_sub(host) -i pandora.com
>     acl is_https dst_port eq 443
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_youtube
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_netflix
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_nflixvideo
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_googlevideo
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_pandora
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_https
>     default_backend HTPL_WEB_PROXY_http_ipvANY
>
> Obviously dst_port 443 method can not work since you are listening on port
> 8181. Since both protocols are on same port you can try in tcp mode:
>
> mode tcp
> option tcplog
> bind *:8181
>
> tcp-request inspect-delay 5s
> acl is_ssl req.ssl_hello_type 1

Thank you, I have tried that with the below config and it still sends all traffic to the default backend instead of my ssl backend, any other ideas?

frontend HTPL_PROXY
    bind 10.1.4.105:8181 name 10.1.4.105:8181
    mode tcp
    log global
    maxconn 9
    timeout client 1
    option tcp-smart-accept
    tcp-request inspect-delay 5s
    acl is_ssl req.ssl_hello_type 1
    use_backend HTPL_SSL_PROXY_tcp_ipvANY if is_ssl
    default_backend HTPL_WEB_PROXY_tcp_ipvANY

Only explanation I can see is that no ssl traffic is hitting haproxy at least not on port 8181
Re: How to forward HTTP / HTTPS to different backend proxy servers
On Sat, Jul 1, 2017 at 4:39 PM, Igor Cicimov wrote:

> On 29 Jun 2017 2:46 am, "Daren Sefcik" wrote:
>
> On Wed, Jun 28, 2017 at 8:12 AM, Olivier Doucet wrote:
>
>> Hi,
>>
>> 2017-06-28 16:47 GMT+02:00 Daren Sefcik:
>>
>>> Hi, I have searched for an answer to this and tried several things but
>>> cannot seem to figure it out so am hoping someone can point me in the right
>>> direction. I have different backend proxy servers (squid) setup to handle
>>> specifically HTTP and HTTPS traffic but cannot figure out how to tell
>>> haproxy to tell the difference and send appropriately.
>>>
>>> For example, I have
>>>
>>> frontend proxy_servers
>>> backend http_proxies
>>> backend https_proxies
>>>
>>> how can I tell frontend to send all http traffic to backend http_proxies
>>> and all https traffic to https_backend? I have tried using dst_port 443 and
>>> the acl https ssl_fc but nothing seems to distinguish https traffic.
>>
>> Well, it should work. Send a copy of your config to see what's wrong in
>> it.
>>
>> Olivier
>>
>>> TIA...
>
> Here is an example, it continues to direct all https traffic to the web
> proxy and not the streaming media one.
>
> frontend HTPL_PROXY
>     bind 10.1.4.105:8181 name 10.1.4.105:8181
>     mode http
>     log global
>     option http-server-close
>     option forwardfor
>     acl https ssl_fc
>     http-request set-header X-Forwarded-Proto http if !https
>     http-request set-header X-Forwarded-Proto https if https
>     maxconn 9
>     timeout client 1
>     option tcp-smart-accept
>     acl is_youtube hdr_sub(host) -i youtube.com
>     acl is_netflix hdr_sub(host) -i netflix.com
>     acl is_nflixvideo hdr_sub(host) -i nflxvideo.net
>     acl is_googlevideo hdr_sub(host) -i googlevideo.com
>     acl is_google hdr_sub(host) -i google.com
>     acl is_pandora hdr_sub(host) -i pandora.com
>     acl is_https dst_port eq 443
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_youtube
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_netflix
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_nflixvideo
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_googlevideo
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_pandora
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_https
>     default_backend HTPL_WEB_PROXY_http_ipvANY
>
> Obviously dst_port 443 method can not work since you are listening on port
> 8181. Since both protocols are on same port you can try in tcp mode:
>
> mode tcp
> option tcplog
> bind *:8181
>
> tcp-request inspect-delay 5s
> acl is_ssl req.ssl_hello_type 1

Thank you, I have tried that with the below config and it still sends all traffic to the default backend instead of my ssl backend, any other ideas?

frontend HTPL_PROXY
    bind 10.1.4.105:8181 name 10.1.4.105:8181
    mode tcp
    log global
    maxconn 9
    timeout client 1
    option tcp-smart-accept
    tcp-request inspect-delay 5s
    acl is_ssl req.ssl_hello_type 1
    use_backend HTPL_SSL_PROXY_tcp_ipvANY if is_ssl
    default_backend HTPL_WEB_PROXY_tcp_ipvANY
Re: How to forward HTTP / HTTPS to different backend proxy servers
On 29 Jun 2017 2:46 am, "Daren Sefcik" wrote:

On Wed, Jun 28, 2017 at 8:12 AM, Olivier Doucet wrote:

> Hi,
>
> 2017-06-28 16:47 GMT+02:00 Daren Sefcik:
>
>> Hi, I have searched for an answer to this and tried several things but
>> cannot seem to figure it out so am hoping someone can point me in the right
>> direction. I have different backend proxy servers (squid) setup to handle
>> specifically HTTP and HTTPS traffic but cannot figure out how to tell
>> haproxy to tell the difference and send appropriately.
>>
>> For example, I have
>>
>> frontend proxy_servers
>> backend http_proxies
>> backend https_proxies
>>
>> how can I tell frontend to send all http traffic to backend http_proxies
>> and all https traffic to https_backend? I have tried using dst_port 443 and
>> the acl https ssl_fc but nothing seems to distinguish https traffic.
>
> Well, it should work. Send a copy of your config to see what's wrong in
> it.
>
> Olivier
>
>> TIA...

Here is an example, it continues to direct all https traffic to the web proxy and not the streaming media one.

frontend HTPL_PROXY
    bind 10.1.4.105:8181 name 10.1.4.105:8181
    mode http
    log global
    option http-server-close
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    maxconn 9
    timeout client 1
    option tcp-smart-accept
    acl is_youtube hdr_sub(host) -i youtube.com
    acl is_netflix hdr_sub(host) -i netflix.com
    acl is_nflixvideo hdr_sub(host) -i nflxvideo.net
    acl is_googlevideo hdr_sub(host) -i googlevideo.com
    acl is_google hdr_sub(host) -i google.com
    acl is_pandora hdr_sub(host) -i pandora.com
    acl is_https dst_port eq 443
    use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_youtube
    use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_netflix
    use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_nflixvideo
    use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_googlevideo
    use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_pandora
    use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_https
    default_backend HTPL_WEB_PROXY_http_ipvANY

Obviously dst_port 443 method can not work since you are listening on port 8181. Since both protocols are on same port you can try in tcp mode:

mode tcp
option tcplog
bind *:8181

tcp-request inspect-delay 5s
acl is_ssl req.ssl_hello_type 1
Re: How to forward HTTP / HTTPS to different backend proxy servers
Would anybody here on the list be able to offer some pointers to how I can make this work?

TIA...

On Wed, Jun 28, 2017 at 9:43 AM, Daren Sefcik wrote:

> On Wed, Jun 28, 2017 at 8:12 AM, Olivier Doucet wrote:
>
>> Hi,
>>
>> 2017-06-28 16:47 GMT+02:00 Daren Sefcik:
>>
>>> Hi, I have searched for an answer to this and tried several things but
>>> cannot seem to figure it out so am hoping someone can point me in the right
>>> direction. I have different backend proxy servers (squid) setup to handle
>>> specifically HTTP and HTTPS traffic but cannot figure out how to tell
>>> haproxy to tell the difference and send appropriately.
>>>
>>> For example, I have
>>>
>>> frontend proxy_servers
>>> backend http_proxies
>>> backend https_proxies
>>>
>>> how can I tell frontend to send all http traffic to backend http_proxies
>>> and all https traffic to https_backend? I have tried using dst_port 443 and
>>> the acl https ssl_fc but nothing seems to distinguish https traffic.
>>
>> Well, it should work. Send a copy of your config to see what's wrong in
>> it.
>>
>> Olivier
>>
>>> TIA...
>
> Here is an example, it continues to direct all https traffic to the web
> proxy and not the streaming media one.
>
> frontend HTPL_PROXY
>     bind 10.1.4.105:8181 name 10.1.4.105:8181
>     mode http
>     log global
>     option http-server-close
>     option forwardfor
>     acl https ssl_fc
>     http-request set-header X-Forwarded-Proto http if !https
>     http-request set-header X-Forwarded-Proto https if https
>     maxconn 9
>     timeout client 1
>     option tcp-smart-accept
>     acl is_youtube hdr_sub(host) -i youtube.com
>     acl is_netflix hdr_sub(host) -i netflix.com
>     acl is_nflixvideo hdr_sub(host) -i nflxvideo.net
>     acl is_googlevideo hdr_sub(host) -i googlevideo.com
>     acl is_google hdr_sub(host) -i google.com
>     acl is_pandora hdr_sub(host) -i pandora.com
>     acl is_https dst_port eq 443
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_youtube
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_netflix
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_nflixvideo
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_googlevideo
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_pandora
>     use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_https
>     default_backend HTPL_WEB_PROXY_http_ipvANY
Re: How to forward HTTP / HTTPS to different backend proxy servers
On Wed, Jun 28, 2017 at 8:12 AM, Olivier Doucet wrote:

> Hi,
>
> 2017-06-28 16:47 GMT+02:00 Daren Sefcik:
>
>> Hi, I have searched for an answer to this and tried several things but
>> cannot seem to figure it out so am hoping someone can point me in the right
>> direction. I have different backend proxy servers (squid) setup to handle
>> specifically HTTP and HTTPS traffic but cannot figure out how to tell
>> haproxy to tell the difference and send appropriately.
>>
>> For example, I have
>>
>> frontend proxy_servers
>> backend http_proxies
>> backend https_proxies
>>
>> how can I tell frontend to send all http traffic to backend http_proxies
>> and all https traffic to https_backend? I have tried using dst_port 443 and
>> the acl https ssl_fc but nothing seems to distinguish https traffic.
>
> Well, it should work. Send a copy of your config to see what's wrong in
> it.
>
> Olivier
>
>> TIA...

Here is an example, it continues to direct all https traffic to the web proxy and not the streaming media one.

frontend HTPL_PROXY
    bind 10.1.4.105:8181 name 10.1.4.105:8181
    mode http
    log global
    option http-server-close
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    maxconn 9
    timeout client 1
    option tcp-smart-accept
    acl is_youtube hdr_sub(host) -i youtube.com
    acl is_netflix hdr_sub(host) -i netflix.com
    acl is_nflixvideo hdr_sub(host) -i nflxvideo.net
    acl is_googlevideo hdr_sub(host) -i googlevideo.com
    acl is_google hdr_sub(host) -i google.com
    acl is_pandora hdr_sub(host) -i pandora.com
    acl is_https dst_port eq 443
    use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_youtube
    use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_netflix
    use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_nflixvideo
    use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_googlevideo
    use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_pandora
    use_backend HTPL_STREAMING_MEDIA_PROXY_http_ipvANY if is_https
    default_backend HTPL_WEB_PROXY_http_ipvANY
Re: How to forward HTTP / HTTPS to different backend proxy servers
Hi,

2017-06-28 16:47 GMT+02:00 Daren Sefcik:

> Hi, I have searched for an answer to this and tried several things but
> cannot seem to figure it out so am hoping someone can point me in the right
> direction. I have different backend proxy servers (squid) setup to handle
> specifically HTTP and HTTPS traffic but cannot figure out how to tell
> haproxy to tell the difference and send appropriately.
>
> For example, I have
>
> frontend proxy_servers
> backend http_proxies
> backend https_proxies
>
> how can I tell frontend to send all http traffic to backend http_proxies
> and all https traffic to https_backend? I have tried using dst_port 443 and
> the acl https ssl_fc but nothing seems to distinguish https traffic.

Well, it should work. Send a copy of your config to see what's wrong in it.

Olivier

> TIA...