Re: Sharing SSL information via PROXY protocol or HAProxy internally
Hi,
For this specific case of http to https redirect I use the
X-Forwarded-Proto header. In the ssl frontend I do this:
http-request set-header X-Forwarded-Proto https
and in the plain http frontend I do this:
http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto)
https }
The problem here is that one could set that in a plain http request as
well and would avoid some redirects and whatnot, depending on what you
do based on what decision. You may also want the other SSL data, cipher,
version etc. Since 1.6 you can set variables, ok, but somehow passing
that kind of information could be really useful I guess.
I'd like to note that protecting headers like X-Forwarded-Proto from
being sent by clients is a typical task for any kind of setup like this,
especially in webservers.
What has to be done is simply to make sure that the
component/backend/system that is supposed to receive and interpret the
X-Forwarded-Proto header is *only* reachable from frontends, and that
all of these frontends either set the header, make sure the header is
not present, or do something with the request other than forwarding it
to the backend (like rejecting the request outright).
Best regards,
Luke
smime.p7s
Description: S/MIME Cryptographic Signature
Re: Sharing SSL information via PROXY protocol or HAProxy internally
I too am interested in this functionality. Looking at the proxy protocol
documentation
(http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt), it seems
that the requisite information is present in the PP2 header: " The
PP2_CLIENT_SSL flag indicates that the client connected over SSL/TLS.".
Looking through the source it seems haproxy adds this when sending PP2,
but not when receiving it.
-Patrick
On 2016/4/16 04:57, Christian Ruppert wrote:
> Hi Dennis,
>
> On 2016-04-16 02:13, Dennis Jacobfeuerborn wrote:
>> On 15.04.2016 16:01, Christian Ruppert wrote:
>>> Hi,
>>>
>>> would it be possible to inherit the SSL information from a SSL
>>> listener/frontend via PROXY protocol?
>>> So for example:
>>>
>>> listen ssl-relay
>>> mode tcp
>>>
>>> ...
>>>
>>> server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2
>>>
>>> listen ssl-rsa_ecc
>>> mode tcp
>>>
>>> ...
>>>
>>> bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt
>>> SSl-RSA.PEM user haproxy
>>>
>>> frontend http_https
>>> bind :80 # http
>>> bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy #
>>> https
>>>
>>> redirect scheme https code 301 if !{ssl_fc}
>>>
>>>
>>> Here the ssl_fc and other SSL related ACLs do not work because the
>>> actual SSL termination has been done in the above ssl-rsa_ecc listener.
>>> Sharing that either internally or via the PROXY protocol would be
>>> really
>>> handy, if that's possible.
>>> For now we use the bind "id" to check whether it's the proxy connection
>>> or not but the above would be much easier/better IMHO.
>>
>> For this specific case of http to https redirect I use the
>> X-Forwarded-Proto header. In the ssl frontend I do this:
>>
>> http-request set-header X-Forwarded-Proto https
>>
>> and in the plain http frontend I do this:
>>
>> http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto)
>> https }
>
> The problem here is that one could set that in a plain http request as
> well and would avoid some redirects and whatnot, depending on what you
> do based on what decision. You may also want the other SSL data,
> cipher, version etc. Since 1.6 you can set variables, ok, but somehow
> passing that kind of information could be really useful I guess.
>
>>
>> You usually need to set this header anyway so the application knows it
>> needs to generate https URLs in the generated HTML.
>>
>> Regards,
>> Dennis
>
Re: Sharing SSL information via PROXY protocol or HAProxy internally
Hi Dennis,
On 2016-04-16 02:13, Dennis Jacobfeuerborn wrote:
On 15.04.2016 16:01, Christian Ruppert wrote:
Hi,
would it be possible to inherit the SSL information from a SSL
listener/frontend via PROXY protocol?
So for example:
listen ssl-relay
mode tcp
...
server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2
listen ssl-rsa_ecc
mode tcp
...
bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt
SSl-RSA.PEM user haproxy
frontend http_https
bind :80 # http
bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy #
https
redirect scheme https code 301 if !{ssl_fc}
Here the ssl_fc and other SSL related ACLs do not work because the
actual SSL termination has been done in the above ssl-rsa_ecc
listener.
Sharing that either internally or via the PROXY protocol would be
really
handy, if that's possible.
For now we use the bind "id" to check whether it's the proxy
connection
or not but the above would be much easier/better IMHO.
For this specific case of http to https redirect I use the
X-Forwarded-Proto header. In the ssl frontend I do this:
http-request set-header X-Forwarded-Proto https
and in the plain http frontend I do this:
http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto)
https }
The problem here is that one could set that in a plain http request as
well and would avoid some redirects and whatnot, depending on what you
do based on what decision. You may also want the other SSL data, cipher,
version etc. Since 1.6 you can set variables, ok, but somehow passing
that kind of information could be really useful I guess.
You usually need to set this header anyway so the application knows it
needs to generate https URLs in the generated HTML.
Regards,
Dennis
--
Regards,
Christian Ruppert
Re: Sharing SSL information via PROXY protocol or HAProxy internally
On 15.04.2016 16:01, Christian Ruppert wrote:
> Hi,
>
> would it be possible to inherit the SSL information from a SSL
> listener/frontend via PROXY protocol?
> So for example:
>
> listen ssl-relay
> mode tcp
>
> ...
>
> server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2
>
> listen ssl-rsa_ecc
> mode tcp
>
> ...
>
> bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt
> SSl-RSA.PEM user haproxy
>
> frontend http_https
> bind :80 # http
> bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy # https
>
> redirect scheme https code 301 if !{ssl_fc}
>
>
> Here the ssl_fc and other SSL related ACLs do not work because the
> actual SSL termination has been done in the above ssl-rsa_ecc listener.
> Sharing that either internally or via the PROXY protocol would be really
> handy, if that's possible.
> For now we use the bind "id" to check whether it's the proxy connection
> or not but the above would be much easier/better IMHO.
For this specific case of http to https redirect I use the
X-Forwarded-Proto header. In the ssl frontend I do this:
http-request set-header X-Forwarded-Proto https
and in the plain http frontend I do this:
http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto) https }
You usually need to set this header anyway so the application knows it
needs to generate https URLs in the generated HTML.
Regards,
Dennis
Sharing SSL information via PROXY protocol or HAProxy internally
Hi,
would it be possible to inherit the SSL information from a SSL
listener/frontend via PROXY protocol?
So for example:
listen ssl-relay
mode tcp
...
server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2
listen ssl-rsa_ecc
mode tcp
...
bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt
SSl-RSA.PEM user haproxy
frontend http_https
bind :80 # http
bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy #
https
redirect scheme https code 301 if !{ssl_fc}
Here the ssl_fc and other SSL related ACLs do not work because the
actual SSL termination has been done in the above ssl-rsa_ecc listener.
Sharing that either internally or via the PROXY protocol would be really
handy, if that's possible.
For now we use the bind "id" to check whether it's the proxy connection
or not but the above would be much easier/better IMHO.
--
Regards,
Christian Ruppert
