Re: haproxy 1.8.30 lots of CD-- errors

2021-05-19 Thread Jonathan Opperman
Hi All,

I've had to remove h2 from all my front-ends; the issue seems to be gone
after doing this. Any ideas? I saw a similar
post from a previous release of haproxy, but in all my
troubleshooting/searching I cannot find where I was reading it.

Regards,
Jonathan

On Thu, May 20, 2021 at 12:36 AM Jonathan Opperman 
wrote:

> Hi All,
>
> I am hoping someone can help. We upgraded our haproxy in our PROD
> environment on Saturday, and since then we've been seeing a lot of these
> errors in the logs; prior to the upgrade (from 1.8.8) we never had these issues.
>
> /var/log/haproxy.log.2.gz:May 18 01:23:48 localhost haproxy[18368]:
> 82.147.15.84:11504 [18/May/2021:01:23:33.146] ft_https~
> bk_https/AUMELL122VHTTPS 0/0/2/-1/15300 -1 0 - - CD--
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 35/6/1/1/0 0/0 "POST
> /nt/3wm/nontradeexceptions/searchDocumentsByType/export HTTP/1.1"
>
> This only seems to be happening when the user is doing a long search
> within the portal, but this never happened before the upgrade.
>
> I am not sure where to start looking? I do not want to roll back to 1.8.8
> but I have no
> idea how to start troubleshooting as the only thing changed was the
> haproxy version.
>
> Any help/advice would be appreciated.
>
> Regards,
> Jonathan
>


haproxy 1.8.30 lots of CD-- errors

2021-05-19 Thread Jonathan Opperman
Hi All,

I am hoping someone can help. We upgraded our haproxy in our PROD
environment on Saturday, and since then we've been seeing a lot of these
errors in the logs; prior to the upgrade (from 1.8.8) we never had these issues.

/var/log/haproxy.log.2.gz:May 18 01:23:48 localhost haproxy[18368]:
82.147.15.84:11504 [18/May/2021:01:23:33.146] ft_https~
bk_https/AUMELL122VHTTPS 0/0/2/-1/15300 -1 0 - - CD--
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 35/6/1/1/0 0/0 "POST
/nt/3wm/nontradeexceptions/searchDocumentsByType/export HTTP/1.1"

This only seems to be happening when the user is doing a long search within
the portal, but this never happened before the upgrade.

I am not sure where to start looking? I do not want to roll back to 1.8.8
but I have no
idea how to start troubleshooting as the only thing changed was the haproxy
version.

Any help/advice would be appreciated.

Regards,
Jonathan
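As an added example (not code from the thread or from the haproxy project), the Python below parses log lines in the format shown above and decodes the CD-- field: the first character is the cause of termination (C: the client aborted the TCP session), the second the phase the session was in (D: data phase), and the last two are persistence-cookie flags. The column order is the default HTTP log format from the HAProxy configuration manual, with an extra slot for the cipher and TLS version that this log-format places after the termination state; the two additional log lines are constructed, as are the 10.0.0.x client addresses in them. The report groups client aborts by request target and counts how many ended before any response header arrived (Tr = -1), which is the first check to run before deciding whether the aborts follow one endpoint (the long search export here) or a frontend setting (the follow-up in this thread reports that removing h2 from the frontends made them stop).

```python
"""Parse HAProxy HTTP log lines and decode the termination-state field.

Added example, not code from the thread or from the haproxy project. Field
order follows the default HTTP log format of the HAProxy configuration
manual; the `extra` group absorbs custom fields placed between the
termination state and the connection counters (the thread's log-format puts
the TLS cipher and version there). Decode tables are abridged from the manual.
"""
import re
from collections import Counter

HTTP_LOG_RE = re.compile(
    r'(?P<client_ip>[0-9a-fA-F.:]+):(?P<client_port>\d+) '
    r'\[(?P<accept_date>[^\]]+)\] (?P<frontend>\S+) (?P<backend>\S+)/(?P<server>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>\+?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\+?\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<tsc>[A-Za-z-]{4})(?: (?P<extra>.*?))? '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\+?\d+) '
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) "(?P<request>[^"]*)"$'
)
INT_FIELDS = ("client_port", "tq", "tw", "tc", "tr", "tt", "status", "bytes", "actconn",
              "feconn", "beconn", "srv_conn", "retries", "srv_queue", "backend_queue")

# First character of the termination state: what ended the session.
TERMINATION_CAUSE = {
    "-": "normal completion",
    "C": "TCP session aborted by the client",
    "S": "TCP session aborted or refused by the server",
    "P": "aborted by the proxy (rule, security check or invalid message)",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
}
# Second character: the phase the session was in when it ended.
SESSION_STATE = {
    "-": "normal completion",
    "R": "waiting for a complete request from the client",
    "Q": "queued, waiting for a server connection slot",
    "C": "waiting for the server connection to establish",
    "H": "waiting for or processing the response headers",
    "D": "DATA phase (body transfer in progress)",
}


def parse_http_log(line):
    """Return one line's fields as a dict, or None when it is not an HTTP log line.

    re.search rather than re.match, so a syslog prefix or a grep-style filename
    prefix ahead of the fields is skipped over.
    """
    m = HTTP_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for field in INT_FIELDS:
        rec[field] = int(rec[field].lstrip("+"))  # '+' marks values cut short by option logasap
    return rec


def decode_termination(tsc):
    """Spell out a 4-character termination state such as 'CD--'."""
    return {"cause": TERMINATION_CAUSE.get(tsc[0], f"unknown ({tsc[0]})"),
            "state": SESSION_STATE.get(tsc[1], f"unknown ({tsc[1]})"),
            "cookie": tsc[2:]}  # persistence-cookie flags, '--' when no cookie is configured


def client_abort_report(lines):
    """Count client-side aborts per (termination state, request target), and how
    many of them ended with Tr == -1, i.e. before any response header arrived."""
    per_target = Counter()
    no_response = 0
    for line in lines:
        rec = parse_http_log(line)
        if rec is None or rec["tsc"][0] not in ("C", "c"):
            continue
        parts = rec["request"].split(" ")
        target = parts[1] if len(parts) >= 2 else rec["request"]
        per_target[(rec["tsc"], target)] += 1
        if rec["tr"] == -1:
            no_response += 1
    return per_target, no_response


# Sample input: the line from the thread plus two constructed lines in the same format.
SAMPLE_LINES = [
    '/var/log/haproxy.log.2.gz:May 18 01:23:48 localhost haproxy[18368]: '
    '82.147.15.84:11504 [18/May/2021:01:23:33.146] ft_https~ bk_https/AUMELL122VHTTPS '
    '0/0/2/-1/15300 -1 0 - - CD-- ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 35/6/1/1/0 0/0 '
    '"POST /nt/3wm/nontradeexceptions/searchDocumentsByType/export HTTP/1.1"',
    # constructed: a request that completed normally
    'May 18 01:24:01 localhost haproxy[18368]: 10.0.0.5:50214 [18/May/2021:01:24:00.900] '
    'ft_https~ bk_https/AUMELL122VHTTPS 0/0/1/35/37 200 5123 - - ---- '
    'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 30/5/1/1/0 0/0 "GET /nt/3wm/home HTTP/1.1"',
    # constructed: a second abort on the same export endpoint
    'May 18 01:25:10 localhost haproxy[18368]: 10.0.0.6:50301 [18/May/2021:01:24:55.010] '
    'ft_https~ bk_https/AUMELL122VHTTPS 0/0/2/-1/15104 -1 0 - - CD-- '
    'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 31/5/1/1/0 0/0 '
    '"POST /nt/3wm/nontradeexceptions/searchDocumentsByType/export HTTP/1.1"',
]
```

Calling `parse_http_log` on the thread's line gives Tq/Tw/Tc/Tr/Tt = 0/0/2/-1/15300: the server connection was established in 2 ms, no response header was ever received, and the client went away 15.3 s in, with status -1 and 0 bytes. `client_abort_report(SAMPLE_LINES)` then returns a counter keyed by termination state and request path, which is the view to compare against the application's own timing for that export endpoint.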


Re: [*EXT*] Re: haproxy hiding url/minio

2020-12-25 Thread Jonathan Opperman
Hi All,

On Fri, Dec 25, 2020 at 6:37 PM Willy Tarreau  wrote:

> On Thu, Dec 24, 2020 at 06:04:05PM +0500,  ??? wrote:
> > as far as I recall, AWS4 uses digitally signed several headers. if you
> > change some of those headers, security is broken so you get 401.
> > I'm not sure it allows to change URL on the fly or not.
> >
> > but I recall proxying S3 pretty complicated task.
> >
> > should we document best practices how to reverse proxy S3 ?
>
> Probably. Another useful thing to put into the wiki.
>

Thanks for all the info, url gave me issues, using path fixed it. Thanks
again for your replies
here, it's really appreciated.

Have a good day, and Merry Christmas.

Cheers
Jonathan


>
> Willy
>


Re: haproxy hiding url/minio

2020-12-23 Thread Jonathan Opperman
Hi Chad,

On Thu, Dec 24, 2020 at 2:46 PM Jonathan Opperman 
wrote:

> Hi Chad,
>
> On Thu, Dec 24, 2020 at 2:04 PM Chad Lavoie  wrote:
>
>> Greetings,
>>
>> On 12/23/2020 7:10 PM, Jonathan Opperman wrote:
>> >
>> > Works perfectly fine, what is the best way to hide /minio so it will
>> > rather say /storage so externally
>> > I hide the fact that we are using minio?
>>
>> You can do that by using 'http-request set-path
>> %[regsub(^/storage,/minio)]' to rewrite the path that the backend sees
>> from what the client sent.
>>
>
> Thank you for the quick response, appreciate it. Tried to add it but got:
>
> parsing [/etc/haproxy/haproxy.cfg:172] : error detected in frontend
> 'ft_https' while parsing 'http-request set-path' rule : failed to parse
> sample expression  : unknown fetch method
> 'regsub'.
>
> Should it be:
>
> http-request set-path %[url,regsub(^/storage,/minio)]
>
> ?
>
> Cheers
> Jonathan
>

Answering myself here, it is, and it works :)

Thanks for that, appreciate it.

Regards,
Jonathan


>
>
>> - Chad
>>
>>


Re: haproxy hiding url/minio

2020-12-23 Thread Jonathan Opperman
Hi Chad,

On Thu, Dec 24, 2020 at 2:04 PM Chad Lavoie  wrote:

> Greetings,
>
> On 12/23/2020 7:10 PM, Jonathan Opperman wrote:
> >
> > Works perfectly fine, what is the best way to hide /minio so it will
> > rather say /storage so externally
> > I hide the fact that we are using minio?
>
> You can do that by using 'http-request set-path
> %[regsub(^/storage,/minio)]' to rewrite the path that the backend sees
> from what the client sent.
>

Thank you for the quick response, appreciate it. Tried to add it but got:

parsing [/etc/haproxy/haproxy.cfg:172] : error detected in frontend
'ft_https' while parsing 'http-request set-path' rule : failed to parse
sample expression  : unknown fetch method
'regsub'.

Should it be:

http-request set-path %[url,regsub(^/storage,/minio)]

?

Cheers
Jonathan


> - Chad
>
>


haproxy hiding url/minio

2020-12-23 Thread Jonathan Opperman
Hi All,

Wanted to get some advice if this is even possible? Want to route
https://www.portal.example/minio to a minio instance in the backend.

Running haproxy 1.8

configured an acl

acl PATH_minio path_beg -i /minio

then using backend:

use_backend bk_minio_portal if portal PATH_minio

backend bk_minio_portal
source 0.0.0.0
server 10.11.0.33 10.11.0.33:9000

Works perfectly fine, what is the best way to hide /minio so it will rather
say /storage so externally
I hide the fact that we are using minio?

Thanks in advance for your suggestions :)

Cheers
Jonathan


Re: HaProxy question

2018-08-13 Thread Jonathan Opperman
On Mon, Aug 13, 2018 at 12:55 AM Igor Cicimov <
ig...@encompasscorporation.com> wrote:

> Hi Jonathan,
>
> I'll keep bottom posting otherwise the thread will become a real mess and
> very hard to follow historically.
>
> On Sun, Aug 12, 2018 at 9:19 PM Jonathan Opperman 
> wrote:
>
>> Hi Igor,
>>
>> Not 100% sure what you mean here with the redirect to the proxy bind on
>> that port? What will the rest
>> of the bind look like on the front-end config in haproxy?
>>
>> Cheers
>> Jonathan
>>
>> On Tue, Aug 7, 2018 at 1:16 PM Igor Cicimov <
>> ig...@encompasscorporation.com> wrote:
>>
>>>
>>>
>>> On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov <
>>> ig...@encompasscorporation.com> wrote:
>>>
>>>> Hi Jonathan,
>>>>
>>>> On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman 
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I am hoping someone can give me some tips and pointers on getting
>>>>> something working
>>>>> in haproxy that could do the following:
>>>>>
>>>>> I have installed haproxy and put a web server behind it, the proxy has
>>>>> 2 interfaces,
>>>>> eth0 (public) and eth1 (proxy internal)
>>>>>
>>>>> I've got a requirement where I want to only proxy some source ip
>>>>> addresses based on
>>>>> their source address so we can gradually add our customers to haproxy
>>>>> so that we can
>>>>> support TLS1.2 and strong ciphers
>>>>>
>>>>> I have added an iptables rule and can then bypass haproxy with:
>>>>>
>>>>> for ip in $INBOUNDEXCLUSIONS ; do
>>>>> ipset -N inboundexclusions iphash
>>>>> ipset -A inboundexclusions $ip
>>>>> done
>>>>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>>>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j
>>>>> LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>>>>
>>>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d
>>>>> 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
>>>>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set
>>>>> inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j 
>>>>> HTTPSINBOUNDBYPASS
>>>>>
>>>>> Testing was done and I was happy with the solution, I then had a
>>>>> requirement
>>>>> to have a proxy with multiple IP address on eth0 (So created eth0:1
>>>>> eth0:2) etc
>>>>> and changed my haproxy frontend config from  bind 0.0.0.0:443
>>>>> transparent
>>>>> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if
>>>>> haproxy
>>>>> is running, if I stop haproxy the traffic gets dnatted fine.
>>>>>
>>>>> I am not sure if I am being very clear in here but basically wanted to
>>>>> know if there is
>>>>> a way to do selective ssl offloading on the haproxy or bypass
>>>>> ssl offloading on the
>>>>> server that sits behind the proxy? This is required so that customers
>>>>> that do not support
>>>>> TLS1.2 and strong ciphers we can still let them connect so actually
>>>>> bypassing
>>>>> the ssl offloading on the proxy.
>>>>>
>>>>> Thanks very much for your time reading this.
>>>>>
>>>>> Regards,
>>>>> Jonathan
>>>>>
>>>>>
>>>> One option that comes to mind achieving the same without iptables is
>>>> using whitelist file and two backends: one tcp backend that will just pass
>>>> through the ssl connection to the SSL server and one in http mode that will
>>>> do SSL offloading. Something like:
>>>>
>>>> use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
>>>> default_backend be_passthrough
>>>>
>>>> or vice-versa depending on your implementation and which list would be
>>>> shorter :-)
>>>>
>>>>
>>> Another idea:
>>>
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
>>> --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS 

Re: HaProxy question

2018-08-12 Thread Jonathan Opperman
Hi Igor,

Not 100% sure what you mean here with the redirect to the proxy bind on
that port? What will the rest
of the bind look like on the front-end config in haproxy?

Cheers
Jonathan

On Tue, Aug 7, 2018 at 1:16 PM Igor Cicimov 
wrote:

>
>
> On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov <
> ig...@encompasscorporation.com> wrote:
>
>> Hi Jonathan,
>>
>> On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman 
>> wrote:
>>
>>> Hi All,
>>>
>>> I am hoping someone can give me some tips and pointers on getting
>>> something working
>>> in haproxy that could do the following:
>>>
>>> I have installed haproxy and put a web server behind it, the proxy has 2
>>> interfaces,
>>> eth0 (public) and eth1 (proxy internal)
>>>
>>> I've got a requirement where I want to only proxy some source ip
>>> addresses based on
>>> their source address so we can gradually add our customers to haproxy so
>>> that we can
>>> support TLS1.2 and strong ciphers
>>>
>>> I have added an iptables rule and can then bypass haproxy with:
>>>
>>> for ip in $INBOUNDEXCLUSIONS ; do
>>> ipset -N inboundexclusions iphash
>>> ipset -A inboundexclusions $ip
>>> done
>>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j
>>> LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>>
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d
>>> 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
>>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set
>>> inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>>
>>> Testing was done and I was happy with the solution, I then had a
>>> requirement
>>> to have a proxy with multiple IP address on eth0 (So created eth0:1
>>> eth0:2) etc
>>> and changed my haproxy frontend config from  bind 0.0.0.0:443
>>> transparent
>>> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if
>>> haproxy
>>> is running, if I stop haproxy the traffic gets dnatted fine.
>>>
>>> I am not sure if I am being very clear in here but basically wanted to
>>> know if there is
>>> a way to do selective ssl offloading on the haproxy or bypass
>>> ssl offloading on the
>>> server that sits behind the proxy? This is required so that customers
>>> that do not support
>>> TLS1.2 and strong ciphers we can still let them connect so actually
>>> bypassing
>>> the ssl offloading on the proxy.
>>>
>>> Thanks very much for your time reading this.
>>>
>>> Regards,
>>> Jonathan
>>>
>>>
>> One option that comes to mind achieving the same without iptables is using
>> whitelist file and two backends: one tcp backend that will just pass
>> through the ssl connection to the SSL server and one in http mode that will
>> do SSL offloading. Something like:
>>
>> use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
>> default_backend be_passthrough
>>
>> or vice-versa depending on your implementation and which list would be
>> shorter :-)
>>
>>
> Another idea:
>
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
> --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src
> -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
> $IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
> REDIRECT 127.0.2.1:443
>
> then in haproxy:
>
> bind 127.0.2.1:443
>
>


Re: HaProxy question

2018-08-12 Thread Jonathan Opperman
Hi Igor,

Thanks for the suggestion, only saw your reply now as gmail decided to
route emails to the spam folder.

Tried this and got:

Aug 12 18:34:20 vm-proxy-01.prod-01 haproxy[8502]: [ALERT] 223/183420
(8502) : http frontend 'ft_https_demo' (/etc/haproxy/haproxy.cfg:86) tries
to use incompatible tcp backend 'bk_https_demo_passthrough'
(/etc/haproxy/haproxy.
Aug 12 18:34:20 vm-proxy-01.prod-01 haproxy[8502]: [ALERT] 223/183420
(8502) : Fatal errors found in configuration.

Need a bit of fine-tuning on my front-end/back-end config.

Cheers
Jonathan

On Tue, Aug 7, 2018 at 12:53 PM Igor Cicimov 
wrote:

> Hi Jonathan,
>
> On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman 
> wrote:
>
>> Hi All,
>>
>> I am hoping someone can give me some tips and pointers on getting
>> something working
>> in haproxy that could do the following:
>>
>> I have installed haproxy and put a web server behind it, the proxy has 2
>> interfaces,
>> eth0 (public) and eth1 (proxy internal)
>>
>> I've got a requirement where I want to only proxy some source ip
>> addresses based on
>> their source address so we can gradually add our customers to haproxy so
>> that we can
>> support TLS1.2 and strong ciphers
>>
>> I have added an iptables rule and can then bypass haproxy with:
>>
>> for ip in $INBOUNDEXCLUSIONS ; do
>> ipset -N inboundexclusions iphash
>> ipset -A inboundexclusions $ip
>> done
>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j
>> LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d
>> 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set
>> inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>
>> Testing was done and I was happy with the solution, I then had a
>> requirement
>> to have a proxy with multiple IP address on eth0 (So created eth0:1
>> eth0:2) etc
>> and changed my haproxy frontend config from  bind 0.0.0.0:443 transparent
>> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if haproxy
>> is running, if I stop haproxy the traffic gets dnatted fine.
>>
>> I am not sure if I am being very clear in here but basically wanted to
>> know if there is
>> a way to do selective ssl offloading on the haproxy or bypass
>> ssl offloading on the
>> server that sits behind the proxy? This is required so that customers
>> that do not support
>> TLS1.2 and strong ciphers we can still let them connect so actually
>> bypassing
>> the ssl offloading on the proxy.
>>
>> Thanks very much for your time reading this.
>>
>> Regards,
>> Jonathan
>>
>>
> One option that comes to mind achieving the same without iptables is using
> whitelist file and two backends: one tcp backend that will just pass
> through the ssl connection to the SSL server and one in http mode that will
> do SSL offloading. Something like:
>
> use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
> default_backend be_passthrough
>
> or vice-versa depending on your implementation and which list would be
> shorter :-)
>
>


Re: HaProxy question

2018-08-12 Thread Jonathan Opperman
Hi Jonathan,

Thanks for the pointer, correcto mode, found the replies in my spam folder.
Appreciate it..

Cheers
Jono

On Sat, 11 Aug 2018, 17:44 Jonathan Matthews, 
wrote:

> Did you miss the two mails from Igor containing suggestions?
>
> Like this email, they went both to the list and directly to yourself.
> Maybe check your spam folder.
>
> J
>
> On Sat, 11 Aug 2018 at 02:28, Jonathan Opperman 
> wrote:
>
>> *bump*
>>
>> Anyone?
>>
>> On Tue, 7 Aug 2018, 11:43 Jonathan Opperman,  wrote:
>>
>>> Hi All,
>>>
>>> I am hoping someone can give me some tips and pointers on getting
>>> something working
>>> in haproxy that could do the following:
>>>
>>> I have installed haproxy and put a web server behind it, the proxy has 2
>>> interfaces,
>>> eth0 (public) and eth1 (proxy internal)
>>>
>>> I've got a requirement where I want to only proxy some source ip
>>> addresses based on
>>> their source address so we can gradually add our customers to haproxy so
>>> that we can
>>> support TLS1.2 and strong ciphers
>>>
>>> I have added an iptables rule and can then bypass haproxy with:
>>>
>>> for ip in $INBOUNDEXCLUSIONS ; do
>>> ipset -N inboundexclusions iphash
>>> ipset -A inboundexclusions $ip
>>> done
>>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j
>>> LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp
>>> --dport 443 -j DNAT --to $JONODEMO1:443
>>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set
>>> inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>>
>>> Testing was done and I was happy with the solution, I then had a
>>> requirement
>>> to have a proxy with multiple IP address on eth0 (So created eth0:1
>>> eth0:2) etc
>>> and changed my haproxy frontend config from  bind 0.0.0.0:443
>>> transparent
>>> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if
>>> haproxy
>>> is running, if I stop haproxy the traffic gets dnatted fine.
>>>
>>> I am not sure if I am being very clear in here but basically wanted to
>>> know if there is
>>> a way to do selective ssl offloading on the haproxy or bypass
>>> ssl offloading on the
>>> server that sits behind the proxy? This is required so that customers
>>> that do not support
>>> TLS1.2 and strong ciphers we can still let them connect so actually
>>> bypassing
>>> the ssl offloading on the proxy.
>>>
>>> Thanks very much for your time reading this.
>>>
>>> Regards,
>>> Jonathan
>>>
>>> --
> Jonathan Matthews
> London, UK
> http://www.jpluscplusm.com/contact.html
>


Re: HaProxy question

2018-08-10 Thread Jonathan Opperman
*bump*

Anyone?

On Tue, 7 Aug 2018, 11:43 Jonathan Opperman,  wrote:

> Hi All,
>
> I am hoping someone can give me some tips and pointers on getting
> something working
> in haproxy that could do the following:
>
> I have installed haproxy and put a web server behind it, the proxy has 2
> interfaces,
> eth0 (public) and eth1 (proxy internal)
>
> I've got a requirement where I want to only proxy some source ip addresses
> based on
> their source address so we can gradually add our customers to haproxy so
> that we can
> support TLS1.2 and strong ciphers
>
> I have added an iptables rule and can then bypass haproxy with:
>
> for ip in $INBOUNDEXCLUSIONS ; do
> ipset -N inboundexclusions iphash
> ipset -A inboundexclusions $ip
> done
> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
> --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport
> 443 -j DNAT --to $JONODEMO1:443
> $IPTABLES -t nat -A PREROUTING -m set ! --match-set
> inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>
> Testing was done and I was happy with the solution, I then had a
> requirement
> to have a proxy with multiple IP address on eth0 (So created eth0:1
> eth0:2) etc
> and changed my haproxy frontend config from  bind 0.0.0.0:443 transparent
> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if haproxy
> is running, if I stop haproxy the traffic gets dnatted fine.
>
> I am not sure if I am being very clear in here but basically wanted to
> know if there is
> a way to do selective ssl offloading on the haproxy or bypass
> ssl offloading on the
> server that sits behind the proxy? This is required so that customers that
> do not support
> TLS1.2 and strong ciphers we can still let them connect so actually
> bypassing
> the ssl offloading on the proxy.
>
> Thanks very much for your time reading this.
>
> Regards,
> Jonathan
>
>


HaProxy question

2018-08-06 Thread Jonathan Opperman
Hi All,

I am hoping someone can give me some tips and pointers on getting something
working
in haproxy that could do the following:

I have installed haproxy and put a web server behind it, the proxy has 2
interfaces,
eth0 (public) and eth1 (proxy internal)

I've got a requirement where I want to only proxy some source ip addresses
based on
their source address so we can gradually add our customers to haproxy so
that we can
support TLS1.2 and strong ciphers

I have added an iptables rule and can then bypass haproxy with:

for ip in $INBOUNDEXCLUSIONS ; do
ipset -N inboundexclusions iphash
ipset -A inboundexclusions $ip
done
$IPTABLES -t nat -N HTTPSINBOUNDBYPASS
$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
--log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport
443 -j DNAT --to $JONODEMO1:443
$IPTABLES -t nat -A PREROUTING -m set ! --match-set
inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS

Testing was done and I was happy with the solution, I then had a requirement
to have a proxy with multiple IP address on eth0 (So created eth0:1 eth0:2)
etc
and changed my haproxy frontend config from  bind 0.0.0.0:443 transparent
to bind 10.0.0.92:443 transparent but now my dnat doesn't work if haproxy
is running, if I stop haproxy the traffic gets dnatted fine.

I am not sure if I am being very clear in here but basically wanted to know
if there is
a way to do selective ssl offloading on the haproxy or bypass
ssl offloading on the
server that sits behind the proxy? This is required so that customers that
do not support
TLS1.2 and strong ciphers we can still let them connect so actually
bypassing
the ssl offloading on the proxy.

Thanks very much for your time reading this.

Regards,
Jonathan


Re: [ANNOUNCE] haproxy-1.7.0

2016-11-25 Thread Jonathan Opperman
On 26/11/2016 11:06, "Willy Tarreau" <w...@1wt.eu> wrote:
>
> On Sat, Nov 26, 2016 at 10:14:57AM +1300, Jonathan Opperman wrote:
> > On 26/11/2016 10:11, "Baptiste" <bed...@gmail.com> wrote:
> > >
> > > Congrats all 
> > >
> > > Baptiste
> >
> > High 5 guys, haproxy is an awesome product. Congratulations to all
> > involved. What's the best way to get involved with helping with the
> > development of haproxy?
>
> Test it, help others when you can, report issues, read patches posted here,
> test them, comment, review them, and at some point you'll figure you're able
> to propose your own and to improve it yourself. We all started like this :-)
>
> Cheers,
> Willy

Thanks Willy, I will do this. These days it's so easy to fire up test
environments and do some testing especially with lxc/lxd.

Thanks again to all for haproxy's existence. :)

Cheers
Jono


Re: [ANNOUNCE] haproxy-1.7.0

2016-11-25 Thread Jonathan Opperman
On 26/11/2016 10:11, "Baptiste"  wrote:
>
> Congrats all 
>
> Baptiste

High 5 guys, haproxy is an awesome product. Congratulations to all
involved. What's the best way to get involved with helping with the
development of haproxy?


Re: rewrite and redirect with haproxy

2016-11-23 Thread Jonathan Opperman
On 24/11/2016 16:47, "Michael Ezzell" <mich...@ezzell.net> wrote:
>
> On Nov 23, 2016 22:21, "Jonathan Opperman" <jonoi...@gmail.com> wrote:
>
> > https://www.test.1.example.com/ --> https://www-test-1.example.com/
> >
> > doesn't work in the browser, is http-request only applicable for an http
> > request and not https?
>
> No.  The http-request directives are the same for either.  The problem is
> that wildcard certificates simply don't work that way.  The * cannot match
> a dot in the hostname, for wildcard certs.  The browser validates the cert
> *before* HAProxy becomes aware of the address.
>
> > In curl it works, but in Chrome/Chromium it comes up with a warning
> > Your connection is not private
> > As the wildcard cert *.example.com does match https://www.test.1.example.com/
> > as the redirect is not working in the browser to https://www-test-1.example.com/
> > to match the wildcard cert.
>
> You'd have to bypass the browser's security warning, and after that, the
> redirect will work as expected.  Sorry if I gave you the impression that
> you would magically be able to avoid the security warning, in the previous
> message, with a direct https request with the extra dots.  I assumed you
> were aware of the limitations of wildcard certs yet wanted https requests
> to redirect anyway, if they did come through because the user bypassed the
> validation.
>
> The browser behavior is correct, curl is incorrect if it allows these
> requests.
>
> Not helpful, perhaps, but hopefully informative.

Very much so, thanks very much for your help, would have taken me way
longer to get this working.

Appreciate it very much; if you were here I would owe you a beer, a
virtual beer is just not the same.


Re: rewrite and redirect with haproxy

2016-11-23 Thread Jonathan Opperman
On Thu, Nov 24, 2016 at 3:59 PM, Jonathan Opperman <jonoi...@gmail.com>
wrote:

>
> On Thu, Nov 24, 2016 at 3:28 PM, Michael Ezzell <mich...@ezzell.net>
> wrote:
>
>> On Nov 23, 2016 20:16, "Jonathan Opperman" <jonoi...@gmail.com> wrote:
>>
>> >> my.site.example.net/example.com -> my-site-example-net.example com
>> >
>> >
>> > This, is this do-able? It will be different domains, and different
>> level sub domains
>> > but they will ultimately end up with using *.example.com *.example2.com
>> > certificates that terminate on the haproxy server.
>> >
>> > http://my.site.example.com/example.com --> http://my-site.example.com
>> > http://my.other.site.example.com/example.com --> http://my-other-site.example.com
>>
>> This can also be done, though it's a little trickier, because you'd need
>> to match with path_beg or path_reg and then munge the uri with regsub to
>> remove that and potentially the initial leading slash along with the host
>> header parts.
>>
> Sounds tricky :), wish there were some examples on some haproxy
> configurations. It would be great if the manual included some
> more 'tricky' examples like this.
>
>> > Thanks for this, i've tested and mine for some reason looks like the
>> one you suggest
>> > on the other hand:
>> >
>> > * Rebuilt URL to: www.test.1.example.com/
>>
>> > < Location: https://www-test-1-example.com.example.com/
>>
>> Take a look at my setup again.
>>
>> http-request redirect location https://%[hdr(host),regsub(\.example\.com$,),regsub(\.,-,g)].example.com%[capture.req.uri] if { hdr_reg(host) -i .+\..+\.example\.com$ }
>>
>> I believe your problem is here:
>>
>> hdr(host),regsub(\.example\.com$,)
>>
>> This first regsub needs to match .example.com at the end of the original
>> host header, and strip it out completely by replacing it with the empty
>> string that is hiding between , and ) at the end.
>>
>> If it doesn't match correctly, it would leave the .example.com in place
>> and fail in much the way your output illustrates.
>>
> You are 100% correct, I had my escape at the wrong place in the domain
> name, fixed that and works as per your example. Thanks
> again.
>
>
This only works if I access http

http://www.test.1.example.com/  --> https://www-test-1.example.com/

For entering

https://www.test.1.example.com/ --> https://www-test-1.example.com/

doesn't work in the browser, is http-request only applicable for an http
request and not https?

In curl it works, but in Chrome/Chromium it comes up with a warning
Your connection is not private
As the wildcard cert *.example.com does match https://www.test.1.example.com/
as the redirect is not working in the browser to https://www-test-1.example.com/
to match the wildcard cert.


Re: rewrite and redirect with haproxy

2016-11-23 Thread Jonathan Opperman
On Thu, Nov 24, 2016 at 3:28 PM, Michael Ezzell <mich...@ezzell.net> wrote:

> On Nov 23, 2016 20:16, "Jonathan Opperman" <jonoi...@gmail.com> wrote:
>
> >> my.site.example.net/example.com -> my-site-example-net.example com
> >
> >
> > This, is this do-able? It will be different domains, and different level
> sub domains
> > but they will ultimately end up with using *.example.com *.example2.com
> > certificates that terminate on the haproxy server.
> >
> > http://my.site.example.com/example.com --> http://my-site.example.com
> > http://my.other.site.example.com/example.com --> http://my-other-site.example.com
>
> This can also be done, though it's a little trickier, because you'd need
> to match with path_beg or path_reg and then munge the uri with regsub to
> remove that and potentially the initial leading slash along with the host
> header parts.
>
Sounds tricky :), wish there were some examples on some haproxy
configurations. It would be great if the manual included some
more 'tricky' examples like this.

> > Thanks for this, i've tested and mine for some reason looks like the one
> you suggest
> > on the other hand:
> >
> > * Rebuilt URL to: www.test.1.example.com/
>
> > < Location: https://www-test-1-example.com.example.com/
>
> Take a look at my setup again.
>
> http-request redirect location https://%[hdr(host),regsub(\.example\.com$,),regsub(\.,-,g)].example.com%[capture.req.uri] if { hdr_reg(host) -i .+\..+\.example\.com$ }
>
> I believe your problem is here:
>
> hdr(host),regsub(\.example\.com$,)
>
> This first regsub needs to match .example.com at the end of the original
> host header, and strip it out completely by replacing it with the empty
> string that is hiding between , and ) at the end.
>
> If it doesn't match correctly, it would leave the .example.com in place
> and fail in much the way your output illustrates.
>
You are 100% correct, I had my escape at the wrong place in the domain
name, fixed that and works as per your example. Thanks
again.


rewrite and redirect with haproxy

2016-11-22 Thread Jonathan Opperman
Hi Guys,

We have a tough url rewrite we are struggling with:

I want http://foo.bar.bin/ blah.com to redirect to http://foo-bar-bin. blah.com

I want that last dash-domain to also redirect to SSL.

The order is important. Browsers recently started doing their SSL check
BEFORE the redirects, so we are getting security warnings.

So now we need the dot-to-dash translation and then the SSL redirect.

If folks come in on SSL directly like https://foo.bin.bar.blah.com, they
should be redirected to the SSL dashed domain instead.

Anyone have some information if this is possible with haproxy 1.5.x , if
not maybe 1.6.x.

Thanks in advance for you reading this.

Cheers
Jono
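As an added example that is not code from any of these posts or from haproxy, the Python below models the three rewrites discussed on this page: the dot-to-dash host redirect asked for in this post and answered by Michael Ezzell's `http-request redirect location ... regsub(\.example\.com$,),regsub(\.,-,g)` rule in the replies above, the `http-request set-path ... regsub(^/storage,/minio)` path rewrite from the minio thread further up, and the single-label wildcard-certificate rule (RFC 6125, section 6.4.3) that explains why an https request to `www.test.1.example.com` produces a browser warning before haproxy ever sees it. `BASE_DOMAIN`, all hostnames and the `suffix_pattern` parameter (used only to reproduce the "regex does not strip the zone" symptom from the thread) are constructed; the `(?=/|$)` anchor in `rewrite_path` goes beyond the thread's pattern so that `/storage-admin` is not rewritten along with `/storage/...`.

```python
r"""Model the dot-to-dash host redirect, the /storage -> /minio path rewrite and
the wildcard-certificate check discussed in these threads.

Added example, not code from the threads or from haproxy. It reimplements in
Python what these two rules do:

  http-request redirect location
      https://%[hdr(host),regsub(\.example\.com$,),regsub(\.,-,g)].example.com%[capture.req.uri]
      if { hdr_reg(host) -i .+\..+\.example\.com$ }
  http-request set-path %[path,regsub(^/storage,/minio)]

and checks hostnames against a wildcard certificate the way RFC 6125 section
6.4.3 prescribes: '*' stands for exactly one label. All hostnames are constructed.
"""
import re

BASE_DOMAIN = "example.com"  # assumption: the zone the wildcard certificate covers

# hdr_reg(host) -i .+\..+\.example\.com$ : fire only for two or more labels in front of the zone
NEEDS_REDIRECT = re.compile(r".+\..+\.example\.com$", re.IGNORECASE)


def dash_redirect(host, uri="/", suffix_pattern=r"\.example\.com$"):
    """Return the redirect Location for a multi-label host, or None if the rule does not fire.

    suffix_pattern is the first regsub's pattern; the default is the working one.
    A pattern that fails to match reproduces the thread's symptom: the zone is
    never stripped, so it is dashed along with the rest and then re-appended.
    """
    if not NEEDS_REDIRECT.search(host):
        return None
    stripped = re.sub(suffix_pattern, "", host, flags=re.IGNORECASE)  # regsub(\.example\.com$,)
    dashed = re.sub(r"\.", "-", stripped)                              # regsub(\.,-,g)
    return f"https://{dashed}.{BASE_DOMAIN}{uri}"


def rewrite_path(path, public="/storage", internal="/minio"):
    """set-path %[path,regsub(^/storage,/minio)], anchored so that '/storage-admin'
    is left alone; the (?=/|$) lookahead is an addition beyond the thread's pattern."""
    return re.sub("^" + re.escape(public) + r"(?=/|$)", internal, path)


def wildcard_matches(pattern, host):
    """RFC 6125 style matching: '*' covers exactly one leftmost label, never a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                        # '.example.com'
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]                 # the part the '*' has to cover
    return bool(left) and "." not in left and "*" not in left


def browser_outcome(scheme, host, uri="/", cert_name=f"*.{BASE_DOMAIN}"):
    """What a browser ends up with for scheme://host/uri in front of this setup.

    The certificate name check happens before any request reaches haproxy, so
    an https request to a host the wildcard does not cover stops at the warning
    and the redirect rule never runs; over plain http the redirect fires first.
    """
    if scheme == "https" and not wildcard_matches(cert_name, host):
        return ("tls_name_mismatch", None)
    location = dash_redirect(host, uri)
    if location is None:
        return ("served", None)
    return ("redirect", location)
```

`browser_outcome("http", "www.test.1.example.com")` returns the redirect to `https://www-test-1.example.com/`, while the same host over https returns `tls_name_mismatch`, which is the ordering problem the post describes: a dotted host can only be rescued by a redirect if the client arrives over http, or if the certificate presented for the dotted name is valid (a wildcard for `*.example.com` is not). `dash_redirect(..., suffix_pattern=r"\.example\.com\$")` shows what a suffix regex that does not match produces, the doubled-zone Location from the curl output in the thread.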