Hello piba, hello list
I am just overwhelmed by the possibilities that haproxy is offering!
If someone else needs a protocol switch as described, look at the
appended documentation.
Following piba's idea and since apache does not provide native support
for the proxy-protocol (unfortunately), I implemented a tcp protocol
switch that directs openvpn connections to the server port 10443 and the
SSL connection to the second frontend listening to SSL on port 60443.
The proxy protocol is used between protocol switch and SSL termination,
configured by send-proxy and accept-proxy, respectively. Thus, the
client's IP can be added later using the x-forwarded-for header via the
http backend.
Maybe this could be improved more but all this is working perfectly now.
Thank you very much!
--
global
    maxconn 4096
    tune.ssl.default-dh-param 2048
    debug
    daemon
    log 127.0.0.1 local0

defaults
    mode http
    option httplog
    log global
    timeout connect 5000ms
    timeout client 5ms
    timeout server 5ms

frontend unsecured
    bind 0.0.0.0:50080
    timeout client 24h
    reqadd X-Forwarded-Proto:\ http
    default_backend www_backend

frontend ssl_terminal
    mode tcp
    option tcplog
    bind /var/run/haproxy_ssl.sock ssl crt ssl.pem accept-proxy
    timeout client 24h
    default_backend www_backend

frontend switch
    mode tcp
    option tcplog
    bind 0.0.0.0:443
    tcp-request inspect-delay 5s
    acl traffic_is_ssl req_ssl_ver gt 0
    acl enough_non_ssl_bytes req_len ge 22
    tcp-request content accept if traffic_is_ssl # accept SSL
    tcp-request content accept if enough_non_ssl_bytes # accept non-SSL
    # at this point we have something valid in the buffer
    use_backend ssl_backend if traffic_is_ssl
    default_backend ovpn_backend

backend ssl_backend
    mode tcp
    option tcplog
    server httpsd /var/run/haproxy_ssl.sock send-proxy

backend www_backend
    reqadd X-Forwarded-Proto:\ https
    mode http
    option httplog
    option forwardfor
    server httpd :80

backend ovpn_backend
    mode tcp
    option tcplog
    server ovpnd :10443

listen stats *:20078
    stats enable
    stats uri /
On 14.09.2015 at 15:31, PiBa-NL wrote:
On 14-9-2015 at 14:32, Martin Schmid wrote:
Hello list
I'm quite new to haproxy, and I've managed to use it with SSL
passthru and as SSL termination.
I've also started looking into the code to find the answers or
solutions to what I want to achieve.
I have OpenVPN and HTTPS running on the same port. This can be done
with several setups whereof using the openvpn port sharing feature is
the easiest.
But now I need to know the remote IP addresses in order to be able to
lock out abusive access to the web server. Https used to be unharmed
by exploitative access, but now it's getting a problem. With http, I
can reduce the traffic by locking out ip addresses using fail2ban.
With https, I cannot see the ip address, so there is no way to lock
them out selectively.
Any tool that does the backend switching cannot add an
x-forwarded-for http header and be the SSL end point at the same
time. Haproxy seems to be the only tool that might be able to handle
both.
Looking at the code of haproxy, it seems to me that once I configure
a bind with ssl, it just drops all connections that do not begin with
a SSL handshake.
However, it seems to be feasible to alter the code in order to fall
back to a non-ssl connection if the handshake fails.
Has someone of you already tried to accomplish such, or am I missing
a detail that makes this impossible?
Regards
Martin
Hi Martin,
Not sure if this will work with openvpn, but you could try it..
This mail might interest you:
http://marc.info/?l=haproxy=132375969032305=2
First split out TCP traffic to different backends depending on data
sent from the client.
Then possibly feed it from a backend server back to a second frontend
where you handle the ssl-offloading if desired, while using proxy
protocol to keep client-ip information, and namespaces or unixsockets
for the connection between the two.
Again, I have not tested it, but this seems like it could be a way to
configure it with current options..
Regards,
PiBa-NL
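The two mechanisms the thread relies on, the first-bytes decision of the "switch" frontend (req_ssl_ver / req_len) and the PROXY protocol v1 header that send-proxy hands to the accept-proxy frontend so the client IP survives, as an added Python illustration that is not part of the thread or of HAProxy's own code. All sample bytes are constructed here; looks_like_ssl() only approximates what req_ssl_ver does.

```python
import ipaddress

# Constructed sample inputs (not taken from the thread): a TLS 1.2 record header as a
# ClientHello starts, an arbitrary non-TLS first packet, and the PROXY v1 line the
# switch frontend's send-proxy would prepend before relaying to ssl_terminal.
TLS_START = bytes.fromhex("1603010200") + b"\x01" * 23
NON_TLS_START = bytes.fromhex("0e38") + b"\x00" * 22
PROXY_V1 = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 443\r\n" + TLS_START

def looks_like_ssl(buf):
    """Approximate 'req_ssl_ver gt 0': a TLS record header (type 0x16 handshake,
    major version 3) or an SSLv2-style CLIENT-HELLO. None means: need more bytes."""
    if len(buf) < 5:
        return None
    if buf[0] == 0x16 and buf[1] == 3 and buf[2] <= 4:
        return True
    if buf[0] & 0x80 and buf[2] == 0x01:   # SSLv2 2-byte length header, msg type 1
        return True
    return False

def choose_backend(buf):
    """Mirror the 'switch' frontend: route to ssl_backend if the buffer is SSL,
    otherwise accept it as OpenVPN once 22 bytes are present (req_len ge 22).
    Returns None while inspect-delay would still be waiting for data."""
    if looks_like_ssl(buf):
        return "ssl_backend"
    if len(buf) >= 22:
        return "ovpn_backend"
    return None

def parse_proxy_v1(data):
    """Parse a PROXY protocol v1 header (what accept-proxy consumes) and return
    (client_info, remaining_payload). Raises ValueError on a malformed header."""
    end = data.find(b"\r\n", 0, 107)   # v1 header is at most 107 bytes incl. CRLF
    if end < 0:
        raise ValueError("no PROXY v1 header within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}, data[end + 2:]
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("bad PROXY v1 field layout")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    expect = 4 if fields[1] == "TCP4" else 6
    if src.version != expect or dst.version != expect:
        raise ValueError("address family does not match protocol")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 < sport <= 65535 and 0 < dport <= 65535):
        raise ValueError("port out of range")
    info = {"family": fields[1], "src": str(src), "dst": str(dst),
            "sport": sport, "dport": dport}
    return info, data[end + 2:]
```

The src address returned by parse_proxy_v1() is what the ssl_terminal frontend can then place into X-Forwarded-For via option forwardfor, which is the whole reason for the PROXY hop in Martin's setup.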