Re: Use haproxy behind Squid

2019-10-03 Thread Aleksandar Lazic
Hi Nikita.
Am 03.10.19 um 12:02 schrieb Akhnin Nikita:
> Hello, Aleksandar!
> 
> Vice versa, actually: Client -> Haproxy -> Squid -> Internet
> 
> Here's the situation. Haproxy instance stands in a private network and 
> interacts with the Internet through Firewall that performs NAT. Current 
> schema looks like this:
> Client -> Haproxy -> FW (SNAT) -> Internet
> 
> The firewall performs traffic filtering in addition to NAT (security 
> reasons), and in its policies it operates by destination hosts IP-addresses, 
> not domain names. And the problem comes when backend server hostname changes 
> its IP-addresses (e.g. CDN). We must update Firewall configuration with new 
> IP-addresses, and there is service downtime before firewall guys will do it. 
> And we cannot just open network access from Haproxy to any host in the 
> Internet.
> 
> I'm looking for workaround for this. We have a Squid that can proxy HTTP 
> requests to the Internet bypassing the Firewall. Also it filters requests by 
> domain name. So I wonder if there is any way to proxy client requests to the 
> Internet through Squid transparently to client (no configuration on client 
> side). 
> Something like this, but with Haproxy instead of Httpd: 
> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyremote 

I don't see any reason to use haproxy in this setup. Of course you can make a
listen like the snippet below, but why do you want to add haproxy into this
setup?

```
global
  ...

defaults
  mode tcp
  ...

listen squid-gw
  bind ::3124
  server squid squid.local:3124 check
```

Isn't this a much easier setup?
Client -> Squid -> Internet

For client configs, you can take a look at this page; there are several
possible solutions described.

https://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

For the client's IP address, you can set up PROXY Protocol in squid and haproxy.

http://www.squid-cache.org/Doc/config/proxy_protocol_access/
http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.2-send-proxy

Hth
Aleks

> -Original Message-
> From: Aleksandar Lazic  
> Sent: Wednesday, October 2, 2019 6:24 PM
> To: Ахнин Никита Андреевич ; haproxy@formilux.org
> Subject: Re: Use haproxy behind Squid
> 
> Am 02.10.19 um 13:10 schrieb Akhnin Nikita:
>> Hey there!
>>
>> Is it possible to use Haproxy behind HTTP proxy like Squid to proxy 
>> incoming requests to the Internet through it? It will be awesome if 
>> someone will share the configuration example.
> 
> Do you mean such a flow?
> 
> Internet -> squid -> haproxy -> Client
> 
> This statement confuses me a little bit.
> 
>> to proxy incoming requests to the Internet
> 
> From which point of view is incoming and outgoing?
> 
> Regards
> Aleks
> 
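
A configuration sketch of the PROXY protocol suggestion in the reply above, added here as an example and not part of the original post: it extends the `squid-gw` listener with `send-proxy` and shows the matching Squid side. The address 192.0.2.10, the ACL name `haproxy_gw`, the timeouts and the `bind :3124` form are assumptions.

```conf
# ---- haproxy.cfg (fragment; "global" section omitted) ----
defaults
  mode tcp
  timeout connect 5s
  timeout client  1m
  timeout server  1m

listen squid-gw
  # Assumption: listen on all IPv4 addresses, port 3124.
  bind :3124
  # send-proxy prepends a PROXY protocol v1 line carrying the real client
  # address to every connection. With no "port" or "addr" on the server
  # line, the health check sends the header too, so Squid accepts it.
  server squid squid.local:3124 check send-proxy

# ---- squid.conf (fragment) ----
# Require a PROXY protocol header on this listening port.
http_port 3124 require-proxy-header

# 192.0.2.10 is a placeholder for the HAProxy host's address.
acl haproxy_gw src 192.0.2.10

# Weak: every peer that can reach port 3124 may state any client address,
# which undermines src-based ACLs and the access log.
#   proxy_protocol_access allow all

# Hardened: accept the header only from the HAProxy host.
proxy_protocol_access allow haproxy_gw
proxy_protocol_access deny all
```

In `mode tcp` HAProxy only relays bytes, so clients still have to send proxy-style requests to port 3124, which is the client configuration the reply points to.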




RE: Use haproxy behind Squid

2019-10-03 Thread Akhnin Nikita
Hello, Aleksandar!

Vice versa, actually: Client -> Haproxy -> Squid -> Internet

Here's the situation. Haproxy instance stands in a private network and 
interacts with the Internet through Firewall that performs NAT. Current schema 
looks like this:
Client -> Haproxy -> FW (SNAT) -> Internet

The firewall performs traffic filtering in addition to NAT (security reasons), 
and in its policies it operates by destination hosts IP-addresses, not domain 
names. And the problem comes when backend server hostname changes its 
IP-addresses (e.g. CDN). We must update Firewall configuration with new 
IP-addresses, and there is service downtime before firewall guys will do it. 
And we cannot just open network access from Haproxy to any host in the Internet.

I'm looking for workaround for this. We have a Squid that can proxy HTTP 
requests to the Internet bypassing the Firewall. Also it filters requests by 
domain name. So I wonder if there is any way to proxy client requests to the 
Internet through Squid transparently to client (no configuration on client 
side). 
Something like this, but with Haproxy instead of Httpd: 
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyremote 


-Original Message-
From: Aleksandar Lazic  
Sent: Wednesday, October 2, 2019 6:24 PM
To: Ахнин Никита Андреевич ; haproxy@formilux.org
Subject: Re: Use haproxy behind Squid

Am 02.10.19 um 13:10 schrieb Akhnin Nikita:
> Hey there!
> 
> Is it possible to use Haproxy behind HTTP proxy like Squid to proxy 
> incoming requests to the Internet through it? It will be awesome if 
> someone will share the configuration example.

Do you mean such a flow?

Internet -> squid -> haproxy -> Client

This statement confuses me a little bit.

> to proxy incoming requests to the Internet

From which point of view is incoming and outgoing?

Regards
Aleks


Re: Use haproxy behind Squid

2019-10-02 Thread Aleksandar Lazic
Am 02.10.19 um 13:10 schrieb Akhnin Nikita:
> Hey there!
> 
> Is it possible to use Haproxy behind HTTP proxy like Squid to proxy incoming
> requests to the Internet through it? It will be awesome if someone will share
> the configuration example.

Do you mean such a flow?

Internet -> squid -> haproxy -> Client

This statement confuses me a little bit.

> to proxy incoming requests to the Internet

From which point of view is incoming and outgoing?

Regards
Aleks