Re: Sharing SSL information via PROXY protocol or HAProxy internally
Hi, For this specific case of http to https redirect I use the X-Forwarded-Proto header. In the ssl frontend I do this: http-request set-header X-Forwarded-Proto https and in the plain http frontend I do this: http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto) https } The problem here is that one could set that in a plain http request as well and would avoid some redirects and whatnot, depending on what you do based on what decision. You may also want the other SSL data, cipher, version etc. Since 1.6 you can set variables, ok, but somehow passing that kind of information could be really useful I guess. I'd like to note that protecting headers like X-Forwarded-Proto from being sent by clients is a typical task for any kind of setup like this, especially in webservers. What has to be done is simply to make sure that the component/backend/system that is supposed to receive and interpret the X-Forwarded-Proto header is *only* reachable from frontends, and that all of these frontends either set the header, make sure the header is not present, or do something with the request other than forwarding it to the backend (like rejecting the request outright). Best regards, Luke smime.p7s Description: S/MIME Cryptographic Signature
Re: Sharing SSL information via PROXY protocol or HAProxy internally
I too am interested in this functionality. Looking at the proxy protocol documentation (http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt), it seems that the requisite information is present in the PP2 header: " The PP2_CLIENT_SSL flag indicates that the client connected over SSL/TLS.". Looking through the source it seems haproxy adds this when sending PP2, but not when receiving it. -Patrick On 2016/4/16 04:57, Christian Ruppert wrote: > Hi Dennis, > > On 2016-04-16 02:13, Dennis Jacobfeuerborn wrote: >> On 15.04.2016 16:01, Christian Ruppert wrote: >>> Hi, >>> >>> would it be possible to inherit the SSL information from a SSL >>> listener/frontend via PROXY protocol? >>> So for example: >>> >>> listen ssl-relay >>> mode tcp >>> >>> ... >>> >>> server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2 >>> >>> listen ssl-rsa_ecc >>> mode tcp >>> >>> ... >>> >>> bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt >>> SSl-RSA.PEM user haproxy >>> >>> frontend http_https >>> bind :80 # http >>> bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy # >>> https >>> >>> redirect scheme https code 301 if !{ssl_fc} >>> >>> >>> Here the ssl_fc and other SSL related ACLs do not work because the >>> actual SSL termination has been done in the above ssl-rsa_ecc listener. >>> Sharing that either internally or via the PROXY protocol would be >>> really >>> handy, if that's possible. >>> For now we use the bind "id" to check whether it's the proxy connection >>> or not but the above would be much easier/better IMHO. >> >> For this specific case of http to https redirect I use the >> X-Forwarded-Proto header. In the ssl frontend I do this: >> >> http-request set-header X-Forwarded-Proto https >> >> and in the plain http frontend I do this: >> >> http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto) >> https } > > The problem here is that one could set that in a plain http request as > well and would avoid some redirects and whatnot, depending on what you > do based on what decision. You may also want the other SSL data, > cipher, version etc. Since 1.6 you can set variables, ok, but somehow > passing that kind of information could be really useful I guess. > >> >> You usually need to set this header anyway so the application knows it >> needs to generate https URLs in the generated HTML. >> >> Regards, >> Dennis >
Re: Sharing SSL information via PROXY protocol or HAProxy internally
Hi Dennis, On 2016-04-16 02:13, Dennis Jacobfeuerborn wrote: On 15.04.2016 16:01, Christian Ruppert wrote: Hi, would it be possible to inherit the SSL information from a SSL listener/frontend via PROXY protocol? So for example: listen ssl-relay mode tcp ... server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2 listen ssl-rsa_ecc mode tcp ... bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt SSl-RSA.PEM user haproxy frontend http_https bind :80 # http bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy # https redirect scheme https code 301 if !{ssl_fc} Here the ssl_fc and other SSL related ACLs do not work because the actual SSL termination has been done in the above ssl-rsa_ecc listener. Sharing that either internally or via the PROXY protocol would be really handy, if that's possible. For now we use the bind "id" to check whether it's the proxy connection or not but the above would be much easier/better IMHO. For this specific case of http to https redirect I use the X-Forwarded-Proto header. In the ssl frontend I do this: http-request set-header X-Forwarded-Proto https and in the plain http frontend I do this: http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto) https } The problem here is that one could set that in a plain http request as well and would avoid some redirects and whatnot, depending on what you do based on what decision. You may also want the other SSL data, cipher, version etc. Since 1.6 you can set variables, ok, but somehow passing that kind of information could be really useful I guess. You usually need to set this header anyway so the application knows it needs to generate https URLs in the generated HTML. Regards, Dennis -- Regards, Christian Ruppert
Re: Sharing SSL information via PROXY protocol or HAProxy internally
On 15.04.2016 16:01, Christian Ruppert wrote: > Hi, > > would it be possible to inherit the SSL information from a SSL > listener/frontend via PROXY protocol? > So for example: > > listen ssl-relay > mode tcp > > ... > > server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2 > > listen ssl-rsa_ecc > mode tcp > > ... > > bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt > SSl-RSA.PEM user haproxy > > frontend http_https > bind :80 # http > bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy # https > > redirect scheme https code 301 if !{ssl_fc} > > > Here the ssl_fc and other SSL related ACLs do not work because the > actual SSL termination has been done in the above ssl-rsa_ecc listener. > Sharing that either internally or via the PROXY protocol would be really > handy, if that's possible. > For now we use the bind "id" to check whether it's the proxy connection > or not but the above would be much easier/better IMHO. For this specific case of http to https redirect I use the X-Forwarded-Proto header. In the ssl frontend I do this: http-request set-header X-Forwarded-Proto https and in the plain http frontend I do this: http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto) https } You usually need to set this header anyway so the application knows it needs to generate https URLs in the generated HTML. Regards, Dennis