I am trying to set up a transparent or intercepting proxy that works
with HTTPS, and have hit a bit of a wall.
I am using IPTables to intercept the port 80 and 443 traffic, and
DNAT'ing the traffic to a HAProxy VIP.
I have the front end configured as such:
frontend tproxy
    bind 192.168.120.1:3129
    option httplog
    option http-server-close
    option forwardfor except 127.0.0.0/8
    default_backend tproxy
The backend is where I have problems.
backend tproxy
    acl https ssl_fc
    http-request set-uri http://%[req.hdr(Host)]%[path]?%[query] unless https
    http-request set-method CONNECT if https
    http-request set-uri https://%[ssl_fc_sni] if https
    server proxy1 192.168.88.1:3129 check inter 10000
    server proxy2 192.168.88.2:3129 check inter 10000
Right now, HTTP interception works without issue. As I understand
things, having read through some docs, the acl will never match HTTPS
traffic that is to be proxied, because the front end bind statement does
not have the "ssl" option. Subsequently, the rewrites of the method and
uri will never happen. I also believe the rewrite of the uri will not
work because ssl_fc_sni requires the "ssl" option be present on the bind
line for the front end. That leads me to wonder how I differentiate
between HTTP and HTTPS in a transparent proxy scenario. Would
req.proto_http be appropriate? Being that the match does not occur
until the request is complete, I am not sure.
Once I am properly differentiating between HTTP and HTTPS traffic, what
would be the correct way to rewrite the uri? I think req.ssl_sni is the
value I need to use, instead of ssl_fc_sni.
Any insight is appreciated.
Thank you,
Brendan
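The following is an added example configuration, not Brendan's config and not something from the HAProxy project, illustrating the HTTP/HTTPS differentiation part of the question only. It assumes the iptables DNAT rules send port 80 to 192.168.120.1:3129 and port 443 to a second HAProxy port, 3130 (both ports are assumptions), so each frontend knows up front which kind of stream it is receiving. The HTTPS frontend runs in TCP mode: ssl_fc and ssl_fc_sni only work when HAProxy terminates TLS ("ssl" on the bind line), whereas req.ssl_hello_type and req.ssl_sni are parsed out of the buffered ClientHello and work without terminating TLS. The TLS backend (name, port 3130 and the allowed-SNI suffix are placeholders) must be something that accepts a raw TLS stream; this example does not attempt to turn the stream into a CONNECT request for the upstream explicit proxy, which is the remaining open point in the question. The SNI logging and allow-list give a defender a per-connection record of the requested destination and a way to refuse egress to unexpected hosts, still without decrypting anything.

```haproxy
# Added example configuration (not the original poster's, not HAProxy project code).
# Assumption: iptables DNATs dst port 80 -> 192.168.120.1:3129
#             and         dst port 443 -> 192.168.120.1:3130

frontend tproxy_http
    bind 192.168.120.1:3129
    mode http
    option httplog
    option http-server-close
    option forwardfor except 127.0.0.0/8
    # Rebuild an absolute URI so the upstream explicit proxy accepts it
    http-request set-uri http://%[req.hdr(Host)]%[path]?%[query]
    default_backend tproxy_http

frontend tproxy_https
    bind 192.168.120.1:3130
    mode tcp
    option tcplog
    # Hold the connection up to 5s so the ClientHello is buffered before
    # the content rules below are evaluated
    tcp-request inspect-delay 5s
    # Only TLS ClientHello (handshake type 1) streams are let through;
    # anything that is not TLS on the HTTPS port is dropped
    tcp-request content reject unless { req.ssl_hello_type 1 }
    # Record the SNI for logging: req.ssl_sni is read from the ClientHello
    # and does not need "ssl" on the bind line (unlike ssl_fc_sni)
    tcp-request content set-var(txn.sni) req.ssl_sni
    log-format "%ci:%cp [%t] %ft %b/%s sni=%[var(txn.sni)] %B"
    # Egress allow-list by SNI (placeholder suffix); unknown destinations
    # and connections without SNI are refused rather than forwarded
    acl sni_allowed req.ssl_sni -m end .example.com
    tcp-request content reject unless sni_allowed
    default_backend tproxy_tls

backend tproxy_http
    mode http
    server proxy1 192.168.88.1:3129 check inter 10000
    server proxy2 192.168.88.2:3129 check inter 10000

backend tproxy_tls
    mode tcp
    # Placeholder port: must be a listener that accepts a raw TLS stream,
    # not the explicit (CONNECT) proxy port used by the HTTP backend
    server tls1 192.168.88.1:3130 check inter 10000
    server tls2 192.168.88.2:3130 check inter 10000
```

Run `haproxy -c -f <file>` to check the syntax before loading it. The two `tcp-request content reject` rules are evaluated once the inspect delay has buffered enough data, so a non-TLS client on the HTTPS port is cut off before anything is forwarded, and every accepted connection is logged with the SNI it asked for.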