On 07/17/2016 04:59 PM, Evgeniy Sudyr wrote:
Brendan,

I'm also interested in this topic, as our company is preparing to
switch most traffic to be SSL enabled soon.

What I found so far are these quite informative articles:

1) http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/
2) http://loadbalancer.org/blog/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy

Also, you did not post your iptables config or the routing rules on the backend
servers (they need to reply to the "spoofed" IPs back through the HAProxy
servers (tcp mode, right?)); all of these are very important for a tproxy
config to work.

Let me know your results if you get them first.

Btw, I will be glad to see working configs from other community
members. Thank you all in advance!

--
Evgeniy

On Sun, Jul 17, 2016 at 10:19 PM, Brendan Kearney <bpk...@gmail.com> wrote:
i have iptables configured to redirect outbound HTTP to HAProxy, and then
load balance to a couple of squid instances.  the below works well:

backend tproxy
         acl https ssl_fc
         http-request set-uri http://%[req.hdr(Host)]%[path]?%[query] unless https
         ...

i have tried to perform HTTPS interception using the below, in addition to
the redirect of HTTPS traffic to the HAProxy VIP:

         http-request set-method CONNECT if https
         http-request set-uri https://%[req.hdr(Host)]%[path]?%[query] if https

this does not seem to work as expected.  where can i find more info on
performing HTTPS interception, for transparent proxying?  any help would be
appreciated.

thanks,

brendan



HAProxy does not need the kernel to have nonlocal binding turned on, as i am performing DNAT with IPTables:

    # Rule 5 (NAT)
    #
    echo "Rule 5 (NAT)"
    #
    $IPTABLES -t nat -N Cid130089X1041.0
    $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.4 --dport 80 -j Cid130089X1041.0
    $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.5 --dport 80 -j Cid130089X1041.0
    $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.200 --dport 80 -j Cid130089X1041.0
    $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.24.1 --dport 80 -j Cid130089X1041.0
    $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.24.2 --dport 80 -j Cid130089X1041.0
    $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.24.4 --dport 80 -j Cid130089X1041.0
    $IPTABLES -t nat -A Cid130089X1041.0  -d 192.168.1.0/24  -j RETURN
    $IPTABLES -t nat -A Cid130089X1041.0  -d 192.168.24.0/24  -j RETURN
    $IPTABLES -t nat -A Cid130089X1041.0  -d 192.168.88.0/24  -j RETURN
    $IPTABLES -t nat -A Cid130089X1041.0  -d 192.168.100.1  -j RETURN
    $IPTABLES -t nat -A Cid130089X1041.0  -d 192.168.120.0/24  -j RETURN
    $IPTABLES -t nat -A Cid130089X1041.0  -d 192.168.152.0/24  -j RETURN
    $IPTABLES -t nat -A Cid130089X1041.0  -d 192.168.184.0/24  -j RETURN
    $IPTABLES -t nat -A Cid130089X1041.0  -d 192.168.185.0/24  -j RETURN
    $IPTABLES -t nat -A Cid130089X1041.0  -d 192.168.216.0/24  -j RETURN
    $IPTABLES -t nat -A Cid130089X1041.0  -d 192.168.248.0/24  -j RETURN
    $IPTABLES -t nat -A Cid130089X1041.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.120.1:3129

i use FWBuilder to create my iptables policy, and the above takes traffic from some sources and DNATs their outbound traffic on port 80 to my proxy VIP on port 3129. this load balances to squid, which satisfies the request. i am not doing full transparent proxying because my load balancer is also my router/firewall, and out-of-state or asynchronous routing will be dropped by the firewall. this means that i am setting and using the X-Forwarded-For header, and in squid i digest that header for the client IP.

the squid servers see the router's local interface as the source of the connection, and reply back to it. the DNAT is unraveled/undone on the return trip to the client, from the router. because of this, there is no special routing needed on the servers, and only their default route is required.

what i need is the know-how to intercept the HTTPS. this requires a change to the METHOD, and the URI. i am not sure how to go about that, and am looking for more reading material on the subject.
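A quick way to confirm which client flows the nat ruleset above really hands to the proxy VIP and which ones fall through unproxied (an added example, not part of this thread or of FWBuilder's output): a small Python walker over a subset of the quoted rules, with $IPTABLES expanded, that follows the PREROUTING jump into the Cid chain, honours the RETURN bypasses, and reports the destination a SYN carries afterwards. It generalises to any rule list written in the same -A/-s/-d/--dport/-j form; the flow addresses used below are constructed, and it also shows that port 443 is untouched by these port-80 rules.

```python
import ipaddress
import shlex

# Subset of the nat rules quoted in the post ($IPTABLES expanded; constructed input).
RULES = """
-t nat -N Cid130089X1041.0
-t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.4 --dport 80 -j Cid130089X1041.0
-t nat -A PREROUTING -p tcp -m tcp -s 192.168.24.1 --dport 80 -j Cid130089X1041.0
-t nat -A Cid130089X1041.0 -d 192.168.1.0/24 -j RETURN
-t nat -A Cid130089X1041.0 -d 192.168.120.0/24 -j RETURN
-t nat -A Cid130089X1041.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.120.1:3129
"""
KEYS = {"-A": "chain", "-p": "proto", "-s": "src", "-d": "dst",
        "--dport": "dport", "-j": "target", "--to-destination": "to"}
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_rules(text):
    """Build {chain: [rule, ...]}; tokens not in KEYS (-t, -m, -N) are ignored."""
    chains = {"PREROUTING": []}
    for line in text.strip().splitlines():
        toks, rule = iter(shlex.split(line)), {}
        for tok in toks:
            if tok in KEYS:
                rule[KEYS[tok]] = next(toks)
        if "chain" in rule:                      # a -N line yields no rule
            for k in ("src", "dst"):
                if k in rule:
                    rule[k] = ipaddress.ip_network(rule[k])   # bare IP -> /32
            if "dport" in rule:
                rule["dport"] = int(rule["dport"])
            chains.setdefault(rule["chain"], []).append(rule)
    return chains

def walk(chains, chain, src, dst, proto, dport):
    """Kernel-style traversal: RETURN or end of chain hands back to the caller, DNAT ends it."""
    for r in chains.get(chain, []):
        if (r.get("proto", proto) != proto or r.get("dport", dport) != dport
                or ipaddress.ip_address(src) not in r.get("src", ANY)
                or ipaddress.ip_address(dst) not in r.get("dst", ANY)):
            continue
        if r["target"] == "RETURN":
            return None
        if r["target"] == "DNAT":
            return r["to"]
        hit = walk(chains, r["target"], src, dst, proto, dport)   # user chain jump
        if hit is not None:
            return hit
    return None

def new_destination(src, dst, dport, proto="tcp"):  # destination after PREROUTING
    return walk(parse_rules(RULES), "PREROUTING", src, dst, proto, dport) or f"{dst}:{dport}"
```

Running it against the bypass networks shows exactly which internal destinations are never sent through squid, which is worth reviewing whenever a new subnet is added to the RETURN list.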
