Hi Jonathan, On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman <jonoi...@gmail.com> wrote:
> Hi All,
>
> I am hoping someone can give me some tips and pointers on getting
> something working in haproxy that could do the following:
>
> I have installed haproxy and put a web server behind it, the proxy has 2
> interfaces, eth0 (public) and eth1 (proxy internal)
>
> I've got a requirement where I want to only proxy some source ip addresses
> based on their source address so we can gradually add our customers to
> haproxy so that we can support TLS1.2 and strong ciphers
>
> I have added an iptables rule and can then bypass haproxy with:
>
>     # Create the set once, then add every excluded source address to it.
>     ipset -N inboundexclusions iphash
>     for ip in $INBOUNDEXCLUSIONS ; do
>         ipset -A inboundexclusions $ip
>     done
>
>     # Chain that logs the new connection and DNATs it straight to the demo
>     # server, so the packets never reach the haproxy listener on 10.0.0.92:443.
>     $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>     $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG \
>         --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>     $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport 443 \
>         -j DNAT --to $JONODEMO1:443
>
>     # Sources NOT in the set are sent to the bypass chain; sources in the
>     # set fall through to haproxy.
>     $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src \
>         -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>
> Testing was done and I was happy with the solution, I then had a
> requirement to have a proxy with multiple IP address on eth0 (So created
> eth0:1 eth0:2) etc and changed my haproxy frontend config from
> bind 0.0.0.0:443 transparent to bind 10.0.0.92:443 transparent but now
> my dnat doesn't work if haproxy is running, if I stop haproxy the traffic
> gets dnatted fine.
>
> I am not sure if I am being very clear in here but basically wanted to
> know if there is a way to do selective ssl offloading on the haproxy or
> bypass ssl offloading on the server that sits behind the proxy? This is
> required so that customers that do not support TLS1.2 and strong ciphers
> we can still let them connect so actually bypassing the ssl offloading on
> the proxy.
>
> Thanks very much for your time reading this.
>
> Regards,
> Jonathan
>

One option that comes to mind achieving the same without iptables is using a whitelist file and two backends: one tcp backend that will just pass through the ssl connection to the SSL server and one in http mode that will do SSL offloading. Something like:

    use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
    default_backend be_passthrough

or vice-versa depending on your implementation and which list would be shorter :-)
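A complete configuration along the lines of the reply above, added here as an illustration and not taken from the thread or from any poster. One detail the two-line snippet leaves implicit: a single frontend cannot both terminate TLS and hand the untouched TLS stream to a backend, because termination happens on the bind line. The usual way around that is a TCP frontend on the public address that makes the src decision before any TLS is touched, and a second, TLS-terminating HTTP frontend that the offload path reaches over a local unix socket. The origin address 10.0.1.10, the certificate path, the socket path and the cipher list are assumptions for the example; ssl-min-ver needs HAProxy 1.8 or later.

```haproxy
global
    log /dev/log local0
    # Strong-crypto policy for the terminating frontend (assumed values).
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Tier 1: raw TCP on the public address. No TLS is terminated here, so the
# routing decision is purely on the client's source address.
frontend fe_https_in
    mode tcp
    bind 10.0.0.92:443
    # whitelist.lst: one IP or CIDR per line, '#' comments allowed.
    # Listed sources get TLS offloading; everyone else is passed through
    # untouched to the origin's own TLS listener (the legacy-cipher path).
    use_backend be_to_offload if { src -f /etc/haproxy/whitelist.lst }
    default_backend be_passthrough

# Passthrough: the origin (assumed 10.0.1.10) still speaks TLS itself.
backend be_passthrough
    mode tcp
    server origin_tls 10.0.1.10:443

# Offload: loop back into the local TLS-terminating frontend. PROXY protocol
# carries the real client address across the socket so logs and X-Forwarded-For
# show the customer, not 127.0.0.1.
backend be_to_offload
    mode tcp
    server local_tls unix@/var/run/haproxy-offload.sock send-proxy-v2

# Tier 2: terminates TLS 1.2 with the strong cipher set above and forwards
# plain HTTP to the origin.
frontend fe_offload
    mode http
    bind unix@/var/run/haproxy-offload.sock accept-proxy ssl crt /etc/haproxy/certs/demo.pem
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend be_origin_http

backend be_origin_http
    mode http
    server origin_http 10.0.1.10:80
```

Two operational points. The file behind `src -f` is loaded into an ACL at startup; entries can be added or removed without a reload through the runtime API (`add acl` / `del acl` on the stats socket against the file name shown by `show acl`), which is what makes the gradual migration convenient. And the passthrough path means the origin's own TLS stack stays reachable from the internet for every address not yet on the list, so its cipher and protocol configuration still matters until the whitelist covers everyone.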