On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov <ig...@encompasscorporation.com> wrote:
> Hi Jonathan,
>
> On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman <jonoi...@gmail.com> wrote:
>
>> Hi All,
>>
>> I am hoping someone can give me some tips and pointers on getting something working in haproxy that could do the following:
>>
>> I have installed haproxy and put a web server behind it; the proxy has 2 interfaces, eth0 (public) and eth1 (proxy internal).
>>
>> I've got a requirement where I want to only proxy some source IP addresses based on their source address, so we can gradually add our customers to haproxy so that we can support TLS1.2 and strong ciphers.
>>
>> I have added an iptables rule and can then bypass haproxy with:
>>
>> ipset -N inboundexclusions iphash
>> for ip in $INBOUNDEXCLUSIONS ; do
>>     ipset -A inboundexclusions $ip
>> done
>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>
>> Testing was done and I was happy with the solution. I then had a requirement to have a proxy with multiple IP addresses on eth0 (so created eth0:1, eth0:2 etc.) and changed my haproxy frontend config from bind 0.0.0.0:443 transparent to bind 10.0.0.92:443 transparent, but now my DNAT doesn't work if haproxy is running; if I stop haproxy the traffic gets DNATted fine.
>>
>> I am not sure if I am being very clear here, but basically I wanted to know if there is a way to do selective SSL offloading on the haproxy, or bypass SSL offloading on the server that sits behind the proxy? This is required so that customers that do not support TLS1.2 and strong ciphers can still connect, actually bypassing the SSL offloading on the proxy.
>>
>> Thanks very much for your time reading this.
>>
>> Regards,
>> Jonathan
>>
>
> One option that comes to mind for achieving the same without iptables is using a whitelist file and two backends: one tcp backend that will just pass through the SSL connection to the SSL server and one in http mode that will do SSL offloading. Something like:
>
> use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
> default_backend be_passthrough
>
> or vice-versa depending on your implementation and which list would be shorter :-)
>
> Another idea:

$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
$IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j DNAT --to-destination 127.0.2.1:443

then in haproxy:

bind 127.0.2.1:443
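A worked version of the two-backend approach sketched above, added here as an example; it is not configuration from anyone in this thread. The addresses 10.0.0.92 and 10.0.1.10, port 8443, the certificate path and the backend names are assumptions, and /etc/haproxy/whitelist.lst is assumed to hold one address or CIDR per line for the customers already confirmed to negotiate TLS 1.2. The key point is that TLS termination in haproxy happens on the bind line, so the public listener must be a plain tcp-mode listener without "ssl"; whitelisted clients are handed to a second, loopback-only listener that does the actual termination, and everyone else is passed through to the origin untouched.

```haproxy
global
    log /dev/log local0
    # Enforced only on the termination tier (fe_offload): the passthrough
    # path never negotiates TLS in haproxy, so legacy clients still work.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    log global
    option tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public listener on the eth0 address. No "ssl" keyword here, so the raw
# TLS stream is routed by source address before any handshake happens.
frontend fe_public
    bind 10.0.0.92:443
    mode tcp
    acl whitelisted src -f /etc/haproxy/whitelist.lst   # assumed file
    use_backend be_offload if whitelisted
    default_backend be_passthrough

# Untouched TLS passthrough to the existing server, which keeps its own cert.
backend be_passthrough
    mode tcp
    server origin_ssl 10.0.1.10:443 check               # assumed address

# Hop to the loopback termination tier. send-proxy carries the real client
# address across the hop so the http tier can log and forward it.
backend be_offload
    mode tcp
    server offload_tier 127.0.0.1:8443 send-proxy       # assumed port

# Termination tier: TLS 1.2+ and strong ciphers enforced via the
# ssl-default-bind-* settings in the global section.
frontend fe_offload
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/site.pem accept-proxy
    mode http
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend be_web

backend be_web
    mode http
    server web1 10.0.1.10:80 check                      # assumed address
```

The whitelist is read when haproxy starts, so a reload is needed after editing the file (or an entry can be added at runtime with `add acl /etc/haproxy/whitelist.lst <address>` on the stats socket, which lasts until the next reload). Logging is split by backend name, so the tcplog lines for be_passthrough show exactly which customers still depend on the legacy path; the migration is finished when that backend stops receiving connections and be_passthrough can be removed. Note that the offloaded leg to be_web is plain HTTP on the internal interface, so that segment has to be one you already trust, and the original `transparent` keyword can be kept on the fe_public bind line if the iptables-based setup still relies on it.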