On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov <ig...@encompasscorporation.com> wrote:

> Hi Jonathan,
>
> On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman <jonoi...@gmail.com> wrote:
>
>> Hi All,
>>
>> I am hoping someone can give me some tips and pointers on getting
>> something working in haproxy that could do the following:
>>
>> I have installed haproxy and put a web server behind it. The proxy has 2
>> interfaces, eth0 (public) and eth1 (proxy internal).
>>
>> I've got a requirement where I want to only proxy some source IP
>> addresses based on their source address, so we can gradually add our
>> customers to haproxy so that we can support TLS1.2 and strong ciphers.
>>
>> I have added an iptables rule and can then bypass haproxy with:
>>
>> # create the set once, then fill it
>> ipset -N inboundexclusions iphash
>> for ip in $INBOUNDEXCLUSIONS ; do
>>         ipset -A inboundexclusions $ip
>> done
>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
>> # sources NOT in the set skip haproxy and go straight to the demo server
>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>
>> Testing was done and I was happy with the solution. I then had a
>> requirement to have a proxy with multiple IP addresses on eth0 (so I
>> created eth0:1, eth0:2, etc.) and changed my haproxy frontend config from
>> bind 0.0.0.0:443 transparent to bind 10.0.0.92:443 transparent, but now
>> my DNAT doesn't work if haproxy is running; if I stop haproxy the traffic
>> gets DNATed fine.
>>
>> I am not sure if I am being very clear here, but basically I wanted to
>> know if there is a way to do selective SSL offloading on the haproxy, or
>> to bypass SSL offloading on the server that sits behind the proxy. This
>> is required so that customers that do not support TLS1.2 and strong
>> ciphers can still connect, actually bypassing the SSL offloading on the
>> proxy.
>>
>> Thanks very much for your time reading this.
>>
>> Regards,
>> Jonathan
>>
>>
> One option that comes to mind for achieving the same without iptables is
> using a whitelist file and two backends: one TCP backend that will just
> pass the SSL connection through to the SSL server, and one in HTTP mode
> that will do the SSL offloading. Something like:
>
> use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
> default_backend be_passthrough
>
> or vice-versa depending on your implementation and which list would be
> shorter :-)
>
>
Another idea:

$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
$IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
# REDIRECT only takes --to-ports; to land on a specific loopback address use DNAT,
# which for 127/8 destinations arriving on eth0 also needs:
#   sysctl -w net.ipv4.conf.eth0.route_localnet=1
$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j DNAT --to-destination 127.0.2.1:443

then in haproxy:

bind 127.0.2.1:443
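
The whitelist-and-two-backends idea from earlier in the thread, written out as an added example haproxy.cfg that is not from either poster; the addresses (10.0.0.92 public VIP, 10.0.0.50 legacy TLS server, 10.0.0.60 plain-HTTP web server, 127.0.0.1:8443 loopback hop), the certificate path and the cipher list are assumed. It also shows why a loopback hop is needed: TLS termination is a property of the bind line, so the per-source decision has to be made in TCP mode before any handshake.

```haproxy
# Added example haproxy.cfg (assumed addresses, paths and ciphers)
global
    log /dev/log local0
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# TLS is terminated per bind, so the per-source decision happens here in
# TCP mode, before any handshake; offloaded clients take a loopback hop.
frontend fe_https
    mode tcp
    bind 10.0.0.92:443
    option tcplog
    # whitelist.lst: one IP or CIDR per line; entries can also be added at
    # runtime with "add acl /etc/haproxy/whitelist.lst <ip>" on the stats socket
    use_backend be_to_offload if { src -f /etc/haproxy/whitelist.lst }
    default_backend be_passthrough

# Clients not (yet) on the list: raw TCP to the existing TLS server, which
# keeps negotiating whatever that server still supports.
backend be_passthrough
    mode tcp
    server legacy 10.0.0.50:443 check

# Whitelisted clients: hop to the local terminating frontend. PROXY protocol
# carries the real client address across the hop.
backend be_to_offload
    mode tcp
    server offload 127.0.0.1:8443 send-proxy-v2

frontend fe_offload
    mode http
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/site.pem accept-proxy
    option httplog
    http-request set-header X-Forwarded-Proto https
    default_backend be_web

backend be_web
    mode http
    server web1 10.0.0.60:80 check
```

Moving a customer to the strong-cipher path is then a one-line change to whitelist.lst (or a runtime "add acl"), and the ssl-min-ver / cipher settings only ever apply to the fe_offload bind.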
