*bump* Anyone?
On Tue, 7 Aug 2018, 11:43 Jonathan Opperman, <jonoi...@gmail.com> wrote: > Hi All, > > I am hoping someone can give me some tips and pointers on getting > something working > in haproxy that could do the following: > > I have installed haproxy and put a web server behind it, the proxy has 2 > interfaces, > eth0 (public) and eth1 (proxy internal) > > I've got a requirement where I want to only proxy some source ip addresses > based on > their source address so we can gradually add or customers to haproxy so > that we can > support TLS1.2 and strong ciphers > > I have added an iptables rule and can then bypass haproxy with: > > for ip in $INBOUNDEXCLUSIONS ; do > ipset -N inboundexclusions iphash > ipset -A inboundexclusions $ip > done > $IPTABLES -t nat -N HTTPSINBOUNDBYPASS > $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG > --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY" > $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport > 443 -j DNAT --to $JONODEMO1:443 > $IPTABLES -t nat -A PREROUTING -m set ! --match-set > inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS > > Testing was done and I was happy with the solution, I then had a > requirement > to have a proxy with multiple IP address on eth0 (So created eth0:1 > eth0:2) etc > and changed my haproxy frontend config from bind 0.0.0.0:443 transparent > to bind 10.0.0.92:443 transparent but now my dnat doesn't work if haproxy > is running, if I stop haproxy the traffic gets dnatted fine. > > I am not sure if I am being very clear in here but basically wanted to > know if there is > a way to do selective ssl offloading on the haproxy or bypass > ssl offloading on the > server that sits behind the proxy? This is required so that customers that > do not support > TLS1.2 and strong ciphers we can still let them connect so actually > bypassing > the ssl offloading on the proxy. > > Thanks very much for your time reading this. > > Regards, > Jonathan > >
