Did you miss the two mails from Igor containing suggestions?

Like this email, they went both to the list and directly to yourself. Maybe
check your spam folder.

J

On Sat, 11 Aug 2018 at 02:28, Jonathan Opperman <jonoi...@gmail.com> wrote:

> *bump*
>
> Anyone?
>
> On Tue, 7 Aug 2018, 11:43 Jonathan Opperman, <jonoi...@gmail.com> wrote:
>
>> Hi All,
>>
>> I am hoping someone can give me some tips and pointers on getting
>> something working in haproxy that could do the following:
>>
>> I have installed haproxy and put a web server behind it, the proxy has 2
>> interfaces, eth0 (public) and eth1 (proxy internal).
>>
>> I've got a requirement where I want to only proxy some source ip
>> addresses based on their source address so we can gradually add our
>> customers to haproxy so that we can support TLS1.2 and strong ciphers.
>>
>> I have added an iptables rule and can then bypass haproxy with:
>>
>> # create the set once, then add each address to it
>> ipset -N inboundexclusions iphash
>> for ip in $INBOUNDEXCLUSIONS ; do
>>         ipset -A inboundexclusions $ip
>> done
>> # dedicated nat chain: log the connection, then DNAT it straight to the backend
>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
>> # sources NOT in the set are diverted around haproxy
>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>
>> Testing was done and I was happy with the solution. I then had a
>> requirement to have a proxy with multiple IP addresses on eth0 (so created
>> eth0:1, eth0:2, etc.) and changed my haproxy frontend config from
>> bind 0.0.0.0:443 transparent to bind 10.0.0.92:443 transparent, but now my
>> dnat doesn't work if haproxy is running; if I stop haproxy the traffic
>> gets dnatted fine.
>>
>> I am not sure if I am being very clear in here, but basically I wanted to
>> know if there is a way to do selective ssl offloading on the haproxy, or
>> bypass ssl offloading on the server that sits behind the proxy? This is
>> required so that we can still let customers that do not support TLS1.2
>> and strong ciphers connect, actually bypassing the ssl offloading on the
>> proxy.
>>
>> Thanks very much for your time reading this.
>>
>> Regards,
>> Jonathan
>>
--
Jonathan Matthews
London, UK
http://www.jpluscplusm.com/contact.html
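The ipset/iptables bypass quoted above works, but as written it is not safe to re-run: the set is created inside the loop, the chain is appended to without being flushed, and the PREROUTING jump is added again on every run. The script below is an added example (my own, not code from the thread or from the haproxy project) that builds the same rules idempotently. It keeps the thread's semantics, namely that addresses in `inboundexclusions` are the ones still sent through haproxy and every other source is DNATed straight to the backend, so the set is effectively the allow-list for the stronger-TLS path and the LOG rule keeps the weaker path auditable. `192.0.2.10` is a constructed placeholder for the thread's `$JONODEMO1`, the log prefix is my own, and the modern `ipset create/add ... -exist` syntax is used in place of `-N/-A`. `DRYRUN=1` prints the commands instead of executing them, which is how the rules can be checked on a machine without iptables.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the "only listed sources go
# through haproxy, everyone else is DNATed straight to the backend" NAT rules
# so the script can be re-run safely. Set DRYRUN=1 to print the commands.
IPTABLES="${IPTABLES:-iptables}"
IPSET="${IPSET:-ipset}"
PROXY_IP="${PROXY_IP:-10.0.0.92}"        # address haproxy binds (from the thread)
BACKEND_IP="${BACKEND_IP:-192.0.2.10}"   # constructed placeholder for $JONODEMO1
SET_NAME="inboundexclusions"             # sources that DO stay on haproxy
CHAIN="HTTPSINBOUNDBYPASS"

run() {
    # Execute the command, or just print it when DRYRUN=1.
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ensure_prerouting_jump() {
    # Append the PREROUTING jump only when it is not already present
    # (-C = check), so repeated runs do not stack duplicate rules.
    if [ "${DRYRUN:-0}" = "1" ] || ! "$IPTABLES" -t nat -C PREROUTING "$@" 2>/dev/null; then
        run "$IPTABLES" -t nat -A PREROUTING "$@"
    fi
}

build_bypass_rules() {
    # Create the set once, outside the loop; -exist makes re-runs a no-op.
    run "$IPSET" create "$SET_NAME" hash:ip -exist
    for ip in "$@"; do
        run "$IPSET" add "$SET_NAME" "$ip" -exist
    done

    # Dedicated chain: create if missing, then flush so it is rebuilt cleanly.
    run "$IPTABLES" -t nat -N "$CHAIN" 2>/dev/null || true
    run "$IPTABLES" -t nat -F "$CHAIN"
    # Log each diverted connection so the weaker-TLS path stays auditable.
    run "$IPTABLES" -t nat -A "$CHAIN" -p tcp --dport 443 \
        -j LOG --log-prefix "BYPASS-HAPROXY: "
    # nat only sees the first packet of a connection, so no state match needed.
    run "$IPTABLES" -t nat -A "$CHAIN" -d "$PROXY_IP" -p tcp --dport 443 \
        -j DNAT --to-destination "$BACKEND_IP:443"

    # Anything NOT in the set is diverted around haproxy.
    ensure_prerouting_jump -m set ! --match-set "$SET_NAME" src \
        -d "$PROXY_IP" -p tcp --dport 443 -j "$CHAIN"
}

# Usage: DRYRUN=1 ./bypass.sh 203.0.113.5 203.0.113.6
# (arguments are the sources that stay on haproxy; drop DRYRUN=1 to apply)
if [ "$#" -gt 0 ]; then
    build_bypass_rules "$@"
fi
```

Run it once with `DRYRUN=1` and diff the printed commands against `iptables -t nat -S` on the box; the only lines that should differ on a second real run are none, which is the point of the `-exist`, flush and `-C` checks.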
