Hi Jonathan,

Thanks for the pointer, correcto mode, found the replies in my spam folder.
Appreciate it.

Cheers
Jono

On Sat, 11 Aug 2018, 17:44 Jonathan Matthews, <cont...@jpluscplusm.com>
wrote:

> Did you miss the two mails from Igor containing suggestions?
>
> Like this email, they went both to the list and directly to yourself.
> Maybe check your spam folder.
>
> J
>
> On Sat, 11 Aug 2018 at 02:28, Jonathan Opperman <jonoi...@gmail.com>
> wrote:
>
>> *bump*
>>
>> Anyone?
>>
>> On Tue, 7 Aug 2018, 11:43 Jonathan Opperman, <jonoi...@gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I am hoping someone can give me some tips and pointers on getting
>>> something working in haproxy that could do the following:
>>>
>>> I have installed haproxy and put a web server behind it. The proxy has 2
>>> interfaces, eth0 (public) and eth1 (proxy internal).
>>>
>>> I've got a requirement where I want to only proxy some source IP
>>> addresses based on their source address, so we can gradually add our
>>> customers to haproxy so that we can support TLS1.2 and strong ciphers.
>>>
>>> I have added an iptables rule and can then bypass haproxy with:
>>>
>>> # create the set once, then populate it from the list of source addresses
>>> ipset -N inboundexclusions iphash
>>> for ip in $INBOUNDEXCLUSIONS ; do
>>>         ipset -A inboundexclusions $ip
>>> done
>>> # dedicated NAT chain: log new connections, then DNAT them to the demo host
>>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
>>> # sources NOT in the set skip haproxy; sources in the set fall through to it
>>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>>
>>> Testing was done and I was happy with the solution. I then had a
>>> requirement to have a proxy with multiple IP addresses on eth0 (so I
>>> created eth0:1, eth0:2, etc.) and changed my haproxy frontend config from
>>> "bind 0.0.0.0:443 transparent" to "bind 10.0.0.92:443 transparent", but
>>> now my DNAT doesn't work if haproxy is running; if I stop haproxy the
>>> traffic gets DNATed fine.
>>>
>>> I am not sure if I am being very clear here, but basically I wanted to
>>> know if there is a way to do selective SSL offloading on the haproxy, or
>>> bypass SSL offloading on the server that sits behind the proxy? This is
>>> required so that customers that do not support TLS1.2 and strong ciphers
>>> can still connect, actually bypassing the SSL offloading on the proxy.
>>>
>>> Thanks very much for your time reading this.
>>>
>>> Regards,
>>> Jonathan
>>>
>>> --
> Jonathan Matthews
> London, UK
> http://www.jpluscplusm.com/contact.html
>
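Since the question is whether haproxy itself can do the selective TLS offloading, here is one way to express it in haproxy configuration, added as an example that is not part of the thread and not from any of its participants. It assumes haproxy 1.8 or later, a constructed origin web server at 10.0.1.10, a certificate at /etc/haproxy/certs/site.pem and a client list at /etc/haproxy/proxied_clients.lst; the public address 10.0.0.92 is the one used in the thread.

```haproxy
# Added example: selective TLS offloading decided by client source IP.
# Listed clients get TLS terminated here (TLS 1.2+, strong ciphers);
# everyone else is passed straight through to the origin's own HTTPS port.
global
    log /dev/log local0
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Layer-4 entry point on the public address from the thread. Nothing is
# decrypted here; the only decision is "terminate locally" or "pass through".
frontend fe_public_443
    mode tcp
    bind 10.0.0.92:443
    # Assumed path; one IP or CIDR per line, add clients as they are migrated.
    acl proxied_src src -f /etc/haproxy/proxied_clients.lst
    use_backend be_local_tls_offload if proxied_src
    default_backend be_passthrough_to_origin

# Loop proxied clients back into the TLS-terminating frontend, carrying the
# real client address with the PROXY protocol.
backend be_local_tls_offload
    mode tcp
    server local_tls 127.0.0.1:8443 send-proxy

# TLS terminates here with the hardened defaults from the global section.
# Certificate path is assumed.
frontend fe_tls_offload
    mode http
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/site.pem accept-proxy
    http-request set-header X-Forwarded-Proto https
    default_backend be_origin_http

# Constructed origin web server behind eth1: plain HTTP for offloaded clients.
backend be_origin_http
    mode http
    option forwardfor
    server web1 10.0.1.10:80 check

# The origin's own HTTPS listener for clients that still need its legacy TLS
# (the "bypass" path from the thread, without any iptables DNAT).
backend be_passthrough_to_origin
    mode tcp
    server web1_tls 10.0.1.10:443 check
```

The `transparent` bind keyword from the original config is omitted here; it concerns source-address preservation and is independent of the routing decision shown.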
