Hi Igor, Thanks for the suggestion, only saw your reply now as gmail decided to route emails to the spam folder.
Tried this and got: Aug 12 18:34:20 vm-proxy-01.prod-01 haproxy[8502]: [ALERT] 223/183420 (8502) : http frontend 'ft_https_demo' (/etc/haproxy/haproxy.cfg:86) tries to use incompatible tcp backend 'bk_https_demo_passthrough' (/etc/haproxy/haproxy. Aug 12 18:34:20 vm-proxy-01.prod-01 haproxy[8502]: [ALERT] 223/183420 (8502) : Fatal errors found in configuration. need a bit of fine tuning on my front-end/back-end config. Cheers Jonathan On Tue, Aug 7, 2018 at 12:53 PM Igor Cicimov <ig...@encompasscorporation.com> wrote: > Hi Jonathan, > > On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman <jonoi...@gmail.com> > wrote: > >> Hi All, >> >> I am hoping someone can give me some tips and pointers on getting >> something working >> in haproxy that could do the following: >> >> I have installed haproxy and put a web server behind it, the proxy has 2 >> interfaces, >> eth0 (public) and eth1 (proxy internal) >> >> I've got a requirement where I want to only proxy some source ip >> addresses based on >> their source address so we can gradually add or customers to haproxy so >> that we can >> support TLS1.2 and strong ciphers >> >> I have added an iptables rule and can then bypass haproxy with: >> >> for ip in $INBOUNDEXCLUSIONS ; do >> ipset -N inboundexclusions iphash >> ipset -A inboundexclusions $ip >> done >> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS >> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j >> LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY" >> >> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d >> 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443 >> $IPTABLES -t nat -A PREROUTING -m set ! --match-set >> inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS >> >> Testing was done and I was happy with the solution, I then had a >> requirement >> to have a proxy with multiple IP address on eth0 (So created eth0:1 >> eth0:2) etc >> and changed my haproxy frontend config from bind 0.0.0.0:443 transparent >> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if haproxy >> is running, if I stop haproxy the traffic gets dnatted fine. >> >> I am not sure if I am being very clear in here but basically wanted to >> know if there is >> a way to do selective ssl offloading on the haproxy or bypass >> ssl offloading on the >> server that sits behind the proxy? This is required so that customers >> that do not support >> TLS1.2 and strong ciphers we can still let them connect so actually >> bypassing >> the ssl offloading on the proxy. >> >> Thanks very much for your time reading this. >> >> Regards, >> Jonathan >> >> > One option that comes to mind achiving the same without iptables is using > whitelist file and two backends: one tcp backend that will just pass > through the ssl connection to the SSL server and one in http mode that will > do SSL offloading. Something like: > > use_backend be_offload if { src -f /etc/haproxy/whitelist.lst } > default_backend be_passthrough > > or vice-versa depending on your implementation and which list would be > shorter :-) > >