Hi Jonathan,

I'll keep bottom posting otherwise the thread will become a real mess and
very hard to follow historically.

On Sun, Aug 12, 2018 at 9:19 PM Jonathan Opperman <jonoi...@gmail.com>
wrote:

> Hi Igor,
>
> Not 100% sure what you mean here with the redirect to the proxy bind on
> that port? What will the rest
> of the bind look like on the front-end config in haproxy?
>
> Cheers
> Jonathan
>
> On Tue, Aug 7, 2018 at 1:16 PM Igor Cicimov <
> ig...@encompasscorporation.com> wrote:
>
>>
>>
>> On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov <
>> ig...@encompasscorporation.com> wrote:
>>
>>> Hi Jonathan,
>>>
>>> On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman <jonoi...@gmail.com>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I am hoping someone can give me some tips and pointers on getting
>>>> something working
>>>> in haproxy that could do the following:
>>>>
>>>> I have installed haproxy and put a web server behind it, the proxy has
>>>> 2 interfaces,
>>>> eth0 (public) and eth1 (proxy internal)
>>>>
>>>> I've got a requirement where I want to only proxy some source ip
>>>> addresses based on
>>>> their source address so we can gradually add our customers to haproxy so
>>>> that we can
>>>> support TLS1.2 and strong ciphers
>>>>
>>>> I have added an iptables rule and can then bypass haproxy with:
>>>>
>>>> # create the set once, then fill it with the excluded source addresses
>>>> ipset -N inboundexclusions iphash
>>>> for ip in $INBOUNDEXCLUSIONS ; do
>>>>         ipset -A inboundexclusions $ip
>>>> done
>>>> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
>>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG \
>>>>         --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport 443 \
>>>>         -j DNAT --to $JONODEMO1:443
>>>> # anything NOT in the set is sent straight to the backend, bypassing haproxy
>>>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src \
>>>>         -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>>>
>>>> Testing was done and I was happy with the solution. I then had a
>>>> requirement
>>>> to have a proxy with multiple IP addresses on eth0 (so I created eth0:1,
>>>> eth0:2, etc.)
>>>> and changed my haproxy frontend config from  bind 0.0.0.0:443
>>>> transparent
>>>> to bind 10.0.0.92:443 transparent, but now my dnat doesn't work if
>>>> haproxy
>>>> is running; if I stop haproxy the traffic gets dnatted fine.
>>>>
>>>> I am not sure if I am being very clear here, but basically I wanted to
>>>> know if there is
>>>> a way to do selective ssl offloading on the haproxy or bypass
>>>> ssl offloading on the
>>>> server that sits behind the proxy. This is required so that we can still
>>>> let customers that do not support
>>>> TLS1.2 and strong ciphers connect, by actually bypassing
>>>> the ssl offloading on the proxy.
>>>>
>>>> Thanks very much for your time reading this.
>>>>
>>>> Regards,
>>>> Jonathan
>>>>
>>>>
>>> One option that comes to mind achieving the same without iptables is
>>> using a whitelist file and two backends: one tcp backend that will just pass
>>> through the ssl connection to the SSL server and one in http mode that will
>>> do SSL offloading. Something like:
>>>
>>> use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
>>> default_backend be_passthrough
>>>
>>> or vice-versa depending on your implementation and which list would be
>>> shorter :-)
>>>
>>>
>> Another idea:
>>
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
>> --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src
>> -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>> $IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
>> REDIRECT 127.0.2.1:443
>>
>> then in haproxy:
>>
>> bind 127.0.2.1:443
>>
>>
Well, the last 2 rules with a slight correction for the REDIRECT action:

$IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src
-i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
REDIRECT --to-ports 4433

would mean that the first rule will catch all packets for connections
coming to 10.0.0.92 from clients that are NOT on the ip list and will be
sent to the SSL backend directly, bypassing haproxy. The ones that don't
match that rule will be sent to the primary IP, let's say it is still
10.0.0.92, but port 4433. This is where you set your SSL termination proxy
to listen, so same as before just a different port.

The point being you can set your haproxy frontend to listen on whatever
port you like for ssl connections, and redirect to that port via iptables.
If you want to change the IP too you can go with DNAT:

$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
DNAT --to-destination 127.0.2.1:4433

Just trying to solve the problem of haproxy binding to 10.0.0.92:443 and
making the dnat rule fail. Hope it is more clear now, otherwise it would mean
I'm really bad at explaining :-)
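For reference, here is the whitelist/two-backend approach from earlier in the thread as a complete haproxy configuration. This is an added example, not config from the original thread or from either poster: it assumes a hypothetical legacy server at 10.0.1.10 that still terminates TLS itself on 443, a certificate at /etc/haproxy/certs/site.pem, and the /etc/haproxy/whitelist.lst path used above. The hop from the TCP frontend into the terminating frontend goes over an abstract unix socket so no extra iptables rule or loopback port is needed.

```haproxy
# Constructed example: selective TLS termination chosen by client source IP
global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public listener: plain TCP, routes purely on the source address.
# tcplog records which backend each connection took, so you can see
# which customers are still on the passthrough (legacy TLS) path.
frontend fe_https
    mode tcp
    option tcplog
    bind 10.0.0.92:443
    # listed clients get TLS terminated here with modern settings;
    # everybody else is passed through untouched to the legacy server
    use_backend be_to_offload if { src -f /etc/haproxy/whitelist.lst }
    default_backend be_passthrough

backend be_passthrough
    mode tcp
    server legacy 10.0.1.10:443

# Internal hop into the terminating frontend; PROXY protocol v2 carries the
# real client address across the abstract socket
backend be_to_offload
    mode tcp
    server offload abns@fe_offload send-proxy-v2

frontend fe_offload
    mode http
    option httplog
    bind abns@fe_offload accept-proxy ssl crt /etc/haproxy/certs/site.pem ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    option forwardfor
    default_backend be_web

# Re-encrypt to the same legacy server and verify its certificate against
# the system CA bundle (assumed path) rather than trusting it blindly
backend be_web
    mode http
    server web 10.0.1.10:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
```

Moving a customer from passthrough to termination is then a one-line change to whitelist.lst followed by a reload, with no firewall rules to keep in sync.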
