Re: HTTP CONNECT request returns 4XX
Hi,

It's possible with the Socket Lua object. The high-level directives are:

- create a tcp frontend
- create a hook with tcp-request content lua
- in the Lua, you read the first line with the Channel object (txn.req:read())
- establish the SSL connection with Socket like this: socket = core.tcp and socket:connect_ssl().
- forward data with a loop.

TIP: read is a blocking function, so first look at the amount of data available.

Thierry

On Sat, 8 Aug 2015 02:30:41 + (UTC) prabu shyam prabushyam_2...@yahoo.co.in wrote:

> Hi Willy,
>
> Is there a way we can accomplish this with the http-request lua hook on haproxy? For example, on the process_connect lua function:
>
> - Process the HTTP CONNECT method and extract the target server+port
> - Establish a secure socket connection with the target server+port
> - Reply to the client with HTTP 200 and wrap the connection over ssl
> - Read the next HTTP command from the client and forward it to the server
>
> Thanks for your help!
>
> On Thursday, August 6, 2015 10:57 PM, Willy Tarreau w...@1wt.eu wrote:
>
>> Hi,
>>
>> On Thu, Aug 06, 2015 at 07:25:42PM -0700, Bowen Ni wrote:
>>
>>> Hi,
>>>
>>> I am trying to use HAProxy as a man-in-the-middle proxy for HTTPS traffic. When doing an HTTPS request over HAProxy, it tries to tunnel the HTTPS request using an HTTP CONNECT request and the HTTP CONNECT request is passed to backend server directly. My problem is that the response of the CONNECT request I got from HAProxy is always 4XX. For example: 403 Tunnel Forbidden, 400 Bad Request. I have tried many backends and none of them give me 200. Am I missing anything?
>>
>> It's not haproxy which returns this but the next server which receives the CONNECT request. Haproxy is not a forward proxy, so it will not:
>>
>> - resolve host names in uri to decide where to forward the connection;
>> - extract the tunnel from a CONNECT request
>>
>> If you want a forward proxy, simply use squid. It's the expert in this role and works pretty well. You can even put haproxy in front of it if you want.
>>
>> Hoping this helps,
>> Willy
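The first steps of the outline in this message (read the first line of the request, extract the target server and port), as an added example that is not code from this thread: a plain-Lua parser for the CONNECT request line that rejects malformed or disallowed targets before any outbound socket is opened. The names parse_connect_line and ALLOWED_PORTS, the port policy and the sample lines are constructed for illustration; no HAProxy API is called.

```lua
-- Added example, not code from this thread. parse_connect_line and
-- ALLOWED_PORTS are hypothetical names; nothing here calls the HAProxy API.

-- Constructed policy: only tunnel to the HTTPS port.
local ALLOWED_PORTS = { [443] = true }

-- Returns host, port on success, or nil, reason on rejection.
local function parse_connect_line(line)
  -- Drop the trailing CR/LF, then split "CONNECT <target> HTTP/1.x".
  line = line:gsub("[\r\n]+$", "")
  local method, target = line:match("^(%u+) (%S+) HTTP/1%.[01]$")
  if method ~= "CONNECT" then
    return nil, "not a CONNECT request"
  end
  -- The target is host:port; an IPv6 literal is wrapped in brackets.
  local host, port = target:match("^%[([%x:%.]+)%]:(%d+)$")
  if not host then
    host, port = target:match("^([%w%.%-]+):(%d+)$")
  end
  if not host then
    return nil, "target is not host:port"
  end
  port = tonumber(port)
  if port < 1 or port > 65535 then
    return nil, "port out of range"
  end
  if not ALLOWED_PORTS[port] then
    return nil, "port not allowed for tunnelling"
  end
  return host:lower(), port
end

-- Constructed request lines, as a client would send them to the frontend.
local samples = {
  "CONNECT example.com:443 HTTP/1.1\r\n",
  "CONNECT [2001:db8::1]:443 HTTP/1.1\r\n",
  "CONNECT example.com:22 HTTP/1.1\r\n",
  "CONNECT example.com HTTP/1.1\r\n",
  "GET / HTTP/1.1\r\n",
}
for _, s in ipairs(samples) do
  local host, port_or_reason = parse_connect_line(s)
  print((s:gsub("[\r\n]+$", "")), host, port_or_reason)
end
```

Only when the first return value is non-nil would the hook go on to the Socket connect step of the outline.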
Re: HTTP CONNECT request returns 4XX
Hi Willy,

Is there a way we can accomplish this with the http-request lua hook on haproxy? For example, on the process_connect lua function:

- Process the HTTP CONNECT method and extract the target server+port
- Establish a secure socket connection with the target server+port
- Reply to the client with HTTP 200 and wrap the connection over ssl
- Read the next HTTP command from the client and forward it to the server

Thanks for your help!

On Thursday, August 6, 2015 10:57 PM, Willy Tarreau w...@1wt.eu wrote:

> Hi,
>
> On Thu, Aug 06, 2015 at 07:25:42PM -0700, Bowen Ni wrote:
>
>> Hi,
>>
>> I am trying to use HAProxy as a man-in-the-middle proxy for HTTPS traffic. When doing an HTTPS request over HAProxy, it tries to tunnel the HTTPS request using an HTTP CONNECT request and the HTTP CONNECT request is passed to backend server directly. My problem is that the response of the CONNECT request I got from HAProxy is always 4XX. For example: 403 Tunnel Forbidden, 400 Bad Request. I have tried many backends and none of them give me 200. Am I missing anything?
>
> It's not haproxy which returns this but the next server which receives the CONNECT request. Haproxy is not a forward proxy, so it will not:
>
> - resolve host names in uri to decide where to forward the connection;
> - extract the tunnel from a CONNECT request
>
> If you want a forward proxy, simply use squid. It's the expert in this role and works pretty well. You can even put haproxy in front of it if you want.
>
> Hoping this helps,
> Willy
HTTP CONNECT request returns 4XX
Hi,

I am trying to use HAProxy as a man-in-the-middle proxy for HTTPS traffic. When doing an HTTPS request over HAProxy, it tries to tunnel the HTTPS request using an HTTP CONNECT request and the HTTP CONNECT request is passed to backend server directly. My problem is that the response of the CONNECT request I got from HAProxy is always 4XX. For example: 403 Tunnel Forbidden, 400 Bad Request. I have tried many backends and none of them give me 200. Am I missing anything?

I looked into some other proxies (https://mitmproxy.org/doc/explicit_https.png and http://www.charlesproxy.com/documentation/proxying/ssl-proxying/). It seems that they are replying 200 OK at the proxy immediately without forwarding it to the backends. Is it possible to do the same in HAProxy?

Best,
Bowen
Re: HTTP CONNECT request returns 4XX
Hi,

On Thu, Aug 06, 2015 at 07:25:42PM -0700, Bowen Ni wrote:

> Hi,
>
> I am trying to use HAProxy as a man-in-the-middle proxy for HTTPS traffic. When doing an HTTPS request over HAProxy, it tries to tunnel the HTTPS request using an HTTP CONNECT request and the HTTP CONNECT request is passed to backend server directly. My problem is that the response of the CONNECT request I got from HAProxy is always 4XX. For example: 403 Tunnel Forbidden, 400 Bad Request. I have tried many backends and none of them give me 200. Am I missing anything?

It's not haproxy which returns this but the next server which receives the CONNECT request. Haproxy is not a forward proxy, so it will not:

- resolve host names in uri to decide where to forward the connection;
- extract the tunnel from a CONNECT request

If you want a forward proxy, simply use squid. It's the expert in this role and works pretty well. You can even put haproxy in front of it if you want.

Hoping this helps,
Willy