Re: HAProxy question

2019-11-19 Thread Aleksandar Lazic


Hi.
 
Nov 19, 2019 11:05:34 AM Micael Gillet :
 
> Hello, As part of a project, I have some questions about HAProxy's abilities.
> Could you confirm if HAProxy is able to handle the following points?
> 
> * STP Protection (RSTP)
> * VLANs interfaces
 
This is too low level for HAProxy, IMHO.
 
> * HA Cluster in Active / Passive mode
 
Yes it's possible.
 
> * SNMP for monitoring
 
Not out of the box, but possible with tools.
 
> * HealthCheck of LDAP services
> * Round robin and failover load balancing
> * Routing flows to a specific pool based on the source IP address
> * Filtering incoming flow by IP/port
 
Yes it's possible.
 
> * "Oneconnect" type profile
 
Is this what you mean with that question?
 
https://support.f5.com/csp/article/K7208
 
It looks like you want to replace a F5 cluster.
I would recommend getting in touch with the HAProxy company for a proposal, as I
assume that the commercial product will fit your requirements.
 
> Thanks for your support. Regards Micael Gillet
 
Regards aleks
 

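Aleks answers four of Micael's points with a flat "yes". The configuration below is an added example, not something from this thread or from the HAProxy project, showing what those four look like in practice: filtering incoming connections by source address and port, routing to a pool by source network, LDAP health checks, and round robin with a backup server for failover. Every address, name and file path in it is an assumption. Active/passive clustering is the one item a configuration file cannot show, because HAProxy does not move the service address itself; that is normally done by running keepalived (VRRP) on both nodes with an identical HAProxy configuration.

```haproxy
# Added example (not from the thread). Addresses, names and the allowlist
# path are assumptions. Validate with: haproxy -c -f /etc/haproxy/haproxy.cfg
global
    log 127.0.0.1 local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Filtering by IP/port: the bind pins the port, and connections whose
# source is not listed (one address or CIDR per line) are rejected at
# accept time, before any payload is read.
frontend ldap_in
    bind 192.0.2.10:389
    tcp-request connection reject if !{ src -f /etc/haproxy/allowed_clients.lst }

    # Routing to a specific pool based on the source address.
    acl from_branch_a src 10.10.0.0/16
    acl from_branch_b src 10.20.0.0/16
    use_backend ldap_pool_a if from_branch_a
    use_backend ldap_pool_b if from_branch_b
    default_backend ldap_pool_a

# Round robin across two servers with a third as failover: "backup"
# servers receive traffic only when every non-backup server is down.
# option ldap-check performs an LDAPv3 anonymous bind and validates the
# response, so a server that accepts TCP but does not speak LDAP is
# removed from rotation instead of receiving client binds.
backend ldap_pool_a
    balance roundrobin
    option ldap-check
    server ldap1 10.0.0.11:389 check inter 5s fall 3 rise 2
    server ldap2 10.0.0.12:389 check inter 5s fall 3 rise 2
    server ldap3 10.0.0.13:389 check backup

backend ldap_pool_b
    balance roundrobin
    option ldap-check
    server ldap4 10.0.0.21:389 check inter 5s fall 3 rise 2
    server ldap5 10.0.0.22:389 check backup
```

The `tcp-request connection reject` rule costs a rejected source nothing more than the TCP handshake, which is why it sits before the backend selection; `use_backend` on `src` is evaluated per connection as well, so no `tcp-request inspect-delay` is needed for either.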




Re: HaProxy question

2018-08-13 Thread Jonathan Opperman
On Mon, Aug 13, 2018 at 12:55 AM Igor Cicimov <
ig...@encompasscorporation.com> wrote:

> Hi Jonathan,
>
> I'll keep bottom posting otherwise the thread will become a real mess and
> very hard to follow historically.
>
> On Sun, Aug 12, 2018 at 9:19 PM Jonathan Opperman 
> wrote:
>
>> Hi Igor,
>>
>> Not 100% sure what you mean here with the redirect to the proxy bind on
>> that port? What will the rest
>> of the bind look like on the front-end config in haproxy?
>>
>> Cheers
>> Jonathan
>>
>> On Tue, Aug 7, 2018 at 1:16 PM Igor Cicimov <
>> ig...@encompasscorporation.com> wrote:
>>
>>>
>>>
>>> On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov <
>>> ig...@encompasscorporation.com> wrote:
>>>
 Hi Jonathan,

 On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman 
 wrote:

> Hi All,
>
> I am hoping someone can give me some tips and pointers on getting
> something working
> in haproxy that could do the following:
>
> I have installed haproxy and put a web server behind it, the proxy has
> 2 interfaces,
> eth0 (public) and eth1 (proxy internal)
>
> I've got a requirement where I want to only proxy some source IP
> addresses based on their source address so we can gradually add our
> customers to haproxy so that we can support TLS 1.2 and strong ciphers.
>
> I have added an iptables rule and can then bypass haproxy with:
>
> # create the set once, then populate it
> ipset -N inboundexclusions iphash
> for ip in $INBOUNDEXCLUSIONS ; do
> ipset -A inboundexclusions $ip
> done
> $IPTABLES -t nat -N HTTPSINBOUNDBYPASS
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>
> Testing was done and I was happy with the solution, I then had a
> requirement
> to have a proxy with multiple IP address on eth0 (So created eth0:1
> eth0:2) etc
> and changed my haproxy frontend config from  bind 0.0.0.0:443
> transparent
> to bind 10.0.0.92:443 transparent but now my dnat doesn't work if
> haproxy
> is running, if I stop haproxy the traffic gets dnatted fine.
>
> I am not sure if I am being very clear in here but basically wanted to
> know if there is
> a way to do selective ssl offloading on the haproxy or bypass
> ssl offloading on the
> server that sits behind the proxy? This is required so that customers
> that do not support
> TLS1.2 and strong ciphers we can still let them connect so actually
> bypassing
> the ssl offloading on the proxy.
>
> Thanks very much for your time reading this.
>
> Regards,
> Jonathan
>
>
 One option that comes to mind achieving the same without iptables is
 using a whitelist file and two backends: one tcp backend that will just pass
 through the ssl connection to the SSL server and one in http mode that will
 do SSL offloading. Something like:

 use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
 default_backend be_passthrough

 or vice-versa depending on your implementation and which list would be
 shorter :-)


>>> Another idea:
>>>
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
>>> --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
>>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions
>>> src -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>>> $IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443
>>> -j REDIRECT 127.0.2.1:443
>>>
>>> then in haproxy:
>>>
>>> bind 127.0.2.1:443
>>>
>>>
> Well, the last 2 rules with a slight correction for the REDIRECT action:
>
> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src
> -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
> $IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
> REDIRECT --to-ports 4433
> 
>
> would mean that the first rule will catch all packets for connections
> coming to 10.0.0.92 from clients that are NOT on the IP list and will send
> them to the SSL backend directly, bypassing haproxy. The ones that don't
> match that rule will be sent to the primary IP, let's say it is still
> 10.0.0.92, but port 4433. This is where you set your SSL termination proxy
> to listen, so same as before, just a different port.
>
> The point being you can set your haproxy frontend to listen on whatever
> port you like for ssl connections, and redirect to that port via iptables.
> If you want to change the IP too you can go with 

Re: HaProxy question

2018-08-12 Thread Igor Cicimov
Hi Jonathan,

I'll keep bottom posting otherwise the thread will become a real mess and
very hard to follow historically.

On Sun, Aug 12, 2018 at 9:19 PM Jonathan Opperman 
wrote:

> Hi Igor,
>
> Not 100% sure what you mean here with the redirect to the proxy bind on
> that port? What will the rest
> of the bind look like on the front-end config in haproxy?
>
> Cheers
> Jonathan
>
> On Tue, Aug 7, 2018 at 1:16 PM Igor Cicimov <
> ig...@encompasscorporation.com> wrote:
>> Another idea:
>>
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
>> --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
>> $IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
>> $IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src
>> -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
>> $IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
>> REDIRECT 127.0.2.1:443
>>
>> then in haproxy:
>>
>> bind 127.0.2.1:443
>>
>>
Well, the last 2 rules with a slight correction for the REDIRECT action:

$IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src
-i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
REDIRECT --to-ports 4433


would mean that the first rule will catch all packets for connections
coming to 10.0.0.92 from clients that are NOT on the IP list and will send
them to the SSL backend directly, bypassing haproxy. The ones that don't
match that rule will be sent to the primary IP, let's say it is still
10.0.0.92, but port 4433. This is where you set your SSL termination proxy
to listen, so same as before, just a different port.

The point being you can set your haproxy frontend to listen on whatever
port you like for ssl connections, and redirect to that port via iptables.
If you want to change the IP too you can go with DNAT:

$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
DNAT --to-destination 127.0.2.1:4433

Just trying to solve the problem of haproxy binding to 10.0.0.92:443 and
making the dnat rule fail. Hope it is more clear now, o

Re: HaProxy question

2018-08-12 Thread Jonathan Opperman
Hi Igor,

Not 100% sure what you mean here with the redirect to the proxy bind on
that port? What will the rest
of the bind look like on the front-end config in haproxy?

Cheers
Jonathan



Re: HaProxy question

2018-08-12 Thread Jonathan Opperman
Hi Igor,

Thanks for the suggestion, only saw your reply now as gmail decided to
route emails to the spam folder.

Tried this and got:

Aug 12 18:34:20 vm-proxy-01.prod-01 haproxy[8502]: [ALERT] 223/183420
(8502) : http frontend 'ft_https_demo' (/etc/haproxy/haproxy.cfg:86) tries
to use incompatible tcp backend 'bk_https_demo_passthrough'
(/etc/haproxy/haproxy.
Aug 12 18:34:20 vm-proxy-01.prod-01 haproxy[8502]: [ALERT] 223/183420
(8502) : Fatal errors found in configuration.

need a bit of fine tuning on my front-end/back-end config.

Cheers
Jonathan


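The alert in Jonathan's message is HAProxy refusing to chain an `http` frontend to a `tcp` backend: once a frontend is in http mode it has already parsed the stream as HTTP, so it cannot hand the untouched TLS bytes to a passthrough backend. Igor's two-backend idea works once the public listener stays in tcp mode and TLS termination moves to a second, loopback-only frontend that the first one reaches through a backend. The configuration below is an added example written to show that split; it is not Jonathan's or Igor's configuration, and the addresses, certificate path and allowlist path are assumptions (the frontend and backend names only echo the ones in the alert).

```haproxy
# Added example, not the thread's own configuration. Addresses, cert path
# and allowlist path are assumptions. Validate: haproxy -c -f haproxy.cfg
global
    log 127.0.0.1 local0

defaults
    log     global
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# The public listener stays in tcp mode with no "ssl" on the bind, so it
# can hand the untouched TLS stream to either backend. A src test needs no
# payload, so no tcp-request inspect-delay is required.
frontend ft_https_demo
    mode tcp
    bind 10.0.0.92:443
    option tcplog
    # Clients already migrated to TLS 1.2 / strong ciphers: terminate locally.
    use_backend bk_https_demo_offload if { src -f /etc/haproxy/whitelist.lst }
    # Everyone else: forward the encrypted stream to the origin untouched.
    default_backend bk_https_demo_passthrough

backend bk_https_demo_passthrough
    mode tcp
    server demo1 10.0.1.10:443

# Loop back into the local TLS-terminating listener. send-proxy carries the
# real client address across the hop, so logs and X-Forwarded-For show the
# client rather than 127.0.0.1.
backend bk_https_demo_offload
    mode tcp
    server local_tls 127.0.0.1:8443 send-proxy

# TLS termination with a modern policy. ssl-min-ver needs HAProxy 1.8 or
# newer; on older builds use "no-sslv3 no-tlsv10 no-tlsv11" instead.
# accept-proxy means only PROXY-protocol peers (i.e. the frontend above)
# are accepted on this loopback port.
frontend ft_https_demo_tls
    mode http
    bind 127.0.0.1:8443 accept-proxy ssl crt /etc/haproxy/certs/demo.pem ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend bk_demo_http

backend bk_demo_http
    mode http
    server demo1 10.0.1.10:80
```

The allowlist takes one address or CIDR per line and is read at startup, so editing it needs a reload (or `add acl /etc/haproxy/whitelist.lst <addr>` on the stats socket). Two caveats worth keeping in view: the passthrough path leaves the origin's older TLS configuration reachable, so the list should only grow until the bypass backend can be deleted; and if the iptables variant with DNAT to 127.0.2.1 is kept instead, packets arriving on eth0 for a loopback destination are dropped as martians unless `net.ipv4.conf.eth0.route_localnet=1` is set (REDIRECT, which rewrites to the interface's own primary address, does not need it).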

Re: HaProxy question

2018-08-12 Thread Jonathan Opperman
Hi Jonathan,

Thanks for the pointer, correcto mode, found the replies in my spam folder.
Appreciate it..

Cheers
Jono



Re: HaProxy question

2018-08-10 Thread Jonathan Matthews
Did you miss the two mails from Igor containing suggestions?

Like this email, they went both to the list and directly to yourself. Maybe
check your spam folder.

J

Jonathan Matthews
London, UK
http://www.jpluscplusm.com/contact.html


Re: HaProxy question

2018-08-10 Thread Jonathan Opperman
*bump*

Anyone?



Re: HaProxy question

2018-08-06 Thread Igor Cicimov
Another idea:

$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG
--log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
$IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src
-i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j
REDIRECT 127.0.2.1:443

then in haproxy:

bind 127.0.2.1:443


Re: HaProxy question

2018-08-06 Thread Igor Cicimov
Hi Jonathan,

One option that comes to mind achieving the same without iptables is using
a whitelist file and two backends: one tcp backend that will just pass
through the ssl connection to the SSL server and one in http mode that will
do SSL offloading. Something like:

use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
default_backend be_passthrough

or vice-versa depending on your implementation and which list would be
shorter :-)


Re: HAProxy Question

2014-02-06 Thread Ben Timby
TCP mode load balancing would treat each TCP quad (source ip/source port,
dest ip/dest port), stream, or flow as a "session" or in other words, the
TCP stream is the basic unit of TCP load balancing.

You can enable the stats http interface and monitor that in your browser
for some useful metrics such as session count etc. There are also tools
such as hatop that will monitor the stats socket (unix domain socket) and
print a summary on the console.

See the "stats *" directives in the manual:
http://haproxy.1wt.eu/download/1.5/doc/configuration.txt
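Ben's two suggestions, as an added example that is not from his message: a stats socket for hatop-style tools plus an authenticated HTTP stats page, next to a tcp-mode listener to observe. Addresses, the socket path and the credentials are assumptions.

```haproxy
# Added example (not from the message above). Addresses, socket path and
# credentials are assumptions.
global
    # Unix stats socket for hatop or a script. Keep the file mode tight and
    # grant "admin" only if something needs to change server state; "user"
    # or "operator" is enough for read-only monitoring.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s

defaults
    mode    tcp
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# HTTP stats page on a management address only, behind authentication,
# read-only. It lists every backend address, so never bind it publicly.
listen stats
    mode http
    bind 10.0.0.5:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats auth ops:change-me
    stats admin if FALSE

# A TCP-mode listener to watch. Each client TCP connection is one session:
# "scur" is the current count and "stot" the total since start. In tcp mode
# there is no request count, only sessions.
listen smtp_relay
    bind 10.0.0.5:25
    balance roundrobin
    server mx1 10.0.1.21:25 check
    server mx2 10.0.1.22:25 check

# Querying the socket from the shell (socat is assumed to be installed);
# fields 1,2,5,8,18 of "show stat" are pxname, svname, scur, stot, status:
#   echo "show stat" | socat stdio /run/haproxy/admin.sock | cut -d, -f1,2,5,8,18
#   echo "show info" | socat stdio /run/haproxy/admin.sock
```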


Re: haproxy question about check

2010-06-08 Thread eni-urgence

Thank you Willy for your answer and the team for their work on Haproxy.
Sorry for my big mail, then I will be shorter in my further mail.
Thank you for you advise. it provides the good answer to my question.



Re: haproxy question about check

2010-06-04 Thread Willy Tarreau
Hello,

first, there are too many questions for a single mail, it's hard for
list subscribers to find enough time to reply to everything, and it
is likely that you'll only get partial responses.

On Fri, May 21, 2010 at 03:15:54PM +0200, eni-urgence wrote:
> Hello all.
> 
> I discovered haproxy a few weeks ago and I want to thank Willy for his
> very good product.

Thanks, but I'm not the only one :-)

> I'm planning to integrate haproxy into our DMZ.
> I want to use haproxy for load balancing heavy secure PHP/Ajax
> applications with cookie persistence: a collaborative scheduler and an
> image consultation extranet.
> 
> The stunnel service will handle HTTPS connections and forward decrypted
> requests to haproxy on port 88. Then haproxy will forward
> connections to the web server on ports 10088, 100089 (and so on) on a mass
> virtual host configuration of Apache (see below).
> In /var/www/vhost-SSL/ on the web server, there are some symbolic links to
> the PHP sources. Some domains are not linked to the same path because
> they don't provide the same application. So I don't want to have to
> delete/rename the "running.ok" file on every path when I want to
> shut down the web server.
> I want to use the httpcheck on port 10081 and the file "running.ok".
> But I want a soft stop of the service. I want haproxy to stop
> forwarding new connections if it doesn't find the "running.ok" file but
> continue to forward connections if the cookie is initialised. So I will
> configure a backup server with the same cookies (as said in the HAProxy
> documentation).

Now you can proceed more easily: use the "http-check disable-on-404"
feature. It says that if the server responds 404 to a health check,
then it just doesn't want any new users, but those with cookies are still
welcome. That's precisely what you're doing, and it was designed exactly
for this usage.

> So now my questions:
> - is it possible to check only the header, like this "HEAD / HTTP/1.0",
> for the backup server?

Yes and it's even recommended. Haproxy will only care about the HTTP
status code, not the rest. So it's pointless to ask the server to
emit the data.

> - As said in Willy's article (http://1wt.eu/articles/2006_lb/), it is
> good to load balance the encryption/decryption flow too. So a haproxy
> instance in TCP mode (layer 4) seems to be a good solution. But our
> applications have to know the client IP for security reasons. I read
> that a recompiled kernel with tproxy support will forward connections
> keeping the real client IP. Is that true?

Recent Linux kernels (>= 2.6.28) integrate the patch. Maybe your
distro was compiled with it enabled and you don't even need to
recompile. However, you should be aware that you have to adjust
the routing on your servers so that the response traffic passes
through haproxy. You can also use LVS for the pure layer 4 LB,
it has the advantage of supporting direct server return since
it basically only changes the destination MAC address of the
packets.

> - I want to manage a multi-site configuration keeping the
> session persistence. How can I manage to do so?

Simply use the same cookie name with different values. Have all your
haproxy instances know all the servers. If there are too many servers,
then a different option is possible. Have the cookie name (or value)
indicate which site handles the session, and have all haproxy instances
know about each other and be able to forward traffic to each other.

Example :

frontend site1
    # layer 7 ACLs on the cookie need HTTP mode (default mode is TCP)
    mode http
    bind :80
    acl is_site1 hdr_sub(cookie) SERVERID=a
    acl is_site2 hdr_sub(cookie) SERVERID=b
    acl is_site3 hdr_sub(cookie) SERVERID=c
    use_backend site2 if is_site2
    use_backend site3 if is_site3
    default_backend local

backend local
    # handles site1's traffic as well as non-site specific traffic
    # all cookies are prefixed with "a"
    mode http
    cookie SERVERID
    server srv1 1.0.0.1:80 cookie a1
    server srv2 1.0.0.1:80 cookie a2
    server srv3 1.0.0.1:80 cookie a3

backend site2
    # reroute traffic to site 2's load balancer
    mode http
    server site2 2.2.2.2:80

backend site3
    # reroute traffic to site 3's load balancer
    mode http
    server site3 3.3.3.3:80

Hoping this helps,
Willy




Re: haproxy question about check

2010-06-02 Thread eni-urgence


Hello.

Sorry for my latency in answering.
Thank you for the trick about the check. I will test it when I have time.

About the multi-site question, I will explain because it's a bit
confusing. I have two agencies at this time: one with 2 WEB/DNS servers
(agency A) and the other with 1 WEB/DNS server (agency B). Agency A has
two WAN lines. My zones are configured with 3 NS records, 2 of which go to
agency A via different public addresses. My firewall NATs the public
addresses to 2 different private addresses (in the DMZ), and using views
I adjust the response. Today, in order to provide service continuity, I
start the DNS server of agency B when the DNS servers of agency A are
down. But it's a loss of power and of a server that I want to use now
with haproxy.


Have I been clear?

Re: haproxy question about check

2010-05-21 Thread Hervé COMMOWICK

Hello,

On 05/21/2010 03:15 PM, eni-urgence wrote:

> Hello all.
>
> I discovered haproxy a few weeks ago and I want to thank Willy for his
> very good product.
>
> I'm planning to integrate haproxy into our DMZ.
> I want to use haproxy for load balancing heavy secure PHP/Ajax
> applications with cookie persistence: a collaborative scheduler and an
> image consultation extranet.
>
> The stunnel service will handle HTTPS connections and forward decrypted
> requests to haproxy on port 88. Then haproxy will forward connections
> to the web server on ports 10088, 100089 (and so on) on a mass virtual
> host configuration of Apache (see below).
> In /var/www/vhost-SSL/ on the web server, there are some symbolic links to
> the PHP sources. Some domains are not linked to the same path because
> they don't provide the same application. So I don't want to have to
> delete/rename the "running.ok" file on every path when I want to
> shut down the web server.
> I want to use the httpcheck on port 10081 and the file "running.ok".
> But I want a soft stop of the service. I want haproxy to stop forwarding
> new connections if it doesn't find the "running.ok" file but continue to
> forward connections if the cookie is initialised. So I will configure a
> backup server with the same cookies (as said in the HAProxy documentation).

Use "http-check disable-on-404" for this.

> So now my questions:
> - is it possible to check only the header, like this "HEAD / HTTP/1.0",
> for the backup server?

option httpchk HEAD / HTTP/1.0

> - As said in Willy's article (http://1wt.eu/articles/2006_lb/), it is
> good to load balance the encryption/decryption flow too. So a haproxy
> instance in TCP mode (layer 4) seems to be a good solution. But our
> applications have to know the client IP for security reasons. I read
> that a recompiled kernel with tproxy support will forward connections
> keeping the real client IP. Is that true?

Yes it is; tproxy has been included in mainstream kernels >= 2.6.28.
Usage of the X-Forwarded-For header is preferred if you use stunnel.

> - I want to manage a multi-site configuration keeping the session
> persistence. How can I manage to do so?

I don't understand this question :)

Regards,

Hervé.
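Willy's two recommendations (a HEAD-only check and "http-check disable-on-404" for a soft stop) and Hervé's "option httpchk HEAD / HTTP/1.0" combined into one backend with cookie persistence, as an added example that is not from the thread. The check port 10081 and the "running.ok" marker come from the question; the addresses, the stunnel-only source filter and the backup server are assumptions.

```haproxy
# Added example (not from the thread): soft stop of a web server via a 404
# on the health check. Assumed addresses; port 10081 and the "running.ok"
# marker are taken from the question.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_app
    bind :88
    # stunnel terminates HTTPS on this host and hands us plaintext on :88,
    # so accept only the local stunnel instance as a client (assumption).
    acl from_stunnel src 127.0.0.1
    http-request deny unless from_stunnel
    default_backend be_app

backend be_app
    balance roundrobin
    # Persistence cookie inserted by haproxy. "secure" is correct because the
    # client side is HTTPS through stunnel; "nocache" keeps shared caches
    # from storing a personalised response.
    cookie SERVERID insert indirect nocache secure httponly
    # HEAD is enough: only the status code is examined, so the server need
    # not send a body. One marker file per host, on the dedicated check
    # port, independent of the per-vhost document roots.
    option httpchk HEAD /running.ok HTTP/1.0
    # 404 means "drain": no new sessions are sent here, but requests that
    # carry this server's cookie keep flowing. A timeout or a 5xx still
    # marks the server DOWN.
    http-check disable-on-404
    server web1 10.0.0.11:10088 cookie web1 check port 10081 inter 2s fall 3 rise 2
    server web2 10.0.0.12:10088 cookie web2 check port 10081 inter 2s fall 3 rise 2
    # Receives new sessions only when every primary is DOWN (not merely
    # draining); an assumption, not part of the original setup.
    server web3 10.0.0.13:10088 cookie web3 check port 10081 backup
```

Renaming running.ok on one host makes that server show up as NOLB on the stats page while its cookie-bound sessions finish; restoring the file returns it to UP without a restart.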