http reuse and proxy protocol

Arnall
http reuse and proxy protocol
January 03, 2017 04:20PM
Hi everyone,

Recently we have separated the HTTPS and HTTP frontends in order to scale well.

We are using an nbproc > 1 configuration for SSL offloading:

listen web_tls
mode http
bind *:443 ssl crt whatever.pem process 2
bind *:443 ssl crt whatever.pem process 3

.../..
server web_plain unix@plain.sock send-proxy-v2-ssl

frontend web_plain
bind *:80 process 1
bind unix@plain.sock process 1 accept-proxy

I had forgotten that in the defaults section I had this:

http-reuse always

Today a user tells us that he had access for a moment to the debug tools
of the site. The debug tools are IP protected (a bad thing, I know, but that's
another story...)

I've searched the logs and found this:

11:54:39 lb1 haproxy[123274]: xxx.xxx.xxx.xxx:51139
[03/Jan/2017:11:54:39.080] web_plain forums_connected/proxy12
180/0/0/180/360 200 34197 - \- ---- 1965/1963/9/4/0 0/0
{Mozilla/5.0_(X11;_Linux_x86_64;_rv:50.0)_Gecko/20100101_Firefox/50.0|FR}
"GET /forums/xxx.htm HTTP/1.1"
11:54:39 lb1 haproxy[123278]: yyy.yyy.yyy.yyy:38878
[03/Jan/2017:11:54:39.218] web_tls~ web_tls/web_plain 42/0/0/180/222 200
34192 - \- ---- 91/91/1/2/0 0/0 "GET /forums/xxx.htm HTTP/1.1"

At the same time I have:

11:54:39 lb1 haproxy[123274]: xxx.xxx.xxx.xxx:51139
[03/Jan/2017:11:54:39.440] web_plain nocache_connected/jv-proxy12
6/0/0/3/9 400 452 - \- ---- 1965/1963/2/2/0 0/0
{|like_Gecko)_Version/4.0_Chrome/55.0.2883.91_Mobile_Safari/537.36|FR}
"GET /favicon.ico HTTP/1.1"
11:54:39 lb1 haproxy[123274]: xxx.xxx.xxx.xxx:51139
[03/Jan/2017:11:54:39.450] web_plain cache1/jv-proxy10 26/0/0/13/39 200
1482 - \- ---- 1958/1958/4/4/0 0/0 {||FR} "GET /whatever_url HTTP/1.1"

It seems that the user made an HTTPS request from the IP
yyy.yyy.yyy.yyy, but when the request was forwarded to the web_plain frontend
the IP was xxx.xxx.xxx.xxx! He thus had access to the debug tools
because xxx.xxx.xxx.xxx has access. The user has provided us with a screenshot,
and the IP in the screenshot IS xxx.xxx.xxx.xxx.

Is it possible that with "http-reuse always" the yyy.yyy.yyy.yyy request
used the xxx.xxx.xxx.xxx connection between the HTTPS and HTTP frontends,
with the proxy protocol forwarding xxx.xxx.xxx.xxx instead of yyy.yyy.yyy.yyy?

I hope this is it, I have to be sure :)
Thanks!
Lukas Tribus
Re: http reuse and proxy protocol
January 03, 2017 06:30PM
Hi Arnall,


On 03.01.2017 at 16:15, Arnall wrote:
>
> Is it possible that with "http-reuse always" the yyy.yyy.yyy.yyy
> request has used
> the xxx.xxx.xxx.xxx connection between https and http frontend with proxy
> protocol forwarding xxx.xxx.xxx.xxx instead of yyy.yyy.yyy.yyy ?
>

Yes, that's what http-reuse does.

Either use an HTTP header to transport the source IP to the backend, or
set http-reuse to never [1], because the proxy protocol only sends information
at the beginning (it's like our old "tunnel" mode).


Lukas


[1]
https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4-http-reuse
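The two fixes named above, as an added HAProxy configuration example that is not the thread's own configuration: the weak setup from the original post is shown commented out, followed by the "http-reuse never" variant and the per-request header variant. Port 8443, 127.0.0.1:8080, the /debug path and debug_allowed.lst are assumptions, and http-request set-src needs HAProxy 1.6 or later.

```haproxy
# Added example, not the configuration from the thread: whatever.pem, port 8443,
# 127.0.0.1:8080, /debug and debug_allowed.lst are illustrative placeholders.

# Weak (as in the thread): the PROXY protocol header is sent once, when the
# connection to web_plain is opened. With http-reuse always a request from
# client B can go out on a connection opened for client A, and web_plain then
# attributes B's request to A's address.
#
#   listen web_tls
#       mode http
#       http-reuse always                  # inherited from defaults
#       bind *:443 ssl crt whatever.pem process 2
#       server web_plain unix@plain.sock send-proxy-v2-ssl

# Fix 1: keep the PROXY protocol but open one connection per request, so the
# address in the PROXY header always belongs to the request that follows it.
listen web_tls
    mode http
    http-reuse never
    bind *:443 ssl crt whatever.pem process 2
    bind *:443 ssl crt whatever.pem process 3
    server web_plain unix@plain.sock send-proxy-v2-ssl

# Fix 2: carry the client address in a per-request HTTP header instead, which
# works with connection reuse. web_plain trusts the header only on the
# loopback bind reserved for the TLS tier, never on *:80.
listen web_tls_hdr
    mode http
    http-reuse always
    bind *:8443 ssl crt whatever.pem process 2
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Forwarded-Proto https
    server web_plain 127.0.0.1:8080

frontend web_plain
    mode http
    bind *:80 process 1
    bind unix@plain.sock process 1 accept-proxy   # used by Fix 1
    bind 127.0.0.1:8080 process 1                 # used by Fix 2
    acl from_loopback src 127.0.0.1
    acl on_tls_bind dst_port 8080
    acl has_xff req.hdr_ip(X-Forwarded-For) -m found
    # Rewrite the source only for requests from our own TLS tier; later src
    # ACLs and the log then see the real client address.
    http-request set-src req.hdr_ip(X-Forwarded-For) if from_loopback on_tls_bind has_xff
    acl debug_path path_beg /debug
    acl debug_allowed src -f /etc/haproxy/debug_allowed.lst
    http-request deny if debug_path !debug_allowed
    default_backend forums_connected    # backend defined elsewhere
```

Whichever fix is chosen, check the web_plain log line for an HTTPS request: the logged client address must match the one logged by the TLS listener for the same request, as the two lines in the original post did not.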
Willy Tarreau
Re: http reuse and proxy protocol
January 04, 2017 08:00AM
On Tue, Jan 03, 2017 at 06:18:23PM +0100, Lukas Tribus wrote:
> Hi Arnall,
>
>
> On 03.01.2017 at 16:15, Arnall wrote:
> >
> > Is it possible that with "http-reuse always" the yyy.yyy.yyy.yyy request
> > has used
> > the xxx.xxx.xxx.xxx connection between https and http frontend with proxy
> > protocol forwarding xxx.xxx.xxx.xxx instead of yyy.yyy.yyy.yyy ?
> >
>
> Yes, that's what http-reuse does.
>
> Either use a HTTP header to transport the source IP to the backend or set
> http-reuse
> to never [1], because the proxy-protocol only sends information at the
> beginning (its
> like our old "tunnel" mode).

And by the way, the purpose of the proxy protocol is mostly to pass IP
addresses for non-HTTP protocols (i.e. SMTP or SSL). I think we should
emit a warning when a server has send-proxy in a backend configured
with http-reuse, because I don't see any valid use case for this.

Willy
Arnall
Re: http reuse and proxy protocol
January 05, 2017 05:40PM
On 03/01/2017 at 18:18, Lukas Tribus wrote:
> Hi Arnall,
>
>
> On 03.01.2017 at 16:15, Arnall wrote:
>>
>> Is it possible that with "http-reuse always" the yyy.yyy.yyy.yyy
>> request has used
>> the xxx.xxx.xxx.xxx connection between https and http frontend with
>> proxy
>> protocol forwarding xxx.xxx.xxx.xxx instead of yyy.yyy.yyy.yyy ?
>>
>
> Yes, that's what http-reuse does.
>
> Either use a HTTP header to transport the source IP to the backend or
> set http-reuse
> to never [1], because the proxy-protocol only sends information at the
> beginning (its
> like our old "tunnel" mode).
>
Thanks Lukas,

I've instantly used "http-reuse never" for the TLS frontend after
seeing the log.