HaProxy question

Jonathan Opperman
HaProxy question
August 07, 2018 01:50AM
Hi All,

I am hoping someone can give me some tips and pointers on getting something working in haproxy that could do the following:

I have installed haproxy and put a web server behind it. The proxy has 2 interfaces, eth0 (public) and eth1 (proxy internal).

I've got a requirement where I want to only proxy some source IP addresses based on their source address, so we can gradually add our customers to haproxy so that we can support TLS1.2 and strong ciphers.

I have added an iptables rule and can then bypass haproxy with:

# create the set once, then add every excluded source address to it
ipset -N inboundexclusions iphash
for ip in $INBOUNDEXCLUSIONS ; do
    ipset -A inboundexclusions $ip
done
$IPTABLES -t nat -N HTTPSINBOUNDBYPASS
$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -d 10.0.0.92 -p tcp --dport 443 -j DNAT --to $JONODEMO1:443
$IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS

Testing was done and I was happy with the solution. I then had a requirement to have a proxy with multiple IP addresses on eth0 (so I created eth0:1, eth0:2, etc.) and changed my haproxy frontend config from bind 0.0.0.0:443 transparent to bind 10.0.0.92:443 transparent, but now my DNAT doesn't work if haproxy is running; if I stop haproxy the traffic gets DNATted fine.

I am not sure if I am being very clear here, but basically I wanted to know if there is a way to do selective SSL offloading on the haproxy, or to bypass SSL offloading on the server that sits behind the proxy? This is required so that customers that do not support TLS1.2 and strong ciphers can still connect, by actually bypassing the SSL offloading on the proxy.

Thanks very much for your time reading this.

Regards,
Jonathan
Igor Cicimov
Re: HaProxy question
August 07, 2018 03:00AM
Hi Jonathan,

One option that comes to mind for achieving the same without iptables is using a whitelist file and two backends: one tcp backend that will just pass through the SSL connection to the SSL server, and one in http mode that will do SSL offloading. Something like:

use_backend be_offload if { src -f /etc/haproxy/whitelist.lst }
default_backend be_passthrough

or vice versa, depending on your implementation and which list would be shorter :-)
Igor Cicimov
Re: HaProxy question
August 07, 2018 03:20AM
Another idea:

$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -m state --state NEW -j LOG --log-prefix " [>] SOURCE TO DEMO BYPASSING HAPROXY"
$IPTABLES -t nat -A HTTPSINBOUNDBYPASS -j DNAT --to $JONODEMO1:443
$IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j REDIRECT 127.0.2.1:443

then in haproxy:

bind 127.0.2.1:443
Jonathan Opperman
Re: HaProxy question
August 11, 2018 03:30AM
*bump*

Anyone?

Jonathan Matthews
Re: HaProxy question
August 11, 2018 07:50AM
Did you miss the two mails from Igor containing suggestions?

Like this email, they went both to the list and directly to yourself. Maybe
check your spam folder.

J

Jonathan Matthews
London, UK
http://www.jpluscplusm.com/contact.html
Jonathan Opperman
Re: HaProxy question
August 12, 2018 10:10AM
Hi Jonathan,

Thanks for the pointer, correcto mode, found the replies in my spam folder. Appreciate it.

Cheers
Jono

Jonathan Opperman
Re: HaProxy question
August 12, 2018 01:30PM
Hi Igor,

Thanks for the suggestion, only saw your reply now as gmail decided to route emails to the spam folder.

Tried this and got:

Aug 12 18:34:20 vm-proxy-01.prod-01 haproxy[8502]: [ALERT] 223/183420 (8502) : http frontend 'ft_https_demo' (/etc/haproxy/haproxy.cfg:86) tries to use incompatible tcp backend 'bk_https_demo_passthrough' (/etc/haproxy/haproxy.
Aug 12 18:34:20 vm-proxy-01.prod-01 haproxy[8502]: [ALERT] 223/183420 (8502) : Fatal errors found in configuration.

Need a bit of fine tuning on my front-end/back-end config.

Cheers
Jonathan

Jonathan Opperman
Re: HaProxy question
August 12, 2018 01:30PM
Hi Igor,

Not 100% sure what you mean here with the redirect to the proxy bind on that port? What will the rest of the bind look like on the front-end config in haproxy?

Cheers
Jonathan

Igor Cicimov
Re: HaProxy question
August 12, 2018 03:00PM
Hi Jonathan,

I'll keep bottom posting otherwise the thread will become a real mess and
very hard to follow historically.

Well, the last 2 rules with a slight correction for the REDIRECT action:

$IPTABLES -t nat -A PREROUTING -m set ! --match-set inboundexclusions src -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j HTTPSINBOUNDBYPASS
$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j REDIRECT --to-ports 4433

would mean that the first rule will catch all packets for connections coming to 10.0.0.92 from clients that are NOT on the IP list, and they will be sent to the SSL backend directly, bypassing haproxy. The ones that don't match that rule will be sent to the primary IP, let's say it is still 10.0.0.92, but port 4433. This is where you set your SSL termination proxy to listen, so same as before, just a different port.

The point being you can set your haproxy frontend to listen on whatever port you like for SSL connections, and redirect to that port via iptables. If you want to change the IP too you can go with DNAT:

$IPTABLES -t nat -A PREROUTING -i eth0 -d 10.0.0.92 -p tcp --dport 443 -j DNAT --to-destination 127.0.2.1:4433

Just trying to solve the problem of haproxy binding to 10.0.0.92:443 and making the DNAT rule fail. Hope it is clearer now, otherwise it would mean I'm really bad at explaining :-)
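A complete configuration for Igor's first (iptables-free) suggestion, added here as an example and not taken from the thread, arranged so that frontend and backend modes are compatible, which is what the "http frontend ... tries to use incompatible tcp backend" ALERT earlier in the thread is about; the TLS-terminating listener sits on port 4433, so the same frontend also serves the REDIRECT --to-ports 4433 variant above. The origin address 10.0.1.10, the certificate and CA file paths, and HAProxy 1.8 or newer (for ssl-min-ver) are assumptions.

```haproxy
# Added example (not from the thread). Assumed: origin web server at
# 10.0.1.10 with its own TLS listener on 443, server cert at
# /etc/haproxy/certs/demo.pem, CA for the origin's cert at
# /etc/haproxy/certs/origin-ca.pem, whitelist at /etc/haproxy/whitelist.lst
# (one IP or CIDR per line, as in Igor's reply; the file must exist or
# haproxy refuses to start). With this variant the HTTPSINBOUNDBYPASS
# iptables chain is not needed: haproxy makes the decision itself.

global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1. Public entry point. It has to be "mode tcp": an http-mode frontend
#    cannot hand a connection to a tcp-mode backend, which is exactly the
#    ALERT Jonathan hit. "src" is the real client address here, so no
#    content inspection is needed to route on it.
frontend ft_https_demo
    bind 10.0.0.92:443
    mode tcp
    option tcplog                       # log line names the chosen backend,
                                        # so legacy clients can be counted
    use_backend bk_https_demo_offload_hop if { src -f /etc/haproxy/whitelist.lst }
    default_backend bk_https_demo_passthrough

# 2. Passthrough: raw TCP to the origin's own TLS listener. These clients
#    keep negotiating with the origin, so its cipher policy still matters.
backend bk_https_demo_passthrough
    mode tcp
    server demo1 10.0.1.10:443

# 3. Hop to the local offload frontend (tcp -> tcp keeps the modes
#    compatible). PROXY protocol carries the client IP across the hop.
backend bk_https_demo_offload_hop
    mode tcp
    server local_offload 127.0.0.1:4433 send-proxy-v2

# 4. TLS termination with a TLS 1.2-only, ECDHE/AEAD-only policy.
#    accept-proxy restores the client address from the PROXY header, so
#    logs and X-Forwarded-For show the real source.
#    For Igor's iptables REDIRECT variant bind this on 10.0.0.92:4433
#    without accept-proxy instead, and drop sections 1 and 3.
frontend ft_https_demo_offload
    bind 127.0.0.1:4433 accept-proxy ssl crt /etc/haproxy/certs/demo.pem ssl-min-ver TLSv1.2 ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
    mode http
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend bk_https_demo_offload

# 5. Re-encrypt to the origin and verify its certificate, so the internal
#    leg is not weaker than the public one.
backend bk_https_demo_offload
    mode http
    server demo1 10.0.1.10:443 ssl verify required ca-file /etc/haproxy/certs/origin-ca.pem
```

If you take the DNAT-to-127.0.2.1:4433 route from the last rule above instead of REDIRECT, note that the kernel drops packets arriving on eth0 for a 127.0.0.0/8 destination as martians unless net.ipv4.conf.eth0.route_localnet=1 is set; REDIRECT --to-ports avoids that.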
Jonathan Opperman
Re: HaProxy question
August 14, 2018 02:30AM
Thanks Igor, will give it a try. Appreciate your time and suggestion. Will provide some feedback as soon as I've tried it.

Cheers
Jonathan