HAProxy SSL Forward Proxy

Use HAProxy as https forward proxy and ssl termination

I’m trying to do something like this:
Clients send HTTP request to HAProxy.
HAProxy does the TLS stuff to convert the request into HTTPS and forward to a server. HTTP to the client.
The server sends response to HAProxy, then the response is forwarded as HTTP to client.
Currently, I’m not so sure how to achieve that goal with HAProxy. I tried to create a frontend listen on a custom port and then forward to a backend server. This is my HAProxy configuration:
frontend manager_
    bind *:8443
    mode tcp
    log global
    maxconn 2000
    timeout client 50000
    default_backend _be

backend _be
    timeout connect 5000
    timeout server 50000
    retries 3
    server rtmp-manager 127.0.0.1:12345 check-ssl verify none
Unfortunately, this does not work. When clients send an HTTP request, HAProxy also forwards the HTTP request to the backend server, not HTTPS.
How can I change the configuration to make it work as expected?
Another question: Is there any way to make the offload transparent to the client using HAProxy?
I would really appreciate any help!
asked Jan 21 ’19 at 11:34
Specify the ssl directive in the definition of your backend server, like this:
    server rtmp-manager 127.0.0.1:12345 check-ssl ssl verify none
Note that the check-ssl option affects the health checks only, and if ssl is specified, it can be omitted, since health checks are automatically done via SSL.
HAProxy should act as a transparent reverse proxy, so clients should not recognize that the requests are in fact handled by backend servers.
answered Jan 21 ’19 at 14:00
Lacek
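The `ssl verify none` line from the answer encrypts the hop to the backend but accepts any certificate the server presents. The configuration below is an added example, not part of the original question or answer, showing that line beside a verified form; the section names, the CA bundle path and the host name `manager.internal.example` are assumptions, while the listen port and server address are taken from the question.

```haproxy
# Added example, not from the original post. Section names, the CA bundle path
# and the host name manager.internal.example are placeholders (assumptions);
# the listen port and server address are the ones used in the question.

frontend fe_plain_http
    mode tcp
    bind *:8443                      # clients connect here in clear text
    timeout client 50s
    default_backend be_tls_manager

backend be_tls_manager
    mode tcp
    timeout connect 5s
    timeout server 50s
    retries 3

    # As posted in the answer: the hop is encrypted, the certificate is not checked.
    # server rtmp-manager 127.0.0.1:12345 ssl verify none

    # Hardened settings shared by every server in this backend:
    #   ssl              wrap the connection to the server in TLS
    #   verify required  refuse a server whose certificate does not validate
    #   ca-file          the CA(s) allowed to have issued that certificate
    default-server ssl verify required ca-file /etc/haproxy/backend-ca.pem

    #   verifyhost  the certificate must be issued for this name
    #   sni         name sent in the TLS handshake for proxied traffic
    #   check       health checks; they use TLS because "ssl" is set
    #   check-sni   name sent in the TLS handshake for health checks
    server rtmp-manager 127.0.0.1:12345 verifyhost manager.internal.example sni str(manager.internal.example) check check-sni manager.internal.example
```

With `verify required`, a backend certificate that fails validation also fails the health check, so the problem surfaces as the server being marked down instead of traffic flowing to an unverified peer.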
Setup HTTPs Forward Proxy with HAProxy - Stack Overflow

In HAProxy, I’ve used option -proxy to make it work like forward proxy. This seems to be working fine, but for HTTPS traffic that’s not possible.
So, is there any option in the HAProxy configuration that allows to proxy the HTTPS traffic just like Squid does?
I think the problem is that the option _proxy isn’t available.
This configuration works perfectly for HTTP protocol:
frontend _proxy
    bind :3128
    option http_proxy
    default_backend proxy_server

backend proxy_server
Note – I’ve used the certificate with “ssl crt” along with the bind option but that didn’t seem to proxy over HTTPS protocol
asked Mar 22 ’18 at 16:08
This is my Haproxy file configuration, it works well for HTTP and HTTPS protocol.
Here’s the code:
#---------------------------------------------------------------------
# global
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/ mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # An alternative list with additional directives can be obtained from
    # ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

    # Tuning if required/needed
    # 2048

# defaults
defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/
    errorfile 403 /etc/haproxy/errors/
    errorfile 408 /etc/haproxy/errors/
    errorfile 500 /etc/haproxy/errors/
    errorfile 502 /etc/haproxy/errors/
    errorfile 503 /etc/haproxy/errors/
    errorfile 504 /etc/haproxy/errors/

# frontend
frontend -in
    bind *:80

    # Domain redirect, force the 'www' prefix
    redirect prefix code 301 if { hdr_beg(host) -i }

    # Define hosts
    acl is-domain1-site hdr(host) -i
    acl is-domain1-blog hdr(host) -i
    acl is-domain1-wiki hdr(host) -i
    acl is-domain2-site hdr(host) -i
    acl is-domain2-blog hdr(host) -i
    acl is-domain2-wiki hdr(host) -i

    # Force HTTPS for domain1
    redirect scheme https if is-domain1-site !{ ssl_fc }
    redirect scheme https if is-domain1-blog !{ ssl_fc }
    redirect scheme https if is-domain1-wiki !{ ssl_fc }

    # Force HTTPS for domain2
    redirect scheme https if is-domain2-site !{ ssl_fc }
    redirect scheme https if is-domain2-blog !{ ssl_fc }
    redirect scheme https if is-domain2-wiki !{ ssl_fc }

    # Default backend (parking)
    default_backend bk-ct100

    bind *:443 ssl crt /etc/ssl/private/

    # Domain redirect force www
    # Define hosts for domain1
    # Define hosts for domain2

    # Figure out which backend to use for domain1
    use_backend bk-ct101 if is-domain1-site
    use_backend bk-ct101 if is-domain1-blog
    use_backend bk-ct101 if is-domain1-wiki

    # Figure out which backend to use for domain2
    use_backend bk-ct102 if is-domain2-site
    use_backend bk-ct102 if is-domain2-blog
    use_backend bk-ct102 if is-domain2-wiki

# ct100 backend - parking
backend bk-ct100
    option forwardfor
    server ct100 192.168.100.100:80 check

# ct101 backend - domain1
backend bk-ct101
    server ct101 192.168.100.101:80 check

# ct102 backend - domain2
backend bk-ct102
    server ct102 192.168.100.102:80 check

# End-Of-File
In this configuration, I chose to redirect all traffic from HTTP to HTTPS. All of my certificates are stored inside /etc/ssl/private directory. I generated them using CertBot.
You can adapt this file for your needs but it should work :)
answered Mar 22 ’18 at 16:27
Hurobaki