
In my configuration, I use Haproxy mainly for reverse proxy.

I installed Squid Proxy in my private LAN and I can access it from outside on port 3128. But I use the basic NCSA authentication and the headers are not encrypted, so my login is vulnerable. I want to forward my proxy through haproxy.

[Client]->proxy.example.net->[haproxy:443 ssl]->[squid:3128]

I added in my haproxy configuration a new backend:

frontend www-https
    bind *:443 ssl crt /etc/haproxy/ssl/fullchain.pem no-sslv3
    log global
    mode http
    use_backend proxy-squid if { ssl_fc_sni proxy.example.com }
    use_backend default if { ssl_fc_sni example.com }
    default_backend default

backend default
    option forwardfor
    server d8-apps 127.0.0.1:8000 #nginx

backend proxy-squid
    mode http
    option forwardfor
    option http-server-close
    server d8-apps 127.0.0.1:3128

My default backend and the others work fine, but not proxy-squid. I ran a "tcpdump -nX -vv -i lo port 3128" during my request and saw nothing, and on port 443 I see many packets with incorrect checksums.

In Wireshark, I do not see the SSL handshake as I do when I access example.com (default backend). I just see the TCP 3-way handshake followed by FIN, ACK.

I think Haproxy does not understand my real request when I set the proxy in my browser config. So, is it possible to achieve this with a specific configuration?

Thanks!


1 Answer


HTTP contains several different message syntaxes which are used in different situations. The messages sent to a server (or reverse-proxy) are quite different to those sent to a proxy.

Since you have haproxy set up to operate as a reverse-proxy, it does not permit the messages the browser needs to set up an HTTPS tunnel.

Since all you are really trying to do is secure your connections to the Squid, I suggest you simply make it listen on an https_port for connections from the browser. That will need a TLS certificate set up with the proxy's public hostname, of course. Note that this is not the same cert detail as used for a reverse-proxy (which uses the origin server domain name).

Firefox and Chrome apparently support TLS to an explicit proxy when configured to use it via a PAC file or the https_proxy= environment variable. In both cases the proxy URI should use the https:// scheme where traditionally one would put the http:// scheme.

(I say apparently because I've not tried it myself yet. Others have had mixed results, but the browser people keep saying that it's possible.)

Amos Jeffries
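As an added illustration of the PAC-file route the answer mentions (this is example code, not from the answer or from the Squid project): a PAC script that returns the "HTTPS host:port" form so the browser talks TLS to the Squid https_port, keeps LAN hosts direct, and deliberately has no plaintext "PROXY" fallback, since that would put the Basic credentials back on the wire. The proxy hostname proxy.example.net and port 3129 are assumptions.

```javascript
// Added example: PAC file for a TLS-only explicit proxy.
// "HTTPS" (not "PROXY") tells Firefox/Chrome to wrap the proxy connection
// in TLS, matching the https:// scheme the answer describes.
// Hostname and port are assumptions for this example.
var TLS_PROXY = "HTTPS proxy.example.net:3129";

// Browsers expose helpers such as isInNet() and isPlainHostName() inside
// the PAC sandbox; plain string/regex checks are used here instead so the
// function also runs outside a browser (e.g. in a unit test).
function isPrivateIPv4(h) {
  return /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h) ||
         /^192\.168\.\d{1,3}\.\d{1,3}$/.test(h) ||
         /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/.test(h);
}

function FindProxyForURL(url, host) {
  var h = String(host).toLowerCase();

  // Unqualified names (no dot) and loopback never leave the machine/LAN.
  if (h.indexOf(".") === -1 || h === "localhost" || h === "127.0.0.1") {
    return "DIRECT";
  }
  // RFC 1918 literal addresses stay on the LAN.
  if (isPrivateIPv4(h)) {
    return "DIRECT";
  }
  // Avoid routing the proxy's own hostname through itself.
  if (h === "proxy.example.net") {
    return "DIRECT";
  }
  // Everything else goes through the TLS proxy only. No "; PROXY host:3128"
  // or "; DIRECT" fallback: if the TLS listener is down the request fails
  // rather than silently degrading to an unencrypted proxy connection.
  return TLS_PROXY;
}
```

Serve the file from a URL the browsers can reach and point the automatic proxy configuration at it; Squid's side is the https_port with the proxy hostname's certificate, as the answer says.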