
I have gone through various answers on this forum and others and tried to debug my HAProxy configuration, alas with no success. I am a newbie at HAProxy and am facing challenges getting it to work the way I want. Here is the context. I would like a client browser to hit the IP of the HAProxy server 1.2.3.4 with a path specified like 1.2.3.4/login, and this should forward the connection to abcd.com/login without exposing the abcd.com server to the end client browser. All traffic should go through the HAProxy server. In trying to achieve this, what I need to do is build a system such that the end client types in https/http://1.2.3.4/login and then sees content from https://abcd.com/login. If they type just https/http://1.2.3.4 they should get content from https://abcd.com. This is my config:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
defaults
    log global
    option tcplog
    mode tcp
    timeout connect 10s
    timeout client  20s
    timeout server  20s
    timeout client-fin 20s
    timeout tunnel 1h
resolvers mydns
    nameserver dns1 1.0.0.1:53
    nameserver dns2 1.1.1.1:53
    resolve_retries       3
    timeout resolve       1s
    timeout retry         1s
    hold other           30s
    hold refused         30s
    hold nx              30s
    hold timeout         30s
    hold valid           10s
    hold obsolete        30s
frontend https
    bind *:80
    bind *:443
    mode tcp
    acl login-end-point  path_beg /login
    use_backend abcd_login if login-end-point
    default_backend bk_app
backend bk_app
    option http_proxy
    option httpclose
    option ssl-hello-chk
    mode tcp
    server site www.abcd.com:443 resolvers mydns
backend abcd_login
    option http_proxy
    option httpclose
    option ssl-hello-chk
    mode tcp
    server abcdpanel abcd.com:443 resolvers mydns
    # Map url path as ProxyPass does
    reqirep  ^(GET|POST|HEAD)\ /login/(.*)     \1\ /\2
    # Rewrite redirects as ProxyPassReverse does
    acl response-is-redirect res.hdr(Location) -m found
    rspirep ^Location:\ (http|https)://abcd.com\/(.*)   Location:\ \1://abcd.com/login/\2  if response-is-redirect

I checked to see that HAProxy is listening on both port 80 and 443

sudo netstat -tulpn | grep 443

tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 29464/haproxy

sudo netstat -tulpn | grep 80

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 29464/haproxy


wget --no-check-certificate http://1.2.3.4 gives

    --2018-11-14 06:01:26--  http://1.2.3.4/
    Connecting to 1.2.3.4:80... connected.
    HTTP request sent, awaiting response... No data received.
    Retrying.

Trying https with the above gives "Unable to establish SSL connection". Adding /login to the 1.2.3.4 request makes no difference.

I would really appreciate any guidance on where I can fix the error.

JPK

2 Answers


To examine the SSL request you will need to terminate the SSL connection at haproxy. This requires you to specify your certificate when binding to port 443 using a line similar to:

bind *:443 ssl crt /etc/ssl/secure/example.pem

Enabling stats and watching it in a browser while testing may show where the connections are failing. Running with refresh enabled will provide relatively up-to-date data without your having to refresh the screen.

stats enable
stats hide-version
stats refresh 30s
stats show-node
stats auth admin:password
stats uri  /haproxy?stats

When proxying to an external site you may run into SSL certificate issues, as some sites will configure SSL to block man-in-the-middle proxies (attacks). For such sites you will need to do pass-through for SSL, and you will not be able to examine the request.

BillThor
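As an added example, not part of the question or of this answer, here is the asker's configuration restructured along the lines BillThor describes. TLS from the browser is terminated at HAProxy, which lets the proxy run in `mode http`; that matters because `path_beg`, `reqirep` and `rspirep` are HTTP-layer directives and never match in a `mode tcp` frontend or backend (HAProxy warns about this at startup), so the original `/login` rule could never fire. The connection to the upstream is re-encrypted, and the upstream certificate is verified rather than blindly accepted. The `reqirep`/`rspirep` keywords were deprecated in HAProxy 2.0 and removed in 2.1, so the rewrite uses `http-request`/`http-response` instead. The hostnames, the 1.2.3.4 address and the resolver settings come from the question and the certificate path from the answer above; the CA bundle path, the stats listener address and the HTTP-to-HTTPS redirect are assumptions.

```haproxy
global
    log /dev/log local0
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    user haproxy
    group haproxy
    daemon

defaults
    log global
    # HTTP mode: path ACLs and header rewrites only take effect here, not in mode tcp
    mode http
    option httplog
    option forwardfor
    timeout connect 10s
    timeout client  20s
    timeout server  20s

resolvers mydns
    nameserver dns1 1.0.0.1:53
    nameserver dns2 1.1.1.1:53
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    hold valid      10s

frontend web
    bind *:80
    # Terminate TLS here; example.pem holds certificate chain plus private key (path assumed)
    bind *:443 ssl crt /etc/ssl/secure/example.pem
    # Assumed policy: send plain-HTTP clients to HTTPS so a login never travels in the clear
    http-request redirect scheme https code 301 unless { ssl_fc }

    acl login_endpoint path_beg /login
    use_backend abcd_login if login_endpoint
    default_backend bk_app

backend bk_app
    # The upstream expects its own name in the Host header (the client sent 1.2.3.4)
    http-request set-header Host www.abcd.com
    # ProxyPassReverse equivalent: point upstream redirects back at the proxy
    http-response replace-header Location ^https?://(www[.])?abcd[.]com(/.*)?$ https://1.2.3.4\2
    # Re-encrypt to the upstream, send SNI, and verify its certificate against the
    # system CA bundle (Debian/Ubuntu path assumed) instead of accepting anything
    server site www.abcd.com:443 resolvers mydns ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(www.abcd.com) check

backend abcd_login
    http-request set-header Host abcd.com
    http-response replace-header Location ^https?://abcd[.]com(/.*)?$ https://1.2.3.4\1
    server abcdpanel abcd.com:443 resolvers mydns ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(abcd.com) check

# Stats page from the answer above, bound to loopback only (address assumed)
listen stats
    bind 127.0.0.1:8404
    stats enable
    stats hide-version
    stats refresh 30s
    stats show-node
    stats auth admin:password
    stats uri /haproxy?stats
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; in the original configuration that check would have reported the `use_backend ... default_backend` line and the layer-7 ACL in a tcp frontend. The `verify required` on each `server` line is the part that carries the security weight: it is what stops a DNS or routing attacker between the proxy and abcd.com from substituting their own certificate. By contrast, the Apache vhost in the other answer sets `SSLProxyVerify none` and switches off the peer-name and expiry checks, so that proxy accepts any certificate on the upstream side.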

Thank you @BillThor - I appreciate it. I was not trying to terminate SSL but instead do a passthrough.

I ended up using apache instead for this, it turned out to be very simple. Using something like this

<VirtualHost *:443>
    ServerAdmin <scrubbed>
    DocumentRoot /var/www/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine On
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    # Set the path to SSL certificate
    # Usage: SSLCertificateFile /path/to/cert.pem
    SSLCertificateFile /etc/ssl/certs/<scrubbed>.crt
    SSLCertificateKeyFile /etc/ssl/private/<scrubbed>.key
    SSLCACertificateFile /etc/ssl/certs/<scrubbed>.ca-bundle
    ProxyPreserveHost Off
    ProxyPass "/" "https://<scrubbed>/"
    ProxyPassReverse "/" "https://<scrubbed>/"
    ServerName localhost
</VirtualHost>

The above works like a charm, and no debugging needed. Of course I'll figure out how to do more fancy URL rewriting as needed.

JPK