
Our enterprise environment is essentially cut off from the internet, save for an HTTP (forward) proxy that operates at 192.168.1.2:8080. There is a firewall with an IP whitelist for proxy access, and the proxy itself has a URL whitelist per group of source IPs.

We want to make an existing service (https://example.com) which is available to whitelisted hosts more accessible to other non-whitelisted hosts on the network. Client configuration should be simple.

Towards this goal, we want to set up a reverse proxy on one of the whitelisted hosts which will route requests through 192.168.1.2:8080. Overall a successful request would look like this:

client
-- GET --v
  https://example.company.com
  -- CONNECT via 192.168.1.2:8080 --v
    https://example.com

I have a small Python script that does this, but operationalizing it would be enough hassle that it's worth asking for advice here. We would use HAProxy or something anyway in front of it to terminate TLS, configure ACLs, do load balancing, etc., so is there a way we can use this to connect directly?

So far we have checked:

  • the configuration documentation, and there doesn't seem to be any configuration consisting of proxy, http_proxy, or forward that is related to this use case - and the only instances of http_proxy in the code base are irrelevant.
  • proxychains, which did not work because HAProxy still attempted to do DNS resolution itself, which is not available through 192.168.1.2:8080.
  • redsocks + iptables, which is not a great solution for the same reason - HAProxy would still attempt to do DNS resolution before submitting the request. I think this would hold for any software that is not forward-proxy-aware.
  • other proxies - squid, nginx, tinyproxy all seem to lack configuration for this use case. Admittedly it has been hard to filter garbage from the search results for e.g. "reverse proxy in front of forward proxy" and "reverse proxy pointing to forward proxy".
Chris Hunt
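The flow the question draws (client -> whitelisted host -> CONNECT via 192.168.1.2:8080 -> https://example.com), written out as an added example; this is not the asker's script and not HAProxy code. It assumes the forward proxy accepts plain CONNECT without authentication. The point it makes concrete is the one the proxychains/redsocks attempts tripped over: the hostname is handed to the forward proxy inside the CONNECT line, so the whitelisted host never resolves DNS itself, and TLS is started inside the tunnel with SNI and certificate verification against example.com rather than the proxy.

```python
import socket
import ssl
from typing import Tuple

# Addresses from the question; the target port is an assumption (HTTPS).
FORWARD_PROXY = ("192.168.1.2", 8080)
TARGET = ("example.com", 443)


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request carrying the origin *name*, so name resolution is
    done by the forward proxy, not by this (whitelisted) host."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes) -> Tuple[int, str]:
    """Return (status_code, reason) from the proxy's reply to CONNECT.
    A non-2xx status means the tunnel was refused (e.g. by the proxy's
    per-source-IP URL whitelist described in the question)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed CONNECT response: {status_line!r}")
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def open_tunnel(proxy: Tuple[str, int], target: Tuple[str, int],
                timeout: float = 10.0) -> ssl.SSLSocket:
    """TCP to the forward proxy only, CONNECT to the target, then TLS inside
    the tunnel. The default context verifies the chain and the hostname
    of the origin (target[0]), so the proxy cannot silently substitute it."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(build_connect_request(*target))
    buf = b""
    while b"\r\n\r\n" not in buf:  # a 2xx CONNECT reply carries no body
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed connection during CONNECT")
        buf += chunk
    status, reason = parse_connect_response(buf)
    if status // 100 != 2:
        sock.close()
        raise ConnectionError(f"CONNECT refused by proxy: {status} {reason}")
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=target[0])
```

Calling `open_tunnel(FORWARD_PROXY, TARGET)` from a whitelisted host returns a verified TLS socket to example.com over which ordinary HTTP requests can be written; a reverse proxy sitting in front of it only needs to see the whitelisted host, which is the "simple client configuration" the question asks for.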

0 Answers