10

I need to integrate several web applications, on-premise and off-site, under a common internally hosted URL. The on-premise applications are in the same data center as the haproxy, but the off-site applications can only be reached via an HTTP proxy because the server on which haproxy is running has no direct Internet access. Therefore I have to use an HTTP Internet proxy; SOCKS might be an option too.

How can I tell haproxy that a backend can only be reached via a proxy? I would rather not use an additional component like socksify / proxifier / proxychains / tsocks / ... because this introduces additional overhead.

This picture shows the components involved in the setup: [image: haproxy setup with proxy]

When I run this on a machine with a direct Internet connection I can use this config and it works just fine:

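```
frontend  main
    bind *:8000
    # Route by URL path prefix (-i = case-insensitive match)
    acl is_extweb1 path_beg -i /policies
    acl is_extweb2 path_beg -i /produkte

    use_backend externalweb1 if is_extweb1
    use_backend externalweb2 if is_extweb2

# "check" enables periodic health checks, which need a direct connection to the server
backend externalweb1
    server static www.google.com:80 check

backend externalweb2
    server static www.gmx.net:80 check
```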

(Obviously these are not the URLs I am talking to, this is just an example)

Haproxy is able to check the external applications and routes traffic to them:

[image: HAproxy stats page]

In the safe environment of the company I work at I have to use a proxy, and haproxy is unable to connect to the external applications. How can I enable haproxy to use those external web application servers behind an HTTP proxy (no authentication needed) while providing access to them through a common HTTP page / via browser?

ozcanovunc
Marged

2 Answers

4

How about using delegate ( http://delegate.org/documents/ ) for this, just as an idea.

```
haproxy -> delegate -f -vv -P127.0.0.1:8081 PROXY=<your-proxy>
```

http://delegate9.org/delegate/Manual.shtml?PROXY

I know it's not that elegant but it could work.

I have tested this setup with a local squid and this curl call

```
echo 'GET http://www.php.net/' | curl -v telnet://127.0.0.1:8081
```

The curl call simulates the haproxy TCP call.

Aleksandar
  • 1
    I think this is not quite what I need. I would need to do a `curl http(s)://myserver.local/foo` and this should internally call a static site like `http(s)://www.google.com` *+* the not static part of the url, in this case `/foo`. In short: this should reverse proxy to `http(s)://www.google.com/foo` and return that code as if it would have been served by myserver.local itself. – Marged Dec 13 '17 at 10:10
  • This sounds different than the original post. What you now want is a host header rewrite like `http-response replace-header Host www\.google\.com myserver\.local` Doc: http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-response – Aleksandar Dec 13 '17 at 22:48
  • I think the main point is getting haproxy to use a proxy, the rest is also important but comes later – Marged Dec 14 '17 at 04:19
  • 1
    Well then please try the suggested solution, thanks. – Aleksandar Dec 14 '17 at 06:47
3

I was intrigued to make it work, but I really could not find anything in the haproxy documentation, so I googled a bit and found that nginx might do the trick, but it didn't for me. After a bit more googling I ended up finding a configuration for Apache that works.

Here is the important part:

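```
Listen 80

# Required because the upstream URLs are https://
SSLProxyEngine on

# Reverse-proxy /example/ to the external site ...
ProxyPass /example/ https://www.example.com/
ProxyPassReverse /example/ https://www.example.com/
# ... and send requests for that site through the corporate forward proxy
ProxyRemote https://www.example.com/ http://corporateproxy:port

ProxyPass /google/ https://www.google.com/
ProxyPassReverse /google/ https://www.google.com/
ProxyRemote https://www.google.com/ http://corporateproxy:port
```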

I'm quite sure there should be a way to translate this configuration to nginx and even to haproxy... If I manage to find the time I will update the answer with my findings.

For Apache to work you should also enable a few modules. I put up a GitHub repository with a basic Docker configuration that showcases this; feel free to have a look at that to see the full working configuration.

davide bubz
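Both answers insert a component that speaks forward-proxy HTTP on haproxy's behalf. As an added example (not code from either answer, nor from haproxy, Apache or DeleGate), the Python below builds the first bytes such a component sends to the corporate proxy: an absolute-form `GET` for an `http://` upstream and a `CONNECT` tunnel request for an `https://` one, with the upstream host taken only from a fixed table so the endpoint cannot be used as an open proxy. `ROUTES` and `build_upstream_request` are hypothetical names, and the routes are constructed from hosts that appear on this page.

```python
from urllib.parse import urlsplit

# Constructed routing table (assumption): local path prefix -> fixed upstream base URL.
ROUTES = {
    "/example/": "https://www.example.com/",
    "/produkte/": "http://www.gmx.net/",
}


def build_upstream_request(path, routes=ROUTES):
    """Return the first bytes to send to the forward proxy for the local
    request target `path`, or None when no configured prefix matches."""
    for prefix, base in routes.items():
        if path.startswith(prefix):
            break
    else:
        return None  # unmapped paths are never forwarded

    rest = path[len(prefix):]
    # Reject characters that would let a client split the request line.
    if any(c in rest for c in "\r\n "):
        raise ValueError("illegal character in request target")

    target = urlsplit(base)  # the host always comes from the table, never from the client
    if target.scheme == "https":
        # TLS upstream: ask the proxy for a tunnel. The TLS handshake and an
        # ordinary origin-form request then travel inside that tunnel.
        port = target.port or 443
        authority = f"{target.hostname}:{port}"
        return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode()

    # Plain HTTP upstream: the request target is the absolute URL, which is how
    # the forward proxy learns the destination. A haproxy "server" line pointed
    # at the proxy would send origin-form ("GET /produkte/...") instead.
    url = f"http://{target.netloc}{target.path}{rest}"
    return (f"GET {url} HTTP/1.1\r\nHost: {target.netloc}\r\n"
            "Connection: close\r\n\r\n").encode()


if __name__ == "__main__":
    for p in ("/produkte/foo?q=1", "/example/a", "/policies"):
        print(p, "->", build_upstream_request(p))
```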