[Haproxy cfg checking Socks5] Haproxy cfg to check the Socks5 connection #tags: GFW, network, haproxy, config

haproxy.cfg

#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

global
    log         127.0.0.1 local2
    chroot      /usr/share/haproxy
    pidfile     /run/haproxy.pid
    maxconn     2000
    user        haproxy
    daemon

defaults
    mode                    tcp
    log                     global
    option                  dontlognull
    timeout check           30s
    maxconn                 2000

# This server group is used for final users.
# Each server should point at one foreign Internet address
# SOCKS5 is accepted
listen shadowsocks_turnup
	bind 127.0.1.1:3000
	mode tcp
	option tcp-check
	tcp-check connect
	tcp-check send-binary 050100
	tcp-check expect binary 0500 # means local client working okay
	tcp-check send-binary 050100030a676f6f676c652e636f6d0050 # try to acess google
	tcp-check expect binary 05000001000000000000
	tcp-check send GET\ /generate_204\ HTTP/1.0\r\n
	tcp-check send Host:\ google.com\r\n
	tcp-check send User-Agent:\ curl/7.52.1\r\n
	tcp-check send Accept:\ */*\r\n
	tcp-check send \r\n
	tcp-check expect rstring ^HTTP/1.0\ 204
	balance leastconn
	timeout server 600000
	timeout client 600000
	timeout connect 500
	server vnet-xxxx              127.0.1.1:4000		check	inter 15s downinter 1m	fall 4	weight 10 

listen monitor_mgmt
    mode http
    bind 127.0.1.1:3389
    stats enable
    stats admin if TRUE
    stats uri /

ah man you saved me so much work ty <3

I was wondering actually if you had given any thought as to HTTP CONNECT:
https://github.com/paigeadelethompson/netcrave-docker/blob/master/etc/haproxy/haproxy.cfg#L87

I can do at least that much the last step is that he server responds with an HTTP/1.x 200 and everything after that is supposed to be passed through, but I"m thinking its kinda rude to call out and hang up and it would certainly be nice if there's way to hand off the connection to an httpschk or something if it's possible and do the same generate 204 request you used for socks5. As it is at least it rules out servers that respond 4/5xx to CONNECT but it would be really cool if there was a way to upgrade / wrap the socket to TLS perhaps even validate the certificate / chain of trust because some of these proxies have teeth and mean to try to mitm my https sessions.

but yeah now I can dump (a prechecked list of proxies) for socks and http and I'm able to watch youtube videos in 1080p almost completely uninterrupted, its getting there, I probably don't even need to be using server-template but it's kinda convenient:

grep -r "Kestrel" | sed 's/:Server: Kestrel//g' | shuf | tr ':' ' ' | cat -n | awk '{print "set server http_and_https_be/http-proxy-"$1 " addr "$2" port "$3}' | sudo nc -U /mnt/export/netcrave_docker/var/run/haproxy/haproxy_admin.sock

for ref the proxy list made with grep -r "Kestrel" | sed 's/:Server: Kestrel//g' | shuf | tr ':' ' ' | cat -n looks like this before awk:

  2974  x.x.x.x 38011
  2975  x.x.x.x 82
  2976  x.x.x.x 46172
  2977  x.x.x.x 58470
  2978  x.x.x.x 8118

it won't accept hostnames has to be ips, for that you can use getent ahostsv4