@jgornick
Last active May 11, 2020 18:50
HAProxy Transparent Proxy

Example

GET http://127.0.0.1:3128/todos/2 (Host: jsonplaceholder.typicode.com) <-(http)-> haproxy <-(https)-> GET https://jsonplaceholder.typicode.com/todos/2
global
  debug
  log stdout local0 debug

defaults
  mode http
  option httplog
  log global
  timeout connect 5000ms
  timeout client 50000ms
  timeout server 50000ms

resolvers mydns
  nameserver local 127.0.0.11:53
  nameserver google 8.8.8.8:53
  timeout retry 1s
  hold valid 10s
  hold nx 3s
  hold other 3s
  hold obsolete 0s
  accepted_payload_size 8192

frontend fe
  bind :::3128 v4v6
  # Resolve the (lower-cased) Host header at request time via the "mydns"
  # resolvers section; the IPv4 result is stored in the txn.myip variable
  http-request do-resolve(txn.myip,mydns,ipv4) hdr(Host),lower
  http-request capture var(txn.myip) len 40
  # Return 503 when the variable is not set,
  # which means the DNS resolution failed
  use_backend b_503 unless { var(txn.myip) -m found }
  default_backend be

backend b_503
  # Dummy backend used to return 503.
  # One can use the errorfile directive to send a nice
  # 503 error page to end users

backend be
  # Rule to prevent HAProxy from connecting to services on the local
  # network (a forged DNS name could otherwise be used to scan it).
  # The original rule listed only 127.0.0.0/8 and 10.0.0.0/8; the other
  # RFC 1918 ranges and link-local 169.254.0.0/16 (where cloud metadata
  # services live) are added so the check covers private address space.
  http-request deny if { var(txn.myip) -m ip 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 }
  # Set the destination address explicitly to the resolved IP. set-dst only
  # changes the address; the port comes from the server line below.
  http-request set-dst var(txn.myip)
  # 0.0.0.0 means "use the connection's destination address", i.e. the one
  # set-dst just wrote. The original Host header is sent as SNI. Note that
  # "verify none" disables certificate verification entirely, so the upstream
  # is not authenticated; use "verify required" with a ca-file outside a lab.
  server clear 0.0.0.0:443 weight 1 maxconn 8192 ssl sni hdr(Host),lower verify none
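The security-relevant piece of the config is the "resolve the Host header, then refuse to connect to anything private" check before the transparent TLS hop. The following Python script is an added example, not part of the gist, that models that frontend/backend decision offline so the deny list can be exercised against sample names. The DNS table, the host names and the addresses in it (203.0.113.10 is a documentation address) are all constructed for the example; GIST_DENY mirrors the two ranges the gist denies and FULL_DENY is the broader set a practitioner would normally want, on the assumption that no legitimate upstream lives in those ranges.

```python
import ipaddress

# The two ranges the gist's http-request deny rule checks.
GIST_DENY = ["127.0.0.0/8", "10.0.0.0/8"]

# Broader deny list (assumption: no legitimate upstream sits in these ranges).
# 169.254.0.0/16 covers link-local, including cloud metadata endpoints.
FULL_DENY = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
]

# Constructed DNS table standing in for the "mydns" resolvers section.
CONSTRUCTED_DNS = {
    "jsonplaceholder.typicode.com": "203.0.113.10",   # TEST-NET-3, constructed
    "localhost": "127.0.0.1",
    "intranet.corp.example": "192.168.1.10",
    "metadata.attacker.example": "169.254.169.254",  # attacker-controlled name
}


def fake_resolve(name):
    """Stand-in for do-resolve(...,ipv4): returns an IPv4 string or None."""
    return CONSTRUCTED_DNS.get(name)


def normalize_host(host_header):
    """Mimic hdr(Host),lower and additionally strip a port and trailing dot.

    The gist passes the raw lower-cased header to the resolver, so a
    "host:port" value would fail to resolve; stripping the port is a
    hardening step added here.
    """
    h = host_header.strip().lower()
    if h.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:3128
        h = h[1:h.index("]")]
    elif ":" in h:
        h = h.rsplit(":", 1)[0]
    return h.rstrip(".")


def is_denied(ip, deny_ranges):
    """True if ip falls inside any CIDR in deny_ranges (the -m ip match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in deny_ranges)


def route(host_header, resolve=fake_resolve, deny_ranges=FULL_DENY):
    """Return (status, detail) the way the frontend/backend rules would.

    503: resolution failed (use_backend b_503)
    403: resolved address is in the deny list (http-request deny)
    200: connect to the resolved address over TLS (set-dst + server line)
    """
    name = normalize_host(host_header)
    ip = resolve(name)
    if ip is None:
        return 503, "dns"
    if is_denied(ip, deny_ranges):
        return 403, ip
    return 200, ip


if __name__ == "__main__":
    for host in CONSTRUCTED_DNS:
        print(f"{host:32} gist={route(host, deny_ranges=GIST_DENY)} "
              f"full={route(host)}")
```

Because set-dst writes the same txn.myip value the deny rule inspected, the proxy connects to the address it checked rather than re-resolving, so a rebinding between check and connect is not possible here; the weakness is only in how short the deny list is.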
@jgornick (Author)

Debug output:

00002069:be.srvcls[0014:0012]
fd[0012] OpenSSL error[0x1408f10b] ssl3_get_record: wrong version number
fd[0012] OpenSSL error[0x140e0197] SSL_shutdown: shutdown while in init
00002069:be.clicls[0014:0012]
00002069:be.closed[0014:0012]
