AWS Haproxy NAT Instance (Outbound)


#1

Currently working on using my current Haproxy server as a single outbound IP address. Currently it is only used as an inbound load balancer. I am set up in AWS with three subnets (different AZ's), and for those same servers it is listening to and balancing to, I would like to route traffic back out of the HA server so only a single static IP address would need to be whitelisted.

I have been reading on TPROXY, but would this resolve the NAT needs for outbound traffic? Thanks for any assistance!

Below is my config and I am running HA 1.5.12 -

==============
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 4096
    daemon

defaults
    log global
    option dontlognull
    retries 3
    option redispatch
    maxconn 40096
    timeout connect 5000
    timeout client 240000
    timeout server 240000
    option http-server-close
    option log-health-checks

listen httpproxy 0.0.0.0:80
    mode http
    option forwardfor
    option httplog
    # Reject connections from listed source addresses before any further processing
    tcp-request content reject if { src -f /etc/haproxy/blocked.lst }

    #STATS
    stats enable
    stats hide-version
    stats scope .
    stats uri /haproxyadmin?stats
    stats realm Proxy\ Statistics
    stats auth admin:haproxy!canvas

    #HEALTH CHECKS
    option httpchk GET /someindex.html HTTP/1.1\r\nHost:\ site.site.com
    http-check expect ! rstatus ^5 # Any status not starting with 5 passes (2xx, 3xx and also 4xx); 5xx fails the check.
    default-server inter 3s fall 3 rise 2

    # Server names must be unique within a section; one backend per AZ subnet
    server web1 10.0.1.2:80 check
    server web2 10.0.2.2:80 check
    server web3 10.0.3.2:80 check

listen httpsproxy 0.0.0.0:443
    mode tcp
    option tcplog
    balance leastconn
    tcp-request content reject if { src -f /etc/haproxy/blocked.lst }

    #HEALTH CHECKS
    # Only one check type is in effect per section (the last one declared wins).
    # A plaintext "option httpchk" declared after ssl-hello-chk would replace it
    # and send unencrypted HTTP to port 443, so the SSL hello check is kept.
    option ssl-hello-chk
    #option httpchk GET /someindex.html HTTP/1.1\r\nHost:\ site.site.com
    #http-check expect ! rstatus ^5
    default-server inter 3s fall 3 rise 2

    # send-proxy adds the PROXY protocol header to forwarded traffic;
    # check-send-proxy adds it to health checks too, which a backend that
    # expects the header needs in order to answer the check.
    server web1 10.0.1.2:443 send-proxy check-send-proxy check
    server web2 10.0.2.2:443 send-proxy check-send-proxy check
    server web3 10.0.3.2:443 send-proxy check-send-proxy check

==============


#2

Not sure I understand. HAP is by default a reverse proxy, meaning the replies from the backend servers go back through HAP, so the client sees the HAP public IP in the replies.
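Post #2 is the reason HAProxy alone cannot give the backends a single outbound address: it only relays connections it terminates, and TPROXY (its transparent mode) merely changes the source address HAProxy itself uses toward the servers. Traffic the backends originate has to be NAT'd by the Linux host HAProxy runs on, which is what an AWS NAT instance does; the script below is an added example, not from the thread, and assumes backend subnets 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 (inferred from the server addresses in the config), eth0 as the internet-facing interface, and that the instance has source/destination checking disabled and is the 0.0.0.0/0 target in those subnets' route table.

```shell
#!/bin/sh
# Added example: configure the Linux host running HAProxy as an outbound NAT
# gateway for the backend subnets, so their traffic leaves via its one EIP.
# HAProxy is not involved; this is kernel forwarding plus iptables MASQUERADE.
# Assumptions: subnets inferred from the config's server addresses, eth0 as
# the internet-facing interface (override with IFACE=...).
set -eu

IFACE="${IFACE:-eth0}"
SUBNETS="10.0.1.0/24 10.0.2.0/24 10.0.3.0/24"

# Emit the iptables commands (one per line) instead of running them directly,
# so they can be reviewed first and tested without root.
nat_rules() {
    for s in $SUBNETS; do
        # Rewrite the source address only for traffic from the known subnets
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$s" "$IFACE"
        # Permit new outbound flows from those subnets to be forwarded
        printf 'iptables -A FORWARD -s %s -o %s -j ACCEPT\n' "$s" "$IFACE"
    done
    # Allow return traffic for flows conntrack already knows about
    printf 'iptables -A FORWARD -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$IFACE"
    # Anything else trying to transit this host (including inbound connections
    # from the internet toward the backends) is dropped by default.
    printf 'iptables -P FORWARD DROP\n'
}

# Apply: enable IPv4 forwarding and load the rules above. Requires root.
apply_nat() {
    sysctl -w net.ipv4.ip_forward=1
    nat_rules | sh -e
}

# Check: forwarding is on and a MASQUERADE rule exists for every subnet.
check_nat() {
    [ "$(sysctl -n net.ipv4.ip_forward)" = "1" ] || return 1
    for s in $SUBNETS; do
        iptables -t nat -S POSTROUTING | grep -q -- "-s $s .*MASQUERADE" || return 1
    done
}

case "${1:-}" in
    apply) apply_nat ;;
    check) check_nat && echo "NAT OK" ;;
    *) nat_rules ;;
esac
```

Run with no argument to print the rules for review, `apply` to install them, and `check` afterwards to confirm the host is forwarding and masquerading for each subnet.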