Convert proxy connect request


#1

Hi,

I am currently using some squid forwarding proxies to provide internet access to a number of desktops in a locked down vlan.

A new application is being deployed that will send a lot of requests to an external api.
My squid proxies are currently configured to perform user authentication.
What I would like to do is to intercept requests from certain IPs going to certain URLs and send them directly to the endpoint, bypassing the squid proxies.

Similar to:

frontend proxyin
    bind *:8081
    mode http
    use_backend apihttp if { base_dom -i example.com }

    default_backend proxyout

backend proxyout
    mode http
    server proxyout1 XX.XX.XX.XX:3128 maxconn 100 weight 10 check

backend apihttp
    mode http
    server apiserver1 XX.XX.XX.XX:443 check ssl verify none

The problem is that as the platforms are set up to talk via proxy, the requests going to the API server are CONNECT requests that the oldish API platform doesn’t understand.

Is there any way to get HAProxy to replicate proxy functionality for these requests?

Thanks


#2

Mmmmh, there is only a very limited functionality that goes in this direction, it’s called option http_proxy.

I suggest you don’t go down that road. Better add an additional real forward proxy in the mix and route to that one when haproxy detects the call goes to the external API.
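
An added sketch of the routing suggested in the reply above (not configuration from the thread or from the HAProxy project): CONNECT requests from allowlisted clients to the API host go to a second forward proxy that does not require user authentication, and everything else goes to the authenticating Squid pool. The `proxy_noauth` backend name, the client subnet and the server addresses are constructed placeholders.

```haproxy
frontend proxyin
    bind *:8081
    mode http

    # Constructed placeholder: the desktops allowed to skip user authentication
    acl api_clients src 192.0.2.0/24

    # Clients configured for a proxy open TLS destinations with CONNECT host:port
    acl is_connect method CONNECT

    # Exact string match on the Host header. A domain-style match such as
    # hdr_dom/base_dom accepts any dot-delimited portion, so a host like
    # example.com.attacker.test would also pass an allowlist built on it.
    acl api_target hdr(host) -i example.com example.com:443

    # All three conditions must hold before authentication is bypassed
    use_backend proxy_noauth if is_connect api_clients api_target

    default_backend proxyout

# Existing authenticating forward proxies (address is a constructed placeholder)
backend proxyout
    mode http
    server proxyout1 198.51.100.10:3128 maxconn 100 weight 10 check

# Additional forward proxy without user authentication; it terminates the
# CONNECT and opens the tunnel to the API, so the API never sees a CONNECT.
backend proxy_noauth
    mode http
    server proxyapi1 198.51.100.20:3128 maxconn 100 check
```

Because this path skips user authentication, the unauthenticated proxy should carry its own destination allowlist for the API host and port, so the bypass does not depend on the HAProxy ACLs alone.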


#3

Hi @lukastribus

Yeah, that’s exactly what I’m doing.

So for some traffic it is:
client --> haproxy --> squid --> endpoint

Other, API-based traffic is:
client --> haproxy --> endpoint

The problem is that for traffic that doesn’t go to the forward proxy, when HAProxy sends it direct to the API endpoint, it’s sending the full CONNECT initialization to the endpoint. (Outbound traffic is configured via proxy.)
My original idea was to allow HAProxy to perform first-touch operations on the outbound requests so that I could avoid having to send all the traffic to the forwarding proxies. Known endpoints from whitelisted IP addresses could bypass the forwarding proxy.
I don’t think that this is going to be possible, however. I’ll probably take the HAProxy out and just send all traffic to the forwarding proxy.