HAProxy community

Haproxy itself talks proxy protocol

Using the send-proxy option in a server allows the proxy protocol to be forwarded for the requester.
Is it possible that the haproxy itself generates the proxy protocol in the server section, so the requester does not know about the proxy protocol?
Example:
server server_behind_proxy x.x.x.x:443 proxy y.y.y.y:3128 ssl …

send-proxy means that haproxy generates the proxy header.

I don’t understand the question. Haproxy only “forwards” the proxy protocol when it’s part of the incoming TCP payload and haproxy is not configured to intercept it.

exactly, My question now is whether it is possible to create the proxy header if it is not included in the incoming TCP payload but in the haproxy config.

That’s exactly what send-proxy does.

How do I provide the proxy ip and port in the config then? send-proxy does not take an argument.

You don’t.

Please explain what you are trying to achieve and what your problem actually is so that we can solve your problem instead of playing the XY problem game.

Let me put it another way: Suppose I were to perform:

curl --proxy <proxy>:<port> http://216.58.208.46

now i configure haproxy to reach the same destination via localhost:

frontend test
    bind 127.0.0.1:8080
    use_backend google

backend google
    server google1 216.58.208.46:80 ... # go via proxy:port

now I’m trying

curl http://127.0.0.1

The crucial part of my question is that I want to omit --proxy <proxy>:<port> but store it in haproxy accordingly.

A few things to unpack here.

First of all, the PROXY protocol is text based (v1) and binary (v2) protocol, that allows haproxy to send IP address informations (like source IP and source port) to the backend server, without using application layer headers (like X-Forwarded-For header). This is important because sometimes the application layer cannot be used for this. It requires support for the PROXY protocol in the backend server.

This is what you configure with send-proxy on a backend server, and what you accept with accept-proxy.

curl --proxy <proxy>:<port>

This is you telling curl to use a HTTP forwarding proxy server. It has absolutely nothing to do with the PROXY protocol of haproxy and also haproxy is not a forwarding proxy server.

I assume you have some kind of success with this command because haproxy is forwarding the request as-is and the backend server actually doesn’t reject it.

You want to access google here. 4 important things to keep in mind:

  • haproxy listens on port 8080 in your configuration, so you need to consider this in your curl call (curl http://127.0.0.1:8080)
  • google probably expects correct Host headers, so you need to put it into your backend something like http-request set-header Host www.google.com
  • if you are doing ssl, google will expect SNI, so you need to add sni str(www.google.com) to your server line.
  • and the most important thing here: haproxy is not a forwarding proxy, but a reverse proxy. YMMV when you are trying to use it as forwarding proxy and you will have to overcome all kinds of obstacles. You’re better of looking for a actual forwarding proxy server, like squid or tinyproxy instead. But I’m not sure if this was just an oversimplification or if this is what you are actually trying to do.

First of all, thank you for your patience with me, I know the question is quite unusual.

I took curl https://127.0.0.1:8080 (right, forgot the port) as an example of an application that is unable to address a server behind a forwarding proxy. I don’t intend to use haproxy as a forwarding proxy, that’s what <proxy>:<port> is for. In my case haproxy serves as a reverse proxy component in a service mesh to be able to address other http server backends without the requesting client (on the same host) having to know where and how to connect to. In some rare cases, the server to be queried (instead of google) is unfortunately only located behind a forwarding proxy.

I’m sorry I didn’t give you the full picture from the start.