HAProxy community

Haproxy reformat URL before it reaches the client

Hi, I have an IP camera “Tp-link NC450” which has weak SSL for the admin page (port 8092 with cipher AES128-SHA) but no SSL for the video streaming (port 8080 is plain HTTP).

I am using Haproxy on a Raspberry pi in order to harden the admin page with a stronger SSL cipher and add SSL to the video streaming.

From the admin page you have the option to open the video streaming by clicking a button which opens a new tab with the video streaming.

So far, I have successfully added a stronger protection to the admin page and SSL to the video streaming page.

The issue I am facing is that if I try to open the video streaming from the admin page, the tab that is opened is the camera IP and not the one that goes through haproxy.

Here is a screenshot of the admin page with the button “Live View”:

This is the tab I get when opening it:

Without haproxy, this is how the Chinese camera works:

https://192.168.0.155:8092/index.html opens a tab to: http://192.168.0.155/live_view.html

Now, with haproxy configuration, I expect to see:

https://192.168.0.113:8092 opens a tab to: https://192.168.0.113:8080/live_view.html

And instead I get:

https://192.168.0.113:8092 opens a tab to: http://192.168.0.155/live_view.html

I guess a solution would be to force Haproxy to change what is served by the backend on port 8092 with references to its local IP to the one that I am connected to:
For example:
If I am on the admin page (https://192.168.0.113:8092) then change all served content with references to http://192.168.0.155/whatever to http://192.168.0.113/whatever
If I am using a DNS name (https://camera.duckdns.org:8092) then change all served content with references to http://192.168.0.155/whatever to http://camera.duckdns.org/whatever

I am not sure if this is the right path nor where to start and would really appreciate if anyone can give me any hint or suggestion or Documentation section to read.

My Haproxy is running on a raspberry pi 3B+ and is:

root@raspberrypi /var/log # haproxy -vv
HA-Proxy version 1.8.19-1+rpi1 2019/03/14

And here is my actual Haproxy configuration for this camera:

frontend tplink_in_8080
    bind-process 2-3
    bind :8080 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    bind abns@haproxy-clt3  accept-proxy tfo ssl crt /etc/ssl/certs_self process 3 curves X25519:P-256:secp384r1
    mode tcp
    #option tcplog
    option tcp-smart-accept
    default_backend tplink_dest_8080

backend tplink_dest_8080
    mode tcp
    option tcp-smart-connect
    server ipcam 192.168.0.155:8080 check fall 5 rise 2 maxconn 50

frontend tplink_in_8092
    bind-process 2-3
    bind :8092 tfo ssl crt /etc/ssl/certs_self process 2 alpn h2,http/1.1 curves X25519:P-256:secp384r1
    bind abns@haproxy-clt5 accept-proxy tfo ssl crt /etc/ssl/certs_self process 3 alpn h2,http/1.1 curves X25519:P-256:secp384r1
    mode http
    option forwardfor
    compression algo gzip
    http-request redirect scheme https code 301 if !{ ssl_fc }
    http-request redirect scheme https unless { ssl_fc }
    http-request add-header X-Forwarded-Proto https
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Strict-Transport-Security max-age=31536000;includeSubDomains;preload
    http-response set-header X-XSS-Protection 1;mode=block
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    # HSTS (15768000 seconds = 6 months); this set-header replaces the value set above
    http-response set-header Strict-Transport-Security max-age=15768000
    #http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]
    default_backend tplink_dest_8092

backend tplink_dest_8092
    mode http
    option forwardfor
    option http-keep-alive
    compression algo gzip
    #option http-server-close
    option http-keep-alive
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    cookie SSIONID prefix indirect nocache 
    server ipcam 192.168.0.155:8092 maxconn 50 cookie SSIONID ssl verify none ciphers AES128-SHA

Thanks in advance!

Haproxy does not rewrite HTTP payload (links in HTML). If your IP camera keeps pointing to http://192.168.0.155/live_view.html then the browser will keep accessing that directly.

I don’t know if Lua can rewrite the body.
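
The link rewriting described in the question, written as an added Python example that is not from the thread and not HAProxy code: what a body-rewriting step in front of the camera has to do (match only the camera's own origin, take the public name from an allow-listed Host header, handle gzip, fix Content-Length). The function names, allow-list and port map are assumptions, and the sample HTML is constructed.

```python
import gzip
import re

BACKEND_HOST = b"192.168.0.155"                          # camera address from the post
ALLOWED_HOSTS = ("192.168.0.113", "camera.duckdns.org")  # names the proxy answers to
# Camera port -> proxy port; 80 -> 8080 follows the URL the post expects to see.
PORT_MAP = {"80": "8080", "8080": "8080", "8092": "8092"}
REWRITABLE = ("text/html", "text/javascript", "application/javascript")

# Camera origin with optional port; the lookahead rejects look-alike hosts.
_LINK = re.compile(rb"(https?)://" + re.escape(BACKEND_HOST) + rb"(?::(\d+))?(?![\d.:])")


def public_host(host_header):
    """Use the client's Host header only if it is allow-listed (IPv4 or DNS name)."""
    host = host_header.split(":")[0].lower()
    return host if host in ALLOWED_HOSTS else ALLOWED_HOSTS[0]


def rewrite_response(headers, body, host_header):
    """Return (headers, body) with camera-absolute links pointed at the proxy."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in REWRITABLE:
        return headers, body                          # images, video: pass through
    gzipped = headers.get("Content-Encoding", "").lower() == "gzip"
    text = gzip.decompress(body) if gzipped else body
    host = public_host(host_header)

    def swap(m):
        default = "80" if m.group(1) == b"http" else "443"
        port = PORT_MAP.get(m.group(2).decode() if m.group(2) else default)
        if port is None:
            return m.group(0)                         # unmapped port: leave as is
        return f"https://{host}:{port}".encode()

    text = _LINK.sub(swap, text)
    out = dict(headers)
    body = gzip.compress(text) if gzipped else text
    out["Content-Length"] = str(len(body))            # length changes with the URL
    return out, body


# Constructed sample of what the admin page might serve (not captured from the camera).
SAMPLE = b'<a href="http://192.168.0.155/live_view.html" target="_blank">Live View</a>'
```

Links that the page builds in JavaScript at run time never appear as a literal URL in the body, so a rewrite of this kind does not reach them.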