How to setup MITM?

Hello, I am trying to configure a MITM like haproxy (to add cookies for incoming requests)
and servers are actually other HTTP proxies.
This is how I am generating the .pem file -

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout haproxy-ca-key.pem -out haproxy-ca-cert.pem -subj “/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/
**websites like etc.

Followed by -

cat haproxy-ca-cert.pem haproxy-ca-key.pem >> mysite.pem

My configuration -

log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256::RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
        log     global
        mode    tcp
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend front
    mode tcp
    bind ssl crt /etc/haproxy/certs/mysite.pem crt-ignore-err all
    redirect scheme https if !{ ssl_fc }
    default_backend web_servers

backend web_servers
    mode tcp
    balance roundrobin

 server Node1009 proxy:1009 ssl verify none
 server Node1010 proxy:1010

output of haproxy -vv

HA-Proxy version 2.2.3-2 2020/09/09 -
Status: long-term supported branch - will stop receiving fixes around Q2 2025.
Known bugs:
Running on: Linux 5.8.0-29-generic #31-Ubuntu SMP Fri Nov 6 12:37:59 UTC 2020 x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-fB8IVI/haproxy-2.2.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference


Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020
Running on OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.34 2019-11-21
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 10.2.0
Built with the Prometheus exporter as a service

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as cannot be specified using ‘proto’ keyword)
fcgi : mode=HTTP side=BE mux=FCGI
: mode=HTTP side=FE|BE mux=H1
h2 : mode=HTTP side=FE|BE mux=H2
: mode=TCP side=FE|BE mux=PASS

Available services :

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
[CACHE] cache

Using haproxy as a proxy on firefox just returns “Secure Connection Failed” , not allowing to make an exception for unsecure certificate.
Clearly I’m doing something wrong, so please if you notice something let me know as this is becoming so frustrating.
What do I even need to do, the SSL/TLS Bridging , or the SSL/TLS Termination should do the job?
Thank you in advance!

If you want to be able to modify the HTTP headers, you have to terminate the SSL/TLS on haproxy and use http mode.
I would use terminate the TLS in the frontend, transform the request, and use a backend with TLS configuration to reach the final servers.

1 Like

Thank you for the answer, but how would one configure the TLS for a backend?
Something like -

  server server1 proxyserver1:1001 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt


Yes, something like that.