Is it possible to bind on HTTP while connecting to an HTTPS endpoint behind a Squid forwarding proxy using Client Certificate Authentication, while using Layer 7 proxy mode?
We have this already working using Apache HTTP server based on:
    ProxyTimeout 600
    ProxyRequests on
    ProxyRemote "*" "http://squid-internet:3128"
    <VirtualHost *:80>
        ServerName onloading-proxy-internet-endpoint-a
        Use SSLGeneric
        RequestHeader set CustomHeader "custom_value"
        RequestHeader unset SecretHeader
        SSLProxyMachineCertificateFile /usr/local/apache2/certs/keypair-internet.pem
        SSLProxyMachineCertificateChainFile /usr/local/apache2/certs/chain-internet.pem
        ProxyPass / https://internet-endpoint-a.net
        ProxyPassReverse / https://internet-endpoint-a.net
    </VirtualHost>
We want to replace Apache HTTP server because HAProxy has OpenTracing support and we need this.
We are using haproxy-2.4-dev15 and the config we came up with is:
    frontend onloading-proxy
        bind *:80
        filter opentracing id ot-fe config /usr/local/etc/haproxy/ot.cfg
        use_backend be_ca_verbindingstest if { hdr(host) -i onloading-proxy-internet-endpoint-a }
        default_backend be_default

    backend be_ca_verbindingstest
        mode http
        # set-header needs a header name; Host is rewritten so set-uri below builds the origin's absolute URI
        http-request set-header Host internet-endpoint-a.net
        http-request set-uri https://%[req.hdr(Host)]%[path]?%[query]
        option forwardfor header X-Client
        #option 1: Response is 400; No SSL client certificate presented to internet-endpoint-a
        server squid-proxy-internet 10.32.0.29:3128 crt /usr/local/etc/haproxy/certs/keypair-internet.pem ca-file /usr/local/etc/haproxy/certs/truststore-internet-endpoints.pem
        #option 2: Response is 502 service unavailable
        #server squid-proxy-internet 10.32.0.29:3128 ssl crt /usr/local/etc/haproxy/certs/keypair-internet.pem ca-file /usr/local/etc/haproxy/certs/truststore-internet-endpoints.pem

    backend be_default
        http-request deny deny_status 400
The following curl test on the HAProxy pod results in a 200:

    curl -x http://10.32.0.29:3128 -k -v --key /usr/local/etc/haproxy/certs/internet-keypair.pem --cert /usr/local/etc/haproxy/certs/internet-keypair.pem https://internet-endpoint-a.net/index.php
The whole idea behind this setup is to keep the infrastructure-related stuff (request headers, certificates, routing, etc.) in the onloading proxy service and, by doing so, keep our applications unaware of them and less complex.
Once again, my question is: is this possible, and if so, how?
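The two results in the post come from two different request shapes reaching Squid. The server line without `ssl` ("option 1") sends Squid a plaintext request carrying an absolute `https://` URI; Squid opens the TLS connection to the origin itself, so the `crt` keypair on HAProxy's server line (which only takes effect together with `ssl`) is never presented, and the origin reports that no client certificate was seen. With `ssl` ("option 2") HAProxy starts a TLS handshake directly on the socket it opened, which is Squid's plaintext port 3128, hence the 502. The curl command works because `-x` makes curl send a `CONNECT` first and then run the TLS handshake, with the client certificate, inside the tunnel; nothing in the posted HAProxy config issues a `CONNECT`. In the first model the certificate would have to live on Squid's own outgoing-TLS configuration (`tls_outgoing_options cert=...` in Squid versions that support it), not on HAProxy. The following Python is an added example, not code from the post or from HAProxy, Squid or curl: it reconstructs what the posted backend rules hand to Squid, and implements the `CONNECT`-then-TLS exchange the curl command performs. `ORIGIN_HOST` and `CLIENT_CERT` are taken from the post; `FakeProxySocket` and its "Connection established" reply are constructed so the tunnel logic runs offline; `fetch_via_proxy` is the real-network variant and is not exercised here.

```python
# Added example (not from the post): the two request shapes a forward proxy
# such as Squid can receive for https://internet-endpoint-a.net/, and why only
# one of them lets the *caller* present a client certificate.
import socket
import ssl

ORIGIN_HOST = "internet-endpoint-a.net"                             # from the post
CLIENT_CERT = "/usr/local/etc/haproxy/certs/keypair-internet.pem"   # path from the post


def haproxy_option1_request(method, path, query, inbound_headers, client_ip,
                            origin_host=ORIGIN_HOST):
    """Emulate what the posted backend ("option 1", server line without `ssl`)
    hands to Squid: a plaintext request with an absolute https:// URI.
    Squid then opens the TLS connection to the origin itself, so the `crt`
    keypair on HAProxy's server line is never presented to anyone."""
    hdrs = dict(inbound_headers)
    hdrs["Host"] = origin_host                       # http-request set-header Host <origin>
    uri = f"https://{origin_host}{path}?{query}"     # set-uri https://%[req.hdr(Host)]%[path]?%[query]
    hdrs["X-Client"] = client_ip                     # option forwardfor header X-Client
    # The posted set-uri rule keeps the '?' even when the query string is empty.
    lines = [f"{method} {uri} HTTP/1.1"] + [f"{k}: {v}" for k, v in hdrs.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def connect_request(origin_host=ORIGIN_HOST, port=443):
    """The CONNECT preamble `curl -x proxy:3128 https://...` sends before it
    starts TLS *inside* the tunnel; afterwards the proxy only relays bytes."""
    return (f"CONNECT {origin_host}:{port} HTTP/1.1\r\n"
            f"Host: {origin_host}:{port}\r\n\r\n").encode()


def establish_tunnel(sock, origin_host=ORIGIN_HOST, port=443):
    """Send CONNECT on an open proxy socket, consume the proxy's reply headers
    and return the status code. Anything but 2xx means no tunnel was opened."""
    sock.sendall(connect_request(origin_host, port))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    status_line = buf.split(b"\r\n", 1)[0].decode("latin-1")  # e.g. HTTP/1.1 200 Connection established
    return int(status_line.split(" ", 2)[1])


def fetch_via_proxy(proxy_host, proxy_port, path="/index.php", certfile=CLIENT_CERT,
                    keyfile=None, cafile=None, origin_host=ORIGIN_HOST):
    """Network equivalent of the posted curl command: CONNECT through Squid,
    then a TLS handshake with the origin in which this process presents the
    client certificate. Returns the origin's HTTP status line."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:                 # like the post's `curl -k`: no server verification
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ctx.load_cert_chain(certfile, keyfile)   # key may sit in the same PEM, as in the post
    with socket.create_connection((proxy_host, proxy_port)) as raw:
        status = establish_tunnel(raw, origin_host)
        if status // 100 != 2:
            raise ConnectionError(f"proxy refused CONNECT with status {status}")
        with ctx.wrap_socket(raw, server_hostname=origin_host) as tls:
            tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {origin_host}\r\n"
                        f"Connection: close\r\n\r\n".encode())
            resp = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                resp += chunk
    return resp.split(b"\r\n", 1)[0].decode("latin-1")


class FakeProxySocket:
    """Constructed stand-in for a Squid socket so establish_tunnel runs offline."""

    def __init__(self, reply=b"HTTP/1.1 200 Connection established\r\n\r\n"):
        self.sent = b""
        self._reply = reply

    def sendall(self, data):
        self.sent += data

    def recv(self, n):
        chunk, self._reply = self._reply[:n], self._reply[n:]
        return chunk


if __name__ == "__main__":
    print(haproxy_option1_request("GET", "/index.php", "",
                                  {"Host": "onloading-proxy-internet-endpoint-a"}, "10.0.0.5"))
    fake = FakeProxySocket()
    print("CONNECT status:", establish_tunnel(fake), "sent:", fake.sent)
```

Comparing the output of `haproxy_option1_request` with the bytes `connect_request` produces is the quickest way to see that the posted HAProxy backend and the posted curl command are asking Squid for two different things: the first asks Squid to fetch the URL on the caller's behalf, the second asks only for a raw tunnel in which the caller does its own TLS and certificate presentation.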