Need help to defeat an appliance


#1

Hi,

In my network, I have an appliance that I do not fully control. To access its web interface, I must reach it by calling its IP address and that request must be from an IP in the same network as the appliance itself. Because I do not fully control that appliance, I deployed it in a dedicated DMZ.

To defeat that control once, I just did a simple NAT on the firewall. That allowed me to connect to the appliance, calling it by its IP address over HTTP, from anywhere in my network. The moment the client can reach that IP address, the NAT is enough to get the appliance’s web interface working.

If I create a DNS name for the appliance and call it under that name, that NAT mechanism does not work anymore. Even though the NAT does change the source IP, the HTTP headers now contain that DNS name instead of an IP, so the appliance refuses to work.

My goal is to get that appliance’s web interface managed and secured by HAProxy for me to reach it even from outside the network. That means clients will not be able to call the appliance by IP anymore. So what I need is:
– HAProxy to listen for a dedicated hostname from Internet, over SSL. DONE
– HAProxy to authenticate the clients using a client-side certificate. DONE
– HAProxy to change the Host header in the HTTP request. DONE
– HAProxy to forward the request to the appliance IP address and port. DONE

The problem is with the links sent as a reply by the appliance. They are pointing to the appliance’s internal IP address and port. I need to rewrite all of that to point the client back at the Internet DNS name, port and HTTPS instead of HTTP.

As of now, my backend is configured as:

backend To_Appliance_ipvANY
    mode http
    id 124
    log global
    http-response set-header Strict-Transport-Security max-age=15780000;
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    acl AllClients src 0.0.0.0/0
    http-request set-header Host 172.16.1.10:3210 if AllClients
    # strip the internal scheme/host/port from Location, keeping the path (\3)
    rspirep ^Location:\ (https?://172.16.1.10(:[0-9]+)?)?(/.*) Location:\ \3 if AllClients
    http-response set-header Host ext-name.domain.org if AllClients
    server Appliance 172.16.1.10:3210 id 125 check inter 1000

That still does not work.

Any idea what I need to do to get that fixed?

How can I have HAProxy make a complete abstraction of protocol, host and port between the client and the server?

Thanks in advance and I will keep working on that one myself at the same time,


#2

What you’d need is to replace hyperlinks in the HTTP payload of the response (replacing http://<appliance-ip>/ with a single /, for example).

However this is not something that haproxy can do, as all the internal functionality only works for HTTP headers in request and response, but does not work with actual HTTP payload.

I’m not sure if Lua scripting could be used to do such a thing and currently, @thierry's Lua docs seem to be offline at this moment.
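To make concrete what #1 asks for (rewriting Location headers and the links the appliance returns) and what #2 points out (the links live in the response body, which header rules never touch), here is an added worked example in Python. It is not HAProxy configuration, not a Lua script, and not code from either poster; it shows the rewrite logic any reverse proxy (or a Lua hook in front of the appliance) would have to implement, using the same internal address, port and external name as the question. Everything else (the sample response, the cookie, the list of rewritable content types) is constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Values taken from the question: internal appliance endpoint and the public HTTPS name.
INTERNAL_HOST = "172.16.1.10"
INTERNAL_PORT = 3210
EXTERNAL_ORIGIN = "https://ext-name.domain.org"

# Absolute URL to the appliance inside HTML/JS/CSS text: scheme, internal IP,
# optional port, optional path up to a quote, whitespace or angle bracket.
_INTERNAL_URL = re.compile(
    r"https?://" + re.escape(INTERNAL_HOST) + r"(?::\d+)?(?:/[^\s\"'<>]*)?"
)

# Only text-like bodies are rewritten; binaries (images, archives) are passed through.
_REWRITABLE_TYPES = ("text/html", "text/css", "text/plain",
                     "application/javascript", "application/json")


def rewrite_url(url: str) -> str:
    """Map an absolute appliance URL to the external HTTPS origin.

    Relative URLs, other hosts and other ports on the same IP are left untouched,
    so a rewrite never redirects the browser somewhere the proxy does not front."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != INTERNAL_HOST:
        return url
    if parts.port is not None and parts.port != INTERNAL_PORT:
        return url
    ext = urlsplit(EXTERNAL_ORIGIN)
    return urlunsplit((ext.scheme, ext.netloc, parts.path or "/", parts.query, parts.fragment))


def rewrite_headers(headers: dict) -> dict:
    """Rewrite header values that carry the internal origin (what rspirep did for Location)."""
    out = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in ("location", "content-location"):
            out[name] = rewrite_url(value)
        elif lname == "set-cookie":
            # A Domain=172.16.1.10 attribute would make the browser drop the cookie
            # under the external name; the session is now over TLS, so mark it Secure.
            value = re.sub(r";\s*Domain=[^;]*", "", value, flags=re.I)
            if not re.search(r";\s*Secure\b", value, re.I):
                value += "; Secure"
            out[name] = value
        else:
            out[name] = value
    return out


def rewrite_body(body: str) -> str:
    """Replace absolute appliance links in a text body with the external origin."""
    return _INTERNAL_URL.sub(lambda m: rewrite_url(m.group(0)), body)


def rewrite_response(headers: dict, body: bytes) -> tuple:
    """Rewrite headers and, for text content types, the body; fix Content-Length.

    Compressed bodies must be decompressed first (or Accept-Encoding stripped on the
    request), otherwise the regex would run over gzip bytes and change nothing."""
    lower = {k.lower(): v for k, v in headers.items()}
    encoding = lower.get("content-encoding", "identity").lower()
    if encoding != "identity":
        raise ValueError("decompress before rewriting: Content-Encoding=%s" % encoding)
    new_headers = rewrite_headers(headers)
    ctype = lower.get("content-type", "").split(";")[0].strip().lower()
    if ctype in _REWRITABLE_TYPES:
        body = rewrite_body(body.decode("utf-8")).encode("utf-8")
        # Any rewrite changes the length; a stale Content-Length truncates or hangs the client.
        for name in list(new_headers):
            if name.lower() == "content-length":
                new_headers[name] = str(len(body))
    return new_headers, body


# Constructed sample response, shaped like the appliance's redirect-to-login page.
SAMPLE_HEADERS = {
    "Location": "http://172.16.1.10:3210/login?next=%2Fadmin",
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc; Domain=172.16.1.10; Path=/; HttpOnly",
    "Content-Length": "0",
}
SAMPLE_BODY = (b'<a href="http://172.16.1.10:3210/status">status</a> '
               b'<img src="/static/logo.png"> '
               b'<a href="http://172.16.1.10:9999/other">other</a>')

if __name__ == "__main__":
    hdrs, body = rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY)
    for k, v in hdrs.items():
        print("%s: %s" % (k, v))
    print()
    print(body.decode())
```

The split between header and body rewriting mirrors the thread: the Location rule in the question is the header half, and `rewrite_body` is the part HAProxy's header directives cannot provide. The relative `/static/logo.png` and the link to port 9999 are deliberately left alone, since rewriting everything that merely mentions the IP would send clients to ports the proxy does not expose.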