Reverse SSL offloading configuration


#1

Was wondering if it’s possible to use Haproxy in the following configuration.

Client  --------------------> Haproxy -----------------------> Server (not controlled by me)
          Internal Network              Internet
          TLS 1.0 Only                  TLS 1.2

In other words, I have a computer that needs to make outgoing connections using TLS 1.2, but it is only capable of TLS 1.0. I want to use haproxy to intercept and re-encrypt using TLS 1.2.

Any thoughts? Thanks!


#2

Yes, you can, just specify the ssl keyword on both sides. If you want to verify the server certificate, make sure you set the ca-file.
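
As an added example of the two-sided ssl setup described in the reply above (this is not Lukas's config nor text from the HAProxy docs), assuming HAProxy 1.6, a listener on 127.0.0.1:8443 that the legacy client is pointed at, and placeholder certificate paths and hostnames:

```haproxy
# Added example: terminate the TLS 1.0 client locally, re-encrypt toward the
# remote host with TLS 1.2 and verify its certificate. Paths, ports and
# hostnames are placeholders, not values from the thread.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Close the server-side connection after each response instead of
    # holding an idle connection open to the remote host.
    option http-server-close

frontend legacy_client
    # The TLS 1.0-only client connects here; haproxy terminates TLS with a
    # certificate that client already trusts (placeholder path).
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/internal.pem
    default_backend remote_tls12

backend remote_tls12
    # force-tlsv12: only TLS 1.2 toward the remote.
    # verify required + ca-file: reject the remote if its chain does not
    #   validate against the CA bundle.
    # verifyhost: the certificate must match the expected hostname.
    # sni: send the hostname so the remote presents the right certificate.
    # No "check" keyword, so haproxy opens no health-check connections.
    server remote remote.example.com:443 ssl force-tlsv12 verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost remote.example.com sni str(remote.example.com)
```

Without verify required and ca-file, haproxy would accept any certificate from the remote, so the re-encryption would protect confidentiality on the wire but not authenticate the server.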


#3

Hi Lukas,

Thank you for your response. I presume you are suggesting I specify the remote server as the backend in Haproxy terms? I can do this, and it does work, but there are some problems. Ideally I’d like the client (my computer) to be able to initiate a connection to any TLS 1.2 server, not just the backend. I don’t see a way to do this because I am limited to the remote that I set as backend. Also, Haproxy seems to create a persistent connection to the backend regardless of whether I set it to force-close mode or not. Because I don’t control the remote computer, I’d prefer to only connect to it when I’m using it.

Thanks again.


#4

Something can be done with option http_proxy, but really haproxy is not made for this use case:
http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4-option%20http_proxy

I suggest you look elsewhere for this functionality.

On the mailing list, exaproxy was mentioned once (I didn’t use it myself though):


#5

Thanks again! I’ll look into it.