It intercepts https traffic and gives the client a self-signed certificate for SSL Termination at the proxy.
However, for certain domains (medical websites, bank websites, etc.) I want to make an exception and let HAProxy forward it and not create its own certificate for that specific domain so it won’t be decrypted (privacy/legal reasons).
How can I achieve this? I thought of something with an ACL but I can’t bind on 443 twice…
It looks like you are setting the destination port to a transaction variable named x-forwarded-for. I’m assuming you are setting this variable somewhere else?
Either way, the destination port needs to be 443.
Please either set the port to 443 manually, or configure the destination server correctly.
http-request set-dst-port int(443)
[...]
server backend 0.0.0.0:443
You need to uncomment the tcp-request* configuration in listen haproxy-tcp-in, otherwise the ACL will not work, certainly not reliably.
In backend passthrough, you need the http-request do-resolve configuration, otherwise haproxy won’t connect to anything.
And also, you need ssl verify none everywhere on the server configurations, when you expect to reencrypt, otherwise you will be sending plaintext HTTP to HTTPS servers on port 443. Also use mode http here.
In backend passthrough, you do need the http-request set-dst var(txn.myip) statement, however NOT the do-resolve statement, because hdr(Host) accesses an HTTP header (the Host header), which is not available in the passthrough scenario (which is encrypted).
Also, I’m not sure if in this case you can use the txn variable (since we are not doing HTTP here).
Please implement this, then try; if it doesn’t work, try using a sess variable instead of a txn variable, at least to get passthrough working. If it still doesn’t work, share the entire configuration again.
Figured that. Tried only the txn.myip and sess.myip but it had no effect. Is there another way to get the host from the HTTPS request? I’m starting to think there is no way to make this possible.
Will the “mode http” work if it’s not plain http?
(Sorry for the edits btw, I’m trying out and thinking constantly)
There is no way to access plaintext HTTP headers when the only thing you have is encrypted SSL. That is the point of HTTPS, otherwise it would not be secure at all.
The SNI value is the only way. We need to replace http-request with tcp-request content directives and use sess instead of txn variables:
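As an added worked configuration (not the poster’s nor the responder’s own config), here is the SNI-driven split the reply above describes: tcp-request content rules and sess variables on the passthrough path, and the Host header only on the terminated path. The resolvers section name, the whitelist file path, the certificate path and the 127.0.0.1:8443 hop are assumptions of mine.

```haproxy
# Added example, not from the thread: route by SNI before any decryption.
# Assumed: resolvers "mydns", whitelist /etc/haproxy/passthrough-domains.lst
# (one suffix per line, e.g. .bank.example), proxy cert /etc/haproxy/proxy.pem.

resolvers mydns
    nameserver dns1 10.0.0.53:53     # constructed address; use your resolver
    timeout resolve 1s
    timeout retry   1s

frontend https-in
    mode tcp
    bind *:443
    # Hold the connection until the TLS ClientHello (and its SNI) has arrived.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # The SNI is the only plaintext hostname available; no Host header exists yet.
    acl sni-passthrough req.ssl_sni -i -m end -f /etc/haproxy/passthrough-domains.lst
    # sess.* variables work in TCP mode; txn.* are tied to an HTTP transaction.
    tcp-request content set-var(sess.sni) req.ssl_sni
    use_backend passthrough if sni-passthrough
    default_backend to-intercept

backend passthrough
    mode tcp
    # Resolve the SNI name and relay the raw TLS stream to it untouched.
    tcp-request content do-resolve(sess.dstip,mydns,ipv4) var(sess.sni)
    tcp-request content set-dst var(sess.dstip)
    tcp-request content set-dst-port int(443)
    # Placeholder address: do-resolve/set-dst supply the real destination.
    server upstream 0.0.0.0:443

backend to-intercept
    mode tcp
    # Second hop avoids binding *:443 twice: hand the stream to the terminating listener.
    server local 127.0.0.1:8443

frontend intercept
    mode http
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/proxy.pem
    default_backend reencrypt

backend reencrypt
    mode http
    # Here the request is plaintext, so the Host header can drive the destination.
    http-request do-resolve(txn.dstip,mydns,ipv4) hdr(host),lower
    http-request set-dst var(txn.dstip)
    http-request set-dst-port int(443)
    # "ssl" is required or plaintext HTTP hits port 443; prefer verify required with a ca-file.
    server upstream 0.0.0.0:443 ssl verify none
```

Whitelisted domains never pass through the intercept frontend, so HAProxy never presents its own certificate for them and the traffic stays end-to-end encrypted.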
CD: The client unexpectedly aborted during data transfer. This can be caused by a browser crash, by an intermediate equipment between the client and haproxy which decided to actively break the connection, by network routing issues between the client and haproxy, or by a keep-alive session between the server and the client terminated first by the client.
The browser crash or intermediate equipment between the client and haproxy shouldn’t be the issue imo (there’s a firewall, but that’s not blocking anything outbound since the TLS termination and re-encryption works fine).
Right now I’m getting another error. I separated my frontend and backend on two different machines, like I have when it is terminating and re-encrypting for non-whitelisted domains.
HAProxy error code is now ‘SC’. Firefox shows a PR_END_OF_FILE_ERROR. I did some research on it, but everything people say on forums is something I should already have configured.