SSL config issue

Hello

We are trying to use HAProxy to bypass government restrictions. They have even blocked wp.com!

I used different config files, but each one had some problems.

We want to use the same server (dnsmasq) to pass requests to HAProxy and get the result.
HAProxy is powerful enough to do any config, but unfortunately its documentation is not clear.

We use the config below. Everything is OK, but it is not working when using PHP curl.

wget:

[root@server ~]# wget  http://downloads.wordpress.org/plugin/akismet.5.0.1.zip
--2022-10-13 17:55:07--  http://downloads.wordpress.org/plugin/akismet.5.0.1.zip
Resolving downloads.wordpress.org (downloads.wordpress.org)... xx.xx.xx.xx
Connecting to downloads.wordpress.org (downloads.wordpress.org)|xx.xx.xx.xx|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://downloads.wordpress.org/plugin/akismet.5.0.1.zip [following]
--2022-10-13 17:55:07--  https://downloads.wordpress.org/plugin/akismet.5.0.1.zip
Connecting to downloads.wordpress.org (downloads.wordpress.org)|xx.xx.xx.xx|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84680 (83K) [application/octet-stream]
Saving to: ‘akismet.5.0.1.zip’

100%[==================================================================================================>] 84,680       250KB/s   in 0.3s   

2022-10-13 17:55:08 (250 KB/s) - ‘akismet.5.0.1.zip’ saved [84680/84680]

curl (ssh):

[root@server ~]# curl -o akisment.zip -vv https://downloads.wordpress.org/plugin/akismet.5.0.1.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to downloads.wordpress.org port 443 (#0)
*   Trying xx.xx.xx.xx...
* Connected to downloads.wordpress.org (xx.xx.xx.xx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=*.wordpress.org
*       start date: Nov 24 00:00:00 2021 GMT
*       expire date: Dec 25 23:59:59 2022 GMT
*       common name: *.wordpress.org
*       issuer: CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0> GET /plugin/akismet.5.0.1.zip HTTP/1.1
> User-Agent: curl/7.29.0
> Host: downloads.wordpress.org
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 13 Oct 2022 21:59:45 GMT
< Content-Type: application/octet-stream
< Content-Length: 84680
< Connection: keep-alive
< Content-Disposition: attachment; filename=akismet.5.0.1.zip
< Last-Modified: Wed, 28 Sep 2022 15:27:30 GMT
< X-Frame-Options: SAMEORIGIN
< X-nc: HIT ord 8
< Accept-Ranges: bytes
< 
{ [data not shown]
100 84680  100 84680    0     0  66946      0  0:00:01  0:00:01 --:--:-- 66993
* Connection #0 to host downloads.wordpress.org left intact
[root@server ~]# ls -lh *.zip
-rw-r--r-- 1 root root  83K Oct 13 17:59 akisment.zip
-rw-r--r-- 1 root root  83K Sep 28 11:27 akismet.5.0.1.zip
-rw-r--r-- 1 root root 2.1M Jun  3  2021 dev.zip
-rw-r--r-- 1 root root  22M Aug 30 13:41 latest.zip

curl php:

*   Trying xx.xx.xx.xx:443...
* Connected to downloads.wordpress.org (xx.xx.xx.xx) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to downloads.wordpress.org:443
* Closing connection 0

haproxy config:

# Adjust the timeout to your needs
defaults
  timeout client 30s
  timeout server 30s
  timeout connect 5s
# Single VIP with sni content switching
frontend ft_ssl_vip
  bind *:443
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  
  acl app1 req_ssl_sni -m end example.com
  acl app2 req_ssl_sni -m end ip2location.com
  acl app3 req_ssl_sni -m end wordpress.com
  acl app4 req_ssl_sni -m end wordpress.org
  acl app5 req_ssl_sni -m end wpmudev.org
  acl app6 req_ssl_sni -m end wpmudev.com

  use_backend back_ssl_app1 if app1
  use_backend back_ssl_app2 if app2
  use_backend back_ssl_app3 if app3
  use_backend back_ssl_app4 if app4
#  use_backend back_ssl_app5 if app5
#  use_backend back_ssl_app6 if app6
  default_backend bk_ssl_default
# Application 1 farm description
backend back_ssl_app1
  mode tcp
  balance roundrobin
  # maximum SSL session ID length is 32 bytes.
  stick-table type binary len 32 size 30k expire 30m
  acl clienthello req_ssl_hello_type 1
  acl serverhello rep_ssl_hello_type 2
  # use tcp content accepts to detect ssl client and server hello.
  tcp-request inspect-delay 5s
  tcp-request content accept if clienthello
  # no timeout on response inspect delay by default.
  tcp-response content accept if serverhello
  stick on payload_lv(43,1) if clienthello
  # Learn on response if server hello.
  stick store-response payload_lv(43,1) if serverhello
  option ssl-hello-chk
  use-server ip.example.com if { req.ssl_sni -i ip.example.com }
  server ip.example.com ip.example.com:443 check

  use-server www.example.com if { req.ssl_sni -i www.example.com }
  server www.example.com www.example.com:443 check


# Application 2 farm description
backend back_ssl_app2
  mode tcp
  balance roundrobin
  # maximum SSL session ID length is 32 bytes.
  stick-table type binary len 32 size 30k expire 30m
  acl clienthello req_ssl_hello_type 1
  acl serverhello rep_ssl_hello_type 2
  # use tcp content accepts to detect ssl client and server hello.
  tcp-request inspect-delay 5s
  tcp-request content accept if clienthello
  # no timeout on response inspect delay by default.
  tcp-response content accept if serverhello
  stick on payload_lv(43,1) if clienthello
  # Learn on response if server hello.
  stick store-response payload_lv(43,1) if serverhello
  option ssl-hello-chk

  use-server ip2location.com if { req.ssl_sni -i ip2location.com }
  server ip2location.com ip2location.com:443 check

  use-server www.ip2location.com if { req.ssl_sni -i www.ip2location.com }
  server www.ip2location.com www.ip2location.com:443 check

# Application 3 farm description
backend back_ssl_app3
  mode tcp
  balance roundrobin
  # maximum SSL session ID length is 32 bytes.
  stick-table type binary len 32 size 30k expire 30m
  acl clienthello req_ssl_hello_type 1
  acl serverhello rep_ssl_hello_type 2
  # use tcp content accepts to detect ssl client and server hello.
  tcp-request inspect-delay 5s
  tcp-request content accept if clienthello
  # no timeout on response inspect delay by default.
  tcp-response content accept if serverhello
  stick on payload_lv(43,1) if clienthello
  # Learn on response if server hello.
  stick store-response payload_lv(43,1) if serverhello
  option ssl-hello-chk

  use-server wordpress.com if { req.ssl_sni -i wordpress.com }
  server wordpress.com wordpress.com:443 check

  use-server www.wordpress.com if { req.ssl_sni -i www.wordpress.com }
  server www.wordpress.com www.wordpress.com:443 check

# Application 4 farm description
backend back_ssl_app4
  mode tcp
  balance roundrobin
  # maximum SSL session ID length is 32 bytes.
  stick-table type binary len 32 size 30k expire 30m
  acl clienthello req_ssl_hello_type 1
  acl serverhello rep_ssl_hello_type 2
  # use tcp content accepts to detect ssl client and server hello.
  tcp-request inspect-delay 5s
  tcp-request content accept if clienthello
  # no timeout on response inspect delay by default.
  tcp-response content accept if serverhello
  stick on payload_lv(43,1) if clienthello
  # Learn on response if server hello.
  stick store-response payload_lv(43,1) if serverhello
  option ssl-hello-chk

  use-server api.wordpress.org if { req.ssl_sni -i api.wordpress.org }
  server api.wordpress.org api.wordpress.org:443 check

  use-server downloads.wordpress.org if { req.ssl_sni -i downloads.wordpress.org }
  server downloads.wordpress.org downloads.wordpress.org:443 check

  use-server www.wordpress.org if { req.ssl_sni -i www.wordpress.org }
  server www.wordpress.org www.wordpress.org:443 check



# Sorry backend which should invite the user to update its client
backend bk_ssl_default
  mode tcp
  balance roundrobin
  
  # maximum SSL session ID length is 32 bytes.
  stick-table type binary len 32 size 30k expire 30m
  acl clienthello req_ssl_hello_type 1
  acl serverhello rep_ssl_hello_type 2
  # use tcp content accepts to detect ssl client and server hello.
  tcp-request inspect-delay 5s
  tcp-request content accept if clienthello
  # no timeout on response inspect delay by default.
  tcp-response content accept if serverhello
  stick on payload_lv(43,1) if clienthello
  # Learn on response if server hello.
  stick store-response payload_lv(43,1) if serverhello
  option ssl-hello-chk


listen stats
  bind xx.xx.xx.xx:27199
  mode http
  stats enable
  stats realm Protected\ Area
  stats uri /
  stats auth user:pass2837

frontend front_http
  bind *:80
  mode http
  option httplog
  capture request header Host len 50
  capture request header User-Agent len 150

  acl back_http hdr_end(host) -i example.com
  acl back_http hdr_end(host) -i ip2location.com
  acl back_http hdr_end(host) -i wordpress.com
  acl back_http hdr_end(host) -i wordpress.org
  default_backend back_http

backend back_http
  mode http
  option accept-invalid-http-response

  use-server ip.example.com if { hdr(host) -i ip.example.com }
  server ip.example.com ip.example.com:80 check inter 10s fastinter 2s downinter 2s fall 1800

  use-server www.example.com if { hdr(host) -i www.example.com }
  server www.example.com www.example.com:80 check inter 10s fastinter 2s downinter 2s fall 1800

  use-server ip2location.com if { hdr(host) -i ip2location.com }
  server ip2location.com ip2location.com:80 check inter 10s fastinter 2s downinter 2s fall 1800

  use-server wordpress.org if { hdr(host) -i wordpress.org }
  server wordpress.org wordpress.org:80 check inter 10s fastinter 2s downinter 2s fall 1800

  use-server downloads.wordpress.org if { hdr(host) -i downloads.wordpress.org }
  server downloads.wordpress.org downloads.wordpress.org:80 check inter 10s fastinter 2s downinter 2s fall 1800

  use-server api.wordpress.org if { hdr(host) -i api.wordpress.org }
  server api.wordpress.org api.wordpress.org:80 check inter 10s fastinter 2s downinter 2s fall 1800


backend b_deadend_http
  mode http
  option accept-invalid-http-response
  option http-server-close

backend b_deadend_https
  mode tcp


Any reply is appreciated.
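The posted frontend and backends work entirely on bytes of the TLS ClientHello: `req_ssl_hello_type` reads the handshake message type, `req_ssl_sni` reads the server_name extension, and `payload_lv(43,1)` reads the legacy session ID that the stick tables key on. The following script is an added example, not code from the original post or from the HAProxy project. It builds a constructed ClientHello (the host names, session ID bytes and cipher suite are test values), parses those three fields the way HAProxy's fetches do, and applies the frontend's `req_ssl_sni -m end` ACLs in order to pick a backend name from the config above. The `SNI_ROUTES` table, `build_client_hello`, `parse_client_hello` and `choose_backend` are names chosen here, not HAProxy APIs.

```python
"""Added example: parse a TLS ClientHello the way the posted HAProxy config does.

Constructed test input only; none of this is HAProxy code.
"""
import struct

# Suffix-match ACLs copied from the posted frontend, in evaluation order.
SNI_ROUTES = [
    ("example.com", "back_ssl_app1"),
    ("ip2location.com", "back_ssl_app2"),
    ("wordpress.com", "back_ssl_app3"),
    ("wordpress.org", "back_ssl_app4"),
]
DEFAULT_BACKEND = "bk_ssl_default"


def build_client_hello(server_name: str, session_id: bytes = b"", alpn=()) -> bytes:
    """Build a minimal ClientHello record (constructed input, not a real capture)."""
    exts = b""
    if server_name:
        host = server_name.encode()
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        body = struct.pack("!H", len(entry)) + entry            # server_name_list
        exts += struct.pack("!HH", 0x0000, len(body)) + body    # extension type 0 = server_name
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        body = struct.pack("!H", len(protos)) + protos
        exts += struct.pack("!HH", 0x0010, len(body)) + body    # extension type 16 = ALPN
    hello = (
        b"\x03\x03"                                  # client_version (TLS 1.3 keeps this legacy value)
        + b"\x11" * 32                               # random: fixed bytes, constructed
        + bytes([len(session_id)]) + session_id      # legacy session_id; length byte lands at offset 43
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                                # compression methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(rec: bytes) -> dict:
    """Return hello_type, session_id and sni from one TLS record, or raise ValueError."""
    if len(rec) < 5 or rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", rec[3:5])[0]
    if len(rec) < 5 + rec_len:
        # HAProxy keeps waiting (up to tcp-request inspect-delay) until the record is complete
        raise ValueError("incomplete record: need %d bytes, have %d" % (5 + rec_len, len(rec)))
    hello_type = rec[5]                                # what req_ssl_hello_type returns
    out = {"hello_type": hello_type, "session_id": b"", "sni": None}
    if hello_type != 1:
        return out
    # offset 43 = 5 (record hdr) + 4 (handshake hdr) + 2 (version) + 32 (random): payload_lv(43,1)
    p = 43
    sid_len = rec[p]; p += 1
    out["session_id"] = rec[p:p + sid_len]; p += sid_len
    cs_len = struct.unpack("!H", rec[p:p + 2])[0]; p += 2 + cs_len
    cm_len = rec[p]; p += 1 + cm_len
    if p + 2 > len(rec):
        return out                                     # hello without extensions: no SNI
    ext_len = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4
        data = rec[p:p + elen]; p += elen
        if etype == 0x0000 and len(data) >= 5:         # server_name extension
            q = 2                                      # skip server_name_list length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:                         # host_name entry: what req_ssl_sni returns
                    out["sni"] = data[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    break
                q += 3 + nlen
    return out


def choose_backend(sni) -> str:
    """Apply the frontend's `req_ssl_sni -m end <suffix>` ACLs; first match wins."""
    if sni is None:
        return DEFAULT_BACKEND                         # no SNI: no use_backend rule can match
    for suffix, backend in SNI_ROUTES:
        if sni.endswith(suffix):                       # case-sensitive: the posted ACLs give no -i
            return backend
    return DEFAULT_BACKEND


if __name__ == "__main__":
    rec = build_client_hello("downloads.wordpress.org", session_id=b"\xaa" * 32, alpn=("h2", "http/1.1"))
    info = parse_client_hello(rec)
    print(info, "->", choose_backend(info["sni"]))
    try:
        parse_client_hello(rec[:20])
    except ValueError as e:
        print("truncated hello:", e)
```

Two things the script makes concrete about the posted config. First, the ALPN extension that the PHP curl trace shows (`ALPN: offers h2`) is just another extension: it does not move the session-ID length byte at offset 43 and does not change what `req_ssl_sni` returns, so the SNI switching treats both clients the same way and the handshake failure has to be looked for elsewhere. Second, `-m end wordpress.com` is a plain suffix match, so a name such as `notwordpress.com` would also be routed to `back_ssl_app3`; matching on `-m end .wordpress.com` plus an exact `-m str wordpress.com` anchors the ACL on a label boundary.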

Maybe you should really look for a proxy like Squid.

Squid, tinyproxy, etc. There are lots of good forward proxying products. HAProxy is not one of them. HAProxy is a reverse proxy, and while some functionality is there, it's unnecessarily hard, by design.