Hello
We are trying to use HAProxy to bypass government restrictions; they have even blocked wp.com!
I have tried different config files, but each one had some problems.
We want to use the same server (dnsmasq) to pass requests to HAProxy and get the result.
HAProxy is powerful enough to handle any config, but unfortunately its documentation is not clear.
We use the config below. Everything works, except when using PHP curl.
wget:
[root@server ~]# wget http://downloads.wordpress.org/plugin/akismet.5.0.1.zip
--2022-10-13 17:55:07-- http://downloads.wordpress.org/plugin/akismet.5.0.1.zip
Resolving downloads.wordpress.org (downloads.wordpress.org)... xx.xx.xx.xx
Connecting to downloads.wordpress.org (downloads.wordpress.org)|xx.xx.xx.xx|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://downloads.wordpress.org/plugin/akismet.5.0.1.zip [following]
--2022-10-13 17:55:07-- https://downloads.wordpress.org/plugin/akismet.5.0.1.zip
Connecting to downloads.wordpress.org (downloads.wordpress.org)|xx.xx.xx.xx|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84680 (83K) [application/octet-stream]
Saving to: ‘akismet.5.0.1.zip’
100%[==================================================================================================>] 84,680 250KB/s in 0.3s
2022-10-13 17:55:08 (250 KB/s) - ‘akismet.5.0.1.zip’ saved [84680/84680]
curl (ssh):
[root@server ~]# curl -o akisment.zip -vv https://downloads.wordpress.org/plugin/akismet.5.0.1.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to downloads.wordpress.org port 443 (#0)
* Trying xx.xx.xx.xx...
* Connected to downloads.wordpress.org (xx.xx.xx.xx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.wordpress.org
* start date: Nov 24 00:00:00 2021 GMT
* expire date: Dec 25 23:59:59 2022 GMT
* common name: *.wordpress.org
* issuer: CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0> GET /plugin/akismet.5.0.1.zip HTTP/1.1
> User-Agent: curl/7.29.0
> Host: downloads.wordpress.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 13 Oct 2022 21:59:45 GMT
< Content-Type: application/octet-stream
< Content-Length: 84680
< Connection: keep-alive
< Content-Disposition: attachment; filename=akismet.5.0.1.zip
< Last-Modified: Wed, 28 Sep 2022 15:27:30 GMT
< X-Frame-Options: SAMEORIGIN
< X-nc: HIT ord 8
< Accept-Ranges: bytes
<
{ [data not shown]
100 84680 100 84680 0 0 66946 0 0:00:01 0:00:01 --:--:-- 66993
* Connection #0 to host downloads.wordpress.org left intact
[root@server ~]# ls -lh *.zip
-rw-r--r-- 1 root root 83K Oct 13 17:59 akisment.zip
-rw-r--r-- 1 root root 83K Sep 28 11:27 akismet.5.0.1.zip
-rw-r--r-- 1 root root 2.1M Jun 3 2021 dev.zip
-rw-r--r-- 1 root root 22M Aug 30 13:41 latest.zip
curl php:
* Trying xx.xx.xx.xx:443...
* Connected to downloads.wordpress.org (xx.xx.xx.xx) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to downloads.wordpress.org:443
* Closing connection 0
# Timeouts inherited by every frontend/backend below; tune them for your links.
defaults
    # upper bound on establishing the TCP connection to an upstream
    timeout connect 5s
    # idle limits on the client side and the server side of a session
    timeout client  30s
    timeout server  30s
# Single TLS entry point. Nothing is terminated here: the backend is picked
# from the SNI in the ClientHello and the raw TLS stream is passed through.
frontend ft_ssl_vip
    mode tcp
    # NOTE(review): "*" listens on every interface, so any host that can reach
    # :443 on this machine can use the relay. If only the dnsmasq clients are
    # meant to use it, bind to that address or add a src-based
    # "tcp-request connection reject" rule.
    bind *:443
    # Hold the connection for up to 5s until a ClientHello (handshake type 1)
    # has arrived, otherwise req_ssl_sni has nothing to read.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # "-m end" is a plain suffix match: it also accepts any name that merely
    # ends in the string, not only the apex domain and its subdomains.
    use_backend back_ssl_app1 if { req_ssl_sni -m end example.com }
    use_backend back_ssl_app2 if { req_ssl_sni -m end ip2location.com }
    use_backend back_ssl_app3 if { req_ssl_sni -m end wordpress.com }
    use_backend back_ssl_app4 if { req_ssl_sni -m end wordpress.org }
    # No back_ssl_app5 / back_ssl_app6 backend appears in this config, so
    # these two rules stay disabled.
    # use_backend back_ssl_app5 if { req_ssl_sni -m end wpmudev.org }
    # use_backend back_ssl_app6 if { req_ssl_sni -m end wpmudev.com }
    # Everything else goes to a backend that defines no servers.
    default_backend bk_ssl_default
# Application 1 farm: TLS passthrough to the example.com hosts, pinned by SNI.
backend back_ssl_app1
    mode tcp
    balance roundrobin
    # Persistence keyed on the TLS session ID (at most 32 bytes) so a resumed
    # session lands on the server that issued it.
    stick-table type binary len 32 size 30k expire 30m
    # Wait up to 5s for a ClientHello (handshake type 1) before forwarding.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Response side: inspect until a ServerHello (type 2) is seen. No response
    # inspect-delay is set, so the default applies.
    tcp-response content accept if { rep_ssl_hello_type 2 }
    # Offset 43 of a ClientHello/ServerHello holds the session ID length byte;
    # payload_lv(43,1) reads the ID that follows it.
    stick on payload_lv(43,1) if { req_ssl_hello_type 1 }
    stick store-response payload_lv(43,1) if { rep_ssl_hello_type 2 }
    # Health checks send an SSLv3-style client hello. NOTE(review): a server
    # that refuses such hellos fails the check and is marked DOWN — confirm on
    # the stats page.
    option ssl-hello-chk
    # Exact-SNI pinning. A name that reached this backend via the suffix match
    # but hits none of these rules is balanced across all servers below.
    use-server ip.example.com  if { req.ssl_sni -i ip.example.com }
    server     ip.example.com  ip.example.com:443  check
    use-server www.example.com if { req.ssl_sni -i www.example.com }
    server     www.example.com www.example.com:443 check
# Application 2 farm: TLS passthrough to the ip2location.com hosts, pinned by SNI.
backend back_ssl_app2
    mode tcp
    balance roundrobin
    # Persistence keyed on the TLS session ID (at most 32 bytes) so a resumed
    # session lands on the server that issued it.
    stick-table type binary len 32 size 30k expire 30m
    # Wait up to 5s for a ClientHello (handshake type 1) before forwarding.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Response side: inspect until a ServerHello (type 2) is seen. No response
    # inspect-delay is set, so the default applies.
    tcp-response content accept if { rep_ssl_hello_type 2 }
    # Offset 43 of a ClientHello/ServerHello holds the session ID length byte;
    # payload_lv(43,1) reads the ID that follows it.
    stick on payload_lv(43,1) if { req_ssl_hello_type 1 }
    stick store-response payload_lv(43,1) if { rep_ssl_hello_type 2 }
    # Health checks send an SSLv3-style client hello. NOTE(review): a server
    # that refuses such hellos fails the check and is marked DOWN — confirm on
    # the stats page.
    option ssl-hello-chk
    # Exact-SNI pinning. A name that reached this backend via the suffix match
    # but hits none of these rules is balanced across all servers below.
    use-server ip2location.com     if { req.ssl_sni -i ip2location.com }
    server     ip2location.com     ip2location.com:443     check
    use-server www.ip2location.com if { req.ssl_sni -i www.ip2location.com }
    server     www.ip2location.com www.ip2location.com:443 check
# Application 3 farm: TLS passthrough to the wordpress.com hosts, pinned by SNI.
backend back_ssl_app3
    mode tcp
    balance roundrobin
    # Persistence keyed on the TLS session ID (at most 32 bytes) so a resumed
    # session lands on the server that issued it.
    stick-table type binary len 32 size 30k expire 30m
    # Wait up to 5s for a ClientHello (handshake type 1) before forwarding.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Response side: inspect until a ServerHello (type 2) is seen. No response
    # inspect-delay is set, so the default applies.
    tcp-response content accept if { rep_ssl_hello_type 2 }
    # Offset 43 of a ClientHello/ServerHello holds the session ID length byte;
    # payload_lv(43,1) reads the ID that follows it.
    stick on payload_lv(43,1) if { req_ssl_hello_type 1 }
    stick store-response payload_lv(43,1) if { rep_ssl_hello_type 2 }
    # Health checks send an SSLv3-style client hello. NOTE(review): a server
    # that refuses such hellos fails the check and is marked DOWN — confirm on
    # the stats page.
    option ssl-hello-chk
    # Exact-SNI pinning. A name that reached this backend via the suffix match
    # but hits none of these rules is balanced across all servers below.
    use-server wordpress.com     if { req.ssl_sni -i wordpress.com }
    server     wordpress.com     wordpress.com:443     check
    use-server www.wordpress.com if { req.ssl_sni -i www.wordpress.com }
    server     www.wordpress.com www.wordpress.com:443 check
# Application 4 farm: TLS passthrough to the wordpress.org hosts, pinned by SNI.
backend back_ssl_app4
    mode tcp
    balance roundrobin
    # Persistence keyed on the TLS session ID (at most 32 bytes) so a resumed
    # session lands on the server that issued it.
    stick-table type binary len 32 size 30k expire 30m
    # Wait up to 5s for a ClientHello (handshake type 1) before forwarding.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Response side: inspect until a ServerHello (type 2) is seen. No response
    # inspect-delay is set, so the default applies.
    tcp-response content accept if { rep_ssl_hello_type 2 }
    # Offset 43 of a ClientHello/ServerHello holds the session ID length byte;
    # payload_lv(43,1) reads the ID that follows it.
    stick on payload_lv(43,1) if { req_ssl_hello_type 1 }
    stick store-response payload_lv(43,1) if { rep_ssl_hello_type 2 }
    # Health checks send an SSLv3-style client hello. NOTE(review): a server
    # that refuses such hellos fails the check and is marked DOWN — confirm on
    # the stats page.
    option ssl-hello-chk
    # Exact-SNI pinning. A name that reached this backend via the suffix match
    # but hits none of these rules is balanced across all servers below.
    use-server api.wordpress.org       if { req.ssl_sni -i api.wordpress.org }
    server     api.wordpress.org       api.wordpress.org:443       check
    use-server downloads.wordpress.org if { req.ssl_sni -i downloads.wordpress.org }
    server     downloads.wordpress.org downloads.wordpress.org:443 check
    use-server www.wordpress.org       if { req.ssl_sni -i www.wordpress.org }
    server     www.wordpress.org       www.wordpress.org:443       check
# Catch-all for SNI names that matched no routing rule. No server is defined,
# so such connections cannot be forwarded; the "sorry page" this section was
# presumably meant to serve is not implemented here.
backend bk_ssl_default
    mode tcp
    balance roundrobin
    # The persistence and hello-inspection lines below mirror the app farms;
    # with no servers they have nothing to act on.
    stick-table type binary len 32 size 30k expire 30m
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    tcp-response content accept if { rep_ssl_hello_type 2 }
    # Offset 43 of a ClientHello/ServerHello holds the session ID length byte.
    stick on payload_lv(43,1) if { req_ssl_hello_type 1 }
    stick store-response payload_lv(43,1) if { rep_ssl_hello_type 2 }
    option ssl-hello-chk
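# Statistics page. NOTE(review): the password originally on the "stats auth"
# line has been published together with this config and must be treated as
# compromised — set a fresh one (placeholder below) and keep this listener on
# a management address, not on one reachable by the relay's clients.
listen stats
    bind xx.xx.xx.xx:27199
    mode http
    stats enable
    # Do not disclose the HAProxy version to unauthenticated visitors.
    stats hide-version
    stats realm Protected\ Area
    stats uri /
    stats auth user:REPLACE_WITH_NEW_PASSWORD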
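# Plain-HTTP entry point. Requests whose Host matches one of the served
# domains go to back_http; every other Host ends in b_deadend_http.
frontend front_http
    bind *:80
    mode http
    option httplog
    # Record Host and User-Agent in the access log so routing can be audited.
    capture request header Host len 50
    capture request header User-Agent len 150
    # Case-insensitive suffix match on Host; acl lines sharing a name are OR'ed.
    # A Host carrying an explicit port (host:port) will not match.
    acl back_http hdr_end(host) -i example.com
    acl back_http hdr_end(host) -i ip2location.com
    acl back_http hdr_end(host) -i wordpress.com
    acl back_http hdr_end(host) -i wordpress.org
    # The acl was previously defined but never referenced, so every request
    # (any Host at all) was relayed to back_http. Only matching Hosts are
    # relayed now; the rest get the server-less dead end (503).
    use_backend back_http if back_http
    default_backend b_deadend_http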
# HTTP farm: one upstream per hostname, chosen from the Host header.
backend back_http
    mode http
    # Pass through upstream responses that would otherwise be rejected as
    # malformed.
    option accept-invalid-http-response
    # Shared health-check tuning: probe every 10s (2s while transitioning or
    # down) and only mark a server DOWN after 1800 consecutive failures.
    default-server inter 10s fastinter 2s downinter 2s fall 1800
    # A Host that hits none of these rules is balanced across all servers.
    use-server ip.example.com          if { hdr(host) -i ip.example.com }
    server     ip.example.com          ip.example.com:80          check
    use-server www.example.com         if { hdr(host) -i www.example.com }
    server     www.example.com         www.example.com:80         check
    use-server ip2location.com         if { hdr(host) -i ip2location.com }
    server     ip2location.com         ip2location.com:80         check
    use-server wordpress.org           if { hdr(host) -i wordpress.org }
    server     wordpress.org           wordpress.org:80           check
    use-server downloads.wordpress.org if { hdr(host) -i downloads.wordpress.org }
    server     downloads.wordpress.org downloads.wordpress.org:80 check
    use-server api.wordpress.org       if { hdr(host) -i api.wordpress.org }
    server     api.wordpress.org       api.wordpress.org:80       check
# HTTP dead end: no servers are defined, so anything routed here gets a 503.
backend b_deadend_http
    mode http
    # Close the server-side connection after each response.
    option http-server-close
    option accept-invalid-http-response
backend b_deadend_https
mode tcp