Use HAProxy to pass connectivitycheck.gstatic.com

Hello,

TLDR below!

So I bought a Lenovo Smart Clock, and I did the experiment as described here.

Everything is working as expected, except one little big detail.
I managed to install custom apps.
As described in the video, as this is a hack, I want to block the internet access on this device.
I have managed to do this by blocking it in my router.

But as it is well known, when android devices cannot reach the internet (when they can’t reach http://connectivitycheck.gstatic.com), they present some weird behaviour.
In this device’s case, it displays the “no internet connection” despite being connected to my wifi and it also creates an open, unencrypted hotspot.
Both annoying and undesirable behaviour.
You can see this well described in the same video, from 38:06.

Cameron also presents a solution: keep it blocked off the internet AND use HAProxy to redirect this ping/keepalive test.

I have a homelab PC that I can use for this.
Through my research, and as I already had Proxmox and Pi-Hole installed, I started by redirecting the DNS in my Pi-Hole (it is my local DNS Server) to a simple HTTP server, to try to answer the 204.
But I got some weird behavior, captive portal like, whenever every device tried to connect to wifi.
And it didn’t solve my problem.

I installed a CentOS VM in Proxmox, so I installed HAProxy and created the configuration file as you can see in the video, at 44:36.
You can clearly see the text file.
I copied and pasted and it still doesn’t work.

In /etc/haproxy/haproxy.cfg this is what I inserted:

global
    daemon
    maxconn 1024

defaults
    log global
    mode tcp
    timeout connect 5s
    timeout client 10s
    timeout server 10s

frontend nonssl
    bind *:80
    option tcplog
    mode tcp
    default_backend nonssl

backend nonssl
    mode tcp
    balance roundrobin
    server connectivitycheck connectivitycheck.gstatic.com:80 check

frontend ssl
    bind *:443
    option tcplog
    mode tcp
    default_backend ssl

backend ssl
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server connectivitycheck connectivitycheck.gstatic.com:443 check

I am sorry, it lost the indentation but I don’t know how to put it.

To sum it up:
- I have some intermediate network knowledge.
- I am completely comfortable installing VMs, LXCs, docker containers, installing software, etc, you name it. From a resource point of view, I would prefer the solution in LXC or docker, with the VM as the last option.
- I am a complete newbie in HAProxy and the concept of proxies in general, but I am willing to read, learn and test things out. I acknowledge there are some basic concepts of HAProxy I don’t know, but I don’t know where to start.
- I want the device to have LAN access, NO internet access and to be fooled into thinking it has internet access.

What I would really need is some kind of guide or tutorial so I can follow, test and troubleshoot.
And in the way, learn by doing things.

TLDR:
How can I pass http://connectivitycheck.gstatic.com to a device in my LAN without internet access, so it is fooled into thinking it has internet access?

Thank you very much everyone for your help in advance.
Can please SOMEONE HELP ME? :sleepy:

Hello again,

I am sorry to bump this, but 6 days and 70 views, can’t someone help me out?
I am completely lost to where to start, can someone please help?

Thank you.

First thing I’d try is to remove health checks. It makes no sense to health check a single backend server.

To do this, remove the check keyword from the server line and also remove option ssl-hello-chk

Hello and thank you for your answer!
I will try this tomorrow as right now I don’t have access to the systems.

In the meantime, do you think it is feasible for HAProxy to pass the request and the response from connectivitycheck.gstatic.com?

Because I read it might not be possible in the SSL version because it is an encrypted communication.
Is it possible to just pass back and forth the information?

Thank you once again!

You don’t need to decrypt it if all you need is passing it along.

Only if you need to read/write at http layer do you actually need plaintext access.

Well, my server is down at the moment (…)
One more problem to solve…

But what I recall from my setup is this:

192.168.10.200 CentOS instance running HAProxy - fixed IP
192.168.10.91 Pi-Hole, Local DNS server - fixed IP
192.168.10.235 Lenovo Smart Clock - fixed IP
192.168.10.249 Internet router and DHCP provider (when applicable)

The HAProxy service is running, I think the command I issued was systemctl status haproxy or something.
It was green and running.
When I change the config, I stop and start the service, or whenever I am frustrated, I reboot the CentOS to make sure the new config is applied.

In my Pi-Hole instance, in DNS server, I assigned connectivitycheck.gstatic.com to 192.168.10.200.
So when I ping connectivitycheck.gstatic.com from a node in the network (for example another PC), I get ping to 192.168.10.200 so I guess it is OK.

I installed WebMin in my CentOS, and when I open the browser in the clock, and open
https://connectivitycheck.gstatic.com:10000
I get the WebMin landing page, so the DNS resolution is working for the clock.

Question 1:
From what I understood from the video, this is the way I should do it: “fool” the clock with DNS to think the google server is in fact my CentOS HAProxy machine, right?
It should work this way?
Or have I misunderstood and it is meant to be done another way I didn’t understand?

I edited the HAProxy config file (in /etc/haproxy/haproxy.cfg) as you told me; right now it is:

global
    daemon
    maxconn 1024

defaults
    log global
    mode tcp
    timeout connect 5s
    timeout client 10s
    timeout server 10s

frontend nonssl
    bind *:80
    option tcplog
    mode tcp
    default_backend nonssl

backend nonssl
    mode tcp
    balance roundrobin
    server connectivitycheck connectivitycheck.gstatic.com:80

frontend ssl
    bind *:443
    option tcplog
    mode tcp
    default_backend ssl

backend ssl
    mode tcp
    balance roundrobin
    server connectivitycheck connectivitycheck.gstatic.com:443

Question 2:
Is this now the way you told me?

Question 3:
Is the indentation important?
Because in this editor I can’t keep indentation so you can’t say anything on that.

At the moment, the setup isn’t working as intended.

Question 4:
Tips on how to check the logs to see if the clock is accessing/using the proxy?

Question 5:
Any other tips to help troubleshooting?

Question 6:
Should I keep default gateway for the clock, or should it be empty?

Thank you once again for your help, I am lost right now…

Hello @lukastribus can you please check on my questions? :upside_down_face:

Right, however the centos haproxy needs to be able to look up the actual IP address of the Google server, otherwise it will point to itself and it will never work.

So make a ping from the haproxy centos machine to connectivitycheck.gstatic.com and make sure it goes to Google, not itself.

Yes.

No.

Use haproxy logs:

Use curl -vv both on haproxy centos box (not redirected) and other machines (redirected), check what happens in both situations and also check haproxy logs.

Keep it.

@fmnamado

Can I ask if you could make this work? I got a very similar setup (lenovo smart clock, proxmox server, new to haproxy) and would like to block the clock partly.

With my current setup I let pass the pings to google’s servers, but this is not ideal.
Moreover, it does not work properly because from time to time (or maybe only after reboot) I need to grant unlimited access to the internet once to make the clock work.

If you have a solution for this I would be very grateful if you could share it!

Regards

First of all, I am sorry for just returning to this now, unfortunately I have bigger problems related to the server itself to solve, before this.
But thanks to @dierochade post, I came back.

OMG I had to google to find out how to quote :sleepy:
I am getting old for this s… :laughing:

This error of mine is stupid… how didn’t I remember this?
Before changing anything because of your suggestion:

[root@connectivitycheck ~]# ping connectivitycheck.gstatic.com
PING connectivitycheck.gstatic.com (192.168.10.200) 56(84) bytes of data.

Of course it is wrong…
As my IP is given by DHCP, I had to google how to change the DNS just for the CentOS machine.
I found this site

TLDR

nano /etc/sysconfig/network-scripts/ifcfg-eth0

add

DNS1=1.1.1.1
DNS2=1.0.0.1
PEERDNS=no

reboot and try again

[root@localhost ~]# ping connectivitycheck.gstatic.com
PING connectivitycheck.gstatic.com (142.250.184.3) 56(84) bytes of data.
64 bytes from mad41s10-in-f3.1e100.net (142.250.184.3): icmp_seq=1 ttl=59 time=24.9 ms

Now it is working, thank you for highlighting this obvious mistake…

After this step, when I have local access to the clock (right now I don’t) I will try to continue the process.
Thank you once again!

Can you please give an example? I am not understanding the idea/usage.

Hello and thank you for your post, it revived the thread and the action needed.
But as I just posted above, @lukastribus has just helped me pass this step where I was stuck, so ATM it is not working.

I will update the thread when I revive the subject locally.

Use:

curl -vv "http://connectivitycheck.gstatic.com/generate_204"

on:

a) the haproxy box (not affected by DNS redirect)
b) other machines (affected by DNS redirect)

This way you see what happens in all perspectives.
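A scripted form of that check, added here as an example (it is not code from the thread, from HAProxy or from Google): `probe()` sends the same GET /generate_204 the clock sends, with the real Host header, to whatever IP you give it (for the setup above, 192.168.10.200 from a redirected host, and the Google address from the HAProxy box) and reports whether the reply is the empty 204 the check expects. The two handlers are constructed stand-ins so it runs offline: one answers like the real endpoint, the other like a generic web server, which is why a plain HTTP server on the LAN reads as a captive portal.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_HOST = "connectivitycheck.gstatic.com"  # name the clock looks up
PROBE_PATH = "/generate_204"


def probe(ip, port=80, timeout=5):
    """Mimic the Android check: GET /generate_204 at `ip` with the real Host
    header. 'online' only for an empty 204; any other answer is 'captive'
    (what a plain web page produces); no answer at all is 'unreachable'."""
    try:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        conn.request("GET", PROBE_PATH, headers={"Host": PROBE_HOST})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
    except (OSError, http.client.HTTPException):
        return "unreachable"
    return "online" if resp.status == 204 and not body else "captive"


class Generate204Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for the real endpoint: 204, no body, on /generate_204."""
    def do_GET(self):
        self.send_response(204 if self.path == PROBE_PATH else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


class PlainPageHandler(Generate204Handler):
    """Constructed stand-in for a generic web server (200 plus a page), which
    the check reads as a captive portal: the symptom of the first attempt."""
    def do_GET(self):
        page = b"<html><body>index</body></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)


def start_responder(handler):
    """Serve `handler` on 127.0.0.1 on a free port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Run probe() from the clock's side of the DNS redirect and from the HAProxy box itself; if the box reports "online" and a redirected host does not, the problem is between the redirect and the proxy, not at Google.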