I am trying to use HAProxy as forward Proxy. It works well in case of HTTP but not working for HTTPS.
Below is my HAProxy config for HTTP
listen forward_http_proxy
bind *:80
http-request do-resolve(txn.dstip,mydns) hdr(Host),lower
http-request set-dst var(txn.dstip)
server proxy_server *
Using above config I get correct results as below
> requests.get("http://api.ipify.org?format=json", proxies={'http': 'http://myproxy.server:80'}).text
> '{"ip":"15.12.XX.XX"}'
My HTTPS config is as below
listen forward_https_proxy
bind *:5248 ssl crt /etc/ssl/my.domain.combined.pem
http-request do-resolve(txn.dstip,mydns) hdr(Host),lower
http-request set-dst var(txn.dstip)
http-request set-dst-port hdr(x-port)
server proxy_https_server * ssl verify none
Now when I try for HTTPS as below, it gives me error
> requests.get("https://api.ipify.org?format=json", proxies={'http': 'https://myproxy.server:5248'}, verify=False).text
HAProxy Error Log >> Jul 9 17:56:40 ip-12-2-XX-XXX haproxy[3996]: XXX.XX.XXX.XX:26306 [09/Jul/2021:17:56:40.345] forward_https_proxy/1: SSL handshake failure
cURL output is below
> curl -X GET https://api.ipify.org --proxy https://myproxy.server:5248 --verbose
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying XX.X.X.XX:5248...
* TCP_NODELAY set
* Connected to myproxy.server (XX.X.X.XX) port 5248 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Proxy certificate:
* subject: OU=Domain Control Validated; CN=*.myproxy.server
* start date: Jun 7 07:00:34 2021 GMT
* expire date: Jul 7 10:24:05 2022 GMT
* subjectAltName: host "myproxy.server" matched cert's "*.myproxy.server"
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
* SSL certificate verify ok.
* allocate connect buffer!
* Establish HTTP proxy tunnel to api.ipify.org:443
> CONNECT api.ipify.org:443 HTTP/1.1
> Host: api.ipify.org:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
After the last line it just keep waiting and nothing happens.
output of haproxy -vv is as below
HA-Proxy version 2.2.14-1ppa1~focal 2021/04/29 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2025.
Known bugs: http://www.haproxy.org/bugs/bugs-2.2.14.html
Running on: Linux 5.8.0-1038-aws #40~20.04.1-Ubuntu SMP Thu Jun 17 13:25:28 UTC 2021 x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-3dgaC8/haproxy-2.2.14=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1
DEBUG =
Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020
Running on OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.34 2019-11-21
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 9.3.0
Built with the Prometheus exporter as a service
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
fcgi : mode=HTTP side=BE mux=FCGI
<default> : mode=HTTP side=FE|BE mux=H1
h2 : mode=HTTP side=FE|BE mux=H2
<default> : mode=TCP side=FE|BE mux=PASS
Available services : prometheus-exporter
Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
[CACHE] cache
[FCGI] fcgi-app
I have already gone through this post and more other post, but it didn't worked.
I am doing this, because I don't want to manage Squid and HAProxy both.
Please let me know if I am doing something wrong, or HAProxy is not meant for what I am trying to achieve.
UPDATE: I'll be changing my approach to solve this problem. reference HAProxy Issue reply
