Use haproxy as a reverse proxy with an application behind Internet proxy
Asked Answered
S

2

10

I need to integrate several web applications on-premise and off-site under a common internally hosted URL. The on-premise applications are in the same data center as the haproxy, but the off-site applications can only be reached via a http proxy because the server on which haproxy is running has no direct Internet access. Therefore I have to use a http Internet proxy, SOCKS might be an option too.

How can I tell haproxy that a backend can only be reached via proxy ? I would rather not use an additional component like socksify / proxifier / proxychains / tsocks / ... because this introduces additional overhead.

This picture shows the components involved in the setup: haproxy setup with proxy

When I run this on a machine with direct Internet connection I can use this config and it works just fine:

frontend  main
    bind *:8000
    acl is_extweb1 path_beg -i /policies
    acl is_extweb2 path_beg -i /produkte

    use_backend externalweb1 if is_extweb1
    use_backend externalweb2 if is_extweb2

backend externalweb1
    server static www.google.com:80 check

backend externalweb2
    server static www.gmx.net:80 check

(Obviously these are not the URLs I am talking to, this is just an example)

Haproxy is able to check the external applications and routes traffic to them:

HAproxy stats page

In the safe environment of the company I work at I have to use a proxy and haproxy is unable to connect to the external applications. How can I enable haproxy to use those external web application servers behind a http proxy (no authentication needed) while providing access to them through a common http page / via browser ?

Shuddering answered 2/12, 2017 at 7:47 Comment(0)
A
4

I was intrigued to make it work but i really could not find anything in the haproxy documentation, so i googled a bit and found that nginx might do the trick, but it didn't for me, after a bit more of googleing i ended up finding a configuration for apache that works.

here is the important part:

Listen 80

SSLProxyEngine on

ProxyPass /example/ https://www.example.com/
ProxyPassReverse /example/ https://www.example.com/
ProxyRemote https://www.example.com/ http://corporateproxy:port

ProxyPass /google/ https://www.google.com/
ProxyPassReverse /google/ https://www.google.com/
ProxyRemote https://www.google.com/ http://corporateproxy:port

i'm quite sure there should be a way to translate this configuration to nginx and even to haproxy... if i manage to find the time i will update the answer with my findings.

for apache to work you should also enable a few modules, i put up a github repository with a basic docker configuration that showcases feel free to have a look at that to see the full working configuration.

Antonioantonius answered 15/12, 2017 at 17:18 Comment(0)
H
4

How about to use delegate ( http://delegate.org/documents/ ) for this, just as an idea.

haproxy -> delegate -f -vv -P127.0.0.1:8081 PROXY=<your-proxy>

http://delegate9.org/delegate/Manual.shtml?PROXY

I know it's not that elegant but it could work.

I have tested this setup with a local squid and this curl call

echo 'GET http://www.php.net/' |curl -v telnet://127.0.0.1:8081

The curl call simluates the haproxy tcp call.

Heilman answered 11/12, 2017 at 19:12 Comment(4)
I think this is not quite what I need. I would need to do a curl http(s)://myserver.local/foo and this should internally call a static site like http(s)://www.google.com + the not static part of the url, in this case /foo. In short: this should reverse proxy to http(s)://www.google.com/foo and return that code as if it would have been served by myserver.local itself.Shuddering
This sounds different the the original post. What you know want is a host header rewrite like http-response replace-header Host www\.google\.com myserver\.local Doc: cbonte.github.io/haproxy-dconv/1.8/…Heilman
I think the main point is getting haproxy to use a proxy, the rest is also important but comes laterShuddering
Well then please try the suggested solution, thanks.Heilman
A
4

I was intrigued to make it work but i really could not find anything in the haproxy documentation, so i googled a bit and found that nginx might do the trick, but it didn't for me, after a bit more of googleing i ended up finding a configuration for apache that works.

here is the important part:

Listen 80

SSLProxyEngine on

ProxyPass /example/ https://www.example.com/
ProxyPassReverse /example/ https://www.example.com/
ProxyRemote https://www.example.com/ http://corporateproxy:port

ProxyPass /google/ https://www.google.com/
ProxyPassReverse /google/ https://www.google.com/
ProxyRemote https://www.google.com/ http://corporateproxy:port

i'm quite sure there should be a way to translate this configuration to nginx and even to haproxy... if i manage to find the time i will update the answer with my findings.

for apache to work you should also enable a few modules, i put up a github repository with a basic docker configuration that showcases feel free to have a look at that to see the full working configuration.

Antonioantonius answered 15/12, 2017 at 17:18 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.