HAProxy Transparent Proxy

0-readme.md

Example

GET http://127.0.0.1:3128/todos/2 (Host: jsonplaceholder.typicode.com) <-(http)-> haproxy <-(https)-> GET https://jsonplaceholder.typicode.com/todos/2

transparent-proxy.cfg

global
  debug
  log stdout local0  debug

defaults
  mode http
  option httplog
  log global
  timeout connect 5000ms
  timeout client 50000ms
  timeout server 50000ms

resolvers mydns
  nameserver local 127.0.0.11:53
  nameserver google 8.8.8.8:53
  timeout retry 1s
  hold valid 10s
  hold nx 3s
  hold other 3s
  hold obsolete 0s
  accepted_payload_size 8192

frontend fe
  bind :::3128 v4v6

  http-request do-resolve(txn.myip,mydns,ipv4) hdr(Host),lower
  http-request capture var(txn.myip) len 40

  # return 503 when the variable is not set,
  # which mean DNS resolution error
  use_backend b_503 unless { var(txn.myip) -m found }

  default_backend be

backend b_503
  # dummy backend used to return 503.
  # one can use the errorfile directive to send a nice
  # 503 error page to end users

backend be
  # rule to prevent HAProxy from reconnecting to services
  # on the local network (forged DNS name used to scan the network)
  http-request deny if { var(txn.myip) -m ip 127.0.0.0/8 10.0.0.0/8 }

  # Set destination and port explictly for HTTPS
  http-request set-dst var(txn.myip)

  # Include SNI of the original host head for SSL verification
  server clear 0.0.0.0:443 weight 1 maxconn 8192 ssl sni hdr(Host),lower verify none

Debug output:

00002069:be.srvcls[0014:0012]
fd[0012] OpenSSL error[0x1408f10b] ssl3_get_record: wrong version number
fd[0012] OpenSSL error[0x140e0197] SSL_shutdown: shutdown while in init
00002069:be.clicls[0014:0012]
00002069:be.closed[0014:0012]