
I have a smart-DNS setup, using dnsmasq as the DNS server, which always resolves to my server IP address for a given list of domains.

I want to configure either a webserver or proxy program to listen on ports 80 and 443 on my server, which then forwards all the web requests to an external proxy server (squid) as proxy requests.

Would it be possible to do this, using programs like nginx, HAProxy, squid, etc., for both HTTP and HTTPS traffic, without SSL termination on the server?

So far, none of the configs I have tested worked. HAProxy config:

frontend https_front
    bind *:443
    mode tcp
    default_backend squid_backend_https

backend squid_backend_https
    mode tcp
    server squid_proxy 111.22.32.11:3323

Nginx config:

stream {
    upstream ssl_backend {
        server 111.22.32.11:3323;
    }

    server {
        listen 443;
        proxy_protocol on;
        tcp_nodelay on;
        proxy_pass ssl_backend;
        ssl_preread on;
        proxy_ssl_protocols TLSv1 TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers 'HIGH:!aNULL:!MD5';
        proxy_ssl on;
        proxy_ssl_server_name on;
        #proxy_next_upstream on;
        proxy_ssl_verify off;
    }
}

I presume that the backend program listening on 80 and 443 should effectively forward the HTTP/HTTPS web request, as a proxy request, to the external proxy server (squid).

Firstly, is it theoretically possible to achieve this using just HAProxy, squid, nginx, or any similar program?

Any help on how to achieve this would be greatly appreciated. Thanks.

Update 1

The external proxy server is needed to access the required websites. If I add the proxy ip:port manually in the browser, it works fine.

But I have a limitation on some applications where the proxy can't be added. To bypass that issue, I am testing a setup where, for those specific domains, the DNS resolves to my reverse proxy, which then needs to serve the requests through the external proxy server.

The DNS part is working fine. It resolves to my reverse proxy IP for the required domains. I am stuck trying to configure the reverse proxy (not just nginx, open to any other program) to serve the requests through the external proxy.

The reverse proxy does not have access to SSL certs for the domains. The SSL termination is done after the request is forwarded to the external proxy server.

Update 2

I do not have the option to provision certificates for those domains on the reverse proxy.

One way I could think of is configuring the reverse proxy to redirect the HTTPS traffic, along with SNI, to the external proxy, without terminating the SSL on the server.

The only machine I can make any meaningful changes on is the reverse proxy server. The server is running Ubuntu 22.04.

The only change that can be made on the client machines is the DNS server IP (dnsmasq server).

I do not have provision to make any changes to the external proxy (squid).

The external proxy accepts only HTTP-relay and CONNECT proxy connections.

Hope this makes the question a bit clearer.

loxtic

2 Answers


Based on Update 2, the only viable solution is to implement an additional proxy between the client and the existing proxy to prefix the stream from the client side with "CONNECT hostname".

Corkscrew (more traditionally used for tunnelling SSH connections via a web proxy) can do that, but it only talks to stdin/stdout and executes as a single thread. Running it via xinetd solves these constraints, though.

Then you just have the issue of routing the traffic to the corkscrew host. That could be done in iptables or by DNS.

symcbean
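The "prefix the stream with CONNECT hostname" step this answer describes, as an added example that is not part of the answer and not corkscrew: a small Python relay for the Ubuntu 22.04 box that reads the hostname out of the client's TLS ClientHello (the SNI), asks the external squid for a `CONNECT host:443` tunnel, replays the untouched ClientHello into it, and then copies bytes both ways, so TLS is never terminated on the relay. The function names, the 443-only scope and the accept loop you wrap around `handle` are assumptions; the proxy address is the one from the question.

```python
import socket, struct, threading

def parse_sni(data: bytes):
    """SNI host from a TLS ClientHello record, or None. The record is parsed, never decrypted."""
    u16 = lambda p: struct.unpack_from("!H", data, p)[0]
    try:
        if data[0] != 0x16 or data[5] != 0x01:              # handshake record holding a ClientHello
            return None
        pos = 44 + data[43]                                  # skip record/hs headers, version, random, session_id
        pos += 2 + u16(pos)                                  # cipher_suites
        pos += 1 + data[pos]                                 # compression_methods
        end, pos = pos + 2 + u16(pos), pos + 2               # extensions block
        while pos + 4 <= end:
            if u16(pos) == 0:                                # server_name: list_len(2) type(1) len(2) name
                return data[pos + 9:pos + 9 + u16(pos + 7)].decode("ascii")
            pos += 4 + u16(pos + 2)
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def connect_ok(reply: bytes) -> bool:                        # proxy's status line to our CONNECT must be 200
    return reply.startswith(b"HTTP/") and reply.split(b" ", 2)[1:2] == [b"200"]

def tunnel_via_proxy(proxy, host, port=443):                 # ask the upstream CONNECT proxy for a raw tunnel
    up = socket.create_connection(proxy, timeout=10)
    up.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply and (chunk := up.recv(4096)):
        reply += chunk
    if not connect_ok(reply):
        up.close()
        raise ConnectionError(f"CONNECT {host}:{port} refused: {reply[:60]!r}")
    return up

def pipe(src, dst):                                          # one-way byte copy; TLS stays end-to-end
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    dst.close()                                              # EOF on one side tears the tunnel down

def handle(client, proxy):                                   # per-connection: peek SNI, CONNECT, replay, splice
    hello = client.recv(16384)
    host = parse_sni(hello)
    if host is None:                                         # not TLS with SNI: nothing to route on
        return client.close()
    up = tunnel_via_proxy(proxy, host)
    up.sendall(hello)                                        # replay the untouched ClientHello into the tunnel
    threading.Thread(target=pipe, args=(up, client), daemon=True).start()
    pipe(client, up)
```

To run it, accept on `socket.create_server(("", 443))` and hand each connection to `handle(conn, ("111.22.32.11", 3323))` in its own thread; a ClientHello split across several reads is not reassembled here, and plain port-80 traffic would need a separate absolute-URI forwarder.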

With HAProxy this should work:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http-in
    bind *:80
    default_backend your_backend

frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1 # Specify path to your SSL certificates
    default_backend your_backend

backend your_backend
    server backend-server1 192.168.1.10:80  # Replace with the IP and port of your backend server

Nginx: to be able to proxy HTTPS traffic, both sides need an SSL certificate.

server {
    listen 80;
    server_name yourdomain.com;

    location / {
        proxy_pass http://your_backend_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /path/to/your/certificate.crt;
    ssl_certificate_key /path/to/your/private.key;

    location / {
        proxy_pass https://your_backend_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Add this vhost to /etc/nginx/sites-available, create a symlink to it in sites-enabled, and reload nginx.

Turdie