10
votes

I need to integrate several web applications, on-premise and off-site, under a common internally hosted URL. The on-premise applications are in the same data center as the haproxy, but the off-site applications can only be reached via an HTTP proxy because the server on which haproxy is running has no direct Internet access. Therefore I have to use an HTTP Internet proxy; SOCKS might be an option too.

How can I tell haproxy that a backend can only be reached via a proxy? I would rather not use an additional component like socksify / proxifier / proxychains / tsocks / ... because this introduces additional overhead.

This picture shows the components involved in the setup: haproxy setup with proxy

When I run this on a machine with direct Internet connection I can use this config and it works just fine:

frontend  main
    bind *:8000
    acl is_extweb1 path_beg -i /policies
    acl is_extweb2 path_beg -i /produkte

    use_backend externalweb1 if is_extweb1
    use_backend externalweb2 if is_extweb2

backend externalweb1
    server static www.google.com:80 check

backend externalweb2
    server static www.gmx.net:80 check

(Obviously these are not the URLs I am talking to, this is just an example)

Haproxy is able to check the external applications and routes traffic to them:

HAproxy stats page

In the safe environment of the company I work at, I have to use a proxy, and haproxy is unable to connect to the external applications. How can I enable haproxy to use those external web application servers behind an HTTP proxy (no authentication needed) while providing access to them through a common HTTP page / via browser?

2 Answers

4
votes

How about using delegate ( http://delegate.org/documents/ ) for this? Just an idea.

haproxy -> delegate -f -vv -P127.0.0.1:8081 PROXY=<your-proxy>

http://delegate9.org/delegate/Manual.shtml?PROXY

I know it's not that elegant but it could work.

I have tested this setup with a local squid and this curl call:

echo 'GET http://www.php.net/' | curl -v telnet://127.0.0.1:8081

The curl call simulates the haproxy TCP call.
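The curl test above sends the full URL in the request line, which is the form an HTTP forward proxy expects, whereas a reverse proxy such as haproxy sends only the path plus a Host header to its backends. As an added example (not part of the original answer), this Python function shows the rewrite an intermediate component has to perform, with an allowlist so it cannot be used to reach arbitrary hosts; `to_absolute_form`, `ALLOWED_HOSTS` and the sample request are hypothetical.

```python
# Added example, not code from the original posts. Names are hypothetical.
ALLOWED_HOSTS = {"www.example.com"}  # constructed allowlist of off-site backends


def to_absolute_form(raw: bytes, allowed_hosts=ALLOWED_HOSTS, scheme: str = "http") -> bytes:
    """Rewrite 'GET /path' + Host header into 'GET http://host/path' for a forward proxy."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    # Only origin-form targets are rewritten; anything else is rejected so a
    # client cannot pick the destination through the request line.
    if not target.startswith(b"/"):
        raise ValueError("request target must be origin-form")
    hosts = [l.split(b":", 1)[1].strip() for l in lines[1:]
             if l.lower().startswith(b"host:")]
    # Duplicate or missing Host headers make the destination ambiguous.
    if len(hosts) != 1:
        raise ValueError("exactly one Host header is required")
    host = hosts[0].decode("ascii").lower()
    hostname = host.rsplit(":", 1)[0]  # drop an optional :port
    # Without this check the shim would relay to any host the client names.
    if hostname not in allowed_hosts:
        raise PermissionError(f"host not allowed: {hostname}")
    request_line = b" ".join([method, f"{scheme}://{host}".encode() + target, version])
    return b"\r\n".join([request_line] + lines[1:]) + sep + body


if __name__ == "__main__":
    # Constructed sample: what a reverse proxy would send to its backend.
    sample = b"GET /policies HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n"
    print(to_absolute_form(sample).decode())
```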

3
votes

I was intrigued to make it work, but I really could not find anything in the haproxy documentation. So I googled a bit and found that nginx might do the trick, but it didn't for me. After a bit more googling I ended up finding a configuration for Apache that works.

Here is the important part:

Listen 80

SSLProxyEngine on

ProxyPass /example/ https://www.example.com/
ProxyPassReverse /example/ https://www.example.com/
ProxyRemote https://www.example.com/ http://corporateproxy:port

ProxyPass /google/ https://www.google.com/
ProxyPassReverse /google/ https://www.google.com/
ProxyRemote https://www.google.com/ http://corporateproxy:port

I'm quite sure there should be a way to translate this configuration to nginx and even to haproxy... If I manage to find the time I will update the answer with my findings.

For Apache to work you should also enable a few modules. I put up a GitHub repository with a basic Docker configuration that showcases this; feel free to have a look at it to see the full working configuration.