
I'm trying to connect to internet services (specifically Facebook API) from an internal application, and for that I have to go through one of two proxies provided by the security team. If I use one of these proxies with CURL then it works OK:

export http_proxy=http://<user>:<pass>@<proxy_ip>:<port>/
export https_proxy=http://<user>:<pass>@<proxy_ip>:<port>/
curl -v -I https://graph.facebook.com/v7.0/me/messages
* About to connect() to proxy <proxy_ip> port <port> (#0)
*   Trying <proxy_ip>...
* Connected to <proxy_ip> (<proxy_ip>) port <port> (#0)
* Establish HTTP proxy tunnel to graph.facebook.com:443
* Proxy auth using Basic with user '<user>'
> CONNECT graph.facebook.com:443 HTTP/1.1
> Host: graph.facebook.com:443
> Proxy-Authorization: Basic <base64>
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
<

* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=*.facebook.com,O="Facebook, Inc.",L=Menlo Park,ST=California,C=US
*       start date: May 14 00:00:00 2020 GMT
*       expire date: Aug 05 12:00:00 2020 GMT
*       common name: *.facebook.com
*       issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> HEAD /v7.0/me/messages HTTP/1.1
> User-Agent: curl/7.29.0
> Host: graph.facebook.com
> Accept: */*
>
< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
< WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "An active access token must be used to query information about the current user."

Facebook replied with HTTP 400 Bad Request, but that doesn't matter for now: I'm just trying to see that the request reaches Facebook correctly, which it does.

Now, the thing is, the security team provided two proxies, and I should use them in failover mode, meaning that after a (preferably configurable) number of timeouts from proxy 1, I should switch to proxy 2. Before I implement this feature in my application, I wanted to see if I can configure HAProxy to handle all this for me (as I'm already using HAProxy on this same server for the inbound direction from Facebook, through another proxy).

So, this is my HAProxy configuration:

global
   log 127.0.0.1 local2 debug
   chroot /var/lib/haproxy
   user haproxy
   group haproxy
   daemon

   stats socket /etc/haproxy/haproxysock level admin

defaults
   log global
   option httplog
   mode http
   timeout connect 5000
   timeout client 50000
   timeout server 50000

# Incoming messages from Facebook
frontend chatbot_front
   bind *:8773 ssl crt /etc/haproxy/haproxy.cer
   use_backend chatbot_back

backend chatbot_back
   balance roundrobin

   server chatbot1 <chatbot_ip1>:<chatbot_port1> check ssl verify none
   server chatbot2 <chatbot_ip2>:<chatbot_port2> check ssl verify none

# Outbound messages to Facebook through another proxy
frontend serverproxy_front
   bind *:8775 ssl crt /etc/haproxy/haproxy.cer
   use_backend serverproxy_back

backend serverproxy_back
   balance roundrobin
   option httpclose
   option forwardfor header X-Client
   cookie SERVERID insert indirect nocache

   http-request set-header Proxy-Authorization "Basic <base64>"

   server serverproxy1 <proxy_ip1>:<port1> check
   server serverproxy2 <proxy_ip2>:<port2> check

listen stats
    bind *:8774 ssl crt /etc/haproxy/haproxy.cer
    mode http
    maxconn 5
    stats enable
    stats refresh 10s
    stats realm Haproxy\ Statistics
    stats uri /stats
    stats auth <user>:<password>

The relevant config is the frontend serverproxy_front and the backend serverproxy_back settings above. I tried to look into tutorials on how to set up HAProxy as a forward proxy, and this is what I got. But when I try to use it, it doesn't work:

export http_proxy=http://127.0.0.1:8775
export https_proxy=http://127.0.0.1:8775
curl -v -I https://graph.facebook.com/v7.0/me/messages
* About to connect() to proxy <local_ip> port 8775 (#0)
*   Trying <local_ip>...
* Connected to <local_ip> (<local_ip>) port 8775 (#0)
* Establish HTTP proxy tunnel to graph.facebook.com:443
> CONNECT graph.facebook.com:443 HTTP/1.1
> Host: graph.facebook.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
* Proxy CONNECT aborted
* Connection #0 to host <local_ip> left intact
curl: (56) Proxy CONNECT aborted

What am I missing here?

EDIT: fixed typo

1 Answer


I found it. It was an embarrassingly basic issue: port 8775 on HAProxy was configured as "https", but I was using it as a plain "http" proxy URL...

Changing the config to:

frontend serverproxy_front
#   bind *:8775 ssl crt /etc/haproxy/haproxy.cer
   bind *:8775

After restarting haproxy, it works successfully.
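For the failover requirement in the question (switch to proxy 2 after proxy 1 keeps failing) combined with the plain-TCP bind from the answer, the configuration below is an added example; it is not the asker's config nor anything from the HAProxy project. It assumes the upstream proxies at the question's placeholders `<proxy_ip1>:<port1>` and `<proxy_ip2>:<port2>` accept cleartext HTTP CONNECT with Basic auth (as the curl session shows), and that `<base64>` is the same placeholder credential. The listener is bound to loopback only, because the frontend speaks cleartext and the backend injects real proxy credentials into every request it forwards, so anything that can reach the port would inherit the proxy account.

```haproxy
# Added example configuration (not from the question or the HAProxy project).
# Placeholders <proxy_ip1>, <port1>, <proxy_ip2>, <port2>, <base64> are the
# question's own; replace them with real values before use.
global
   log 127.0.0.1 local2 info
   chroot /var/lib/haproxy
   user haproxy
   group haproxy
   daemon

defaults
   log global
   mode http
   option httplog
   timeout connect 5s
   timeout client 50s
   timeout server 50s
   # A CONNECT tunnel may sit idle far longer than an ordinary request.
   timeout tunnel 1h

# Outbound: local clients set http_proxy=http://127.0.0.1:8775.
# No "ssl crt" here: curl's http_proxy URL speaks cleartext to the proxy
# (the cause of "Proxy CONNECT aborted" in the question). Bind to loopback
# only, since every forwarded request carries the injected credentials.
frontend serverproxy_front
   bind 127.0.0.1:8775
   # Only accept what a proxy client sends: CONNECT tunnels or absolute-URI
   # requests. Anything else is refused before it reaches the upstream proxy.
   acl is_connect method CONNECT
   acl is_abs_url url -m beg http://
   http-request deny unless is_connect || is_abs_url
   default_backend serverproxy_back

backend serverproxy_back
   # Credentials for the corporate proxy are added here, never by the client.
   http-request set-header Proxy-Authorization "Basic <base64>"
   # Per-request failover: if connecting to the chosen proxy fails
   # 'retries' times, the last attempt is redispatched to another server.
   retries 3
   option redispatch
   # Health-check failover: a proxy is marked down after 'fall' consecutive
   # failed checks (every 'inter') and back up after 'rise' successes.
   # This is the configurable "number of failures before switching".
   default-server inter 5s fall 3 rise 2
   # Active/standby: serverproxy2 receives traffic only while serverproxy1
   # is down, instead of round-robin across both.
   server serverproxy1 <proxy_ip1>:<port1> check
   server serverproxy2 <proxy_ip2>:<port2> check backup
```

With this in place the same `curl -v -I https://graph.facebook.com/v7.0/me/messages` from the question should show `Proxy replied OK to CONNECT request` through 127.0.0.1:8775, and stopping proxy 1 (or letting its health check fail three times in a row) moves new tunnels to proxy 2 without any change in the application. The `option httpclose`, `forwardfor` and `cookie` lines from the original backend are deliberately left out: a CONNECT tunnel is opaque after the 200 response, so cookie insertion and X-Client headers have nothing to act on there, and the `backup` keyword gives the failover semantics the question asks for.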