View Single Post
Old 6th September 2012, 22:15
Ber Ber is offline
Junior Member
Join Date: Sep 2012
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
Default redirect handling with haproxy/stunnel


I have a web server on my intranet that I did not build nor administer.
However I was asked to set up a reverse proxy which would allow to access
the web service from the internet in a secure way.

I set up a server within our DMZ where I configured haproxy and stunnel.
My idea is to receive any http request comming to my proxy server through the port 80 and respond to it with a redirect to the port 443 using https pointing to the same IP address (the one were both haproxy and stunnel are running).

Once the client request comes from the port 443 using https, the stunnel software would take the request, decrypt it and route it to the same server by the port 81. Once again the haproxy software would pick up the request and transfer it to the actual web server (wich uses a specific port, 50100)
The server would respond through the port 50100, then the haproxy would send it to Stunnel (in the same box as haproxy). Stunnel would encrypt the response and route it to the client through the port 443.

This scheme seems to work, but ...
When navigating the web page... when clicking on certain links, the server responds with a redirection to some other internal web sites within our intranet. These redirect messages travel to the client browser which then tries to access these internal web sites from outside our network and then it fails.

I thought that there might be a way to have my haproxy to follow these redirects instead of handing them on to the client browser.

The following is my haproxy's config file:

# this config needs haproxy-1.1.28 or haproxy-1.2.1

maxconn 16834
pidfile /etc/haproxy/

mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms

frontend http-afuera
bind *:80
acl is_initial_session hdr_beg
acl is_irj hdr_sub -i irj
use_backend login if is_initial_session ! is_irj
default_backend portal_safe

frontend http-interno
bind *:81
default_backend irj

backend irj
server portal <actual web server's IP addr.>:50100

backend portal_safe
redirect prefix

backend login
redirect location

The following is my stunnel config file:

sslVersion = all
options = NO_SSLv2
setuid = root
setgid = root
pid = /var/run/
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log
cert = /root/stunnel-4.53/myCert_com_ar.crt
key = /root/stunnel-4.53/server.key
accept = <this server's IP addr>:443
connect = <this server's IP addr>:81
TIMEOUTclose = 0

Any help will be immensely appreciated!!

Last edited by Ber; 7th September 2012 at 16:15.
Reply With Quote
Sponsored Links