# Transparent proxying so logs show the correct client IP, and content inspection for when port 443 allows ssh but 22 is blocked :)
#
# https://gist.github.com/mhofman/a01df56480b3791d526b77dbebef43a2#creative-ip-routing-for-transparent-proxying
#
# root@debian:~# cat /etc/network/interfaces.d/lo
# auto lo
# iface lo inet loopback
# post-up ip -4 a a 192.168.255.233/30 dev lo
# post-up ip -6 a a fd00:8::1/64 dev lo
# post-up ip -4 rule add from 192.168.255.232/30 lookup 232
# post-up ip -6 rule add from fd00:8::/64 lookup 232
# post-up ip -4 r add 0.0.0.0/0 dev lo table 232
# post-up ip -6 r add local ::/0 dev lo table 232
global
    log /dev/log local0
    # Runtime API socket. "level admin" permits changing server state, limits,
    # etc. at run time and "expose-fd listeners" hands listening FDs across
    # reloads. No user/group is given for the socket, so who can use it is
    # decided only by mode 660 and the uid/gid the process creates it with --
    # NOTE(review): confirm the owning group contains only intended admins.
    stats socket /run/haproxy-admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    daemon
    # NOTE(review): no user/group/chroot directive is visible in this section;
    # the "source * usesrc client" servers below need CAP_NET_ADMIN, so the
    # process presumably keeps elevated privileges -- confirm that is intended.
    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    # Mozilla "intermediate" profile on both the bind (client-facing) and server
    # (backend-facing) sides: ECDHE/DHE AEAD suites for TLS 1.2, the three TLS 1.3
    # suites, SSLv3/TLS 1.0/1.1 disabled, and session tickets disabled.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # Fixed DH group for the DHE-* suites above (the Mozilla-published ffdhe2048).
    ssl-dh-param-file /etc/haproxy/dhparam.pem # https://ssl-config.mozilla.org/ffdhe2048.txt
defaults
    log global
    # TCP mode by default: the frontends below classify raw payload / TLS hello
    # and only "backend nginx" switches to "mode http".
    mode tcp
    option tcplog
    # Drops log lines for connections that exchanged no data. That silences
    # monitoring probes, but also hides connect-only scanner probes from the log.
    option dontlognull
    timeout connect 5000
    # Two-hour inactivity timeouts keep idle SSH sessions alive; they apply to
    # the HTTP path as well, so an idle client connection can hold a slot for up to 2h.
    timeout client 2h
    timeout server 2h
    # Only meaningful for the http-mode backend; ignored on tcp-mode paths.
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    default-server resolve-prefer ipv4
frontend tcp443
    # Public :443 listener that demultiplexes TLS, SSH and anything else.
    bind ipv4@:443
    bind ipv6@:443 v6only
    # NOTE(review): v4src is declared but never referenced in this frontend.
    acl v4src src 0.0.0.0/0
    acl is_ssl req.ssl_hello_type 1      # a TLS ClientHello was seen
    acl is_ssh payload(0,4) -m str SSH-  # SSH client identification banner
    # Buffer up to 2s of client data to classify the protocol. TLS and SSH are
    # released as soon as recognised; anything else is accepted (not rejected)
    # when the delay expires, so unknown protocols still reach recir_plaintext
    # and, through it, the nginx backend.
    tcp-request inspect-delay 2s
    tcp-request content accept if is_ssl
    tcp-request content accept if is_ssh
    # Route by SNI. SNI is sent in the clear and chosen by the client, so this
    # is a routing hint, not an authentication decision; the piv backend has to
    # validate what it receives on its own.
    use_backend piv if { req.ssl_sni -i piv.scottn.us }
    # use_backend ssh if is_ssh
    # Everything else, including SSH-on-443 while the line above stays
    # commented out, is re-injected into "frontend plaintext" via recir_plaintext.
    default_backend recir_plaintext
backend piv
    # Choose the server by the client's address family: "src 0.0.0.0/0" is an
    # IPv4 pattern, so (presumably) only IPv4 sources match and IPv6 clients
    # fall through to the always_true rule -- verify with an IPv6 client.
    use-server piv4 if { src 0.0.0.0/0 }
    use-server piv6 if { always_true }
    # "usesrc client": connect to the backend using the client's own address as
    # source (transparent proxy). This depends on the table-232 loopback routing
    # in the header so replies come back through this host, and it means the
    # backend's logs and any source-address rules there now see Internet
    # addresses instead of this proxy -- NOTE(review): confirm the backend's
    # firewall/ACLs were written with that in mind.
    server piv4 192.168.255.234:8443 source * usesrc client
    server piv6 [fd00:8::1]:8443 source * usesrc client
backend ssh
    # SSH relay to the same host as "backend piv"; server selection and the
    # transparent "usesrc client" source work exactly as described there.
    use-server ssh4 if { src 0.0.0.0/0 }
    use-server ssh6 if { always_true }
    # The SSH daemon sees the real client address, so its own logging and any
    # per-source rate limiting keep working through the proxy.
    server ssh4 192.168.255.234:22 source * usesrc client
    server ssh6 [fd00:8::1]:22 source * usesrc client
backend recir_plaintext
    # Re-inject the connection into "frontend plaintext" over abstract unix
    # sockets: TLS ClientHellos go to the TLS-terminating listener, the rest to
    # the cleartext one. send-proxy-v2 carries the original client address so
    # the second pass still knows it.
    use-server ssl if { req.ssl_hello_type 1 }
    use-server nossl if { always_true }
    # NOTE(review): abstract-namespace sockets carry no filesystem permissions,
    # so any local process in this network namespace can connect to abns@ssl or
    # abns@nossl and, because those binds use accept-proxy, present its own
    # PROXY header with any client address. Source-based decisions made on the
    # second pass therefore trust every local process, not just this haproxy.
    server ssl abns@ssl send-proxy-v2
    server nossl abns@nossl send-proxy-v2
frontend plaintext
    # Second pass for connections recirculated from tcp443 (accept-proxy restores
    # the original client address from the PROXY header), plus direct port 80.
    bind abns@ssl accept-proxy ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    bind abns@nossl accept-proxy alpn h2,http/1.1
    # Plain HTTP on :80 is handed to nginx as-is; no HTTP->HTTPS redirect is
    # configured here (this frontend is tcp mode, so it would have to be done
    # in the http backend or in nginx) -- NOTE(review): confirm that is intended.
    bind ipv4@:80
    bind ipv6@:80 v6only
    # NOTE(review): v4src is declared but never referenced in this frontend.
    acl v4src src 0.0.0.0/0
    acl is_ssh payload(0,4) -m str SSH-
    # Hex encoding of the 42-byte gnome-keyring PKCS#11 banner quoted below
    # (req.payload here is the same fetch as payload above, just spelled differently).
    acl is_p11 req.payload(0,84),hex -m sub 505249564154452D474E4F4D452D4B455952494E472D504B435331312D50524F544F434F4C2D562D31
    # PRIVATE-GNOME-KEYRING-PKCS11-PROTOCOL-V-1
    tcp-request inspect-delay 2s
    tcp-request content accept if HTTP
    tcp-request content accept if is_p11
    # NOTE(review): there is no "accept if is_ssh" rule, so SSH connections sit
    # through the full 2s inspect delay before use_backend runs; if the reject
    # rule below is ever re-enabled they would be dropped outright.
    # tcp-request content reject
    # The keyring relay is only reachable through the TLS-terminating listener;
    # ssl_fc is the only gate visible in this file -- NOTE(review): confirm the
    # listener on 127.0.0.1:2445 (backend p11) authenticates callers itself.
    use_backend p11 if is_p11 { ssl_fc } # MUST be protected by SSL
    # SSH is accepted both inside TLS (via abns@ssl) and in the clear (via
    # abns@nossl or :80).
    use_backend ssh if is_ssh # MAY be protected by SSL
    default_backend nginx
backend p11
    # gnome-keyring PKCS#11 relay on loopback (the server name suggests a socat
    # listener). No transparent source here, so the relay sees 127.0.0.1 as the
    # peer and cannot distinguish clients by address.
    server socat 127.0.0.1:2445
backend nginx
    # HTTP termination point: switch to http mode so headers can be inspected and set.
    mode http
    acl https ssl_fc
    # set-header replaces any client-supplied X-Forwarded-Proto, so a plain
    # request cannot claim to nginx that it arrived over TLS.
    http-request set-header X-Forwarded-Proto %[ssl_fc,iif(https,http)]
    # HSTS (2 years) only on responses that really travelled over TLS.
    http-response set-header Strict-Transport-Security max-age=63072000 if https
    # Address-family selection and transparent "usesrc client" source exactly as
    # in "backend piv"; nginx therefore logs the real client address without
    # needing X-Forwarded-For.
    use-server nginx4 if { src 0.0.0.0/0 }
    use-server nginx6 if { always_true }
    server nginx4 192.168.255.234:8080 source * usesrc client
    server nginx6 [fd00:8::1]:8080 source * usesrc client