fiddler shows tunnel to ip1 but get response from ip2 - fiddler

I use a ping tool to get a list of ip of domain ABC.com
when I request use ip1 from the list
fiddler shows
tunnel to ip1:443
200 response from ip2
I have tried many ip but all get response from ip2
what's the relationship of ip1 and ip2

Related

HaProxy forward the source IP to the backend server

I have the following HaProxy configuration:
frontend smtp
bind :25 accept-proxy
default_backend smtp_backend
backend smtp_backend
mode tcp
timeout server 1m
timeout connect 5s
server srv1 127.0.0.1:2500 send-proxy check maxconn 500
That is being a Load Balancer (AWS). I need to know the IP of the Load Balancer.
Looking at the logs on HaProxy, I have the following lines:
Jul 1 16:00:03 ip-172-31-1-100 haproxy[10350]: Connect from 172.31.1.5:35040 to 172.31.1.100:25 (smtp/TCP)
So HaProxy get the proper source IP of the Load Balancer (I'm not looking for the client at that level).
But when showing the IP/Port on the destination server, I get the local IP : 127.0.0.1.
I suspect it's because of server srv1 127.0.0.1:2525 send-proxy check maxconn 500 line, but how can I get the IP of the Load Balancer on my end server?
Thank you in advance!
(note: Once the connection is established, AWS Target Group sends me a Proxy v2 command that allows me to get the client IP address, and this works, but I first need to get that 172.31.1.5 IP from the Load Balancer).
Unfortunately, Haproxy will only support ip forwarding in HTTP mode through some headers.
In your case, you need to use specially compiled HAproxy - TProxy.
Docs: https://www.haproxy.com/blog/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/
This will support forwarding client ip(AWS load balancer IP in your case) even in TCP mode.

Using haproxy to forward or redirect a URL

I am looking to perform something quite simple.
Using haproxy I would like to forward any requests from the URL http://webmail.rutest.org or https://webmail.rutest.org to https://outlook.com/rutest.org
BASICALLY:
We currently own the domain rutest.org. What I intend to do is create a DNS "A" record for "webmail" IP address 24.103.122.18. This will then go to a FortiGate Router which has 2 port forwarding rules for 80 and 443 to an internal IP address 10.1.1.18. 10.1.1.18 will be the haproxy server. Once that request gets there, I want haproxy to say ok, you want http://webmail.rockefeller.edu or https://webmail.rockefeller.edu then send the user to https://outlook.com/rutest.org
The users browser should then reflect this URL redirection.
Can this be done? If so, what are the entries needed in the haproxy.cfg?
You can try the following, untested.
listen webmail
bind :80 v4v6
# here should be your certificates
bind :::443 v4v6 alpn h2,http/1.1 ssl crt /etc/ssl/haproxy/
http-request redirect location https://outlook.com/rutest.org if hdr(host) -i webmail.rockefeller.edu
The documentation: http-request redirect

Send real Host header for httpchk in HAProxy

I'm trying to make http (layer 7) checks to monitor backend state in HAProxy load balancer. I have 3 backends configured, each having it's own name. Current configuration looks like this:
backend apiservers
balance leastconn
mode http
option httpchk GET /healthz HTTP/1.0\r\nAuthorization:\ Bearer\ SOME_TOKEN_HERE
http-check disable-on-404
http-check expect rstring ^ok
server core1 core1.cloud:443 ssl check
server core2 core2.cloud:443 ssl check
server core3 core3.cloud:443 ssl check
The problem is I can't switch to HTTP/1.1 because I wasn't able to find a way to pass a real Host header with httpchk requests. Using some random dummy Host string may cause problems in the feature, so I need to pass the corresponding backend hostname to the Host header. Options like http-request add-header Host %[src] and http-send-name-header Host in the backend section seem not affect httpchk mechanism.
Any ideas?
Updated thanks to borellini.
Per the haproxy docs you can configure the header in the httpchk line. The example from the docs is:
# check HTTP and HTTPs services on a server.
# first open port 80 thanks to server line port directive, then
# tcp-check opens port 443, ciphered and run a request on it:
option httpchk
http-check connect
http-check send meth GET uri / ver HTTP/1.1 hdr host haproxy.1wt.eu
http-check expect status 200-399
http-check connect port 443 ssl sni haproxy.1wt.eu
http-check send meth GET uri / ver HTTP/1.1 hdr host haproxy.1wt.eu
http-check expect status 200-399
server www 10.0.0.1 check port 80
You should then be able to replace the host value with your variable and have it sent.

How to get IP of backend selected?

I am using HAProxy with multiple backends and some ACLs to select a backend, I want my client (for testing purposes and etc) to know the ip of the backend that was selected.
For example, Client sends request to HAProxy which loadbalances between ip A and ip B. In the response header, I want the ip of A if A was selected by HAProxy and I want the ip of B if B was selected. I know of %[dst] but it returns the ip of the HAProxy server instead.
Right now I'm putting http-response set-header X-Forwarded-Host %[dst]:%[dst_port] in the frontend and it is returning the ip and port of the HAProxy
found the answer, its %si:%sp. cbonte.github.io/haproxy-dconv/1.7/configuration.html#8.2.4

Simple TCP socket and HTTP proxy on single port with nginx

I have a process listening to port 23333 and I also have some files I would like to serve through HTTPS in a directory on my server, say /var/www/files/
Can I use nginx to serve files and act as a proxy to the socket on a single port, e.g. 21000?
E.g. be able to do:
telnet example.com 21000
and
curl https://example.com:21000/files/file.txt