Channel: HAProxy community - Latest topics

HTTP to HTTPS endpoint behind Squid using client certificate authentication (layer 7)


Is it possible to bind on HTTP while connecting to an HTTPS endpoint behind a Squid forwarding proxy using Client Certificate Authentication, while using Layer 7 proxy mode?

We have this already working using Apache HTTP server based on:

ProxyTimeout 600
ProxyRequests on
ProxyRemote "*" "http://squid-internet:3128"

<VirtualHost *:80>
  ServerName onloading-proxy-internet-endpoint-a

  Use SSLGeneric

  RequestHeader set CustomHeader "custom_value"
  RequestHeader unset SecretHeader

  SSLProxyMachineCertificateFile /usr/local/apache2/certs/keypair-internet.pem
  SSLProxyMachineCertificateChainFile /usr/local/apache2/certs/chain-internet.pem

  ProxyPass        / https://internet-endpoint-a.net
  ProxyPassReverse / https://internet-endpoint-a.net
</VirtualHost>

We want to replace Apache HTTP server because HAProxy has OpenTracing support and we need this.

The HAProxy config I have now is:

frontend onloading-proxy
    bind *:80

    filter opentracing id ot-fe config /usr/local/etc/haproxy/ot.cfg

    use_backend be_ca_verbindingstest if { hdr(host) -i onloading-proxy-internet-endpoint-a }
    default_backend be_default

backend be_ca_verbindingstest
    mode http
    # set-header takes a header name followed by its value; the Host header is
    # what the set-uri line below reads back via req.hdr(Host)
    http-request set-header Host internet-endpoint-a.net
    http-request set-uri https://%[req.hdr(Host)]%[path]?%[query]
    option forwardfor header X-Client
    #option 1: Response is 400; No SSL client certificate presented to internet-endpoint-a
    server squid-proxy-internet 10.32.0.29:3128 crt /usr/local/etc/haproxy/certs/keypair-internet.pem ca-file /usr/local/etc/haproxy/certs/truststore-internet-endpoints.pem
    #option 2: Response is 502 service unavailable
    #server squid-proxy-internet 10.32.0.29:3128 ssl crt /usr/local/etc/haproxy/certs/keypair-internet.pem ca-file /usr/local/etc/haproxy/certs/truststore-internet-endpoints.pem

backend be_default
    http-request deny deny_status 400

The next curl test on the HAProxy pod results in a 200:

curl -x http://10.32.0.29:3128 -k -v --key /usr/local/etc/haproxy/certs/internet-keypair.pem --cert /usr/local/etc/haproxy/certs/internet-keypair.pem https://internet-endpoint-a.net/index.php

The whole idea behind this setup is to keep the infrastructure-related stuff (request headers, certificates, routing, etc.) in the onloading proxy service and, by doing so, keep our applications unaware of them and less complex.

Once again, my question is: is this possible, and if so, how?

1 post - 1 participant
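The curl test in the post does two things in sequence: a plain-HTTP CONNECT to Squid to open a tunnel, and then a TLS handshake inside that tunnel in which the client certificate is presented to internet-endpoint-a.net. The added script below (not from the post or from HAProxy) reproduces that exchange step by step so the two phases can be compared against the two commented server lines, which each speak only one of them (plain HTTP to Squid, or TLS directly to port 3128); the Squid address, host name and certificate paths are copied from the post and are assumptions about the poster's environment.

```python
import socket
import ssl
from typing import Tuple

# Values taken from the post (assumed; nothing here is contacted at import time).
SQUID = ("10.32.0.29", 3128)
TARGET = ("internet-endpoint-a.net", 443)
CLIENT_CERT = "/usr/local/etc/haproxy/certs/keypair-internet.pem"
CA_FILE = "/usr/local/etc/haproxy/certs/truststore-internet-endpoints.pem"


def build_connect_request(host: str, port: int) -> bytes:
    """Phase 1: the plain-HTTP CONNECT that asks Squid for a raw TCP tunnel."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode()


def parse_connect_response(raw: bytes) -> Tuple[int, bytes]:
    """Return (status code, bytes left over after the header block)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete CONNECT response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"bad status line: {status_line!r}")
    return int(parts[1]), rest


def fetch_through_squid(path: str = "/index.php") -> bytes:
    """Same exchange as the post's curl -x ... --cert ... https://... test."""
    ctx = ssl.create_default_context(cafile=CA_FILE)
    ctx.load_cert_chain(CLIENT_CERT)  # key and cert in one PEM, as in the curl test
    with socket.create_connection(SQUID, timeout=10) as tcp:
        tcp.sendall(build_connect_request(*TARGET))
        buf = b""
        while b"\r\n\r\n" not in buf:  # read until the CONNECT reply is complete
            chunk = tcp.recv(4096)
            if not chunk:
                raise ConnectionError("Squid closed before answering CONNECT")
            buf += chunk
        status, _ = parse_connect_response(buf)
        if status != 200:
            raise RuntimeError(f"Squid refused the tunnel: HTTP {status}")
        # Phase 2: TLS runs end to end inside the tunnel, so the client
        # certificate reaches the endpoint; Squid only relays bytes.
        with ctx.wrap_socket(tcp, server_hostname=TARGET[0]) as tls:
            tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {TARGET[0]}\r\n"
                        f"Connection: close\r\n\r\n".encode())
            return b"".join(iter(lambda: tls.recv(65536), b""))
```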
