Using HAProxy, can I direct traffic to a backend server from all the other backend servers in a pool? From a networking standpoint, it would be comparable to mirroring all ports on a switch to one port for inspection. This way I could pass all traffic unencrypted to a loopback address and inspect it with SNORT.
Currently we encrypt all traffic into our HAProxy nodes and send that traffic encrypted to our webservers. We have an out-of-band IDS; however, since it only has our cert to decrypt traffic, we can't implement perfect forward secrecy or Diffie-Hellman ciphers on HAProxy.
I've read guides that allow you to do this with an F5, however that's not an option for us.
Thank you for any insight you can provide.
Best Answer
HAProxy can't do it by itself, but if you used a set of fairly simple frontend/listen declarations, you could use the iptables TEE target (see here for usage); it should be fairly simple. For a system where the server's "public" IP is 10.10.10.10, whose backends are 192.168.1.11 and 192.168.1.12 and whose IDS is 172.16.172.10, the HAProxy configuration would look something like this:

This basically just passes all the traffic from IN to INTERMEDIARY in whatever shape it entered the server, and then INTERMEDIARY decrypts the requests and makes whatever choices you want. You'd then need to set up iptables rules that look like this:

Of course, this assumes all routes and networks are set up, but it should work.

I suppose you could just do away with all the HAProxy stuff and set up some iptables rules to match your backend hosts and TEE that traffic right to your IDS.
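The two-listener layout the answer describes, rendered as a small deploy script (an added example, not the answer's own configuration). It uses the addresses from the answer and assumes an INTERMEDIARY listener on loopback 127.0.0.2:8443, backends serving plain HTTP on port 80, a certificate at /etc/haproxy/site.pem, and an IDS on a directly attached segment, since TEE clones packets to a gateway on the local link.

```shell
#!/bin/sh
# Added example: IN (TCP pass-through on the public IP) -> INTERMEDIARY
# (TLS termination on loopback) -> backends, plus iptables TEE rules that
# copy the decrypted INTERMEDIARY<->backend hop to the IDS for inspection.
# Assumed values: loopback 127.0.0.2:8443, backend port 80, cert path.
PUBLIC_IP=10.10.10.10
INTERMEDIARY_IP=127.0.0.2
INTERMEDIARY_PORT=8443
BACKENDS="192.168.1.11 192.168.1.12"
IDS_IP=172.16.172.10
CERT=/etc/haproxy/site.pem

render_haproxy_cfg() {
    cat <<EOF
# IN: accepts TLS on the public IP and hands the bytes to INTERMEDIARY untouched
listen in
    bind ${PUBLIC_IP}:443
    mode tcp
    server intermediary ${INTERMEDIARY_IP}:${INTERMEDIARY_PORT}

# INTERMEDIARY: terminates TLS here, so decrypted HTTP exists from this point on
frontend intermediary
    bind ${INTERMEDIARY_IP}:${INTERMEDIARY_PORT} ssl crt ${CERT}
    mode http
    default_backend webservers

backend webservers
    mode http
EOF
    for b in $BACKENDS; do
        printf '    server web_%s %s:80 check\n' "${b##*.}" "$b"
    done
}
# TEE (mangle table) clones each matching packet to the IDS; the original
# keeps going to its real destination, so the backends see no change.
render_tee_rules() {
    for b in $BACKENDS; do
        echo "iptables -t mangle -A OUTPUT -d $b -p tcp --dport 80 -j TEE --gateway $IDS_IP"
        echo "iptables -t mangle -A INPUT  -s $b -p tcp --sport 80 -j TEE --gateway $IDS_IP"
    done
}
if [ "$1" = "--apply" ]; then          # needs root; without the flag it is a dry run
    render_haproxy_cfg > /etc/haproxy/haproxy.cfg
    render_tee_rules | sh
else
    render_haproxy_cfg
    render_tee_rules
fi
```

Run without arguments to review the generated config and rules; `--apply` writes haproxy.cfg and installs the rules, after which `haproxy -c -f /etc/haproxy/haproxy.cfg` and `iptables -t mangle -L -n` show the result.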