2025-04-01 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Shulou(Shulou.com)05/31 Report--
Many people with little experience do not know how to analyze HAProxy port reuse. This article therefore summarizes the cause of the problem and its solution; I hope it helps you solve it.
The writer: Spark (member of the Ms08067 intranet security team)
I. Overview
HAProxy is a high-performance load-balancing proxy written in C that proxies TCP and HTTP. It is free, fast and reliable.
Similar to frp, it runs as a server plus a configuration file.
Advantages:
Widely used in large-scale production
Supports layer 4 (transport layer) and layer 7 (application layer) proxying
Supports ACLs (access control lists) for flexible routing configuration
Can be compiled with Cygwin and run on Windows (cross-platform)
An access control list (ACL) is a list of rules applied to a router interface that tells the router which packets to accept and which to reject.
II. Configuration
Official configuration manual: https://cbonte.github.io/haproxy-dconv/2.2/configuration.html
The configuration file consists of a global section and proxy sections:
Global configuration (global): defines the process-management, security and performance parameters of the haproxy process
Proxy settings (proxies):
defaults: provides default parameters for the other sections; these can be reset by the next "defaults" section
frontend: defines a set of listening sockets that accept client requests and establish connections with them
backend: defines the "back-end" servers to which the front-end proxy dispatches incoming requests
listen: defines listening sockets and back-end servers together, like a frontend and a backend section combined
Example:
    global

    defaults
        log global
        mode tcp
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000

    frontend main
        mode tcp
        bind *:8888
        option forwardfor except 127.0.0.1
        option forwardfor header X-Real-IP
        # configure acl rule
        acl is-proxy-now urlp_reg(proxy) ^(http|https|socks5)$
        # distribute to the corresponding backend
        use_backend socks5 if is-proxy-now
        use_backend http

    backend socks5
        mode tcp
        timeout server 1h
        server ss 127.0.0.1:50000

    backend http
        mode tcp
        option forwardfor header X-Real-IP
        server http 127.0.0.1:80
Focus on the frontend and backend sections.
In the frontend, write the ACL rules and the forwarding configuration. For example, when HTTP traffic arrives it is forwarded to the web service; when RDP traffic arrives it is forwarded to the RDP service.
In the backend, write the concrete action: which port on which target the traffic is forwarded to.
III. Approach
(1) Approach 1 (general)
Write ACL rules and dispatch at layer 4 (transport layer), distributing by protocol type: for example, send HTTP traffic to the HTTP service, RDP traffic to the RDP service, and so on.
(2) Approach 2
Write ACL rules and dispatch at layer 7 (application layer), determining the application type for distribution: for example, HTTP is distributed to an HTTP service, and everything else is sent to some other service.
IV. Steps
Taking approach 1 as an example:
Capture TPKT (application-layer data transfer protocol) information with Wireshark
Write ACL routing rules for traffic distribution
Add backend servers
Take over the original port
Done
4.1 Capturing TPKT
For background on TPKT, search online or check the reference link.
After the three-way handshake, application-layer data transmission begins.
Capture packets with Wireshark:
SSH protocol:
The first three packets are the three-way handshake; the first three bytes of the fourth packet's payload are the TPKT we need. For SSH, for example, this is 535348.
RDP protocol: 030000
Quick check:
    Protocol       TPKT
    SSH            535348
    RDP            030000
    HTTP (GET)     474554
    HTTP (POS)     504f53
    HTTP (PUT)     505554
    HTTP (DEL)     44454c
    HTTP (OPT)     4f5054
    HTTP (HEA)     484541
    HTTP (CON)     434f4e
    HTTP (TRA)     545241
    HTTPS          160301
4.2 Writing the ACL rules
    global

    defaults
        timeout connect 5000
        timeout client 50000
        timeout server 50000

    frontend main
        mode tcp
        bind *:8888
        # key point: write acl rules for forwarding
        tcp-request inspect-delay 3s
        acl is_http req.payload(0,3) -m bin 474554 504f53 505554 44454c 4f5054 484541 434f4e 545241
        acl is_ssh req.payload(0,3) -m bin 535348
        acl is_rdp req.payload(0,3) -m bin 030000
        # layer 4 content inspection: accept the connection once a rule matches
        tcp-request content accept if is_http
        tcp-request content accept if is_ssh
        tcp-request content accept if is_rdp
        tcp-request content accept
        # distribute to the corresponding backend
        use_backend http if is_http
        use_backend ssh if is_ssh
        use_backend rdp if is_rdp
        use_backend socks5

    backend socks5
        mode tcp
        timeout server 1h
        server ss 127.0.0.1:50000

    backend http
        mode tcp
        server http 127.0.0.1:80

    backend ssh
        mode tcp
        server ssh 127.0.0.1:22

    backend rdp
        mode tcp
        server rdp 192.168.213.129:3389
This configuration listens on port 8888, forwards HTTP traffic (the eight HTTP TPKTs in the quick check table) to local port 80, forwards SSH traffic to local port 22, and forwards RDP traffic to port 3389 of another host.
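To check a routing table like the one above before deploying it, the following added example (not code from the article or from HAProxy itself) re-implements the decision that `tcp-request inspect-delay`, the `req.payload(0,3) -m bin` ACLs and the `use_backend` rules make. The prefix table and rule order are the article's; the function names `render_acls`, `parse_acl_line` and `select_backend` are this example's own. It also shows two edge cases the configuration implies but does not spell out: the `bin` match is exact (a lowercase `get` does not match 474554), and a client that sends nothing before the inspect delay expires, or whose first bytes match no rule (TLS, 160301, is in the table but has no rule), ends up on the default backend.

```python
"""Offline check of the HAProxy layer-4 dispatch rules described above.

Added example: not code from the article or from HAProxy. It re-implements
the decision that `tcp-request inspect-delay 3s`, the
`acl ... req.payload(0,3) -m bin ...` lines and the `use_backend` rules
make, so a routing table can be validated before it is deployed.
"""
from __future__ import annotations

# Three-byte prefixes from the article's quick check table, in ACL
# evaluation order. HTTPS (160301) is in the table but the article's
# config has no rule for it, so it falls through to the default backend.
PREFIX_TABLE: dict[str, list[str]] = {
    "http": ["474554", "504f53", "505554", "44454c",
             "4f5054", "484541", "434f4e", "545241"],
    "ssh": ["535348"],
    "rdp": ["030000"],
}
DEFAULT_BACKEND = "socks5"   # the unconditional `use_backend socks5`
INSPECT_BYTES = 3            # req.payload(0,3): offset 0, length 3


def render_acls(table: dict[str, list[str]] = PREFIX_TABLE) -> list[str]:
    """Render the `acl is_<name> req.payload(0,3) -m bin ...` lines that the
    article writes by hand, from the prefix table."""
    return [
        f"acl is_{name} req.payload(0,{INSPECT_BYTES}) -m bin " + " ".join(hexes)
        for name, hexes in table.items()
    ]


def parse_acl_line(line: str) -> tuple[str, list[bytes]]:
    """Parse one `acl NAME req.payload(0,3) -m bin HEX [HEX ...]` line into
    (acl name, byte patterns). Only this ACL shape is supported; anything
    else raises ValueError instead of being silently misread."""
    tokens = line.split()
    if (len(tokens) < 6 or tokens[0] != "acl"
            or tokens[2] != f"req.payload(0,{INSPECT_BYTES})"
            or tokens[3:5] != ["-m", "bin"]):
        raise ValueError(f"unsupported acl line: {line!r}")
    return tokens[1], [bytes.fromhex(h) for h in tokens[5:]]


def select_backend(payload: bytes | None,
                   table: dict[str, list[str]] = PREFIX_TABLE,
                   default: str = DEFAULT_BACKEND) -> str:
    """Pick the backend the way the frontend does.

    `payload` is whatever the client sent before the inspect delay expired
    (None if nothing). The first ACL whose pattern equals the first three
    bytes wins, in rule order; the comparison is exact, so lowercase `get`
    does not match 474554. Too little data or no match means the
    unconditional `use_backend socks5` applies.
    """
    if payload is None or len(payload) < INSPECT_BYTES:
        return default
    head = payload[:INSPECT_BYTES]
    for name, hexes in table.items():
        if any(head == bytes.fromhex(h) for h in hexes):
            return name
    return default


if __name__ == "__main__":
    # Constructed sample payloads standing in for the first bytes a client sends.
    samples = {
        "HTTP GET":     b"GET / HTTP/1.1\r\nHost: x\r\n\r\n",
        "SSH banner":   b"SSH-2.0-OpenSSH_8.9\r\n",
        "RDP X.224":    bytes.fromhex("0300002b26e00000000000"),
        "TLS hello":    bytes.fromhex("16030100a5010000a10303"),
        "lowercase":    b"get / HTTP/1.1\r\n",
        "server-first": None,
    }
    for label, data in samples.items():
        print(f"{label:13s} -> {select_backend(data)}")
    print("\n".join(render_acls()))
```

Running the script prints the backend chosen for each constructed payload followed by the three ACL lines regenerated from the table; the regenerated lines are byte-for-byte the ones in the configuration above, which is a quick way to catch a mistyped hex prefix.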
V. Experiment
Target 1: Ubuntu 16.04 x64
IP: 192.168.213.128
Ports 22 and 80 open
Target 2: Win7 x64
IP: 192.168.213.129
Port 3389 open
Start haproxy with -f to specify the configuration file. Port 8888 being open indicates that startup succeeded. -d enables debug mode, but it is not used here.
HTTP protocol: access port 8888 of the target, and haproxy distributes the traffic to port 80 of the same machine.
RDP protocol: access port 8888 of the target, and haproxy distributes the traffic to port 3389 of 192.168.213.129.
SSH protocol: access port 8888 of the target, and haproxy distributes the traffic to port 22 of the same machine.
Haproxy log:
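The log screenshot is not reproduced here. What it shows, one listener handing connections to the http, ssh, rdp and socks5 backends in turn, is also the pattern a defender would look for in the same log. The following added example (not from the article and not HAProxy's own code) parses HAProxy's default TCP-mode log format, which HAProxy documents as `%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq` behind the syslog prefix, and reports frontends that fan out to several backends. The log lines in it are constructed for the example using the article's frontend and backend names; the function names are this example's own.

```python
"""Parse HAProxy TCP-mode log lines and flag frontends that fan out to
several backends.

Added example: not part of the article and not HAProxy's own code. It
reads the default `option tcplog` format and summarizes which backends
each frontend handed connections to. One frontend whose connections land
in backends for unrelated services (http, ssh, rdp, socks5) is the
signature of the port reuse set up in the article.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Default tcplog layout:
#   %ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq
# preceded by the usual "date host haproxy[pid]:" syslog prefix.
TCPLOG_RE = re.compile(
    r"haproxy\[\d+\]: "
    r"(?P<client_ip>[\d.]+):(?P<client_port>\d+) "
    r"\[(?P<accept_ts>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>-?\d+) "
    r"(?P<bytes_read>\d+) (?P<term_state>\S+) "
)

# Constructed sample log (not the article's screenshot): one client hitting
# the same listener, port 8888, with four different protocols, plus one
# non-connection line that the parser must skip.
SAMPLE_LOG = """\
Jun  1 10:00:01 ubuntu haproxy[2048]: 192.168.213.1:50212 [01/Jun/2025:10:00:01.120] main http/http 0/0/15 512 -- 1/1/0/0/0 0/0
Jun  1 10:00:05 ubuntu haproxy[2048]: 192.168.213.1:50230 [01/Jun/2025:10:00:05.310] main rdp/rdp 0/1/60440 98231 -- 2/2/1/1/0 0/0
Jun  1 10:00:09 ubuntu haproxy[2048]: 192.168.213.1:50244 [01/Jun/2025:10:00:09.002] main ssh/ssh 0/0/120033 40211 -- 2/2/1/1/0 0/0
Jun  1 10:00:15 ubuntu haproxy[2048]: 192.168.213.1:50260 [01/Jun/2025:10:00:15.877] main socks5/ss 3002/0/3100 0 -- 1/1/0/0/0 0/0
Jun  1 10:00:20 ubuntu haproxy[2048]: Proxy main started.
"""


def parse_tcplog(line: str) -> dict[str, str] | None:
    """Return the named fields of one TCP log line, or None for lines that
    are not connection records (startup messages, truncated lines)."""
    m = TCPLOG_RE.search(line)
    return m.groupdict() if m else None


def backends_per_frontend(lines) -> dict[str, Counter]:
    """Count, for each frontend, how many connections went to each backend."""
    summary: dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_tcplog(line)
        if rec:
            summary[rec["frontend"]][rec["backend"]] += 1
    return dict(summary)


def multiplexed_frontends(lines, min_backends: int = 2) -> list[tuple[str, list[str]]]:
    """Frontends that dispatched to at least `min_backends` distinct backends,
    i.e. one listening port serving several unrelated services."""
    return sorted(
        (fe, sorted(counts))
        for fe, counts in backends_per_frontend(lines).items()
        if len(counts) >= min_backends
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for fe, counts in backends_per_frontend(lines).items():
        print(fe, dict(counts))
    for fe, bes in multiplexed_frontends(lines):
        print(f"frontend {fe!r} fans out to {len(bes)} backends: {', '.join(bes)}")
```

On the constructed sample the script reports that frontend `main` fans out to four backends. The backend name is all the TCP log carries about the destination; to map it back to the real service port (22, 80, 3389 or 50000 in the article's setup) the reviewer still has to read the `server` lines of the configuration, so keep the configuration file alongside the log when investigating.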
VI. Port redirection
So that normal access to port 80 is not affected, traffic arriving on port 80 is redirected to port 8888. When a user accesses port 80 normally, the traffic goes to port 8888 first and is then forwarded back to port 80 by haproxy.
Linux: iptables (no service restart needed)
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8888
Port 80 can still be accessed normally:
The haproxy log records the traffic arriving from port 80 at 8888 and going back to port 80.
Windows: netsh (the web service needs to be restarted)
    netsh interface portproxy add v4tov4 listenport=80 connectport=8888 connectaddress=127.0.0.1
Note: when enabling port redirection on Windows, the netsh port-forwarding rule must be added before the service on that port starts.
After reading the above, have you mastered how to analyze HAProxy port reuse? If you want to learn more skills or find out more about the topic, you are welcome to follow the industry information channel. Thank you for reading!