
How to analyze Haproxy port reuse

May 29, 2023 am 09:25 AM

Author of this article: Spark (Ms08067 intranet security team member)

1. Overview

Haproxy is high-performance load-balancing proxy software written in C. It provides TCP and HTTP application proxying and is free, fast and reliable.
Like frp, it can be run with one configuration file and one server program.
Advantages:

Widely used in large business environments

Supports layer-four (transport layer) and layer-seven (application layer) proxying

Supports ACLs (Access Control Lists), so routing can be configured flexibly

Runs on Windows after compiling with cygwin (cross-platform)

An Access Control List (ACL) is a list of rules applied to a router interface. These rules tell the router which packets to accept and which to reject.

2. Configuration

Official configuration manual: https://cbonte.github.io/haproxy-dconv/2.2/configuration.html
The configuration file consists of a global section and proxy sections:
Global configuration (global): defines parameters related to haproxy process management, security and performance

Proxy configuration (proxies):

defaults: provides default parameters for the other sections. These defaults can be reset by a subsequent "defaults" section

frontend: defines a set of listening sockets that accept client requests and establish connections with them

backend: defines the "backend" servers to which the front-end proxy dispatches incoming requests

listen: defines the listening socket and the backend servers together, like a frontend and a backend section combined

Example:

global
defaults
  log global
  mode tcp
  option dontlognull
  timeout connect 5000
  timeout client 50000
  timeout server 50000

frontend main
  mode tcp
  bind *:8888
  option forwardfor except 127.0.0.1
  option forwardfor header X-Real-IP

# Configure the acl rule
  acl is-proxy-now urlp_reg(proxy) ^(http|https|socks5)$
# Dispatch to the matching backend
  use_backend socks5 if is-proxy-now
  use_backend http
backend socks5
  mode tcp
  timeout server 1h
  server ss 127.0.0.1:50000
backend http
  mode tcp
  server http 127.0.0.1:80

Focus on the frontend and backend sections.
ACL rules and forwarding are written in the frontend: for example, when HTTP traffic arrives it is forwarded to the web service, and when RDP traffic arrives it is forwarded to the RDP service.
The concrete target is written in the backend, that is, which port on which host the traffic is handed to.

3. Ideas

(1) Idea 1 (general)

Write acl rules that work at layer four (transport layer) to balance and distribute traffic by protocol type: for example, when http traffic is encountered it is sent to the http service, when rdp is encountered it is sent to the rdp service, and so on.

(2) Idea 2

Write acl rules that work at layer seven (application layer), determine the application type and distribute accordingly: for example, http traffic is sent to the http service and everything else to some other service.

4. Steps

Taking idea 1 as an example:

1. Capture the tpkt (the first bytes of the application-layer data) with wireshark
2. Write acl rules to route and distribute the traffic
3. Add the backend servers
4. Take over the original port
5. Done

4.1 Capture the tpkt

For background on tpkt, refer to Baidu or the reference link.

After the three-way handshake, application-layer data transmission begins.
Use wireshark to capture packets.
SSH protocol:

[Figure: wireshark capture of an SSH connection]

The first three packets are the three-way handshake; the first three bytes of the fourth packet's payload are the tpkt we need. For SSH this is 535348 (the ASCII string "SSH").

RDP protocol: 030000

Quick reference (first three payload bytes, in hex):

Protocol      TPKT
SSH           535348
RDP           030000
HTTP (GET)    474554
HTTP (POS)    504f53
HTTP (PUT)    505554
HTTP (DEL)    44454c
HTTP (OPT)    4f5054
HTTP (HEA)    484541
HTTP (CON)    434f4e
HTTP (TRA)    545241
HTTPS         160301

4.2 Write the acl rules

global
defaults
  timeout connect 5000
  timeout client 50000
  timeout server 50000
frontend main
  mode tcp
  bind *:8888
# Key part: write acl rules for forwarding
  # wait up to 3s for the first client bytes before deciding
  tcp-request inspect-delay 3s
  # match the first three payload bytes against the tpkt values from the table
  acl is_http req.payload(0,3) -m bin 474554 504f53 505554 44454c 4f5054 484541 434f4e 545241
  acl is_ssh req.payload(0,3) -m bin 535348
  acl is_rdp req.payload(0,3) -m bin 030000
# Allow the connection through at layer four
  tcp-request content accept if is_http
  tcp-request content accept if is_ssh
  tcp-request content accept if is_rdp
  tcp-request content accept
# Dispatch to the matching backend
  use_backend http if is_http
  use_backend ssh if is_ssh
  use_backend rdp if is_rdp
  use_backend socks5
backend socks5
  mode tcp
  timeout server 1h
  server ss 127.0.0.1:50000
backend http
  mode tcp
  server http 127.0.0.1:80
backend ssh
  mode tcp
  server ssh 127.0.0.1:22
backend rdp
  mode tcp
  server rdp 192.168.213.129:3389

This configuration listens on port 8888 and forwards HTTP traffic (the eight HTTP tpkt values from the quick-reference table) to local port 80, SSH traffic to local port 22, and RDP traffic to port 3389 on another host.
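As an added example (not code from the original article), the Python below reproduces the decision the frontend above makes on req.payload(0,3), using the tpkt values from the quick-reference table in 4.1, and then goes one step further for the defender: grouping first-payload bytes by destination port exposes a port that answers several protocols, which is how this port-reuse setup looks on the wire. The flows are constructed sample data that borrow the lab addresses from this article; classify_payload and find_multiplexed_ports are names chosen here.

```python
# Added example, not part of the original article. Classifies the first
# three payload bytes the same way the HAProxy ACLs do, then flags ports
# serving more than one protocol. All sample data below is constructed.
from collections import defaultdict

# Same prefixes as the article's quick-reference table and the
# "req.payload(0,3) -m bin ..." ACLs in the frontend.
TPKT_PREFIXES = {
    bytes.fromhex("535348"): "ssh",    # ASCII "SSH"
    bytes.fromhex("030000"): "rdp",    # TPKT header used by RDP
    bytes.fromhex("160301"): "https",  # TLS handshake record header
}
for verb in ("GET", "POS", "PUT", "DEL", "OPT", "HEA", "CON", "TRA"):
    TPKT_PREFIXES[verb.encode()] = "http"


def classify_payload(payload: bytes) -> str:
    """Return the protocol for the first client payload bytes, or 'unknown'.

    Anything that matches none of the prefixes is what falls through to
    the default backend (socks5 in the article's configuration).
    """
    if len(payload) < 3:
        return "unknown"
    return TPKT_PREFIXES.get(bytes(payload[:3]), "unknown")


def find_multiplexed_ports(flows):
    """Group flows by destination and return ports seen with >1 protocol.

    flows: iterable of (dst_host, dst_port, first_payload_bytes).
    Returns {(host, port): sorted protocol list} for reused ports only.
    """
    seen = defaultdict(set)
    for host, port, payload in flows:
        seen[(host, port)].add(classify_payload(payload))
    return {key: sorted(protos) for key, protos in seen.items() if len(protos) > 1}


# Constructed sample flows (hypothetical captures from the article's lab hosts).
SAMPLE_FLOWS = [
    ("192.168.213.128", 8888, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    ("192.168.213.128", 8888, b"SSH-2.0-OpenSSH_7.2\r\n"),
    ("192.168.213.128", 8888, bytes.fromhex("0300002b26e00000")),  # X.224 CR
    ("192.168.213.128", 80, b"POST /login HTTP/1.1\r\n"),
    ("192.168.213.129", 3389, bytes.fromhex("030000130ee00000")),
]

if __name__ == "__main__":
    for (host, port), protos in find_multiplexed_ports(SAMPLE_FLOWS).items():
        print(f"{host}:{port} answers several protocols: {', '.join(protos)}")
```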

5. Experiment

Target1: Ubuntu 16.04 x64

IP: 192.168.213.128

Ports 22 and 80 are open

Target2: Win7 x64

IP: 192.168.213.129

Port 3389 is open

Start haproxy with -f to specify the configuration file; port 8888 being open shows that it started successfully. -d enables debug mode and can be omitted.

HTTP protocol: access port 8888 on the target; haproxy distributes the traffic to local port 80.

RDP protocol: access port 8888 on the target; haproxy distributes the traffic to 192.168.213.129:3389.

SSH protocol: access port 8888 on the target; haproxy distributes the traffic to local port 22.

haproxy log:

[Figure: haproxy log output]

6. Port redirection

So that normal access to port 80 is not affected, incoming port 80 traffic is redirected to port 8888. When a user accesses port 80 in the usual way, the traffic is forwarded to port 8888 and haproxy then forwards it back to port 80.

  • Linux: iptables (no service restart needed)

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8888

Accessing port 80 works normally:

[Figure: web page served via port 80]

The haproxy log has an entry, showing that the traffic went from 80 to 8888 first and then back to 80.

  • Windows: netsh (requires restarting the web service)

netsh interface portproxy add v4tov4 listenport=80 connectport=8888 connectaddress=127.0.0.1

Note: when enabling port redirection on Windows, the netsh port-forwarding rule must be added before the service on that port is started.
