How to analyze Haproxy port reuse

Author of this article: Spark (Ms08067 intranet security team member)

1. Overview

Haproxy is developed using c language High-performance load balancing proxy software, providing TCP and HTTP application proxy, free, fast and reliable.
Similar to frp, it can be run using one configuration file and one server.
Advantages:

Widely used in large business areas

Supports four-layer proxy (transport layer) and seven-layer proxy (application layer)

Supports acl ( Access Control List), routing can be configured flexibly

Windows can be run after compiling with cygwin (can be cross-platform)

Access Control Lists (ACL) are applied in routers A list of commands for an interface. These command lists are used to tell the router which data packets can be accepted and which data packets need to be rejected.

2. Configuration

Official configuration manual: https://cbonte.github.io/haproxy-dconv/2.2/configuration.html
The configuration file consists of global configuration and proxy configuration:
Global configuration (global): Defines parameters related to haproxy process management security and performance

Proxy settings (proxies) :

defaults: Provide default parameters for other configuration sections. The default configuration parameters can be reset by the next "defaults"

frontend: Define a series of listening sockets, these The socket can accept client requests and establish connections with it

backend: Define "backend" servers, and the front-end proxy server will dispatch short-term requests to these servers

listen: Defining the listening socket and backend server is similar to putting the frontend and backend segments together

Example:

global
defaults
  log global
  mode tcp
  option dontlognull
  timeout connect 5000
  timeout client 50000
  timeout server 50000

frontend main
  mode tcp
  bind *:8888
  option forwardfor except 127.0.0.1
  option forwardfor header X‐Real‐IP

# 配置acl规则
  acl is‐proxy‐now urlp_reg(proxy) ^(http|https|socks5)$
# 分发到对应的backend
  use_backend socks5 if is‐proxy‐now
  use_backend http
backend socks5
  mode tcp
  timeout server 1h
  server ss 127.0.0.1:50000
backend http
  mode tcp
  server http 127.0.0.1:80

Focus on frontend and backend.
You need to write acl rules and configure forwarding in Frontend. For example, when HTTP traffic comes, it is forwarded to the web service; when RDP traffic comes, it is forwarded to the RDP service.
Specific operations need to be written in Backend, which is to transfer to which port of which target.

3. Ideas

(1) Idea 1 (general)

Write acl rules at layer four (transmission layer) to carry out load and distribute it according to the protocol type. For example, when http traffic is encountered, it is sent to the http service, when rdp is encountered, it is sent to the rdp service, etc.

(2) Idea 2

Write acl rules, load them on the seventh layer (application layer), determine the application type for distribution, for example, when encountering http distribution to http service, otherwise sent to xxx service.

4. Steps

Take idea 1 as an example:

Capture tpkt (Application Layer Data Transfer Protocol) information through wireshark

Write acl rule routing for traffic distribution

Add backend server

Original interface takeover

Complete

##4.1 Capture tpkt

About tpkt, please refer to Baidu or view the reference link

After the three-way handshake, the application layer data transmission begins.
Use wireshark to capture packets:
ssh protocol:

The first three packets are three-way handshakes, and the first three digits of the fourth packet are the tpkt we need , for example ssh is 535348.

rdp protocol: 030000

Quick check:

ProtocolTPKTSSH535348RDP030000 HTTP(GET)474554HTTP(POS)504f53HTTP(PUT) 505554HTTP(DEL)44454cHTTP(OPT)4f5054HTTP(HEA)484541HTTP(CON)434f4eHTTP(TRA)545241HTTPS160301

4.2 编写acl规则

global
defaults
  timeout connect 5000
  timeout client 50000
  timeout server 50000
frontend main
  mode tcp
  bind *:8888
# 重点：编写acl规则进行转发
  tcp‐request inspect‐delay 3s
  acl is_http req.payload(0,3) ‐m bin 474554 504f53 505554 44454c 4f5054 484541 434f4e 545241
  acl is_ssh req.payload(0,3) ‐m bin 535348
  acl is_rdp req.payload(0,3) ‐m bin 030000
# 设置四层允许通过
  tcp‐request content accept if is_http
  tcp‐request content accept if is_ssh
  tcp‐request content accept if is_rdp
  tcp‐request content accept
# 分发到对应的backend
  use_backend http if is_http
  use_backend ssh if is_ssh
  use_backend rdp if is_rdp
  use_backend socks5
backend socks5
  mode tcp
  timeout server 1h
  server ss 127.0.0.1:50000
backend http
  mode tcp
  server http 127.0.0.1:80
backend ssh
  mode tcp
  server ssh 127.0.0.1:22
backend rdp
  mode tcp
  server rdp 192.168.213.129:3389

该配置文件的功能是监听8888端口，将http流量（速查表中http协议的8种tpkt）转发到本地的80上，将ssh流量转发到本地的22端口上，将rdp流量转发到另一主机的3389上。

五、实验

Target1：Ubuntu 16.04 x64

IP：192.168.213.128

开启22端口、80端口

Target2：Win7 x64

IP：192.168.213.129

开启3389端口

启动haproxy，-f 指定配置文件，开启8888端口表示启动成功。-d：调试模式，可不加。

HTTP协议：访问靶机的8888端口，流量被haproxy分发至本机的80。

RDP协议：访问靶机的8888端口，流量被haproxy分发至192.168.213.129的3389。

SSH协议：访问靶机的8888端口，流量被haproxy分发至本机的22。

haproxy日志：

六、端口重定向

为了不影响常规的80端口访问，将输入的80端口流量重定向到8888端口。当用户以正常方式访问80端口时，流量将转发到8888端口，然后由haproxy再次转发回80端口。

• Linux：iptables（不需要重启服务）

iptables ‐t nat ‐A PREROUTING ‐i eth0 ‐p tcp ‐‐dport 80 ‐j REDIRECT ‐‐to‐port 8888

访问80可以正常访问：

Haproxy日志有记录，说明流量由80先到8888，再回到80。

• Windows：netsh（需要重启web服务）

netsh interface portproxy add v4tov4 listenport=80 connectport=8888 connectaddress=127.0.0.1

注意：如果在windows下启用端口重定向，需要在端口启动前添加netsh端口转发规则。

The above is the detailed content of How to analyze Haproxy port reuse. For more information, please follow other related articles on the PHP Chinese website!