Setting up SimpleHelp behind Nginx reverse proxy

I’ve had the (non) pleasure to do this with HAProxy.
Since SimpleHelp uses various non-HTTP protocols, it is really hard to achieve.

I’ve had HAProxy detect various SimpleHelp protocols. Here’s the interesting config part of my setup:

frontend main
    bind :::80

    # Optional Redirect if HTTPS is *not* used
    #redirect scheme https code 301 if !{ ssl_fc }

    # We use TCP mode since we do want to check TCP payloads, else we could use http mode
    mode tcp
    option tcplog
    option http-keep-alive
    option forwardfor

    log global
    log 127.0.0.1 local2 debug
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %[capture.req.hdr(0)]"
    tcp-request inspect-delay 1s

    # Let's capture the first 300 bytes of any request
    tcp-request content capture payload(0,300) len 300

    # Letsencrypt override
    # Both syntaxes work in tcp and http mode; using the faster non-regex version
    # acl lets_encrypt_url url_reg ^\/\.well-known\/acme-challenge\/.*$
    acl lets_encrypt_url path_beg /.well-known/acme-challenge/


    # These ACLs work in tcp haproxy mode

    # Brute destination host discovery
    #acl simplehelp_protocol_pl req.payload(0,500) -m sub "support.mydomain.tld"
    # SimpleHelp protocol discovery
    acl simplehelp_protocol_ident req.payload(0,4) -m bin 4e444c4b

    # Example to get POST and GET requests (be aware that the url_reg ACLs below are much cleaner)
    # Begin after payload 5 bytes "POST "
    #acl simplehelp_lossyproc payload(5,10) -m str "/lossyproc"
    # Begin after payload 4 bytes "GET "
    #acl simplehelp_ping payload(4,8) -m str "/machine"
    # Let's stick to the backend when the ACL is true

    # This ACL works for tcp and http haproxy mode
    acl simplehelp_url  hdr(host) -i support.mydomain.tld
    # GET /machine-1626426453697?ping= where the number is an epoch, hence 13 chars
    acl simplehelp_ping url_reg -i ^\/machine-[0-9]{13}\?ping=.*$
    # GET /lossyproc?rand=0.xxxx
    acl simplehelp_lossyproc url_reg -i ^/lossyproc\?rand=.*$


    use_backend lets_encrypt_server if lets_encrypt_url

    use_backend simplehelp          if simplehelp_protocol_ident
    use_backend simplehelp          if simplehelp_ping
    use_backend simplehelp          if simplehelp_lossyproc
    use_backend simplehelp          if simplehelp_url
    use_backend simplehelp          if { sc0_conn_rate(stick_table_tcp_src) gt 0 }

The setup works, but SimpleHelp won’t be able to use UDP, and protocol switch times weren’t good.

I’ve ended up buying more public IPs since SimpleHelp’s best working protocol is UDP, and no UDP proxy exists AFAIK.

I tend to be able to have multiple POP/IMAP/SMTP servers behind one public IP, but this one isn’t just TCP.
If someone has achieved this, I’m all in :wink:
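
An added example, not part of the original post: a Python model of the content-based ACLs above, useful for checking which backend a given first payload would be routed to before the rules go onto a shared public port. It follows the order of the use_backend lines, leaves out the stateful sc0_conn_rate rule, and the "default" result name and the sample payloads are assumptions made for the example.

```python
import re

# Patterns copied from the ACLs in the post; the checks follow its use_backend order.
MAGIC = bytes.fromhex("4e444c4b")  # req.payload(0,4) -m bin 4e444c4b, ASCII "NDLK"
PING_RE = re.compile(r"^/machine-[0-9]{13}\?ping=.*$", re.I)
LOSSY_RE = re.compile(r"^/lossyproc\?rand=.*$", re.I)
ACME_PREFIX = "/.well-known/acme-challenge/"
HOST = "support.mydomain.tld"  # placeholder host name used in the post

def parse_http(payload: bytes):
    """Return (url, host) if the payload starts like an HTTP/1.x request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    return parts[1], host

def classify(payload: bytes) -> str:
    """Name the backend the first bytes of a connection would be sent to."""
    first = payload[:300]  # the post captures the first 300 bytes of a request
    http = parse_http(first)
    if http and http[0].startswith(ACME_PREFIX):
        return "lets_encrypt_server"
    if first[:4] == MAGIC:  # magic must sit at offset 0, as in the ACL
        return "simplehelp"
    if http:
        url, host = http
        if PING_RE.match(url) or LOSSY_RE.match(url) or host == HOST:
            return "simplehelp"
    return "default"  # hypothetical name for "no ACL matched"

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "magic": MAGIC + b"\x00\x01constructed",
    "ping": b"GET /machine-1626426453697?ping=1 HTTP/1.1\r\nHost: other.tld\r\n\r\n",
    "short_epoch": b"GET /machine-162642645369?ping=1 HTTP/1.1\r\nHost: other.tld\r\n\r\n",
    "late_magic": b"\x16\x03\x01NDLK",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", classify(data))
```

The "short_epoch" and "late_magic" samples are the negative cases: a 12-digit epoch and a magic value that is not at offset 0 both fall through to "default".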