• Hybrid SSL off load and not

    4
    0 Votes
    4 Posts
    507 Views

    @Tony-Soprano said in Hybrid SSL off load and not:

    yes a client has a magento installation which won't work after pfsense haproxy ssl offload.

    If the client just needs to do the SSL encryption for whatever reason (HAproxy should be able to satisfy the client / backend, so that SSL offloading should be doable), an option could be to assign a private certificate to backend web instance and install the certificate also on pfSense so that it trusts the backend, or simply disable SSL checks.

    You can also generate the backend certificate on pfSense with a local CA. The client cert can have a long period of validity.

    Ok we do have 2 public IPs so if I config a second WAN on pfsense and make 2nd frontend answer to the second public IP, I can set it as NON ssl offload for any domain into that frontend right?

    You can just assign additional IPs as virtual to the WAN interface and configure the additional frontend to listen on it. It does not have to be on another interface.

  • VIP network expansion not working

    2
    0 Votes
    2 Posts
    311 Views

    Can confirm this issue occurs from 2.7.1 onwards. The GUI works as expected in 2.7.0.

  • Builtin alias for CARP address in f/w rules?

    3
    0 Votes
    3 Posts
    339 Views

    @minimos We created an alias for “WAN IPs” with the three public IPs in it. (And LAN)

    In essence I think you’re asking whether This Firewall will update to include the shared IP when it moves, and I don’t know the answer to that. Maybe, but I would not assume it does.

  • How to config 5 static IP addresses with pfSense

    6
    0 Votes
    6 Posts
    966 Views

    @jngo
    That is a very unusual way to get additional IP addresses based on DHCP.
    Typically you get a single (primary) DHCP address and all further IPs you get from the ISP are routed to the primary. So you only need to configure one DHCP interface and can easily use all the assigned IPs.

  • No internet connectivity on standby CARP member

    6
    0 Votes
    6 Posts
    540 Views

    @clonian Check Diagnostics/Routes on secondary? Any chance the ISP router is locking on to the CARP IP? IOW if you remove the shared IP they should both be able to connect out on their own.

  • 1 out of 3 VIPs not moving to backup firewall

    3
    0 Votes
    3 Posts
    275 Views
    No one has replied
  • VIP address of carp not detected in other router

    8
    0 Votes
    8 Posts
    763 Views

    @prisonier
    Yes, VRRP is very very similar to CARP. It behaves the same regarding the virtual MAC.

    Glad that you got it sorted.

  • pfsense 2.7.2 HAProxy 2.8.3 is not allowing TLSv1.0, 1.1

    4
    0 Votes
    4 Posts
    883 Views

    Hi,

    I have the same issue but putting :@SECLEVEL=0 to ssl-default-bind-ciphers just gives me an error:

    section 'frontend' : 'crt-list' : parsing [/var/etc/haproxy_test/imap_test-994.crt_list:1]: unknown ssl keyword :@SECLEVEL=0

    Is there anything I can do?

    regards

  • Is this expected - or have i f*ckd up?

    1
    0 Votes
    1 Posts
    215 Views
    No one has replied
  • Not able to ping backup node LAN interface via Master IOT interface

    1
    0 Votes
    1 Posts
    187 Views
    No one has replied
  • Additional ports to forward in HAProxy?

    1
    0 Votes
    1 Posts
    207 Views
    No one has replied
  • CARP / HA Logging for inactive WAN

    11
    0 Votes
    11 Posts
    899 Views
    stephenw10

    Not from the GUI or in any way that is officially supported.

    You can specify the log storage location in the syslog-ng package so use that to store it. You still need to forward logs to it from the normal syslogs though. And mounting a different disk for that requires some custom script.

  • Block of IPs but ISPs uses PPPoE

    6
    0 Votes
    6 Posts
    536 Views
    VioletDragon

    @viragomann Just an update.

    They called me back. Their recommendation is to have a PPPoE server that passes through the IPs.

  • 2 iredmail mailservers behind haproxy

    2
    0 Votes
    2 Posts
    487 Views
    VioletDragon

    @Tony-Soprano It is not very easy to proxy SMTP and IMAP with HAProxy and will cause abnormal problems. But you would need to enable Proxy in Postfix main.cf.

    Personally I would not bother.

    I would use HAProxy for Webmail & ActiveSync on Port 443, then for SMTP 25, 587 and IMAP 993 I would put them under NAT instead.

    Depending how many Static IPs you have too.

    I would configure mx1 on Public IP 01 and mx2 on Public IP 02 then configure relay from mx2 to mx1. Make sure you have PTR Records added by your ISP too.

    Regards

  • Flapping backup/master/backup when some change is saved in MASTER.

    5
    0 Votes
    5 Posts
    866 Views

    @correajl thank you for the reply.
    I thought that you found a way to set different advbase values on both nodes.

    Anyway I found my issues, and it was not the same as yours - as I am not very familiar with netgear switches I missed that storm-control was enabled for multicast.
    The storm-control became the root cause for the issue.

  • WAN interface disconnected that cannot failover (Virtualbox)

    2
    0 Votes
    2 Posts
    295 Views

    Hello, can someone help? thanks

  • When switching from one node to another connections are resetted !

    7
    0 Votes
    7 Posts
    929 Views

    @manu77 I just tested with RDP and did not get dropped at your step 3...

  • HAProxy: 503 errors on 2 domains

    7
    0 Votes
    7 Posts
    1k Views

    @kiokoman said in HAProxy: 503 errors on 2 domains:

    @oguruma
    HAProxy "503 Service Unavailable: No server is available to handle this request" is passed when the http check fails for some reason even if the service is up and running

    like in this post https://serverfault.com/a/886319

    you need to adjust that option in a way that it receives a valid response from the server or disable httpchk

    Thanks again for the help. I got it working by deleting both the frontends and the backends for the not-working domains and recreating them, making sure to disable health checks from the outset when creating the backends.

    One thing that is curious is that I re-installed ERPNext on separate, vanilla VM and pointed the backend to that new VM with healthcheck enabled, and it worked fine...

  • 0 Votes
    2 Posts
    444 Views

    Hi,

    same problem here after upgrading from 2.6 to 2.7.2,
    Certificate manager doesn't fill the 'In use' column for some of the certificates used by HAProxy.

    Anyone has an explanation or solution?

    Thanks

  • Pfsense 2.7.2 https request loadbalnce for 2 webservers

    1
    0 Votes
    1 Posts
    589 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.