• 0 Votes
    2 Posts
    231 Views
    P
    @planetinse confirmed the later add tcp-request inspect-delay in TCP mode only.
  • using haproxy with map-files and pfsense?

    2
    0 Votes
    2 Posts
    209 Views
    P
    anyone?
  • 0 Votes
    4 Posts
    2k Views
    D
    @danwize @viragomann I've got it working now. I changed to just use one front end and added my acl for cloud back. I removed my attempts to set the header and changed my cloud back end to point to 10.10.0.2:443 after I had changed it to 10.10.0.2:10223 for testing. After I did that, and after saving and applying the changes several times, cloud.mydomain.com was still resolving to 10223. I even tested in incognito windows and restarted the ha proxy service from the pfsense ui and it kept resolving to 10223. I finally got it routing to 443 after editing the front end settings for cloud to use a different backend, saved those changes, and then changed it back to my cloud.mydomain.com backend and saved again. Possibly my problem from the beginning was the fact that the settings didn't take initially.
  • HAProxy can't start - library issue?

    4
    0 Votes
    4 Posts
    1k Views
    M
    https://forum.netgate.com/topic/183088/error-libssl-so-30-not-found-when-installing-package/3
  • [SOLVED] haproxy-auth-request luasocket support?

    3
    0 Votes
    3 Posts
    1k Views
    CyberCloud_ConsultingC
    @benjamesfleming said in [SOLVED] haproxy-auth-request luasocket support?: https://pkg.freebsd.org/freebsd:11:x86:64/latest/All/lua53-luasocket-3.0.r1_5,1.txz Hello, I am having the same issue on PFSense Plus 23.09.1-RELEASE and HAProxy-devel 2.9.d2. This package no longer seems to be available for download and I cannot seem to find an equivalent for FreeBSD 14. I tried browsing to the FreeBSD package URLs and get an NGINX forbidden when I attempt to browse to find what the latest package URLs are. Any guidance on how to download the latest version of lua53-luasocket? Thanks
  • BUG: (?) sipproxd.pid in root folder (/) instead of in /var/run/ ?

    1
    0 Votes
    1 Posts
    162 Views
    No one has replied
  • HAProxy Vaultwarden Reverse proxy Help

    4
    0 Votes
    4 Posts
    4k Views
    C
    @viragomann Thanks for your reply. The firewall is just open for testing right now. Later it will be limited to the ports that the Vaultwarden Docker container uses (3012 for Websocket, 7010 for internal 443 and 7011 for internal 80). The domain frontend only has actions for http requests to allow or deny. I basically followed the Dani Garcia setup linked above since it's my first time with HAProxy. The Dani Garcia setup seems to be working for others so I'm wondering where I went wrong, maybe I misunderstood the ports to be used or put the wrong IP in the wrong place...or else, I just can't figure it out...most likely because I don't know HAProxy at all. The Vaultwarden frontend ACL1 and 3 are almost identical except the "Not option" which is yes in ACL1 and no in ACL3. The goal is to have my locally hosted Vaultwarden accessible at vault.mydomain.nz from WAN. (browser plugins, phone apps etc.)
  • 0 Votes
    12 Posts
    2k Views
    JonathanLeeJ
    @garyd I did eventually get Snort's Open App ID with full text rules running. My text rules I call the sorcerers code file, anyway it was able to show the applications that were running without any use over the network and pinpoint it to my Android smartphone. I got a new phone, it stopped. Again, I knew it was there, my goal was to find a way to stop it globally, something I could report. Yes, Snort's appID was the closest as you can detect the app use. Again, it does not list containers used. I was researching this over summer break and found you can use pf to detect the OS in use in the tcp stack if you want to check this out. All for the goal of a more secure system. But it requires an OS container database much like a blacklist for this to function, again this is similar to AppID with the text files. So any containers can be detected this way. What I want to do is set up a signature of what I use and start to block the bad ones. Least privilege approval. I am sure some are real and needed but some are unknown also. I had a big one in my NAS that was found the other day also. Got that issue fixed.
  • Configure HAProxy backend to a url with a subdirectory?

    2
    0 Votes
    2 Posts
    2k Views
    V
    @dutsnekcirf Basically there is no need to run a website within a subdirectory behind a reverse proxy. This makes things more complicated. However, HAproxy is able to insert a string at the beginning of the path. You can use "http-request set-path" to do this. You can set it in the frontend or backend. The preferred method depends on your setup. Add an action, select "http-request set-path" and enter "/web/%[path]" below. This assumes that the website has further subdirectories. However, with this, the additional path is inserted into all requests. If your website sends URLs to call to the client, which already include the "/web/", you have to bind this action to an ACL to ensure it is not applied in this case.
  • problem with update behind proxy

    5
    0 Votes
    5 Posts
    673 Views
    V
    @gilbe92 said in problem with update behind proxy: @viragomann I don't use proxy service inside pfsense like squid. The proxy I use is ccproxy.exe on other host. Yes, I was talking about this kind of proxy of course.
  • HAProxy For HTTP Only?

    2
    0 Votes
    2 Posts
    431 Views
    V
    @kn4thx So I assume you have a single public IP and multiple domain names, which you want to redirect to different backends. This requires that HAproxy can distinguish the requested domain name. There are two options to do this. Either read out the host header or via SNI. HAproxy supports two modes: http and tcp. The host header is only included in http requests. SNI is only included in TLS/SSL protocol and has to be supported by the client. So if your protocol is not http, SNI is the only option, hence TLS is required and you also have to ensure that your client supports it.
  • HAProxy: Add Folder Path To Backend IP Address?

    6
    2
    0 Votes
    6 Posts
    1k Views
    V
    @uplink So as you can see, there are some subfolders in the path. So you need to insert "/photo" just at the beginning of the path. You can do this by appending the path variable. Just replace the value with "/photo/%[path]".
  • antivirus HAproxy and ClamAV

    3
    0 Votes
    3 Posts
    923 Views
    R
    @jimp do you have any suggestion for antivirus?
  • explicit proxy & root cert question

    4
    0 Votes
    4 Posts
    730 Views
    JonathanLeeJ
    @jc1976 for your question ... It works exactly like the proxy in a Palo Alto Firewall, same way certificates and all that is all I can say. Nothing out of the ordinary. Standard stuff.
  • pfsense squid status error

    4
    1
    0 Votes
    4 Posts
    982 Views
    JonathanLeeJ
    That’s amazing I wish my 2100 had 8GB that’s all it needs for clamav
  • Squid not sending traffic out selected outgoing interface.

    3
    0 Votes
    3 Posts
    797 Views
    D
    @digitalmg The problem is solved. I had defined an Outgoing NAT Rule for This Firewall (Self) with AON. I limited this rule to my specific usage and Squid now switches between outgoing interfaces like a charm!
  • HAProxy config for domain forwarding

    3
    0 Votes
    3 Posts
    573 Views
    G
    @viragomann Thanks. I tried your suggestions, yet all traffic still goes to the was://blah.example.com/... When I enter https://blah.example.com:7000/api/v2/device in a browser the response comes from the websocket (was://)
  • HAProxy in front of Apache Proxy

    2
    0 Votes
    2 Posts
    803 Views
    N
    Okay I found the solution. In the HAProxy backend for the server that is affected you set: send-proxy in the "Per server pass thru" box under Advanced Settings. Then in your Apache site config you have to include: RemoteIPProxyProtocol On, as well as enabling the mod_remoteip module. Hopefully this is helpful to anyone else finding themselves with this type of configuration.
  • Squid proxy problems with YouTube

    1
    0 Votes
    1 Posts
    311 Views
    No one has replied
  • Proxy or Squid Alternatives

    3
    0 Votes
    3 Posts
    2k Views
    V
    @ronmwhite said in Proxy or Squid Alternatives: Here is the NAT:
    Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP | NAT Ports | Description
    LAN | ANY | 192.168.1.246 | * | WAN address | * | 192.168.1.1 | * | Redirect Router for any LAN Address
    WAN | ANY | * | * | 192.168.1.246 | * | 192.168.1.1 | * | Redirect Router for any WAN Address
    You might want to set the destination to any instead of WAN address. I don't think that the AP uses your WAN address as destination. The rule on WAN might be superfluous. Traffic from the AP on the LAN will not enter pfSense on the WAN.
    Here is an example of the states I see now:
    LAN tcp 192.168.1.246:36352 -> 54.185.135.21:443 ESTABLISHED:ESTABLISHED 1.819K / 1.82K 93 KiB / 99 KiB
    WAN tcp 174.17.63.23:56928 (192.168.1.246:36352) -> 54.185.135.21:443 ESTABLISHED:ESTABLISHED 1.819K / 1.82K 93 KiB / 99 KiB
    Not sure if the AP is happy with the redirection. It obviously connects to an SSL port, so it might expect to get an SSL certificate from the server. But try it out.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.