• How-to guide for Accessing Squid's cachemgr.cgi over https

    9
    0 Votes
    9 Posts
    2k Views
    periko

    @JonathanLee Hi, running Pfsense CE 2.7.2 Squid 6.3.

    What you mention makes sense; it would be cool to have this feature available.

    Thanks @JonathanLee

  • Pfsense SQUID 6.10 BUG NO_TLSv1

    Moved
    9
    0 Votes
    9 Posts
    326 Views
    stephenw10

    The options are still valid; they just can't have spaces between them, otherwise it tries to interpret them as new switches.

  • Troubleshoot HAProxy entry 503 - solved - invalid health check selected

    9
    0 Votes
    9 Posts
    1k Views

    As far as I can tell the pfSense HAProxy SSL backend checks do not work and are bugged, at least for backend devices that have a self signed cert. I've tried everything and always resort back to doing basic checks.

  • Transparent SQUID Proxy with PF2AD addon with AD integration

    1
    0 Votes
    1 Posts
    96 Views
    No one has replied
  • WordPress behind HAProxy

    8
    0 Votes
    8 Posts
    3k Views

    @mr-elamin2 said in WordPress behind HAProxy:

    $_SERVER['HTTPS']='on';

    define('WP_HOME','http://mysite.com');
    define('WP_SITEURL','http://mysite.com');

    Failed for me, but for WP 6.7.2, I added this to the top of the wp-config.php to make it work:

    define('FORCE_SSL_ADMIN', false);
    // Only trust the proxy's forwarded-protocol header when it is present
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
        && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
        $_SERVER['HTTPS'] = 'on';
    }

    define('WP_HOME','http://sitename.com');
    define('WP_SITEURL','http://sitename.com');

  • DoH blocking by way of rep_mime_type directive

    1
    0 Votes
    1 Posts
    110 Views
    No one has replied
  • You're speaking plain HTTP to an SSL-enabled server port

    13
    0 Votes
    13 Posts
    2k Views

    @melnyk
    It's great to hear that a simple reboot resolved your issue! If you encounter similar problems in the future, these steps may help you troubleshoot effectively.

  • Non-transparent proxy: allow Windows and Debian updates

    1
    0 Votes
    1 Posts
    60 Views
    No one has replied
  • Parsing host header through HAProxy to backend

    Moved
    6
    0 Votes
    6 Posts
    368 Views

    @peterweissdk said in Parsing host header through HAProxy to backend:

    I'm running a k8s cluster with traefik v3 installed to load balance my services. I'm using traefik's ingressroute to route e.g. http requests to my services, using the hostname as a match for the service.
    When I use local DNS (inside my LAN) to resolve the hostname, I can reach the service in the cluster, so traefik and the service are working just fine.
    For the record, I'm querying http (80) inside my LAN, and SSL off-loading everything in HAProxy running as a package in pfSense. When making a query from outside the LAN, I use Cloudflare as DNS provider, and ACME in pfSense to handle my certificates.
    When I query the DNS from outside my LAN using https, and the query resolves to my router running pfSense, the query hangs, and I can't reach my service at the k8s cluster.
    If I have a service with an internal IP address, everything works fine. I can resolve the DNS name, the HAProxy frontend SSL-offloads and filters the domain names using ACL, and sends the traffic to the corresponding backends, and I have a secure connection from my browser with a valid Let's Encrypt certificate.
    So my theory is that the domain name (host header) is not sent through to the backend service, and that's why the Traefik proxy in the k8s cluster cannot match the domain name.
    I have tried to set in: HAProxy - frontend - actions:
    http-request header set
    Condition acl names: <backend_service>
    name: Host
    fmt: <the_domaine_name>
    But that did not work....
    Any suggestions?

    Make sure that the HAProxy configuration correctly forwards the Host header to your backend. You mentioned trying to set the Host header using an action, but it's crucial that this configuration is correctly applied.

  • Haproxy resolvers accepted_payload_size

    1
    0 Votes
    1 Posts
    113 Views
    No one has replied
  • Status page software interaction issue

    1
    0 Votes
    1 Posts
    113 Views
    No one has replied
  • IPv6 and /etc/resolv.conf

    Moved
    28
    0 Votes
    28 Posts
    1k Views
    JonathanLee

    @johnpoz Do you have any other ideas? I have it set to listen on IPv6 and IPv4; I can see it bind to my interface on both addresses, but if a machine connects to the proxy with an IPv6 source address the proxy gives a 409 error. Everything else works. This is in an HE tunnel broker configuration; I see states that get established. Again, IPv6 does not do NAT, but I would assume that if it has the option to listen on IPv6 addresses it would proxy the addresses. If I put the machine on the guest network without the proxy the system functions, so I know my IPv6-only settings on the side of the HE tunnel work. What am I missing? I also configured tcp outgoing testing with IPv6 for IPv6 and that was the same thing, so I turned it back to outgoing auto. I know it supports it per the Squid website. I also tried to do an http_port :: 3128 test, same thing. I just wonder what is causing Squid to not proxy IPv6 traffic; I have tested in all transparent and non-transparent modes with SSL intercept.

    Any ideas? Thanks again for working with me on getting me comfortable with ipv6, I just feel there is something I am missing for the proxy.

    I have not tested this:

    #acl localnet src fc00::/7 # RFC 4193 local private network range
    #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

    Have you ever had it configured where IPv6 source addresses work? I have it working when it is IPv4 going to, say, ipv6.google.com: the proxy sees the source address is my local machine's IPv4, the destination is IPv6, and it connects. My IPv6 tests work, but if anything has an IPv6 source it fails.

  • 0 Votes
    10 Posts
    891 Views
    JonathanLee

    Update: Set your SSH on the wpad to only allow access during business hours. This can be done with PAM.

    edit the following file

    /etc/security/time.conf

    add:

    sshd;*;*;AL0500-2300

    Meaning I can only SSH into my wpad during 5-2300.

    After that, adapt /etc/ssh/sshd_config

    Make sure your ListenAddress is the IP of the wpad and set your AllowUsers to your login.

    Example

    # change port if needed
    Port 8085
    # ipv4 only
    AddressFamily inet
    # address of wpad
    ListenAddress 192.168.1.6
    # any device that is 192.168.1.X
    AllowUsers Jonathan@192.168.1.*

    Change

    # no ssh login for root
    PermitRootLogin no
    # turn on pam for use with time restrictions
    UsePAM yes

    After that, adapt
    /etc/passwd

    For added security also change your login to use the shell rbash and lock down the wpad.

    Also, if you use IPv6 and IPv4 you will have a race condition and sshd will not start on reboots; you must also adapt

    sudo -i systemctl edit --full sshd.service

    under [Unit] add

    Requires=network-online.target
    After=network-online.target

    This will only start sshd once the network target is running, in my example 192.168.1.6. I also have IPv6 running so it would cause issues unless I changed this. If you do not use IPv4, forget about this.

  • HAProxy Query

    9
    0 Votes
    9 Posts
    266 Views

    @viragomann yeah, it was enough of a nightmare to get this VPN setup originally, anytime you involve TCS in something IT related you can add an extra hundred hours!

  • Can we use squid ?

    2
    0 Votes
    2 Posts
    292 Views
    JonathanLee

    I use it, I mean it is updated so the security issues are gone from it.

  • invalid characters

    Moved
    3
    0 Votes
    3 Posts
    175 Views

    Thank you for your reply. Alas there are no spaces. But I have more issues. I re-entered a new front end which did not throw any errors on SAVE. But, Apply Changes, I got:

    [ALERT] (56576) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:15] : 'bind 192.168.42.1:443' in section 'frontend' : 'crt-list' : unable to load certificate from file '/var/etc/haproxy_test/MyProxyA.pem': no start line.
    [ALERT] (56576) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
    [ALERT] (56576) : config : Fatal errors found in configuration.

    I have gotten this before, and I navigated to /var/etc and the haproxy_test directory does not exist. I have no idea where that is being picked up from.

    I have uninstalled haproxy and deleted the haproxy directory, re-installed haproxy, and it still wants /var/etc/haproxy_test/haproxy.cfg, which does not exist.

    At this point I think my best bet is to restore a backup to before I started with haproxy and start over.

  • Squid error "FATAL: Unknown http_port option 'NO_TLSv1"

    12
    0 Votes
    12 Posts
    1k Views

    @JonathanLee Thanks! I'll check this ASAP. Have a nice day.

  • Squid problem after upgrade to 2.7.1

    12
    0 Votes
    12 Posts
    3k Views
    JonathanLee

    https://github.com/pfsense/FreeBSD-ports/commit/476a7d0e3dca704b236839970f1d215912184f73

    This is a known issue. I had a merge for a previous version when you could disable the older TLS; however, this directive is no longer on the latest version of Squid. This directive is no longer part of the latest Squid package.

  • HAProxy with an external modsecurity filter

    9
    4 Votes
    9 Posts
    5k Views

    @lncc63

    Hello,
    Sorry for my ignorance, but can you provide the way you have dockerized the WAF from jcmoraisjr/modsecurity-spoa?
    Maybe this is not the right place to post this question, but on jcmoraisjr's git page I can't find any guide to pull the image or so on...

    Can you provide any help?
    Thanks,
    Gianluca

  • Little help!

    1
    0 Votes
    1 Posts
    123 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.