@viragomann said in HAproxy exposing only pfSense’ ip address at hosts log:

@gschmidt
You can run HAproxy in transparent reverse mode. It can be enabled in the backend advanced settings.

Thanx, I will have a look at it!

Update: sadly not an option, I also want to access the domotica web app inside my network (I have only one subnet)...

I will ask first at the Domoticz forum if it is possible to retrieve the ip address from the header with a script...thanx

I already figured it out.

Changed 2 options in my Cloudflare account

b530eb2a-a2e9-4ec9-87eb-620378256273-image.png

Under SSL/TLS menu:
Overview
Default setting was Flexible, but needs to be Full(Strict)

Edge Certificates
I had checked "Always use HTTPS" to ON....but needs to be OFF

Thats it...I think it was the HTPPS trick...because in HAproxy I use SSL Offloading and HTTP to access the Host

@joulester The short version is it just worked. Especially if you don't need the certificate part, it just works. To give me an idea how to be more helpful than just saying it works, is there a step you have a question about?

@valepe69 Fixed.
Having a Multi-WAN configuration all was screwed up by the bug of the 2.5.1 release.
Reloaded the 2.5.0 and the same configuration works great.

@piba

I have a question about the 503 error page.

If somebody is accessing my WAN IP adress (e.g. https://67.46.29.83:443) instead of my domain name, HAproxy shows a 503 error page, Is this normal behaviour of HAproxy?

If so, this is nice because I want to block access to WAN ip, but is it also possible to modify the header and content of the 503 page?

@vijay7 How are you doing the upload blocking?

@rupesh

According to the hint written in the IP Alias creation form, it does.

Hint : Enter as many hosts as desired. Hosts must be specified by their IP address or fully qualified domain name (FQDN). FQDN hostnames are periodically re-resolved and updated. If multiple IPs are returned by a DNS query, all are used. An IP range such as 192.168.1.1-192.168.1.10 or a small subnet such as 192.168.1.16/28 may also be entered and a list of individual IP addresses will be generated.

The thing is, when re-doing the DNS resolution, pfSense may be fooled by a DNS cache. If it probes a DNS that has the old record in cache and does not re-probe the SOA, the new IP will not be detected. As such, the delay after an IP address changed is :
--Time for the client to update its records (can be as quick as instant or longer)
--Time for the previous record to be purged from the cache in the DNS server probed by pfSense
--Time for pfSense to renew the IP alias

After all of these delays, then the alias will be updated. It can be very long, some DNS cache may last for 30 days, but at a certain moment, it will happen.

Regards,

@piba thankyou piba, you are a savior.

Ok after playing around with it and clearing the states a few times a rebooting it seems to be working now. Will see if the issue happens again

@TGill,

HAProxy is testing over HTTP/1.0 while your curl is using HTTP/1.1. That may very well be the difference between the two tests and the two results.

You can try something like
HTTP/1.1\r\nHost:\ hostname.domain.lan

in the "Http check version" box in your backend's configuration.

@kom That did the trick! I knew it was something simple I was overlooking. Thanks for the help!