HAProxy: How to mix SSL forwarding and reverse proxy with SSL termination
-
Hi,
First, I'm running pfsense 2.5.2-RELEASE (amd64) built on Fri Jul 02 15:33:00 EDT 2021 and HAProxy version 1.8.30-c248dab, released 2021/04/12.
Until now I had HAProxy as a reverse proxy for a website with 2 servers in HTTPS -> working (HAProxy + ACME for certs).
pfSense was doing reverse proxy / load balancing with SSL offloading to my 2 servers in HTTP as backend. Now I have another website, a single host, which manages its certificate alone.
I checked, and if I expose it on 443 with basic NAT port forwarding, it works.
I tried a few configs and still do not manage to get both working through the reverse proxy. First, is this possible?
I would need to have both setups behind my pfSense (single IP address).
I understood that selecting TCP/SSL instead of offloading should do the trick, but I only get connection refused and errors. Would anyone have insights?
Thanks ! -
Up?
Am I asking for something that is not possible, maybe? -
-
@viragomann Thanks a lot! That seems to answer my question perfectly.
will do some tests.... -
@viragomann
Hi, I made many tests and it is not happening the same way as described in the doc, as my case is slightly different. Let me reshare all the details & config to see what I am missing... I have 1 single public IP address.
I need the following at the same time. I have a domain, smalldragoon.com, where:
- A1 - A.smalldragoon.com, B.smalldragoon.com, C.smalldragoon.com need to be forwarded to an internal host which is managing the SSL connection (equivalent to my old config, which was just port forwarding of 443).
- A2 - D.smalldragoon.com needs to have its SSL communication terminated on pfSense and redirected to an internal host which is running on port 80 (so not in HTTPS, it is a basic website).
Ex: https://D.smalldragoon.com redirects to http://192.168.1.1:80
I have a second domain, smalldragoon.xyz, where:
- B1 - I want to terminate the SSL connection on pfSense. Then, based on the directory of the URL, redirect to an internal host on different ports, for example:
https://test.smalldragoon.xyz/A redirects to http://internalhost:4545/A
https://test.smalldragoon.xyz/B redirects to http://internalhost:4546/B
- B2 - Last, with the same domain smalldragoon.xyz, I need to redirect all traffic for hosts under a subdomain to an internal host as is (no HTTPS termination).
Ex:
https://.mysubdomain.smalldragoon.xyz to https://195.168.1.1/ (which manages the SSL)
I need to have all of these working at the same time.
So, to proceed in order, here is what I have done:
For A1: OK and working.
I created 1 frontend with the different possible hostnames for the domain
and redirect to a backend:
Now, when I create A2 with a 2nd frontend,
config of the frontend:
when validating I get:
I tried to merge the 2 frontends, but it is not working, so I assume there is something around shared frontends as per the message? What am I missing?
Thanks -
@smalldragoon
Yes, that's what I'd expect.
You can set up only one frontend for a single IP + port combo, or a shared frontend at best. However, in a single frontend you can configure multiple backends in conjunction with different ACLs.
-
@viragomann
OK, but then I'm not understanding your answer. Can I do A1 and A2 or not?
I don't really care about the way to do it, as long as it works :) -
@smalldragoon
I never did such a setup myself, so I cannot tell you if it works. I just found the guide on the web when I was searching for HAProxy solutions. As I understand it, it should be possible to get it to work. But for A2 you have to configure pfSense itself as a backend and forward the traffic from the single frontend to it by checking the SNI.
-
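As an added illustration of the approach described in the reply above (a single TCP-mode frontend on port 443 that routes on SNI, with pfSense itself as the backend for the hosts that need termination), here is what the requirement list from the earlier post (A1, A2, B1, B2) looks like in raw HAProxy 1.8 configuration syntax. This is not from the thread or from the pfSense HAProxy package: the internal addresses, the certificate directory and the loopback port 8443 are assumptions, and the pfSense GUI expresses the same thing as a TCP-mode primary frontend plus a second, HTTP-mode frontend bound to 127.0.0.1 that a backend points at.

```haproxy
# Added example, not from the original thread. Assumes HAProxy 1.8 syntax,
# hypothetical internal addresses, and that the certificates for the terminated
# hosts live in /var/etc/haproxy/certs/ (assumed path).

defaults
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# 1. The only frontend on the public IP:443. It never decrypts anything; it
#    reads the SNI from the ClientHello and picks a backend from it.
frontend https_in
    bind *:443
    mode tcp
    option tcplog

    # A1: hosts that manage their own certificate -> raw TLS passthrough
    acl sni_passthrough_a req.ssl_sni -i A.smalldragoon.com B.smalldragoon.com C.smalldragoon.com
    # B2: every host under mysubdomain.smalldragoon.xyz -> raw TLS passthrough
    acl sni_passthrough_b req.ssl_sni -m end -i .mysubdomain.smalldragoon.xyz
    # A2 and B1: terminate TLS on pfSense (second frontend below)
    acl sni_terminate     req.ssl_sni -i D.smalldragoon.com test.smalldragoon.xyz

    # Wait for the ClientHello so req.ssl_sni is available, then refuse
    # anything whose SNI is not on the list (plain TCP probes, no-SNI clients)
    # instead of handing it to a default backend.
    tcp-request inspect-delay 5s
    tcp-request content reject unless sni_passthrough_a or sni_passthrough_b or sni_terminate

    use_backend passthrough_a   if sni_passthrough_a
    use_backend passthrough_b   if sni_passthrough_b
    use_backend local_terminate if sni_terminate

# A1 target: internal host terminating TLS itself (assumed address)
backend passthrough_a
    mode tcp
    server srv_a 192.168.1.10:443 check

# B2 target: internal host terminating TLS itself (assumed address)
backend passthrough_b
    mode tcp
    server srv_b 192.168.1.11:443 check

# Hand the still-encrypted stream to the terminating frontend over loopback.
# send-proxy-v2 carries the real client IP across the hop so logs and
# X-Forwarded-For do not all read 127.0.0.1.
backend local_terminate
    mode tcp
    server terminator 127.0.0.1:8443 send-proxy-v2

# 2. Termination frontend. Bound to loopback only: accept-proxy trusts the
#    PROXY header, so nothing on the LAN may reach this listener directly.
frontend https_terminate
    bind 127.0.0.1:8443 ssl crt /var/etc/haproxy/certs/ accept-proxy
    mode http
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    acl host_d hdr(host) -i D.smalldragoon.com
    acl host_t hdr(host) -i test.smalldragoon.xyz
    acl path_a path_beg -i /A
    acl path_b path_beg -i /B

    # Host header must match what the SNI promised; unknown paths on the
    # test host are refused rather than sent to an arbitrary backend.
    http-request deny unless host_d or host_t
    http-request deny if host_t !path_a !path_b

    use_backend web_d if host_d
    use_backend app_a if host_t path_a
    use_backend app_b if host_t path_b

# A2 target: plain-HTTP site behind the terminated connection (assumed address)
backend web_d
    mode http
    server web 192.168.1.1:80 check

# B1 targets: same internal host, different ports; the /A and /B paths are
# passed through unchanged (assumed address)
backend app_a
    mode http
    server app 192.168.1.20:4545 check

backend app_b
    mode http
    server app 192.168.1.20:4546 check
```

Two things to check once this is in place: `haproxy -c -f <file>` validates the syntax, and `openssl s_client -connect <public-ip>:443 -servername A.smalldragoon.com` should show the internal host's certificate while the same command with `-servername D.smalldragoon.com` shows the certificate pfSense holds. For the passthrough hosts pfSense only sees the TLS handshake, so HTTP-level ACLs, header rewriting and ACME HTTP-01 validation for those names cannot happen on pfSense, and clients that send no SNI are rejected by design.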
@viragomann
OK, I will create another post with a more specific topic on shared frontends.
Thanks for your time and help! -