Access to HAPROXY Backend with and without OpenVPN
- 
 Hi, I have two SSL web servers in my local network, which work fine when I access them from the internet via different hostnames (using HAProxy). But when I connect to my home network via a pfSense OpenVPN tunnel I cannot access them at all. Below is the HAProxy config and a screenshot of the firewall rule. Any ideas what's wrong here? Regards,
 Joe
 global
     maxconn 10
     stats socket /tmp/haproxy.socket level admin
     gid 80
     nbproc 1
     chroot /tmp/haproxy_chroot
     daemon

 listen HAProxyLocalStats
     bind 127.0.0.1:2369 name localstats
     mode http
     stats enable
     stats admin if TRUE
     stats uri /haproxy/haproxy_stats.php?haproxystats=1
     timeout client 5000
     timeout connect 5000
     timeout server 5000

 frontend MainFrontends
     bind 192.168.2.2:443 name 192.168.2.2:443
     mode tcp
     log global
     option socket-stats
     timeout client 30000
     tcp-request inspect-delay 5s
     acl server1-acl req.ssl_sni -i server1.domain.com
     acl server2-acl req.ssl_sni -i server2.domain.com
     tcp-request content accept if { req.ssl_hello_type 1 }
     use_backend server1_https_ipv4 if server1-acl
     use_backend server2_https_ipv4 if server2-acl
     default_backend server2_https_ipv4

 backend server1_https_ipv4
     mode tcp
     log global
     timeout connect 30000
     timeout server 30000
     retries 3
     source ipv4@ usesrc clientip
     option ssl-hello-chk
     server server1 192.168.3.32:443 check inter 1000

 backend server2_https_ipv4
     mode tcp
     log global
     timeout connect 30000
     timeout server 30000
     retries 3
     source ipv4@ usesrc clientip
     option ssl-hello-chk
     server server2 192.168.3.44:443 check inter 1000
 
- 
 If you want to access them over the VPN then the firewall rule should be on the VPN interface. Another thing that might complicate matters is that you use the 'transparent client ip' feature in the backend. This has a large warning for several reasons. Can you try without it? Also the frontend seems to be listening on a private IP, 192.168.2.2; did you substitute it for privacy, or is it really listening on a private IP? And pfSense is behind another router then, I presume? If that's the case, that's probably part of the issue, as the client sends traffic to pfSense, then to the ISP router which returns the traffic, which creates a short 'loop' where traffic could get lost or blocked due to async routing.
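A small configuration check for the transparent-client-IP pitfall described in the reply above, added here as an example; it is not code from the thread or from the pfSense/HAProxy packages. It assumes the pfSense package writes `source ... usesrc clientip` into each affected backend, as the posted config shows, and runs over a constructed sample config rather than the full one.

```python
import re

# Constructed sample (not the thread's full config): server1 keeps the
# transparent-proxy 'source' line, server2 has it removed.
SAMPLE_CFG = """\
frontend MainFrontends
    bind 192.168.2.2:443 name 192.168.2.2:443
    mode tcp
backend server1_https_ipv4
    mode tcp
    source ipv4@ usesrc clientip
    server server1 192.168.3.32:443 check inter 1000
backend server2_https_ipv4
    mode tcp
    server server2 192.168.3.44:443 check inter 1000
"""

SECTION_RE = re.compile(r"^(global|defaults|listen|frontend|backend)\b\s*(\S*)")
# 'usesrc client' and 'usesrc clientip' both make HAProxy spoof the client address
TRANSPARENT_RE = re.compile(r"\busesrc\s+client(ip)?\b")

def parse_sections(cfg):
    """Split haproxy.cfg text into (kind, name, [directive lines]) tuples."""
    sections = []
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif sections:
            sections[-1][2].append(line)
    return sections

def transparent_backends(cfg):
    """Names of backend/listen sections whose 'source' line spoofs the client IP."""
    return [name for kind, name, lines in parse_sections(cfg)
            if kind in ("backend", "listen")
            and any(l.startswith("source ") and TRANSPARENT_RE.search(l) for l in lines)]

def lint(cfg):
    """One warning per transparent backend, stating the return-path requirement."""
    return [f"{name}: 'usesrc clientip' makes the web server see the real client address, "
            f"so its replies must route back via the proxy host or VPN clients will hang"
            for name in transparent_backends(cfg)]

if __name__ == "__main__":
    for warning in lint(SAMPLE_CFG):
        print(warning)
```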
- 
 Unchecking the 'transparent client ip' feature solved my problem. Thank you very much. Regards,
 Joe