SSL certs handling and HAproxy

stephenw10 · Jan 3, 2024, 12:57 AM

I'd be surprised if Varnish can't also use https. As long as the front and backend sessions are terminated there it can still see and cache all the content.

But, yes, if you're running Varnish on some separate server then it might be easier to do it all there.

lewis · Jan 3, 2024, 2:46 PM

These are some headers I have set in the Apache configuration.
I'm reading that haproxy also needs to have custom headers for some of these to work.


        # Add X-Forwarded-For header to log the original client IP
        RequestHeader set X-Forwarded-For %{REMOTE_ADDR}e

        # Add X-Real-IP header
        RequestHeader set X-Real-IP %{REMOTE_ADDR}e

        # Add X-Forwarded-Proto header to identify the protocol used by the client
        RequestHeader set X-Forwarded-Proto https

        # Use Vary header for content negotiation
        <Location />
            Header append Vary Accept-Encoding
        </Location>

I would need to add custom configs in haproxy, like under the frontend or backend sections, depending on specific requirements.
The actual syntax for these directives will typically look like http-request set-header X-Forwarded-For %[src] for X-Forwarded-For, as an example.
But that's the problem, I can't find enough information to even understand what I would need to add to haproxy.

Maybe I'm closer than I think but lack of knowledge and examples is making it impossible.

lewis · Jan 3, 2024, 4:59 PM

What's the chances?

stephenw10 · Jan 3, 2024, 5:01 PM

You are accessing that via the proxy?

lewis · Jan 3, 2024, 5:02 PM

@stephenw10 said in SSL certs handling and HAproxy:

You are accessing that via the proxy?

I was searching Google which gave a link to these forums and this is what I got, repeatedly.
When we forward a domain, we typically maintain the old domain's cert also, just for this reason.

kiokoman · Jan 4, 2024, 8:38 AM

@lewis
must be an old entry because the forum is forum.netgate.com and not forum.pfsense.com
or they forgot to add the DNS

stephenw10 · Jan 4, 2024, 10:38 AM

Oh well spotted! Yeah that's just an old link.

lewis · Jan 4, 2024, 5:01 PM

I wish I could figure this thing out. I very badly need a cache server for all of the web sites on the back end.
I appreciate the help you've all provided.

lewis · Jan 4, 2024, 11:48 PM

And today, another random thing happens on pfsense which I'm sure no dev will say 'oh ya, we're working on that one' to.

When I created my first acme cert and generated it, it should the dates of the cert start/end in Last renewed.
Today, I create a new cert, generate it and see nothing, just 'Issued Certificate Dates;' and nothing.

stephenw10 · Jan 5, 2024, 12:50 AM

You have a screenshot?

lewis · Jan 5, 2024, 2:39 AM

lewis · Jan 6, 2024, 8:22 PM

In the end, the point is to have two new things;

1: varnish server to handle caching

2: fixing the haproxy configuration so that it's actually load balancing those web servers.
That was an interesting find. I don't know how pfsense was sending traffic to the web servers without haproxy actually working.
Maybe it automatically round robins since the servers are listed in an alias?