Netgate Discussion Forum

    SSL certs handling and HAproxy

      lewis

      These are some headers I have set in the Apache configuration.
      I'm reading that haproxy also needs to have custom headers for some of these to work.

      
              # Add X-Forwarded-For header to log the original client IP
              RequestHeader set X-Forwarded-For %{REMOTE_ADDR}e
      
              # Add X-Real-IP header
              RequestHeader set X-Real-IP %{REMOTE_ADDR}e
      
              # Add X-Forwarded-Proto header to identify the protocol used by the client
              RequestHeader set X-Forwarded-Proto https
      
              # Use Vary header for content negotiation
              <Location />
                  Header append Vary Accept-Encoding
              </Location>
      
      

      I would need to add custom configs in haproxy, like under the frontend or backend sections, depending on specific requirements.
      The actual syntax for these directives will typically look like http-request set-header X-Forwarded-For %[src] for X-Forwarded-For, as an example.
      But that's the problem, I can't find enough information to even understand what I would need to add to haproxy.

      Maybe I'm closer than I think but lack of knowledge and examples is making it impossible.

      1 Reply Last reply Reply Quote 0
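The HAProxy side of the headers discussed in the post above, as an added example that is not part of the original post or of anyone's actual configuration. The frontend/backend names, the certificate path and the 192.0.2.x addresses are placeholders. It discards any forwarding headers the client supplied and rebuilds them from what HAProxy itself observed, so the backend never trusts a value an outside client could set.

```haproxy
# Added example; names, addresses and the certificate path are placeholders.
frontend www_https
    mode http
    bind :443 ssl crt /path/to/site.pem       # placeholder certificate bundle

    # Discard client-supplied copies so these headers cannot be spoofed.
    http-request del-header X-Forwarded-For
    http-request del-header X-Real-IP
    http-request del-header X-Forwarded-Proto

    # Rebuild them from the connection HAProxy actually accepted.
    option forwardfor                          # adds X-Forwarded-For: <client IP>
    http-request set-header X-Real-IP %[src]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http unless { ssl_fc }

    default_backend web_pool

backend web_pool
    mode http
    balance roundrobin
    server web1 192.0.2.11:80 check            # placeholder backend address
    server web2 192.0.2.12:80 check            # placeholder backend address
```

With the proxy setting these headers, a `RequestHeader set X-Forwarded-For ...` line left on the Apache backend would overwrite the value HAProxy supplies, because `set` replaces any existing header of that name.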
        lewis

        What's the chances?

        8dd2000d-05d6-4868-b944-e706da125448-image.png

          stephenw10 Netgate Administrator

          You are accessing that via the proxy?

            lewis @stephenw10

            @stephenw10 said in SSL certs handling and HAproxy:

            You are accessing that via the proxy?

            I was searching Google which gave a link to these forums and this is what I got, repeatedly.
            When we forward a domain, we typically maintain the old domain's cert also, just for this reason.

              kiokoman LAYER 8 @lewis

              @lewis
              must be an old entry because the forum is forum.netgate.com and not forum.pfsense.com
              or they forgot to add the DNS 😁
              d12da92d-097e-4fb2-b91d-7d61dcb1ef06-image.png

                stephenw10 Netgate Administrator

                Oh well spotted! Yeah that's just an old link.

                  lewis

                  I wish I could figure this thing out. I very badly need a cache server for all of the web sites on the back end.
                  I appreciate the help you've all provided.

                    lewis

                    And today, another random thing happens on pfsense which I'm sure no dev will say 'oh ya, we're working on that one' to.

                    When I created my first acme cert and generated it, it showed the dates of the cert start/end in Last renewed.
                    Today, I create a new cert, generate it and see nothing, just 'Issued Certificate Dates;' and nothing.

                      stephenw10 Netgate Administrator

                      You have a screenshot?

                        lewis

                        fb0405b3-28fd-40f0-ad1e-dd47018e19a7-image.png

                          lewis

                          In the end, the point is to have two new things;

                          1: varnish server to handle caching

                          2: fixing the haproxy configuration so that it's actually load balancing those web servers.
                          That was an interesting find. I don't know how pfsense was sending traffic to the web servers without haproxy actually working.
                          Maybe it automatically round robins since the servers are listed in an alias?
