haproxy - what could go wrong?
-
Hello dears,
I have the following haproxy.cfg, which does not seem to work.

```
# Automaticaly generated, dont edit manually.
# Generated on: 2024-03-05 14:33
global
    maxconn 10000
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 3
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend CasaOs-porkbun
    bind WAN-IP:80 name WAN-IP:80 ssl crt-list /var/etc/haproxy/CasaOs-porkbun.crt_list
    mode http
    log global
    option socket-stats
    option http-keep-alive
    timeout client 30000
    acl casaos var(txn.txnhost) -m str -i FQDN-2.xyz
    acl aclcrt_CasaOs-porkbun var(txn.txnhost) -m reg -i ^casaos\.FQDN-2\.xyz(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend Casaos-porkbun_ipvANY if casaos aclcrt_CasaOs-porkbun

backend Casaos-porkbun_ipvANY
    mode http
    id 105
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    server casaos 192.168.1.11:88 id 104
```

The firewall rule for WAN is to allow 80 and 443 on WAN ADDRESS.
When trying to access the respective CasaOS, I am redirected to my router port, which is xx443, with the dnsbind error.
Are these settings enough?
-
> @smokers said in haproxy - what could go wrong?:
> The firewall rule for WAN is to allow 80 and 443 on WAN ADDRESS.
> When trying to access the respective CasaOS, I am redirected to my router port, which is xx443, with the dnsbind error.

If you want to use these ports for HAProxy, configure the GUI to listen on something else.
In System > Advanced > Admin Access, set another port for the webConfigurator and also check "WebGUI redirect" to disable redirecting from port 80.

In the HAProxy frontend you've stated port 80 for listening with SSL, which makes no sense. The client might not be expecting an SSL certificate when accessing port 80.
So remove the SSL check there and add port 443 with SSL checked.
-
Thanks for the info; from this perspective it is fine.
Now, regardless of this, HAProxy does not seem to do the redirect.
In Statistics I see things changing in the frontend section when I refresh, but for the backend nothing changes.
-
I have recreated the setup as below:

```
# Automaticaly generated, dont edit manually.
# Generated on: 2024-03-06 22:30
global
    maxconn 10000
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 3
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend subdomain-domain
    bind WAN_IP:443 name WAN_IP:443 ssl crt-list /var/etc/haproxy/subdomain-domain.crt_list
    mode http
    log global
    option socket-stats
    option http-keep-alive
    timeout client 30000
    acl subdomain var(txn.txnhost) -m str -i subdomain.domaincom
    acl aclcrt_subdomain-domain var(txn.txnhost) -m reg -i ^([^\.]*)\.domain\com(:([0-9]){1,5})?$
    acl aclcrt_subdomain-domain var(txn.txnhost) -m reg -i ^domain\com(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend subdomain_ipvANY if subdomain aclcrt_subdomain-domain

backend subdomain_ipvANY
    mode http
    id 103
    log global
    stats enable
    stats uri /
    stats realm .
    stats show-node NODE1
    stats refresh 10
    stats scope .
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    server subdomain 192.168.1.11:443 id 104 ssl verify none crt /var/etc/haproxy/server_clientcert_65e855fb67c29.pem
```

But now, when trying subdomain.domain.com, all I get is the HAProxy statistics page.
Not sure what is going on there, so if anyone has any advice, I would really appreciate it.
-
After some resetting I've created the following config, which works:

```
# Automaticaly generated, dont edit manually.
# Generated on: 2024-03-11 21:50
global
    maxconn 1000
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 3
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend shared-https-merged
    bind WAN_IP:443 name WAN_IP:443 ssl crt-list /var/etc/haproxy/shared-https.crt_list
    mode http
    log global
    option socket-stats
    option http-keep-alive
    timeout client 30000
    acl <subdomain-2> var(txn.txnhost) -m str -i <subdomain-2>.<domain-name>.<com>
    acl aclcrt_shared-https var(txn.txnhost) -m reg -i ^([^\.]*)\.<domain-name>\.<com>(:([0-9]){1,5})?$
    acl aclcrt_shared-https var(txn.txnhost) -m reg -i ^<domain-name>\.<com>(:([0-9]){1,5})?$
    acl <subdomain> var(txn.txnhost) -m str -i <subdomain>.<domain-name>.<com>
    acl <subdomain-3> var(txn.txnhost) -m str -i <subdomain-3>.<domain-name>.<com>
    acl <subdomain-4> var(txn.txnhost) -m str -i <subdomain-4>.<domain-name>.<com>
    http-request set-var(txn.txnhost) hdr(host)
    use_backend <subdomain-2>-<domain-name>_ipvANY if <subdomain-2>
    use_backend <subdomain>-<domain-name>_ipvANY if <subdomain>
    use_backend <subdomain-3>-<domain-name>_ipvANY if <subdomain-3>
    use_backend <subdomain-4>-<domain-name>_ipvANY if <subdomain-4>

frontend http-redirect
    bind WAN_IP:80 name WAN_IP:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    http-request redirect scheme https

backend <subdomain-2>-<domain-name>_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    server <subdomain-2> 192.168.1.11:444 id 101

backend <subdomain>-<domain-name>_ipvANY
    mode http
    id 102
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    server <subdomain> 192.168.1.1:10443 id 101 ssl verify none

backend <subdomain-3>-<domain-name>_ipvANY
    mode http
    id 103
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    server <subdomain-3> 192.168.1.7:443 id 101 ssl verify none

backend <subdomain-4>-<domain-name>_ipvANY
    mode http
    id 104
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    server <subdomain-4> 192.168.1.5:443 id 101
```

Leaving this one here in case someone needs it.
As a side note to the whole experience, I find pfSense much more unstable than it was a few years ago when I used it the first time. If I'd known this ... And Netgate presence is kinda zero; documentation is also in a very poor state. Anyway, it's working now ...
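Two of the dead ends in this thread are visible in the config text itself: the first post's frontend binds port 80 with `ssl` (the point the reply makes), and the second config's backend carries `stats enable` with `stats uri /`, which is why every request to it returned the statistics page (HAProxy's `stats uri` is a prefix match, so `/` matches everything). The script below is an added example, not code from the thread, pfSense or the HAProxy project: it splits an haproxy.cfg into sections and flags those two patterns plus two hardening points the posted configs also show (`stats admin if TRUE`, and backend servers with `ssl verify none`). The rule names and the sample config are constructed for this example; the sample uses placeholder hosts, not the poster's.

```python
"""Lint an haproxy.cfg for the pitfalls seen in the thread above.

Added example (not part of the original thread or of pfSense/HAProxy).
Rule names are hypothetical; SAMPLE_CFG is constructed to mirror the
posted configs with placeholder hosts.
"""
import re
import sys
from typing import List, Tuple

# Constructed sample: port-80 bind with ssl, unconditional 'stats admin',
# a backend that also serves the stats page, and an upstream with 'verify none'.
SAMPLE_CFG = """\
global
    maxconn 10000
    daemon

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1

frontend CasaOs-porkbun
    bind WAN-IP:80 name WAN-IP:80 ssl crt-list /var/etc/haproxy/CasaOs-porkbun.crt_list
    mode http
    http-request set-var(txn.txnhost) hdr(host)
    use_backend subdomain_ipvANY if { var(txn.txnhost) -m str -i casaos.example.test }

backend subdomain_ipvANY
    mode http
    stats enable
    stats uri /
    server subdomain 192.168.1.11:443 id 104 ssl verify none
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")
Section = Tuple[str, str, List[str]]   # (kind, name, directive lines)
Finding = Tuple[str, str, str]         # (section label, rule, message)
BIND_RE = re.compile(r"^bind\s+\S*?:(\d+)(?:\s|$)")  # address:port of a bind line


def parse_sections(text: str) -> List[Section]:
    """Split config text into sections; a section starts on a line whose first
    token is a section keyword (indentation ignored, so a re-lined forum paste
    parses too). Comments and blank lines are dropped."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            sections.append((tokens[0], tokens[1] if len(tokens) > 1 else "", []))
        elif sections:
            sections[-1][2].append(line)
    return sections


def lint(text: str) -> List[Finding]:
    """Return one finding per matched rule, tagged with the section it came from."""
    findings: List[Finding] = []
    for kind, name, lines in parse_sections(text):
        label = f"{kind} {name}".strip()
        has_server = any(l.startswith("server ") for l in lines)
        stats_uri = next((l.split(None, 2)[2] for l in lines if l.startswith("stats uri ")),
                         "/haproxy?stats")  # HAProxy's default stats prefix
        for l in lines:
            tokens = l.split()
            m = BIND_RE.match(l)
            if m:
                port, is_ssl = int(m.group(1)), "ssl" in tokens[2:]
                if port == 80 and is_ssl:
                    findings.append((label, "plain-port-ssl",
                        "bind :80 with 'ssl': clients send cleartext HTTP to port 80, so the TLS "
                        "handshake fails; bind :443 with ssl and redirect :80 to https instead"))
                elif port == 443 and not is_ssl:
                    findings.append((label, "tls-port-no-ssl",
                        "bind :443 without 'ssl': browsers will start a TLS handshake against a plaintext listener"))
            if l.startswith("stats admin if TRUE"):
                findings.append((label, "stats-admin-unconditional",
                    "'stats admin if TRUE': anyone reaching the stats page can enable/disable servers; "
                    "keep it bound to 127.0.0.1 or gate it with a real ACL"))
            if tokens[0] == "server" and "verify" in tokens:
                i = tokens.index("verify")
                if i + 1 < len(tokens) and tokens[i + 1] == "none":
                    findings.append((label, "tls-backend-verify-none",
                        "upstream TLS with 'verify none': the backend certificate is never checked"))
        if "stats enable" in lines and has_server:
            scope = "every request" if stats_uri == "/" else f"any request under '{stats_uri}'"
            findings.append((label, "stats-hijacks-backend",
                f"'stats enable' in a section with servers: {scope} gets the statistics page "
                "instead of the backend ('stats uri' is a prefix match)"))
    return findings


if __name__ == "__main__":
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    for section, rule, message in lint(cfg):
        print(f"[{rule}] {section}: {message}")
```

Run it as `python lint_haproxy.py /var/etc/haproxy/haproxy.cfg` on the pfSense box (or with no argument to lint the built-in sample). On the sample it reports the port-80 bind, the unconditional stats admin, the backend that serves stats instead of proxying, and the unverified upstream TLS; the `listen HAProxyLocalStats` section is not flagged for hijacking because it has no `server` lines, so serving stats is its whole job.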