Can pfsense detect requests and routing to set hostname
-
What do you expect that port forward to do? Is that for the webservers?
When you use a proxy for the web traffic you should not have a port forward, the traffic is proxied instead of forwarded.
-
Ok, in that can so how does it work?
Can you please explain ?If Firewall / NAT / Port Forward does not have any active rule, how can HAProxy know what to do?
Because before I decided to write anything and ask for help to solve this lab i tried so many options.
But not successful any time request web1.domain.com to open content from VM1 and when i wont to visit web2.domain.com to see content from VM2
-
@sysbitnet
The HAproxy service is running on pfSense itself and is listening on the interface IPs, you've configured in the frontend.So why you want to forward the traffic and to where, which is meant to be treated by pfSense itself?
-
HAProxy runs on the firewall and listens for incoming requests on the WAN dircetly. It looks at the request and depending on how it's configured it opens a connection to one of the backend hosts and sends the request to it.
You need to have firewall rules to allow that.
You usually need to move the webgui to a different port so that HAProxy is able to use ports 443 and 80 to listen on.
-
Ok, I understand what you mean.
Sow what I do and how can function what is shown in the lab case photo.
Inside Firewall / NAT / Port Forward
I removed all I moved to manage inside HAProxy how can allow or not allow addresses or ports.
Inside Firewall / Rules / WAN create one rules with status PASS
Protocol: TCP/UDP
Source Address: Any
Source Ports: Any
Dest. Address: ! Local address
Dest. Ports: Any
And enable Log packets that are handled by this ruleInside Services / HAProxy / Backend
Name: Back_VM1_443
Mode: active
Name: web1
Forward to: Address+Port
Address: 192.168.100.1
Port: 443
Encrypt(SSL): yes
SSL checks: yes
And in the Health check method set: basicName: Back_VM2_443
Mode: active
Name: web2
Forward to: Address+Port
Address: 192.168.100.2
Port: 443
Encrypt(SSL): yes
SSL checks: yes
And in the Health check method set: HTTP===============
Name: Back_VM1_80
Mode: active
Name: web1
Forward to: Address+Port
Address: 192.168.100.1
Port: 80
And in the Health check method set: basicName: Back_VM2_80
Mode: active
Name: web2
Forward to: Address+Port
Address: 192.168.100.2
Port: 80
And in the Health check method set: HTTPInside Back_VM2_443 and Back_VM2_80 I set it up on purpose And in the Health check method set: HTTP
How can testing HTTP protocol to check on the servers' health be used for HTTPS servers(requires checking the SSL box for the servers).How i configure On the Frontend part.
Services / HAProxy / Frontend
Name: Front_Port_443
External address
Listen address: WAN address (IPv4)
Port: 443
SSL Offloading: yesIn Access Control lists inside the same
Name: web1
Expression: Host matches
CS: empty
Not: empty
Value: web1.domain.comName: web2
Expression: Host matches
CS: empty
Not: empty
Value: web2.domain.comIn part Actions inside the same
Action Use Backend the name that i set on Back_VM1_443
Condition acl names: the same name that i set in Access Control lists web1And second Use Backend the name that i set on Back_VM2_443
Condition acl names: the same name that i set in Access Control lists web2And inside the same Additional certificates select SSL Offloading what i on System / Certificates / Certificates
And create one more rules for port 80
Name: Front_Port_80
External address
Listen address: WAN address (IPv4)
Port: 80
SSL Offloading: noIn Access Control lists inside the same
Name: web1
Expression: Host matches
CS: empty
Not: empty
Value: web1.domain.comName: web2
Expression: Host matches
CS: empty
Not: empty
Value: web2.domain.comIn part Actions inside the same
Action Use Backend the name that i set on Back_VM1_80
Condition acl names: the same name that i set in Access Control lists web1And second Use Backend the name that i set on Back_VM2_80
Condition acl names: the same name that i set in Access Control lists web2And i need to say i did not set a custom TCP port to access on pfsense inside System / Advanced / Admin Access TCP port "Enter a custom port number for the webConfigurator above to override the default (80 for HTTP, 443 for HTTPS). Changes will take effect immediately after save."
And with this configuration finally, lab it is working, what do you think guys?
-
I would set the destination on the WAN firewall rule to something that contains only the IPs you expect HAProxy to receive connections on. So maybe an alias with those IPs in it or set it to the WAN subnet if the VIPs are inside that.
-
You man inside Firewall / Rules / WAN where i create one rule with status PASS
Protocol: TCP/UDP
Source Address: ! WAN address
Source Ports: Any
Dest. Address: ! Local address
Dest. Ports: Any
And enable Log packets that are handled by this ruleI plan to test and create an inside Firewall / Aliases / Ports list of only ports that who lab user or service can use.
-
@sysbitnet said in Can pfsense detect requests and routing to set hostname:
Dest. Address: ! Local address
I mean that is too wide a match. It would match a lot of traffic that shouldn't be allowed. Though I don't know exactly what 'Local' is there. The only traffic you should allow into the WAN should have a destination of the IPs HAProxy is listening on. So at most the WAN address and/or the VIPs on the WAN.
And yes the destination ports should probably be an alias of 443 and 80 only.
-
In the lab case, i have only one public IP but if I understand your suggestion.
I plan to see you for testing on Firewall / Aliases / IP
Name: web1
IP: 192.168.100.1Name: web2
IP: 192.168.100.2And create an inside Firewall / Aliases / Ports list of only ports that who lab user or service can use like.
Name: WWW
Ports: 80, 443And to inside Firewall / Rules / WAN where i create a rule with the status PASS
Protocol: TCP/UDP
Source Address: ! WAN address
Source Ports: Any
Dest. Address: web1
Dest. Ports: WWW
And enable Log packets that are handled by this rule -
I just tried to add like new service wowza and when visited VM3 with http://192.168.100.3:8088 in the local host i saw see login page, but when i try to access wowza with a set domain name like http://wowza.domain.com:8088 i get this result
503 Service Unavailable
No server is available to handle this request.when i check with the LISTEN port like this
root@dev:~# lsof -i -P -n | grep LISTEN systemd 1 root 40u IPv6 8353844 0t0 TCP *:22 (LISTEN) systemd-r 96 systemd-resolve 14u IPv4 8354932 0t0 TCP 127.0.0.53:53 (LISTEN) java 123 root 25u IPv4 8347558 0t0 TCP *:8088 (LISTEN) java 287 root 8u IPv4 8355219 0t0 TCP *:41183 (LISTEN) java 287 root 164u IPv4 8353064 0t0 TCP *:8087 (LISTEN) java 287 root 172u IPv4 8358134 0t0 TCP *:8083 (LISTEN) java 287 root 187u IPv4 8358172 0t0 TCP *:1935 (LISTEN) java 287 root 191u IPv4 8358176 0t0 TCP *:8086 (LISTEN) master 358 root 13u IPv4 8347603 0t0 TCP 127.0.0.1:25 (LISTEN) master 358 root 14u IPv6 8347604 0t0 TCP [::1]:25 (LISTEN)I created the same as i did earlier for port 80 and port 443 but is not working.
I know i need to add SSL, but as i write this is lab testing, not production.
-
@sysbitnet said in Can pfsense detect requests and routing to set hostname:
Dest. Address: web1
That destination on the WAN would be the WAN address if you don't have any VIPs on it. web1 is an internal IP that could never be reached by an external host.
-
Do you maybe know what can be a problem why i get
503 Service Unavailable
No server is available to handle this request.When i try to use another service like Wowza?
Port 80,443 its working perfect, but when i wont to add on the same case other port or services i get the same error
503 Service Unavailable
No server is available to handle this request.Thank you
-
I don't know what Wowza is. What exactly have you added? How are you testing it? What do you expect to see?
-
Wowza is a video platform with industry-leading technology that delivers quality live and VOD streaming with integrated CMS, analytics, and more.
But i have the same problem when i try another service, like access on proxmox or any other service who requests another port number but is not port 443 and port 80
Any time i get
503 Service Unavailable
No server is available to handle this request. -
Sounds like HAProxy it not configured to use that port so it just returns that 503 error.
-
@stephenw10
I agree with you.How can testing what is the problem only leave this service, for example, i used to test proxmox.
Inside Services / HAProxy / Backend
Name: PM_8006
Mode: active
Name: pm
Forward to: Address+Port
Address: 192.168.100.3
Port: 8006
Encrypt(SSL): yes
SSL checks: yes
And in the Health check method set: basicHow i configure On the Frontend part.
Services / HAProxy / Frontend
Name: PM_Front
External address
Listen address: WAN address (IPv4)
Port: 8006
SSL Offloading: yesIn Access Control lists inside the same
Name: pm
Expression: Host matches
CS: empty
Note: empty
Value: pm.domain.comIn part Actions inside the same
Action Use Backend the name that i set on PM_8006
Condition acl names: the same name that i set in Access Control lists pmAnd inside the same Additional certificates select SSL Offloading what i on System / Certificates / Certificates
The same certificate and added inside proxmox, because is letsencrypt wildcard certificate
And when i try to visit https://pm.domain.com:8006/ the result is like this below message.
503 Service Unavailable
No server is available to handle this request. -
What do you logged?
Do you see states created on port 8006? For both front and back end?
-
This post is deleted! -
I do the same as how i explained in my last post.
I tried many other services that request custom ports and got the same.
503 Service Unavailable
No server is available to handle this request. -
So do you see states created?
