HAProxy Query
-
Hello Hive-Mind!
I'm looking at an alternative to an Azure Application Gateway we are currently using, and noted that haproxy can be installed on pfSense.
Currently our AzAppGw simply sends traffic from our websites to our ERP system, which sits at the other end of a VPN terminated on a pfSense VM in Azure (due to limitations in how you can restrict traffic on an Azure Firewall, and the cost therein!).
Am I right in thinking that I can take a request in on our public IP on, say, port 8080, and squirt that down the VPN to the webserver on the other end?
Or is there an easier way I'm missing? I'm all ears!
Thanks in advance - Alexis.
-
@alexisphc
If you don't need information about the real source IP on the ERP, you can simply forward the traffic and masquerade its source to the VPN interface IP of pfSense, or any other, which the remote site has a route to.
On pfSense you can do this with an outbound NAT rule.
-
@viragomann I tried that, but the other end sees the IP as being an internet address and then tries to send the reply out via its local internet connection.
I should probably clarify here that the websites are hosted externally on the internet. I may be misunderstanding the different NAT rules of course, or missing something in the config, so if so, please tell me <3
-
@alexisphc said in HAProxy Query:
I tried that, but the other end sees the IP as being an internet address and then tries to send the reply out via its local internet connection.
That's the reason why you have to masquerade it.
Maybe we can elaborate this if you provide some details of your VPN.
-
@viragomann said in HAProxy Query:
@alexisphc said in HAProxy Query:
I tried that, but the other end sees the IP as being an internet address and then tries to send the reply out via its local internet connection.
That's the reason why you have to masquerade it.
Maybe we can elaborate this if you provide some details of your VPN.
What would you like to know? It's an IPSEC site-to-site VPN which terminates on the pfSense (which runs in a virtual machine in Azure), and terminates at the far end on a Cisco ASA private context which we have no control over.
-
@alexisphc
I guess it's a policy-based IPSec (tunnel mode), which would be the worst case here. If so, the only way to get this routed properly would be that the remote site (at least the ERP) sends the whole upstream traffic over the VPN, which is probably unwanted.
With all other VPNs like IPSec VTI or OpenVPN, masquerading would work.
-
@viragomann Yep, that's correct, hence I think I need to proxy the request.
-
@alexisphc
Yes, if you want to stick with the policy-based IPSec and don't want to route the upstream traffic from the remote over the VPN, a reverse proxy might be the only option.
-
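For the reverse-proxy approach the thread settles on, here is an added HAProxy configuration sketch of the shape that would run on the Azure pfSense. It is not from any of the posters and not the file the pfSense HAProxy package generates. It assumes the public listener is on port 8080, that the ERP web server is reachable at 10.20.0.50:80 behind the tunnel, and that 10.10.0.4 is a pfSense address inside the local phase-2 subnet of the policy-based IPsec; all three addresses are placeholders.

```haproxy
# Added example; all addresses are placeholders, not values from the thread.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public side: the only port exposed on the Azure public IP.
frontend erp_public
    bind *:8080
    # Overwrite rather than append X-Forwarded-For, so a client cannot
    # inject a forged source address that the ERP might log or trust.
    http-request set-header X-Forwarded-For %[src]
    default_backend erp_over_vpn

# Private side: connections to the ERP originate from pfSense itself.
backend erp_over_vpn
    # Source the proxied connections from an address inside the local
    # IPsec phase-2 subnet, so the policy-based tunnel matches them and
    # the ERP's replies come back through the ASA instead of its internet link.
    source 10.10.0.4
    server erp 10.20.0.50:80 check
```

The `source` directive is what replaces the outbound NAT masquerade discussed earlier: the ERP only ever sees a tunnel-side address, and the original client address survives in the header. On pfSense the HAProxy package writes haproxy.cfg from its GUI, so treat this as the result to aim for rather than something to paste in, and remember that a WAN firewall rule for port 8080 is still needed for the frontend to receive anything.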
@viragomann yeah, it was enough of a nightmare to get this VPN set up originally; any time you involve TCS in something IT related you can add an extra hundred hours!