HA-Proxy, how to correctly set up a shared frontend with Offloading and TCP
-
Hi,
I'm new to HAProxy.
I have two local servers: one has an internal certificate and the other one will be signed/renewed by pfSense. I need to create a shared frontend on 443 that works with these two servers. I followed and searched several guides to set up HAProxy correctly, but I found nothing about a shared frontend.
I ended up setting everything up as you see in the attachment, and it works: I can reach the endpoints without problems and all of them show the certificate correctly when I connect from outside.
The problem is the warning you see. I don't know how to set up a shared frontend properly, and if I shut down the two frontends that are working for offloading and TCP, everything stops working.
Which guide can I follow, or what do you suggest adjusting so the shared frontend works properly?
Thank you.
-
It looks like your setup is mostly working, but the warning could indicate a misconfiguration in HAProxy's frontend/backend handling. Since you're using a shared frontend on port 443, you might need to adjust your ACLs and SNI rules properly.
A few things to check:
- Ensure that HAProxy is correctly routing traffic based on SNI (Server Name Indication).
- If you're using TCP mode, make sure that SSL passthrough is configured correctly for both backends.
- If you're offloading SSL at HAProxy, ensure that the certificates are properly assigned and that backend communication is happening over HTTP or correctly re-encrypted HTTPS.
- If your setup involves a shared proxy, check that HAProxy is correctly handling multiple backend servers and not conflicting with SSL termination.
For guides, you might find these helpful:
- HAProxy SNI Routing
- HAProxy with pfSense
If you can share the exact warning message, it'll be easier to troubleshoot further!
Let me know if you need any more refinements!
-
> If you're using TCP mode, make sure that SSL passthrough is configured correctly for both backends.
> If you're offloading SSL at HAProxy, ensure that the certificates are properly assigned and that backend communication is happening over HTTP or correctly re-encrypted HTTPS.
I'm using both of these options because one server has the certificate inside it, and the other one is certified by HAProxy with the cert on pfSense.
I need to mix these two modes, or tell me another way to do this correctly; I can't find anything for this scenario.
Thank you
-
The Shared-Frontends message is because you have two different frontends configured that are listening on the same IP address and port. To resolve this error, you must choose the option "Shared Frontend" on the second frontend. However, if you do this, HAProxy will give an error that all shared frontends must be of the same type (you cannot mix http/https (offloading) with ssl/https (TCP mode)).
This is how I set up HAProxy to support mixed offloading and passthrough:
- Create a Backend called tcp_to_https which goes to server 127.0.0.1:4443 and Encrypt(SSL) is set to No.
- Create a Frontend called SSL_Termination that listens on port 4443. Enable SSL Offloading. Add all your ACLs and Actions like normal.
- Create a Frontend called SSL_Passthrough that listens on port 443 but do not enable SSL Offloading. Set it to ssl / https (TCP mode). Add ACLs using "Server Name Indication TLS extension ends with" for the hostnames that you want to pass through directly to the backends. Set the Default Backend to tcp_to_https.
The way this works is HAProxy receives the request, it checks if the SNI matches the ACLs, and passes it through directly to the backends without performing SSL offloading. Otherwise, it passes the request to the default backend tcp_to_https, which connects to the frontend SSL_Termination, where the connections are processed a second time, this time performing SSL offloading.
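The same layout written out as a plain haproxy.cfg, as an added example that is not the poster's or pfSense's own configuration. The hostnames, server addresses and certificate path are assumptions, and the send-proxy-v2/accept-proxy pair is an addition so that SSL_Termination logs the real client address instead of 127.0.0.1 after the loopback hop.

```haproxy
frontend SSL_Passthrough
    bind :443
    mode tcp
    option tcplog
    # Hold the connection until the TLS ClientHello has arrived so the SNI can be read.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Hosts whose servers hold their own certificate: forward the raw TLS stream,
    # HAProxy never decrypts it. Hostname is an assumption.
    acl is_passthrough req.ssl_sni -m end internal.example.lan
    use_backend bk_passthrough if is_passthrough
    # Everything else hairpins to the terminating frontend on 4443.
    default_backend tcp_to_https

backend bk_passthrough
    mode tcp
    server internal1 192.0.2.10:443 check

backend tcp_to_https
    mode tcp
    # No "ssl" keyword (Encrypt(SSL) = No): the stream is already TLS and is
    # decrypted by SSL_Termination. send-proxy-v2 carries the original client
    # address across the loopback hop so logs and ACLs do not see 127.0.0.1.
    server termination 127.0.0.1:4443 send-proxy-v2

frontend SSL_Termination
    # Offloading happens here. The certificate path is an assumption; pfSense
    # writes its own path when it generates the config.
    bind 127.0.0.1:4443 accept-proxy ssl crt /var/etc/haproxy/offloaded.pem
    mode http
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    acl host_app req.hdr(host) -i app.example.lan
    use_backend bk_app if host_app
    default_backend bk_app

backend bk_app
    mode http
    server app1 192.0.2.20:80 check
```

Any hostname that does not match the passthrough ACL is terminated on 4443, so the certificate bound there must cover every such name or clients will get a certificate mismatch rather than a routing error.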