HAProxy Port Redirect Internal
-
@spiker Can you access your firewall by going directly to https://10.10.0.1:10433 ?
If you change the health check for the backend to HTTP, does it still show as UP?Also, try adding
load-server-state-from-file noneto the Advanced Settings > Backend pass thru section of each backend, as by default HAProxy will save the backend server state, and any changes will not take effect. -
I can directly access the FWL from https://10.10.0.1:10443
let me change the health check and take a look.
-
Ok change the backend health check from Basic to HTTP and also checked SSL checks per the notes in the health check method field. It looks down now
-
@spiker
Did you even add the proper certificate to the frontend? -
So I turned off SSL Offloading, but yes I have a proper cert on the front end.
Really I an misusing haproxy here by just trying to get it to port redirect for one of my networks from 443 to 10443.
-
@spiker
If you turn off SSL offloading, you cannot access HAproxy using https. So the error in the browser, you shown above is plausible. -
@spiker Mouse over L7STS/405 and see what it says.
I am doing the same thing that you are trying, and it works for me.
I do see that myHttp check methodis set to GET instead of OPTIONS, so try that and see if that fixes the health check status. -
Ok turned SSL offloading back on, and selected the valid cert I set up with Acme/letsencrypt.
I set the new front end to listen on 2443 and killed all the ACL's and set the default backend to PFsense_FWL
did not blur out my domain but I do not plan on opening any services from WAN anyway.
-
"I am doing the same thing that you are trying, and it works for me.
I do see that my Http check method is set to GET instead of OPTIONS, so try that and see if that fixes the health check status."
-
@spiker
This is the web UI directly accessed.What do you get without the port stated?
Edit:
Oh well, your frontend ist listening on port 2443 now. -
As the error message indicates, your web UI is forced to use https, but HAproxy uses http for accessing it.
-
Yeah directly accessed would be on port 10443, and that works just fine, cert and all.
I do have a rule on all other interfaces/networks to block port 10443, but I am on the network that is stated in the front end and that interface has no rule to block 10443 to the FWL address.
-
Yeah I am using https to access it, crome will redirect to https anyway even if I try http.
-
@spiker
I was talking about the backend.
Do you still have "Encrypt (SSL)" checked and "SSL checks" unchecked in the backend? -
-
Hey that worked....
Thank you for your time here guys, I am new to all of this but you guys were amazing.
-
I put back on the ACL and moved the front end listener to 443 and it all works... Pushed the cert for the web management page back to the self signed one and HAProxy is SSL offloading with the signed cert! Man cant thank you guys enough.
-
@spiker
Great!Remember, "Encrypt (SSL)" means, that HAproxy uses HTTPS to connect to the backend.
"SSL checks" means, that it checks the SSL certificate of the backend server. I.e. the certificate has to be valid. -
Thank you, I had that a bit flipped in my mind!
