Netgate Discussion Forum

    HAProxy on 1.2.3-RELEASE - Successful!!!

    pfSense Packages
    24 Posts 11 Posters 29.9k Views
    rkelleyrtp

      Itwerx:

      So, are you asking if haproxy can read the incoming http header and forward to the appropriate back-end server(s) when a single IP Address is used?  I think what you are looking for are ACLs inside haproxy.  Here is a quick link:

      http://agiletesting.blogspot.com/2009/02/load-balancing-in-amazon-ec2-with.html

      Essentially, you have a single IP address on the outside (your "listen" address) and multiple servers on the back-end.  Since haproxy can read the http header request, it can make intelligent decisions as to where the requests should go.  From that link above, you define your frontend section like this:

      frontend myfrontend *:80
          mode http               # needed: the default mode is tcp, and the URL ACLs
                                  # and option forwardfor only apply to HTTP traffic
          log    global
          maxconn 25000
          option forwardfor       # add X-Forwarded-For with the real client address
          # url_sub matches the substring anywhere in the full URL, query string included
          acl acl_example1 url_sub example1
          acl acl_example2 url_sub example2
          use_backend example1_farm if acl_example1
          use_backend example2_farm if acl_example2
          default_backend default_farm

      This creates ACLs (access-control-lists) that match the incoming HTTP header.  Next, setup your back-end section to route the requests:

      backend example1_farm
          mode http
          balance roundrobin
          server server1 192.168.1.1:80 check   # "check" enables health checking
          server server2 192.168.1.2:80 check

      backend example2_farm
          mode http
          balance roundrobin
          server server3 10.0.0.3:80 check
          server server4 10.0.0.4:80 check

      backend default_farm
          mode http
          balance roundrobin
          server server5 192.168.1.5:80 check
          server server6 192.168.1.6:80 check


      Hope this helps…

      -Ron

      Koti

        Yup, it's working fine for me also.

        SyRenity

          Hi.

          Can anyone using haproxy comment on how well it compares to the built-in inbound Load Balancing?

          What is the improvement in concurrent connections, CPU usage, etc.?

          Thanks!

          Itwerx

            For anyone installing this on a clean load of pfSense there's actually one additional rule needed allowing HTTP (or whatever), in to the internal servers.  I.e. the same rule you would have for a standard NAT even though there is no NAT defined.  (This is contrary to what is stated in the first post in this thread.)

            Arjen

              Any support for full transparent proxy mode? I.e.:

              source 0.0.0.0 usesrc client

              Regards.

              Arjen

              sam_son

                Single IP address - multiple back end servers.

                Is it possible for me to do the following.

                I thought it best to add it to this post rather than start another.

                Basically the 192.168.5.2 server uses a combination of both http & https for authentication. It is an appliance box: you initially log in via an http URL, and once logged in it then changes to https.

                I have no clue at this point how to proceed with the configuration so if someone could enlighten me with some configuration example that would be great. I appreciate you are all busy but getting the answer to this question would help my little office out no end.

                I would ideally like if possible the url access to be

                http://81.81.81.81/server1 to redirect to  192.168.5.1 back end server
                http://81.81.81.81/server2 to redirect to  192.168.5.2 back end server

                Is this similar to port forwarding or can haproxy forward all ports using the url. This may be on the vague side but I'm sure there will be someone equally as clueless as myself with haproxy.

                [Attachment: HAproxy single IP address.png]

                sam_son

                  Ok, having read the initial post, would this be correct? I have a little test rig in the office and between my daily work I sometimes have time to tinker with this kit. I have been scouring Google and not come up with anything concrete with regards to overcoming the https question. Other posts have mentioned using stunnel, but the link here

                  http://agiletesting.blogspot.com/2009/02/load-balancing-in-amazon-ec2-with.html

                  says

                  SSL

                  To handle SSL traffic in HAProxy, you need 3 things:

                  1. Define a frontend with a unique name which handles *:443
                  2. Send traffic to real_server_IP_1:443 through real_server_IP_N:443 in the backend(s) associated with the frontend
                  3. Specify 'mode tcp' instead of 'mode http' both in the frontend section and in the backend section(s) which handle port 443. Otherwise you won't see any SSL traffic hitting your real servers, and you'll wonder why….

                  ------ Would the following be correct?

                  • Configure HAProxy using default values except the following:
                      --> On Settings Tab:
                            --> Enable HAProxy
                            --> DO NOT USE REMOTE SYSLOG HOST (bug in current version of pfSense haproxy package)

                  -->  On Frontend Tab:
                          --> 10.10.10.1 (fictitious VIP)

                  --> On Servers Tab:
                        --> 192.168.5.1
                        --> 192.168.5.2

                  • Configure the firewall rule - very important!
                      --> On the Firewall-->Rules tab
                          --> New rule -
                                --> Protocol=any
                                --> Source=Any
                                --> Port=80
                                --> Destination=CARP VIP 10.10.10.1
                      --> On the Firewall-->Rules tab
                          --> New rule -
                                --> Protocol=any
                                --> Source=Any
                                --> Port=443
                                --> Destination=CARP VIP 10.10.10.1

                  ACL
                  frontend myfrontend *:80
                      mode http             # required for URL-based ACLs and option forwardfor
                      log    global
                      maxconn 25000
                      option forwardfor
                      # path_beg matches the start of the request path, so
                      # http://81.81.81.81/server1 goes to example1_farm, /server2 to example2_farm
                      acl acl_example1 path_beg /server1
                      acl acl_example2 path_beg /server2
                      use_backend example1_farm if acl_example1
                      use_backend example2_farm if acl_example2
                      default_backend default_farm

                  I'm a little confused: will haproxy take the http header and pass both http & https requests?
                  I have assumed that I would need to add the 443 port rule to pfsense is this correct?

                  xeress
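                  The single-IP, two-server layout asked about above, as one complete haproxy.cfg. This is an added example written for this page, not the config generated by the pfSense package and not something posted in the thread. It assumes the fictitious VIP 10.10.10.1 and the servers 192.168.5.1 and 192.168.5.2 from the post, and an HAProxy 1.3/1.4-era build that supports the path, path_beg and reqrep keywords (which is assumed to be what the pfSense package of that time bundled); the backend and ACL names are made up here.

```haproxy
# Added example, not from the original thread. Assumes VIP 10.10.10.1,
# servers 192.168.5.1 (server1) and 192.168.5.2 (the appliance, server2).
global
    maxconn 4096
    daemon

defaults
    option  dontlognull
    retries 3
    contimeout  5000
    clitimeout  50000
    srvtimeout  50000

# Plain HTTP: HAProxy sees the request line, so it can route on the path.
frontend http-in
    bind 10.10.10.1:80
    mode http
    option forwardfor
    maxconn 2000
    # "path" is an exact match and "path_beg /server1/" a prefix match; two acl
    # lines with the same name are OR-ed. This is stricter than the url_sub form
    # used earlier in the thread, which matches the substring anywhere in the
    # URL (query string included, so "/?go=server1" would also be routed), and
    # stricter than a bare "path_beg /server1", which would also match /server10.
    acl is_server1 path /server1
    acl is_server1 path_beg /server1/
    acl is_server2 path /server2
    acl is_server2 path_beg /server2/
    use_backend server1_farm if is_server1
    use_backend server2_farm if is_server2
    default_backend server1_farm

backend server1_farm
    mode http
    balance roundrobin
    # Strip the /server1 prefix so the server sees "/" and below.
    reqrep ^([^\ :]*)\ /server1/?(.*)     \1\ /\2
    server srv1 192.168.5.1:80 check

backend server2_farm
    mode http
    balance roundrobin
    reqrep ^([^\ :]*)\ /server2/?(.*)     \1\ /\2
    server srv2 192.168.5.2:80 check

# HTTPS: this HAProxy cannot look inside the TLS stream, so port 443 is relayed
# in mode tcp (as the linked article says) and there is no path to route on.
# All of port 443 therefore goes to the one server that needs it.
frontend https-in
    bind 10.10.10.1:443
    mode tcp
    maxconn 2000
    default_backend appliance_ssl

backend appliance_ssl
    mode tcp
    balance roundrobin
    server srv2-ssl 192.168.5.2:443 check
```

                  Two caveats follow from this layout. The mode tcp frontend answers the question in the post: haproxy passes https through, but it does not read any header on 443, so only one https server can sit behind the VIP on that port. And because the appliance redirects the browser to https after login, the redirect target will not carry the /server2 prefix; that only works here because 443 is dedicated to the appliance anyway. The firewall rules on port 80 and 443 to the VIP, as listed in the post, are still required for either frontend to receive traffic.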

                    I'm also trying haproxy out. Though for some reason it's very slow looking at download speeds. A 2 MB file downloads at 15 kB/s through haproxy, though when I enter a simple NAT rule it downloads at 1 MB/s. Latency on haproxy is very low (15ms).

                    For now it's an experimental cluster so no other traffic is going through. Can someone help me out on this? HAProxy seems to be a lot better than the built-in load balancer looking at features.

                    (I do use a CARP VIP to the internet, and my webservers are using Apache on a 192.168.2.0/24 network. All settings are pretty basic.)

                    nmaupu

                      Hi,

                      I am also trying to configure my pfsense box to reach my LAN backend webservers, but it does not work as expected.
                      It seems my pfsense haproxy doesn't see my backend servers (unreachable from VIP, displayed in red in the haproxy stats page).

                      I configured a public VIP (I tried IP alias and CARP configuration) with a port and 3 backend servers (reachable on the LAN subnet) associated with this frontend.
                      I added a rule to allow traffic to go through the public VIP.

                      I can reach the stats page on the public VIP, but all backend servers are desperately red (as attached) :(

                      Here is my haproxy configuration :

                      global
                          maxconn 200
                          uid 80
                          gid 80
                          nbproc 2
                          chroot /var/empty
                          daemon

                      listen web-frontends
                          bind xxx.xxx.xxx.xxx:8080
                          mode http
                          log global
                          option dontlognull
                          option forwardfor
                          maxconn 200
                          clitimeout 120000
                          balance roundrobin
                          contimeout 120000
                          srvtimeout 30000
                          # Health check as generated: the request URI between HEAD and HTTP/1.0
                          # is empty (the monitor URI field was left blank in the package GUI),
                          # so every server fails the check and shows red in the stats page
                          option httpchk HEAD  HTTP/1.0
                          # Stats page, reachable on the public VIP, protected only by this
                          # basic-auth user/password pair
                          stats enable
                          stats uri /haproxy?stats
                          stats realm haproxyqstats
                          stats auth user:pass
                          server web1 192.168.0.1:80  check inter 1000 weight 1
                          server web2 192.168.0.2:80  check inter 1000 weight 1
                          server web3 192.168.0.3:80  check inter 1000 weight 1

                      Are there any more rules I have to add?

                      Thanks,
                      Nicolas Maupu

                      [Attachment: haproxy-pfsense.png]

                      nmaupu

                        For the record, I found my mistake and now it is working like a charm!
                        I just forgot to add a non-mandatory field: monitor URI - fail

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.