HAPROXY config Help !
-
Hello everyone,
I am trying to implement a solution haproxy (with this tutorial: http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate) and I take my head because nothing works :-)
If anyone can look at my config file and help me … I would be very grateful.
I wonder if there is not an error with the dummy backend set to disable?
if I do not pass through the HTTPS Reverse Proxy, it works (Removing pass thru Per server: send-proxy)
thank you in advance for your help
global stats socket /tmp/haproxy.socket level admin uid 80 gid 80 nbproc 1 chroot /tmp/haproxy_chroot daemon ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK tune.ssl.default-dh-param 2048 tune.ssl.maxrecord 1370 frontend WAN_HTTPS bind 127.0.0.1:2043 name 127.0.0.1:2043 ssl no-sslv3 crt /var/etc/haproxy/WAN_HTTPS.pem accept-proxy npn http/1.1 mode http log global option http-keep-alive option forwardfor acl https ssl_fc reqadd X-Forwarded-Proto:\ http if !https reqadd X-Forwarded-Proto:\ https if https timeout client 7200000 rspidel ^Server:.*$ rspidel ^X-Powered-By:.*$ rspidel ^X-AspNet-Version:.*$ default_backend none_http_ipvANY frontend WAN_443-merged bind 192.168.1.112:443 name 192.168.1.112:443 mode tcp log global timeout client 7200000 tcp-request inspect-delay 5s tcp-request content accept if { req.ssl_hello_type 1 } or !{ req.ssl_hello_type 1 } acl aclusr_custom_req.ssl_hello_type_201 req.ssl_hello_type 1 acl aclusr_custom_req.ssl_sni_20-m_20end_20-i_20syno.mydomain.com req.ssl_sni -m end -i syno.mydomain.com acl aclusr_custom_req.ssl_sni_20-m_20end_20-i_20vcenter.mydomain.com req.ssl_sni -m end -i vcenter.mydomain.com acl aclusr_custom_req.ssl_sni_20-m_20end_20-i_20swiss.mydomain.com req.ssl_sni -m end -i swiss.mydomain.com use_backend WAN_HTTPS_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 use_backend syno_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20syno.mydomain.com use_backend vcenter_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20vcenter.mydomain.com use_backend swiss_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20swiss.mydomain.com default_backend none_tcp_ipvANY frontend WAN_HTTP bind 192.168.1.112:80 name 192.168.1.112:80 mode http log global option http-keep-alive timeout client 30000 default_backend ssl-redirect_http_ipvANY backend none_http_ipvANY mode http timeout connect 30000 timeout server 30000 retries 3 option httpchk server none 127.0.0.1:80 disabled backend none_tcp_ipvANY mode tcp timeout connect 30000 timeout server 30000 retries 3 option httpchk server none 127.0.0.1:80 disabled backend WAN_HTTPS_tcp_ipvANY mode tcp timeout connect 30000 timeout server 7200000 retries 3 option httpchk server WAN_HTTPS 127.0.0.1:2043 check-ssl verify none send-proxy backend syno_tcp_ipvANY mode tcp timeout connect 30000 timeout server 7200000 retries 3 option httpchk server syno 192.168.200.50:5001 check-ssl verify none send-proxy backend vcenter_tcp_ipvANY mode tcp timeout connect 30000 timeout server 720000 retries 3 option httpchk server vcenter.mydomain.com 192.168.200.20:9443 check-ssl verify none send-proxy backend swiss_tcp_ipvANY mode tcp timeout connect 30000 timeout server 720000 retries 3 option httpchk server swiss 192.168.200.254:80 send-proxy backend ssl-redirect_http_ipvANY mode http timeout connect 30000 timeout server 30000 retries 3 option httpchk redirect scheme https code 301 -
Hi lololo,
If i understand correctly everything 'works' alright when you do not have the "send-proxy" server settings?
So if you do want the backend to know the actual ip of the client then you must make sure it is expecting the proxy-protocol to be used around the tcp connection.. So the webserver/mailserver/yourserver, must be configured to accept the proxy-protocol header.
For nginx for example you would put something like this in the configuration: "listen 80 proxy_protocol;" for apache it seems to need "ProxyProtocol On".. There are other pieces of software that have implemented support for this protocol as well, but always needs support and some configuration on the server side as well it wont work by only changing the haproxy configuration..
Hope this helps you somewhat..
Another thing i would do is enable the stats pages (fill in a local port in the settings tab), and enable health checking on the backends. It helps diagnose if haproxy sees the servers properly..
Greets,
PiBa-NL -
ok I understand I will try
thank you for your help
-
yes that's right, in the stats page if I put "send-proxy" backend server is down … if I did not put, the server is up!
it is the login page synology (DSM) suddenly, I can not change anything to accept the proxy_protocol :-(
-
Hi lololo,
Yep in case of such a custom appliance there isn't much to configure for proxy-protocol..
Other question is do you 'need' the client-ip in the synology device?
If so perhaps using transparent-client-ip option in the backend configuration can help you with that? It will mess up direct access to the device when trying to directly connect from lan to opt1 networks for example, and connections from the same local network that are routed through haproxy. So be sure to test all your required scenarios if your going that route…
Greets
PiBa-NL -
Hi,
I can not find the problem (finally I wonder if this is a SNI problem I change the configuration and no longer uses the tcp.
Everything works perfectly now!
Thank you for your help
have a good daylaurent