Haproxy setup help

rajbps

Hi team,

Can anyone assist in setting up haproxy with details please? I have a 3 websites different domains running on port 80 and 3 other sites running on 443 one of them is for exchange 2013 web access.

i am willing to buy a drink to someone who can assist with details.

Raj

PiBa

Hi Raj,

Where did you get stuck? What did you try?

https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/Single-frontend-serving-multiple-different-domains-using-http
https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

Or try the Templates/create config button in the package to setup a basic 'example'.?.

Then post your haproxy.conf and describe what doesnt work yet.

Regards,
PiBa-NL

rajbps

Hiya,

Sorry for the late reply. This is the link that I used:

https://blog.briantruscott.com/how-to-serve-multiple-domains-from-a-single-public-ip-using-haproxy-on-pfsense/

I will try to follow your links and update shortly.

Cheers,

raj

rajbps

Ok I think I got it working

Created a backend for each server and 2 main front ends one for http for 80 and one for https.

Then created a few sub frontends that link to either http or https. Got owa and phones to sync for exchange and websites to work. Just have one last thing. Have a support site on https and I can load it good. When i try to open it on http it does not get redirected to https. Can anyone assist on how to get this done pls?

Rajbps

PiBa

You could make a 'action' in a frontend that listens on :80 and then performs a "http-request redirect scheme https" if the acl for the support domain matches.

rajbps

Could you provide a screenshot pls. Cant seem to get my head round it.

PiBa

Something like this.

![2016-10-26 21_16_17-pfSe.localdomain - HAProxy_ Frontend_ Edit.png](/public/imported_attachments/1/2016-10-26 21_16_17-pfSe.localdomain - HAProxy_ Frontend_ Edit.png)
![2016-10-26 21_16_17-pfSe.localdomain - HAProxy_ Frontend_ Edit.png_thumb](/public/imported_attachments/1/2016-10-26 21_16_17-pfSe.localdomain - HAProxy_ Frontend_ Edit.png_thumb)

rajbps

Hiya, the "scheme https" is that the main front end for https or the shared front end which uses https front end as primary please?

PiBa

It just redirects the client from http://support to https://support, so after that initial http request the 'usual route' for that website will end up on one of your frontends that listen on :443.

rajbps

is there a way for me to get the config out of pfsense and send it to you in private pls?

PiBa

The generated haproxy configuration can be seen at the bottom of the settings tab in the package, there is a button to show it.

As for getting it to me you could send me a PM through the forum if thats ok for you?. Anyhow replace passwords/public ip's/domainnames by similar but dummy values where needed. (do make sure to replace a name or ip you want to replace by the same value each time so it still makes sense..)

rajbps

pm sent

PiBa

Config recieved. Looks like you didnt configure the 'action' part from my screenshot above?

Is the redirect the only current issue.? Or are there others i should look at?

rajbps

thats the bit and if you can see anything to harden security thats always welcome

PiBa

Ok so add the redirect 'action' as in my screenshot ? I think that should fix the redirect part.

As a minor observation i'm wondering about for example 'email' and 'support' are using different acl's matches v.s. contains is that intentional? should othersubdomain.support.mydomain.com also be send to the same backend as support.mydomain.com ?

You passing https straight to the backend, and using transparent-client-ip, should work.. and i assume you have read the warning, and understand it can cause some issues.. (it might bite you later when you want to connect another way and cant seem to get it working, the 'transparent-client-ip' might be the culprit..) Though there arn't really much other options for some backends.. Just saying ;)

rajbps

when I add the second bit and try to save and apply, I get the following error :

Errors found while starting haproxy
[ALERT] 299/234604 (87967) : parsing [/var/etc/haproxy_test/haproxy.cfg:39] : error detected in frontend 'Loki-merged' while parsing 'http-request redirect' rule : expects 'code', 'prefix', 'location', 'scheme', 'set-cookie', 'clear-cookie', 'drop-query' or 'append-slash' (was 'Support').
[ALERT] 299/234604 (87967) : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg

rajbps

http-request redirect See below httpsredirect

rule: Support

rajbps

"As a minor observation i'm wondering about for example 'email' and 'support' are using different acl's matches v.s. contains is that intentional? should othersubdomain.support.mydomain.com also be send to the same backend as support.mydomain.com ?"

In regards to the email and support, if i got it correctly, i have a different backend for each url as they go to different servers. Then I have one https frontend and sub frontend that share the primary https front end. If there is a better more efficient way to do it please advise as I am very new to haproxy and this is a learning curve for me .

Cheers for all the help though.

Rajbps

PiBa

@rajbps:

http-request redirect See below httpsredirect

rule: Support

For a simple https redirect the 'rule' should be:

scheme https

no more no less :)

rajbps

yep error gone :-)