Netgate Discussion Forum

    Haproxy - Reverse Proxy to subdomain.exemple.com

      luciano_frc

      Hello everyone.
      I'm trying to do the same thing, I followed this tutorial
      https://blog.briantruscott.com/how-to-serve-multiple-domains-from-a-single-public-ip-using-haproxy-on-pfsense/
      But when trying to access I get the error

      Does anyone have any suggestions?

      My configs HA

      
      # Automaticaly generated, dont edit manually.
      # Generated on: 2017-03-02 20:26
      global
      	maxconn			10000
      	stats socket /tmp/haproxy.socket level admin
      	gid			80
      	nbproc			1
      	chroot			/tmp/haproxy_chroot
      	daemon
      	server-state-file /tmp/haproxy_server_state
      
      frontend HTTP-merged
      	bind			168.56.172.241:80 name 168.56.172.241:80
      	mode			http
      	log			global
      	option			http-keep-alive
      	option			forwardfor
      	acl https ssl_fc
      	http-request set-header		X-Forwarded-Proto http if !https
      	http-request set-header		X-Forwarded-Proto https if https
      	timeout client		30000
      	acl			ACL_Portal	hdr(host) -i subdomain.exemple.com
      	use_backend Portal_http_ipv4  if  ACL_Subdomain
      	default_backend Subdomain_http_ipv4
      
      backend Subdomain_http_ipv4
      	mode			http
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	source ipv4@ usesrc clientip
      	option			httpchk OPTIONS / 
      	server			Subdomain 172.16.0.250:80 check inter 1000
      
      

      My Firewall Rules

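
The first configuration above defines `ACL_Portal` but routes on `ACL_Subdomain`, to a backend `Portal_http_ipv4` that has no section. As an added example (not code from the thread or from the pfSense HAProxy package), a small consistency check over an excerpt of that configuration; the `PREDEFINED` set is a partial, assumed list of HAProxy's built-in ACL names:

```python
# Excerpt of the first haproxy.cfg posted above (routing lines only).
CFG = """\
frontend HTTP-merged
    bind 168.56.172.241:80 name 168.56.172.241:80
    acl https ssl_fc
    acl ACL_Portal hdr(host) -i subdomain.exemple.com
    use_backend Portal_http_ipv4  if  ACL_Subdomain
    default_backend Subdomain_http_ipv4

backend Subdomain_http_ipv4
    server Subdomain 172.16.0.250:80 check inter 1000
"""

PREDEFINED = {"TRUE", "FALSE", "LOCALHOST", "HTTP", "METH_GET", "METH_POST"}  # partial

def check_routing(cfg):
    """List use_backend/default_backend lines naming an undefined backend or ACL."""
    backends, acls, uses, section = set(), {}, [], None
    for n, line in enumerate(cfg.splitlines(), 1):
        tok = line.split("#")[0].split()
        if not tok:
            continue
        if tok[0] in ("global", "defaults", "frontend", "backend", "listen"):
            section = tok[1] if len(tok) > 1 else tok[0]
            if tok[0] in ("backend", "listen"):
                backends.add(section)
        elif tok[0] == "acl" and len(tok) > 1:
            acls.setdefault(section, set()).add(tok[1])
        elif tok[0] in ("use_backend", "default_backend") and len(tok) > 1:
            # tok[2] is 'if'/'unless'; the condition follows it
            uses.append((n, section, tok[1], tok[3:]))
    problems = []
    for n, section, backend, cond in uses:
        if backend not in backends:
            problems.append(f"line {n}: backend '{backend}' is not defined")
        depth = 0
        for t in cond:
            depth += (t == "{") - (t == "}")  # skip anonymous { ... } ACLs
            name = t.lstrip("!")
            if depth or t in ("{", "}", "or", "||") or name in PREDEFINED:
                continue
            if name not in acls.get(section, set()):
                problems.append(f"line {n}: ACL '{name}' is not defined in '{section}'")
    return problems

if __name__ == "__main__":
    print("\n".join(check_routing(CFG)) or "routing references are consistent")
```

HAProxy's own `haproxy -c -f <file>` is the authoritative syntax check; this sketch only shows which references it would reject.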
        killmasta93

        can you upload screen shot of your frontend and backend?

        Tutorials:

        https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

          luciano_frc

          Of course, I'll leave the screens below.
          First I create the backend

          All other backend options left as default
          I only change this

          Saved and now I'm going to my frontend

          How will I have other subdomains
          I'm going to use shared front end, however my first frontend is sudomains_frontend_shared

          I leave all the options as default and only change that of the screen

          Now I'm going to create my first frontend for subdomain1.example.com

          I leave my settings like this, but when trying to access externally I get the error 503

          I left my firewall rules like this, with everything open so I had no problem blocking it.

          Content of the var/etc/haproxy/haproxy.cfg

          
          # Automaticaly generated, dont edit manually.
          # Generated on: 2017-03-02 21:50
          global
          	stats socket /tmp/haproxy.socket level admin
          	gid			80
          	nbproc			1
          	chroot			/tmp/haproxy_chroot
          	daemon
          	server-state-file /tmp/haproxy_server_state
          
          frontend sudomains_frontend_shared-merged
          	bind			xxx.xxx.xxx.xxx:80 name xxx.xxx.xxx.xxx:80   
          	mode			http
          	log			global
          	option			http-keep-alive
          	option			forwardfor
          	acl https ssl_fc
          	http-request set-header		X-Forwarded-Proto http if !https
          	http-request set-header		X-Forwarded-Proto https if https
          	timeout client		30000
          	acl			ACL_SUB_1	hdr(host) -i subdomain.exemple.com
          	use_backend Subdomain_http_ipv4  if  ACL_SUB_1 
          	default_backend Subdomain_http_ipv4
          
          backend Subdomain_http_ipv4
          	mode			http
          	log			global
          	timeout connect		30000
          	timeout server		30000
          	retries			3
          	source ipv4@ usesrc clientip
          	option			httpchk OPTIONS / 
          	server			Subdomain 172.16.0.250:80 check inter 1000
          
          

          But I really can not access subdomain1.example.com :(

          Thank you all for your help. :)

            genotix

            You do notice that you have typed "exemple" i/o "example" in your browser, right?

            It also looks like the ip you're referring to isn't serving anything at port 80 or the firewall can't reach it.
            What happens if you replace your ip 172.16.0.250 with something like 172.217.17.68 (Which is a google server)

            The config seems to be ok from my perspective.

            Mind you that exemple.com is registered (well it has a webserver behind it) so should you want to test it internally make sure it's internally resolved to the Firewall.
            Are the IP addresses you are using actually internal and does your firewall know how to reach them?
            One of them actually seems to be external and not having an HTTP server running which will definitely end up in the error you get if your firewall tries to reach it through HAProxy.

              genotix

              By the way; please don't open up your firewall like this.
              It's best to open up port 80 only if your main purpose is Proxying for internal servers.
              Doing this is almost as good as leaving out your firewall and just reverse proxying on Nginx.

                luciano_frc

                This is actually, I am using the exemple.com domain and subdomain.example.com just to illustrate how I configured it, that domain is fake, actually my HAProxy settings are pointing to my real domain.
                When I type my real domain, the error I have in the browser is this 503
                Already the rules of my firewall, are exactly like the image above, i.e. all open ports

                  luciano_frc

                  @genotix:

                  By the way; please don't open up your firewall like this.
                  It's best to open up port 80 only if your main purpose is Proxying for internal servers.
                  Doing this is almost as good as leaving out your firewall and just reverse proxying on Nginx.

                  Exactly, that my pfsense is only for testing with HAProxy, but my intention when it goes into production is to fine tune all these firewall rules…

                    genotix

                    Ok the 503 normally means your HAProxy has picked up the incoming request, attempted to contact the backend but failed to connect to it.

                    So in this case double check your backend because it seems to be off.

                      luciano_frc

                      Sorry for my dumb question.
                      But how do I check if the backend is active or not?
                      My backend is exactly like the images above

                        genotix

                        Well according to your configuration you should have a backend running on
                        http://172.16.0.250:80

                        Now this will -at least- need to give a response when going to it with a web-browser.
                        Usually the backend will have a multi-domain structure so it will return a different page, depending on the hostname you are redirecting for.

                        Technically you can have several websites running on the same server on the same port.
                        This is e.g. how webshops often do it.

                          PiBa

                          Check stats page like explained here: https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_troubleshooting
                          Make sure the servers are seen as 'up'.

                          Also disable the transparent-client-ip on the backend, or at least understand what it affects. It 'breaks' things some expect to 'just work'..

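
The "servers are seen as 'up'" check from the post above can also be read from the stats socket that the posted configuration already enables (`stats socket /tmp/haproxy.socket level admin`). This is an added example, not code from the thread or the HAProxy package: the sample `show stat` CSV is constructed and trimmed to a few columns, and the script assumes it runs on the firewall with access to that socket.

```python
import csv
import io
import os
import socket

SOCKET_PATH = "/tmp/haproxy.socket"  # path from the 'stats socket' line posted above

# Constructed sample of 'show stat' CSV, trimmed to the columns used here.
# type: 0 = frontend, 1 = backend, 2 = server
SAMPLE = """\
# pxname,svname,status,type,check_status,check_code,last_chk,
sudomains_frontend_shared-merged,FRONTEND,OPEN,0,,,,
Subdomain_http_ipv4,Subdomain,DOWN,2,L7STS,405,Method Not Allowed,
Subdomain_http_ipv4,BACKEND,DOWN,1,,,,
Other_http_ipv4,Other,UP,2,L7OK,200,OK,
Other_http_ipv4,BACKEND,UP,1,,,,
"""

def show_stat(path=SOCKET_PATH):
    """Send 'show stat' to the HAProxy admin socket and return the CSV text."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(b"show stat\n")
        chunks = []
        while data := s.recv(65536):
            chunks.append(data)
    return b"".join(chunks).decode()

def failing(csv_text):
    """Return (backends with no usable server, servers that are not UP)."""
    rows = list(csv.DictReader(io.StringIO(csv_text.lstrip("# "))))
    dead = [r["pxname"] for r in rows
            if r["type"] == "1" and not r["status"].startswith("UP")]
    bad = [(r["pxname"], r["svname"], r["status"], r["check_status"], r["check_code"])
           for r in rows
           if r["type"] == "2" and not r["status"].startswith(("UP", "no check"))]
    return dead, bad

if __name__ == "__main__":
    text = show_stat() if os.path.exists(SOCKET_PATH) else SAMPLE
    dead, bad = failing(text)
    for px in dead:
        print(f"backend {px}: no server available, requests get 503")
    for px, sv, status, chk, code in bad:
        print(f"  server {px}/{sv}: {status} (check {chk} {code})")
```

The `check_status` and `check_code` columns say why a health check failed; the constructed `L7STS`/`405` row is what a server rejecting the `option httpchk OPTIONS /` probe would look like, since HAProxy only treats 2xx and 3xx responses as a passing check.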
                            luciano_frc

                            Hello everyone.
                            Thanks for the posts posted, but I really can not make HAProxy work recursively.
                            I've been trying this for over 30 days and with no success.
                            If someone has the HAProxy configured, and can leave the prints of the settings I thank

                              doktornotor Banned

                              At the risk of stating the obvious: exemple is NOT the same thing as example. You keep producing that typo over and over and over again. When you keep obfuscating your setup and producing collateral typos in the way, it's impossible for others to debug anyway.

                              You've already been told how to debug in the post directly above.
