HAproxy issue after installing 2.3.5 (SOLVED)

PiBa

Seems youve got 2 default-backends ending up in the config, that wont work right.

What is needed is a 'action' that says to use_backend X if some acl matches.

Did you upgrade a existing configuration? It 'should' have automatically converted from the old frontend+acl to acl+action like backend selection.

killmasta93

Thanks for the reply, i did not upgrade rather started from scratch.
So that part from the backend fix it instead of using default from what you said i added the cloud and web action from the ACL (see picture)
But i also been reading that HAproxy does not redirect http to https when its in TCP mode but if i delete history, cache , cookies and type mydomain.com i get the pfSense DNS rebind attack but if type https://mydomain.com it works and also https://cloud.mydomain.com

Then on the sharefrontend i tried on advance so it redirects traffic to https

redirect scheme https code 301 if !{ ssl_fc }

but on HAproxy gets this error

[WARNING] 309/152723 (70482) : parsing [/var/etc/haproxy/haproxy.cfg:33] : a 'tcp-request' rule placed after a 'redirect' rule will still be processed before.
[WARNING] 309/152723 (70482) : config : 'redirect' rules ignored for frontend 'SharedFrontend-merged' as they require HTTP mode.

Thank you

Clipboarder.2017.11.06.png
Clipboarder.2017.11.06.png_thumb
Clipboarder.2017.11.06-002.png

Clipboarder.2017.11.06-003.png

PiBa

Indeed haproxy cannot send a http redirect when operating in tcp mode.

The redirect that seems to happen anyway might be a cached hsts header (usually hard but possible to erase from the browser memory, take more then just deleting cookies though..)
Or also the 'webgui redirect' from pfSense System/Advanced/AdminAccess which will be listening on port 80.

killmasta93

Thanks for the reply, as i changed the port to 81 so it wont listen but same concept because HTTP cannot be directed to HTTPS. Would there be any other way using the TCP mode on HAproxy? Rewriting the URL maybe?

The redirect that seems to happen anyway might be a cached hsts header (usually hard but possible to erase from the browser memory, take more then just deleting cookies though..)

what i did is on chrome crtl+shift+delete, deleted everything closed it and opened it and bam wont redirect. of Course on firefox did not delete anything and went perfect. The issue with that is when a user or client has never gone to the website there either going to error or it wont load unless they put https://

Thank you

PiBa

For the redirect from http to https to work you must have something that listens on :80 and performs the redirect. This could be done with a frontend specifically made for this and without any backends. It could have a single action that performs the redirect.

killmasta93

Thanks for the quick reply,
So on HAproxy i added another frontend
But when i try to apply settings im getting this error

Errors found while starting haproxy
[ALERT] 309/165522 (51624) : parsing [/var/etc/haproxy_test/haproxy.cfg:45] : error detected in frontend 'HTTP' while parsing 'http-request redirect' rule : redirection type expected ('prefix', 'location', or 'scheme').
[ALERT] 309/165522 (51624) : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg

see picture

Thank you

Clipboarder.2017.11.06-004.png

Clipboarder.2017.11.06-005.png

Clipboarder.2017.11.06-006.png

PiBa

Must tell it what type of redirect to perform "scheme https" in your case..

![2017-11-06 18_48_03-Services_ HAProxy_ Frontend_ Edit - pfSe.localdomain.png](/public/imported_attachments/1/2017-11-06 18_48_03-Services_ HAProxy_ Frontend_ Edit - pfSe.localdomain.png)
![2017-11-06 18_48_03-Services_ HAProxy_ Frontend_ Edit - pfSe.localdomain.png_thumb](/public/imported_attachments/1/2017-11-06 18_48_03-Services_ HAProxy_ Frontend_ Edit - pfSe.localdomain.png_thumb)

killmasta93

Thank you for the quick reply, that did the trick. for anyone else having this issue here is the screen shot for working SSL, the only tiny issue is the www, if someone puts www.mydomain.com it wont direct it to mydomain. i tried adding on rule prefix https but no luck, was reading the manual HAproxy but did not find any other rule that would apply for the www

Thank you again

Clipboarder.2017.11.06-008.png

PiBa

The www prefix rule needs a bit more content in its action i think: "prefix https://mydomain.com"

killmasta93

Thanks for the reply, as for the prefix i tried

prefix https://mydomain.com
prefix https://www.mydomain.com

I also changed ACL because realized that the web_acl www.mydomain.com wont work because all www on nginx gets redirect to mydomain.com

So instead redirect to mydomain.com but unfortunately did not work

Thank you

Clipboarder.2017.11.06-009.png

PiBa

well.. www only gets redirected by nginx webserver if the traffic gets to it as far as ive see the 443 frontend doesnt check for www to pass to the right backend.?.

anyhow using the "prefix https://mydomain.com" should work to redirect http://www.domain.com to https://domain.com, browser caches of previous followed redirects aside..

killmasta93

Thanks for the reply, so after hours trail and error this is the config that worked to redirect the www to mydomain.com whats odd that every browser worked by putting the www.mydomain.com besides safari on the iphone but i guess who knows what safari does that wont let redirect, besides that internet explorer, chrome, firefox, puffin all worked well.
What i did is to create another acl web2 host start with www then below with the prefix

prefix https://mydomain.com

which points to web2

Thank you again for all the help hope this helps others see picture

Clipboarder.2017.11.06-010.png