• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Passthrough for destinations with offloading frontend

Scheduled Pinned Locked Moved Cache/Proxy
17 Posts 3 Posters 3.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    senseivita
    last edited by Sep 15, 2018, 11:30 PM

    I didn't know about the client->server cert flow, thanks!! I will definitely do it because I do use certificates for identification.

    HAProxy in combination with pfSense and the ACME package unbelievable power though, I refuse to replace it by MSWAP. For instance, just to cover securing my domains I'd have to get 8 wildcard certs, just for starters, then it comes the fact that wildcards aren't that liked so next I'd have to hunt down the problematic sites which I do not remember anymore and issue more certificates. Then there's the load balancing ability that's just so freaking fast. I love it

    I have this piece of software to manage Linux servers akin to Webmin or cPanel, but only over SSH and it doesn't make major modifications on systems, it's called goPanel 2, as the others it can request LE certificates but using the connection method instead of the DNS methods--it failed over MSWAP, succeeded over HAProxy...it was when the connection attempts were spotty though.

    Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

    1 Reply Last reply Reply Quote 0
    • S
      senseivita
      last edited by Sep 17, 2018, 10:54 PM

      It worked !

      Thanks one more time, you advice was insanely helpful. Made it work, and though I was about to give up I slept it up and once refreshed it sort of everything clicked it became so easy and logical, it's just all the looping around server to server that makes it seem more complicated than it is, huh?! 🤓

      I also went a little further set it up to proxy internally as well to simplify web addresses. And the best yet is that I finally came up with a solution to both use the naked domain for Active Directory and to host a website in it without hosting it on the DCs.

      I'm leaving some screenshots, hopefully I can help somebody else too. :)

      BACKENDS
      0_1537223596787_Screen_Shot_2018-09-17_at_16_25_34.png

      LOOPAROUND BACKEND
      0_1537223985447_Screen Shot 2018-09-17 at 16.38.46.png

      FRONTENDS
      0_1537223584363_Screen_Shot_2018-09-17_at_16_22_39.png

      Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

      1 Reply Last reply Reply Quote 0
      • Z
        zwck
        last edited by Sep 19, 2018, 7:20 AM

        @umademelosemyusernamepfsense
        @PiBa

        I have not updated my haproxy config in quite sometime and i used your @PiBa template for offloading and endpoint termination http config that's online in the wiki. is this still up to date or is could this be done differently now?

        P 1 Reply Last reply Sep 19, 2018, 5:35 PM Reply Quote 0
        • P
          PiBa @zwck
          last edited by Sep 19, 2018, 5:35 PM

          @zwck
          There are always options to do the same things differently. But there should not be a 'need' to do so unless you like that way better. Its not like the package changed significantly.

          Z 1 Reply Last reply Sep 21, 2018, 9:41 AM Reply Quote 1
          • Z
            zwck @PiBa
            last edited by Sep 21, 2018, 9:41 AM

            @piba

            i'd really would love to see an updated tutorial from you, since you are by far the most advanced user of the package :D

            P 1 Reply Last reply Sep 21, 2018, 5:40 PM Reply Quote 0
            • P
              PiBa @zwck
              last edited by Sep 21, 2018, 5:40 PM

              @zwck
              What would you like to see updated? Is there something specifically that is missing that should be explained to basic users to get started?. If some pages are 'outdated' i can give it a go at creating a few new screenshots.. but really almost nothing has changed with regard to the basic frontend+acl&action>backend configuration stuff.. from whats already explained on my wiki pages..

              1 Reply Last reply Reply Quote 0
              • Z
                zwck
                last edited by zwck Sep 25, 2018, 8:40 AM Sep 25, 2018, 8:31 AM

                @Piba, well i am not sure, tbh as i am not to experienced with haproxy it self. I played around with map files, on a standalone system that seemed to work alright too. Not sure if that has an advantage in regards to sni vs offload.

                I used haproxy mainly to serve a couple of webpages with subdomains, and i created a virtualip for haproxy 2.1.1.2, maybe you can check if i didnt build in some obvious mistakes or forgot to tick somethings on.

                # Automaticaly generated, dont edit manually.
                # Generated on: 2018-09-25 10:17
                global
                	maxconn			10000
                	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
                	gid			80
                	nbproc			1
                	nbthread			1
                	hard-stop-after		15m
                	chroot				/tmp/haproxy_chroot
                	daemon
                	tune.ssl.default-dh-param	2048
                	server-state-file /tmp/haproxy_server_state
                	ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
                	ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                	ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
                	tune.ssl.maxrecord 1370
                
                listen HAProxyLocalStats
                	bind 127.0.0.1:2200 name localstats
                	mode http
                	stats enable
                	stats admin if TRUE
                	stats show-legends
                	stats uri /haproxy/haproxy_stats.php?haproxystats=1
                	timeout client 5000
                	timeout connect 5000
                	timeout server 5000
                
                frontend http-https-redirect
                	bind			2.1.1.2:80 name 2.1.1.2:80   
                	mode			http
                	log			global
                	option			http-server-close
                	timeout client		30000
                	#redirect scheme https code 301 if !{ ssl_fc }
                	redirect scheme https code 301
                
                frontend https_frontend
                	bind			2.1.1.2:443 name 2.1.1.2:443   ssl crt-list /var/etc/haproxy/https_frontend.crt_list  
                	mode			http
                	log			global
                	option			http-server-close
                	option			forwardfor
                	acl https ssl_fc
                	http-request set-header		X-Forwarded-Proto http if !https
                	http-request set-header		X-Forwarded-Proto https if https
                	timeout client		90000
                	acl			chatACL	var(txn.txnhost) -m reg -i ^chat.mydomain.io(?::443)?$
                	acl			momACL	var(txn.txnhost) -m reg -i ^mom.mydomain.io(?::443)?$
                	acl			homeACL	var(txn.txnhost) -m reg -i ^home.mydomain.io(?::443)?$
                	acl			speedACL	var(txn.txnhost) -m reg -i ^speed.mydomain.io(?::443)?$
                	acl			restACL	var(txn.txnhost) -m reg -i ^rest.mydomain.io(?::443)?$
                	http-request set-var(txn.txnhost) hdr(host)
                	use_backend backend-chat_ipvANY  if  chatACL 
                	use_backend backend-test-copy_ipvANY  if  momACL 
                	use_backend backend-home_ipvANY  if  homeACL 
                	use_backend backend-speedtest_ipvANY  if  speedACL 
                	use_backend backend-rest_ipvANY  if  restACL 
                
                backend backend-chat_ipvANY
                	mode			http
                	id			105
                	log			global
                	timeout connect		30000
                	timeout server		30000
                	retries			3
                	server			chat 192.168.0.21:3000 id 106 check inter 1000  
                
                backend backend-test-copy_ipvANY
                	mode			http
                	id			123
                	log			global
                	http-response set-header Strict-Transport-Security max-age=31536000;
                	timeout connect		30000
                	timeout server		30000
                	retries			3
                	http-response set-header Content-Security-Policy  "default-src 'none'; font-src 'self'; connect-src 'self' wss: ws: https://mb3admin.com; media-src 'self' blob: data:; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; script-src 'self'  https://www.gstatic.com; img-src data: https: http: ; style-src 'unsafe-inline' 'self'"
                	server			test_34 192.168.0.112:8096 id 126  
                
                backend backend-home_ipvANY
                	mode			http
                	id			113
                	log			global
                	timeout connect		30000
                	timeout server		30000
                	retries			3
                	server			homepi 69.0.0.150:8123 id 114 check inter 1000  
                
                backend backend-speedtest_ipvANY
                	mode			http
                	id			129
                	log			global
                	http-response set-header Strict-Transport-Security max-age=31536000;
                	timeout connect		30000
                	timeout server		30000
                	retries			3
                	#http-request set-header X-Client-IP req.hdr_ip([X-Forwarded-For])
                	server			speed 192.168.0.19:2020 id 130 check inter 1000  
                
                backend backend-rest_ipvANY
                	mode			http
                	id			111
                	log			global
                	timeout connect		30000
                	timeout server		30000
                	retries			3
                	server			rest 192.168.0.19:3580 id 112 check inter 1000
                
                1 Reply Last reply Reply Quote 0
                • Z
                  zwck
                  last edited by Oct 2, 2018, 8:00 AM

                  @Piba,

                  I have a specific question regarding the HAProxy setup, In your wiki https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends you forward your request that arrive on wan side on port 80 and 443 to the address 192.168.0.133, my question here is, what is this ip, is it an ipalias in your network outside of the dhcp range that haproxy is listening on, or a virtual ip on the lan interface that haproxy is listening on. Would you mind guiding me.

                  P 1 Reply Last reply Oct 2, 2018, 5:54 PM Reply Quote 0
                  • P
                    PiBa @zwck
                    last edited by PiBa Oct 2, 2018, 5:55 PM Oct 2, 2018, 5:54 PM

                    @zwck
                    In my case 192.168.0.133 a virtual-ip of type alias on the pfSense WAN interface, of a test VM that runs with its wan on a private network segment.. Usually you would use the wan-ip of pfSense for that listening. Or wherever you want that haproxy frontend to listen.. Some websites i run with haproxy listening on the lan-ip, as they only need to be accessible when connected to the company network.. So its really up to you, where are your clients going to connect to, and do you want haproxy to directly handle that traffic, or are your going to create a portforward (though imho thats kinda ugly.., but then again, ive heard of haproxy failing to listen directly on a pppoe interface iirc..).

                    Z 1 Reply Last reply Oct 2, 2018, 8:41 PM Reply Quote 0
                    • Z
                      zwck @PiBa
                      last edited by Oct 2, 2018, 8:41 PM

                      @piba I would like to do it the pretty way, right now i create a virtual ip (ip alias) on the wan interface that is an ip that is outside of my network (lan 192.168.0.0/24) my ip alias is 2.1.1.2/32 then i have a nat portforward from wanadress to 2.1.1.2 of port 80 and 443 and have haproxy listen on that. I guess thats the ugly part :D

                      P 1 Reply Last reply Oct 2, 2018, 10:05 PM Reply Quote 0
                      • P
                        PiBa @zwck
                        last edited by Oct 2, 2018, 10:05 PM

                        @zwck
                        Yup sounds 'ugly' 😉
                        But well, shouldn't be to difficult to change that and make the frontend listen on the wan-ip right.? add a firewall rule to allow the traffic, and remove the portforward.

                        1 Reply Last reply Reply Quote 0
                        • Z
                          zwck
                          last edited by Oct 3, 2018, 11:19 AM

                          @PiBa Thanks for your time and help ! And for the nat rule you just say allow 80/443 to any (e.g. *** http *** and *** https ***)

                          P 1 Reply Last reply Oct 3, 2018, 6:14 PM Reply Quote 0
                          • P
                            PiBa @zwck
                            last edited by Oct 3, 2018, 6:14 PM

                            @zwck
                            So the firewall-rule it would look like:

                            interface: WAN
                            protocol: TCP
                            source-address: any
                            source-port: any
                            destination-address: wan-ip
                            destination-port: 80 (or 443.. or what you want to allow traffic to.)

                            1 Reply Last reply Reply Quote 0
                            • Z
                              zwck
                              last edited by Oct 3, 2018, 7:06 PM

                              thanks !

                              1 Reply Last reply Reply Quote 0
                              17 out of 17
                              • First post
                                17/17
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                This community forum collects and processes your personal information.
                                consent.not_received