Passthrough for destinations with offloading frontend
-
It worked !
Thanks one more time, you advice was insanely helpful. Made it work, and though I was about to give up I slept it up and once refreshed it sort of everything clicked it became so easy and logical, it's just all the looping around server to server that makes it seem more complicated than it is, huh?!
I also went a little further set it up to proxy internally as well to simplify web addresses. And the best yet is that I finally came up with a solution to both use the naked domain for Active Directory and to host a website in it without hosting it on the DCs.
I'm leaving some screenshots, hopefully I can help somebody else too. :)
BACKENDS
LOOPAROUND BACKEND
FRONTENDS
-
-
@zwck
There are always options to do the same things differently. But there should not be a 'need' to do so unless you like that way better. Its not like the package changed significantly. -
i'd really would love to see an updated tutorial from you, since you are by far the most advanced user of the package :D
-
@zwck
What would you like to see updated? Is there something specifically that is missing that should be explained to basic users to get started?. If some pages are 'outdated' i can give it a go at creating a few new screenshots.. but really almost nothing has changed with regard to the basic frontend+acl&action>backend configuration stuff.. from whats already explained on my wiki pages.. -
@Piba, well i am not sure, tbh as i am not to experienced with haproxy it self. I played around with map files, on a standalone system that seemed to work alright too. Not sure if that has an advantage in regards to sni vs offload.
I used haproxy mainly to serve a couple of webpages with subdomains, and i created a virtualip for haproxy 2.1.1.2, maybe you can check if i didnt build in some obvious mistakes or forgot to tick somethings on.
# Automaticaly generated, dont edit manually. # Generated on: 2018-09-25 10:17 global maxconn 10000 stats socket /tmp/haproxy.socket level admin expose-fd listeners gid 80 nbproc 1 nbthread 1 hard-stop-after 15m chroot /tmp/haproxy_chroot daemon tune.ssl.default-dh-param 2048 server-state-file /tmp/haproxy_server_state ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets tune.ssl.maxrecord 1370 listen HAProxyLocalStats bind 127.0.0.1:2200 name localstats mode http stats enable stats admin if TRUE stats show-legends stats uri /haproxy/haproxy_stats.php?haproxystats=1 timeout client 5000 timeout connect 5000 timeout server 5000 frontend http-https-redirect bind 2.1.1.2:80 name 2.1.1.2:80 mode http log global option http-server-close timeout client 30000 #redirect scheme https code 301 if !{ ssl_fc } redirect scheme https code 301 frontend https_frontend bind 2.1.1.2:443 name 2.1.1.2:443 ssl crt-list /var/etc/haproxy/https_frontend.crt_list mode http log global option http-server-close option forwardfor acl https ssl_fc http-request set-header X-Forwarded-Proto http if !https http-request set-header X-Forwarded-Proto https if https timeout client 90000 acl chatACL var(txn.txnhost) -m reg -i ^chat.mydomain.io(?::443)?$ acl momACL var(txn.txnhost) -m reg -i ^mom.mydomain.io(?::443)?$ acl homeACL var(txn.txnhost) -m reg -i ^home.mydomain.io(?::443)?$ acl speedACL var(txn.txnhost) -m reg -i ^speed.mydomain.io(?::443)?$ acl restACL var(txn.txnhost) -m reg -i ^rest.mydomain.io(?::443)?$ http-request set-var(txn.txnhost) hdr(host) use_backend backend-chat_ipvANY if chatACL use_backend backend-test-copy_ipvANY if momACL use_backend backend-home_ipvANY if homeACL use_backend backend-speedtest_ipvANY if speedACL use_backend backend-rest_ipvANY if restACL backend backend-chat_ipvANY mode http id 105 log global timeout connect 30000 timeout server 30000 retries 3 server chat 192.168.0.21:3000 id 106 check inter 1000 backend backend-test-copy_ipvANY mode http id 123 log global http-response set-header Strict-Transport-Security max-age=31536000; timeout connect 30000 timeout server 30000 retries 3 http-response set-header Content-Security-Policy "default-src 'none'; font-src 'self'; connect-src 'self' wss: ws: https://mb3admin.com; media-src 'self' blob: data:; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; script-src 'self' https://www.gstatic.com; img-src data: https: http: ; style-src 'unsafe-inline' 'self'" server test_34 192.168.0.112:8096 id 126 backend backend-home_ipvANY mode http id 113 log global timeout connect 30000 timeout server 30000 retries 3 server homepi 69.0.0.150:8123 id 114 check inter 1000 backend backend-speedtest_ipvANY mode http id 129 log global http-response set-header Strict-Transport-Security max-age=31536000; timeout connect 30000 timeout server 30000 retries 3 #http-request set-header X-Client-IP req.hdr_ip([X-Forwarded-For]) server speed 192.168.0.19:2020 id 130 check inter 1000 backend backend-rest_ipvANY mode http id 111 log global timeout connect 30000 timeout server 30000 retries 3 server rest 192.168.0.19:3580 id 112 check inter 1000 -
I have a specific question regarding the HAProxy setup, In your wiki https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends you forward your request that arrive on wan side on port 80 and 443 to the address 192.168.0.133, my question here is, what is this ip, is it an ipalias in your network outside of the dhcp range that haproxy is listening on, or a virtual ip on the lan interface that haproxy is listening on. Would you mind guiding me.
-
@zwck
In my case 192.168.0.133 a virtual-ip of type alias on the pfSense WAN interface, of a test VM that runs with its wan on a private network segment.. Usually you would use the wan-ip of pfSense for that listening. Or wherever you want that haproxy frontend to listen.. Some websites i run with haproxy listening on the lan-ip, as they only need to be accessible when connected to the company network.. So its really up to you, where are your clients going to connect to, and do you want haproxy to directly handle that traffic, or are your going to create a portforward (though imho thats kinda ugly.., but then again, ive heard of haproxy failing to listen directly on a pppoe interface iirc..). -
@piba I would like to do it the pretty way, right now i create a virtual ip (ip alias) on the wan interface that is an ip that is outside of my network (lan 192.168.0.0/24) my ip alias is 2.1.1.2/32 then i have a nat portforward from wanadress to 2.1.1.2 of port 80 and 443 and have haproxy listen on that. I guess thats the ugly part :D
-
@zwck
Yup sounds 'ugly'
But well, shouldn't be to difficult to change that and make the frontend listen on the wan-ip right.? add a firewall rule to allow the traffic, and remove the portforward. -
@PiBa Thanks for your time and help ! And for the nat rule you just say allow 80/443 to any (e.g. *** http *** and *** https ***)
-
@zwck
So the firewall-rule it would look like:interface: WAN
protocol: TCP
source-address: any
source-port: any
destination-address: wan-ip
destination-port: 80 (or 443.. or what you want to allow traffic to.) -
thanks !
