HAProxy not working with SSL.
-
Hello folks,
I cannot find a proper way to make HAProxy work.
What I want to achieve is to make multiple websites on different servers that are inside my DMZ (with their own IP address and own SSL certificate) available on the internet. I can make this work for my http (port 80) website but not for my https (port 443) websites.
So something like this: WAN -> virtual (pfSense) -> virtual (DMZ) -> virtual (oneOfMyWebsites):443
I deleted my actual configuration file, but I made one with what I think to be correct:
    # process-wide settings (the "global" header was lost when the file was pasted)
    global
        maxconn 10000
        stats socket /tmp/haproxy.socket level admin uid 80 gid 80
        nbproc 1
        hard-stop-after 15m
        chroot /tmp/haproxy_chroot
        daemon
        server-state-file /tmp/haproxy_server_state

    # local stats page used by the pfSense HAProxy package
    listen HAProxyLocalStats
        bind 127.0.0.1:4444 name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats show-legends
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

    # TLS passthrough: TCP mode, route on the SNI in the ClientHello, no termination here
    frontend FrontEnd-SNI
        bind 192.168.1.101:443 name 192.168.1.101:443
        mode tcp
        log global
        timeout client 30000
        # wait up to 5s for the ClientHello before evaluating the ACLs below
        tcp-request inspect-delay 5s
        acl portalsni req.ssl_sni -i portal.example.org
        tcp-request content accept if { req.ssl_hello_type 1 }
        use_backend backendSNI_ipvANY if portalsni

    backend backendSNI_ipvANY
        mode tcp
        id 100
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        # note: httpchk sends a plaintext HTTP request; against a TLS-only port 443
        # the health check needs the SSL check option ("check-ssl") to succeed
        option httpchk OPTIONS /
        server portal 1.2.3.4:443 id 101 check inter 1000
I don't want to use SSL offloading, I prefer to manage everything on the webservers.
My pfSense is not running on port 443, so it should not interfere with the HAProxy utility.
I have a rule that opens port 443 on the WAN. Thanks for your help.
-
@Foloder
So I presume portal.example.org resolves to the IP 192.168.1.101 on the client machine you're testing from?
Also check HAProxy's stats page to verify that the server shows as 'up'; it probably needs 'ssl-checks' enabled on the backend server if it isn't. Other than that the config seems fine.
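As an added example (not part of the original thread or of HAProxy's own code), here is a small Python model of what the FrontEnd-SNI frontend in the posted config does. With `mode tcp` HAProxy never terminates TLS: it buffers the first bytes of the connection for up to `tcp-request inspect-delay`, checks that a complete ClientHello has arrived (`req.ssl_hello_type 1`), reads the server_name extension (`req.ssl_sni`) and picks a backend from it. The ClientHello bytes below are constructed inline (fixed "random" field, two cipher suites); the hostname and backend name come from the posted config, the `ROUTES` table and the function names are assumptions for this illustration.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)

# Assumed route table, mirroring "acl portalsni req.ssl_sni -i portal.example.org"
# and "use_backend backendSNI_ipvANY if portalsni" from the posted config.
ROUTES = {"portal.example.org": "backendSNI_ipvANY"}


def build_client_hello(server_name: Optional[str], random: bytes = b"\x11" * 32) -> bytes:
    """Constructed TLS 1.2-style ClientHello record; server_name=None omits the SNI extension."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(name_entry)) + name_entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                     # client_version TLS 1.2
        + random                        # 32-byte client random (fixed here, constructed data)
        + b"\x00"                       # session_id length 0
        + b"\x00\x04\xc0\x2f\xc0\x30"   # cipher_suites: two entries
        + b"\x01\x00"                   # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host_name from a complete ClientHello record, None if the client sent no SNI.

    Raises ValueError when the buffer is not (yet) a complete ClientHello; HAProxy would keep
    waiting in that state until tcp-request inspect-delay expires.
    """
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        raise ValueError("incomplete record, need more bytes")
    hs = data[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello body")
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", ext_data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext_data[p]
                name_len = struct.unpack("!H", ext_data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                 # host_name
                    return ext_data[p:p + name_len].decode("ascii")
                p += name_len
    return None


def pick_backend(client_hello: bytes, routes=ROUTES) -> Optional[str]:
    """Model of the frontend: match the SNI case-insensitively ("-i"), else no backend.

    With no default_backend in the posted config, None means HAProxy closes the connection.
    """
    sni = extract_sni(client_hello)
    if sni is None:
        return None
    return routes.get(sni.lower())


if __name__ == "__main__":
    print(pick_backend(build_client_hello("Portal.Example.Org")))   # backendSNI_ipvANY
    print(pick_backend(build_client_hello("other.example.org")))    # None
    print(pick_backend(build_client_hello(None)))                   # None: client sent no SNI
```

Two things the model makes visible that the config alone does not: a client that sends no SNI (or a browser that resumes without it) matches no ACL and is dropped because the frontend has no `default_backend`, and a ClientHello that has not fully arrived yields nothing until the inspect delay runs out. Against the real frontend the equivalent check is `openssl s_client -connect 192.168.1.101:443 -servername portal.example.org`; without `-servername` you should see the connection close rather than a certificate.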