Haproxy - bind abstract namespaces addresses (abns@)
-
Hi everyone,
I'm new here and I hope I can get some help.
I have several domain names hosted on my network with the same WAN IP address. Some need to verify client certificates while others do not.
I found a solution here: https://discourse.haproxy.org/t/how-to-set-ssl-verify-client-for-specific-domain-name/1489/3
But I need recirculation between frontend and backend using abstract namespace (abns@) addresses, but it seems not to exist in the haproxy package in pfSense? (It doesn't work in the custom address field.)
Am I wrong? How could I make it work without abstract namespaces? Can we use something like virtual IPs? Thanks!
Benoit. -
The error when using abns@ in the external address is: "The external address 'abns@haproxy-clientcert' is not a valid source IP address or alias"
-
@benoithcc
AFAIK, it's not possible to use abns@ on FreeBSD.
It is however possible to select a frontend for your 'recirculation' in the backend webgui options. It will then use a unix socket (unix@) on the filesystem to make the required round-trip 'automatically'. -
@PiBa
Thanks for your answer! I found and selected the frontends in the backend options, and I have the unix sockets now.
Tell me if I'm right: in the recirculated frontends, I now have to choose localhost in the listen address without any port? I tried it and it seems to be correct in the haproxy.cfg, because if I add the 443 port on both frontends it duplicates the bind lines with the local address plus the unix socket. I now have this warning, but no error, when I apply the config: Multiple primary frontends (ssl-clientCert-frontend, ssl-default-frontend) with IP:Port "127.0.0.1:", use Shared-Frontends instead.
The haproxy.cfg is now as below, does everything look good?
frontend http-to-https
    bind WAN_IP:80 name WAN_IP:80
    mode http
    http-request redirect scheme https

frontend https
    bind WAN_IP:443 name WAN_IP:443
    mode tcp
    acl clientcertenabled req_ssl_sni -i WEBSITE_WITH_CLIENT_CERT
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend redirection_clientCertEnabled_ipvANY if clientcertenabled
    default_backend redirection_default_ipvANY

frontend ssl-clientCert-frontend
    bind /tmp/haproxy_chroot/ssl-clientCert-frontend.socket name unixsocket uid 80 accept-proxy ssl crt-list /var/etc/haproxy/ssl-clientCert-frontend.crt_list ca-file /var/etc/haproxy/clientca_ssl-clientCert-frontend.pem verify required
    mode http
    acl name1 var(txn.txnhost) -m str -i WEBSITE_WITH_CLIENT_CERT
    http-request set-var(txn.txnhost) hdr(host)
    use_backend WEBSITE_WITH_CLIENT_CERT_ipv4 if name1

frontend ssl-default-frontend
    bind /tmp/haproxy_chroot/ssl-default-frontend.socket name unixsocket uid 80 accept-proxy ssl crt-list /var/etc/haproxy/ssl-default-frontend.crt_list
    mode http
    acl name2 var(txn.txnhost) -m str -i WEBSITE_WITHOUT_CLIENT_CERT
    http-request set-var(txn.txnhost) hdr(host)
    use_backend WEBSITE_WITHOUT_CLIENT_CERT_ipv4 if name2

backend redirection_clientCertEnabled_ipvANY
    mode tcp
    id 105
    server loopback-for-tls /ssl-clientCert-frontend.socket send-proxy-v2-ssl-cn id 106

backend redirection_default_ipvANY
    mode tcp
    id 104
    server loopback-for-tls /ssl-default-frontend.socket send-proxy-v2-ssl-cn id 107

backend WEBSITE_WITH_CLIENT_CERT_ipv4
    mode http
    id 10100
    server server1 LAN_IP_SRV1:443 id 10101 ssl verify none

backend WEBSITE_WITHOUT_CLIENT_CERT_ipv4
    mode http
    id 10102
    server server2 LAN_IP_SRV2:80 id 10101
Thanks again for your help,
Benoit. -
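The `mode tcp` frontend above never terminates TLS: it peeks at the raw ClientHello, reads the SNI with `req_ssl_sni`, and hands the connection to whichever unix-socket frontend should do the handshake (with or without `verify required`). The `tcp-request inspect-delay 5s` and `req_ssl_hello_type 1` lines exist because the ClientHello may not be fully buffered on the first read, and the decision must only be taken once a complete ClientHello is present. The following script is an added example, not part of the forum thread or of the pfSense/HAProxy package: it builds a real ClientHello offline with Python's ssl module (constructed sample input), parses the SNI out of it the way the TCP frontend does, and mirrors the `use_backend`/`default_backend` decision. The hostnames and the incomplete-buffer handling are assumptions for illustration.

```python
"""Extract the SNI from a raw TLS ClientHello and route on it, mirroring the
`mode tcp` frontend that picks a unix-socket frontend before TLS termination."""
import ssl
import struct

HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type (what req_ssl_hello_type 1 matches)
EXT_SERVER_NAME = 0x0000  # server_name extension
SNI_HOST_NAME = 0x00      # name_type host_name


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a genuine ClientHello produced over memory BIOs,
    so no network is needed. The hostname is an assumption for the example."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client wrote its hello and now waits for the server
    return outgoing.read()


def extract_sni(data: bytes):
    """Return the SNI hostname, or None when the buffer does not yet hold a
    complete ClientHello (the case tcp-request inspect-delay keeps waiting on)."""
    if len(data) < 5 or data[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None  # partial record: need more bytes before deciding
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                   # legacy_version + random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    comp_len = body[pos]; pos += 1 + comp_len      # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions, so no SNI
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        ext = body[pos:pos + ext_len]; pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", ext[0:2])[0]
        lp = 2
        while lp + 3 <= 2 + list_len:
            name_type = ext[lp]
            name_len = struct.unpack("!H", ext[lp + 1:lp + 3])[0]
            name = ext[lp + 3:lp + 3 + name_len]
            lp += 3 + name_len
            if name_type == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


def choose_backend(data: bytes, client_cert_hosts) -> str:
    """Mirror the posted frontend: `acl clientcertenabled req_ssl_sni -i ...` is a
    case-insensitive match, matched hosts go to the client-cert loopback backend,
    everything else to the default one. 'wait' stands for 'no decision yet'."""
    sni = extract_sni(data)
    if sni is None:
        return "wait"
    if sni.lower() in {h.lower() for h in client_cert_hosts}:
        return "redirection_clientCertEnabled_ipvANY"
    return "redirection_default_ipvANY"


if __name__ == "__main__":
    hello = build_client_hello("secure.example.com")
    print(extract_sni(hello), choose_backend(hello, ["secure.example.com"]))
```

Two practical points fall out of this. First, a client that sends no SNI (old clients, or someone connecting by IP) lands on `default_backend`, i.e. the frontend without client-certificate verification; if that is not acceptable, add an ACL that rejects connections with no `req_ssl_sni`. Second, the SNI is plaintext and chosen by the client, so it is only a routing hint: the actual authentication happens in the unix-socket frontend with `verify required`, and the `http-request set-var(txn.txnhost) hdr(host)` ACLs there keep a mismatched Host header from reaching the wrong backend.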
@benoithcc
Config seems to look good to me. I usually bind the 'loopback-frontend' to an 'unused' port, which avoids the webgui 'warning'. But that does make haproxy bind to that port while also getting a bind for the unix socket, so your solution is a bit cleaner actually. -
Thanks for your help @PiBa, everything is clear to me now!
Benoit