Netgate Discussion Forum
    HAProxy setup help needed

    Scheduled Pinned Locked Moved Cache/Proxy
    7 Posts 3 Posters 2.1k Views
      cjbujold:

      Hi
      Trying to learn how to use Haproxy but can't seem to get it working. I created a config (see below) and activated Haproxy. The widget seems to indicate that nothing is being processed by Haproxy. Not certain what I'm missing. Some help would be appreciated.

      Basically I have 4 backend servers, one of which is for HTTPS, and I basically want to route certain web sites to a specific server. I have created HTTP frontends which point to each backend server, but it's like it's not intercepting the WAN port 80. What am I missing?

      The HTTPS server is giving errors when I activate it, so I know I have a configuration error in it. But the HTTP servers seem to be OK. Trying to get them working first and then I will concentrate on the HTTPS server.

      Any help would be appreciated.

      Thanks

      Config file:

      global
      maxconn 10000
      stats socket /tmp/haproxy.socket level admin
      uid 80
      gid 80
      nbproc 1
      chroot /tmp/haproxy_chroot
      daemon
      tune.ssl.default-dh-param 2048
      log-send-hostname HaproxyMasterNode

      listen HAProxyLocalStats
      bind 127.0.0.1:2200 name localstats
      mode http
      stats enable
      stats refresh 10
      stats admin if TRUE
      stats uri /haproxy/haproxy_stats.php?haproxystats=1
      timeout client 5000
      timeout connect 5000
      timeout server 5000

      resolvers globalresolvers
      nameserver ns1 192.168.120.14:53
      nameserver ns 192.168.120.1:53
      resolve_retries 3
      timeout retry 1s
      hold valid 10s

      frontend httpWEBdomains-merged
      bind 156.134.21.14:80 name 156.134.21.14:80 
      mode http
      log global
      option http-keep-alive
      timeout client 30000
      acl remotehelp_acl hdr(host) -i remotehelp.accra.ca
      acl accra_acl hdr_end(host) -i accra.ca
      acl filopto_acl hdr_end(host) -i filopto.com
      acl dragondreams_acl hdr_end(host) -i dragondreams.ca
      acl dragondoodles_acl hdr_end(host) -i dragondoodles.ca
      acl ajefnb_acl hdr_end(host) -i ajefnb.nb.ca
      acl famille.accra.ca hdr(host) -i NASbackend
      use_backend RemoteHelpServer25_http_ipvANY  if  remotehelp_acl
      use_backend WebServer14_http_ipvANY  if  accra_acl
      use_backend WebServer14_http_ipvANY  if  filopto_acl
      use_backend WebServer14_http_ipvANY  if  dragondreams_acl
      use_backend WebServer14_http_ipvANY  if  dragondoodles_acl
      use_backend WebServer14_http_ipvANY  if  ajefnb_acl
      default_backend WebServer14_http_ipvANY
      default_backend NASWebServer4_http_ipvANY
      default_backend NASWebServer4_http_ipvANY

      backend RemoteHelpServer25_http_ipvANY
      mode http
      log global
      timeout connect 30000
      timeout server 30000
      retries 3
      option httpchk OPTIONS /
      server remotehelpserver 192.168.120.125:80 check inter 1000  resolvers globalresolvers

      backend WebServer14_http_ipvANY
      mode http
      log global
      timeout connect 30000
      timeout server 30000
      retries 3
      option httpchk OPTIONS /
      server AccraWEBServer 192.168.120.114:80 check inter 1000  resolvers globalresolvers

      backend NASWebServer4_http_ipvANY
      mode http
      log global
      timeout connect 30000
      timeout server 30000
      retries 3
      option httpchk OPTIONS /
      acl famille.accra.ca hdr(host) -i famille
      server Accranas 192.168.120.224:80 check inter 1000  resolvers globalresolvers

        PiBa:

        Config looks alright to me.
        Firewall rule on the WAN is passing :80?

        I tried some of those domains, and it seems I am getting to different websites.. Did you figure it out already? ;D

        Regards,
        PiBa-NL

          cjbujold:

          No, still working on it; moved it to another network for testing. Saw on one web site that I cannot point Haproxy to the WAN IP but must create a virtual IP and use it for HaProxy. Is this correct? This might be the piece I'm missing?

          cjb

            PiBa:

            Haproxy can normally listen on the WAN IP, but I've seen a problem reported with it when the WAN connection is a PPP connection. In which case a virtual IP + port forward can work around that.

            If you look at the stats page, are all backend servers 'up', and does it count a request on the frontend when you try to connect?
            B.t.w. the NASWebServer4 does seem to be missing an acl..

              Soyokaze:

              @cjbujold:

              No, still working on it; moved it to another network for testing. Saw on one web site that I cannot point Haproxy to the WAN IP but must create a virtual IP and use it for HaProxy. Is this correct? This might be the piece I'm missing?

              cjb

              Not exactly.
              Port 80 is below 1024, so sometimes it's easier to bind haproxy/squid to localhost:8080 or some other port > 1024, and just NAT from WAN to it.
              Also, check the stats page: if your backends are reported as unavailable (though they are live and well, and can be reached from pfsense), you should change the health check method (for some sites the OPTIONS method just doesn't work).

              Need full pfSense in a cloud? PM for details!

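Pulling together PiBa's remark about the missing NAS acl and Soyokaze's point about the OPTIONS health check, here is an added example (hand-written, not the pfSense-generated config from the first post) of how that frontend and backend could look. It reuses the addresses and backend names from the posted config and assumes the NAS answers GET / with a 2xx or 3xx.

```haproxy
# Added example, not from the original post: trimmed version of the posted
# frontend with one default_backend and a proper host acl for the NAS.
frontend httpWEBdomains-merged
    bind 156.134.21.14:80 name 156.134.21.14:80
    mode http
    log global
    option http-keep-alive
    # Pass the real client address to the web servers
    option forwardfor
    timeout client 30000
    # The acl name is just a label; the host to match goes after -i
    acl famille_acl    hdr(host) -i famille.accra.ca
    acl remotehelp_acl hdr(host) -i remotehelp.accra.ca
    acl accra_acl      hdr_end(host) -i accra.ca
    # Most specific host first: famille.accra.ca also ends in accra.ca,
    # so accra_acl would otherwise catch it and send it to WebServer14
    use_backend NASWebServer4_http_ipvANY      if famille_acl
    use_backend RemoteHelpServer25_http_ipvANY if remotehelp_acl
    use_backend WebServer14_http_ipvANY        if accra_acl
    # Only the first default_backend takes effect; keep exactly one
    default_backend WebServer14_http_ipvANY

backend NASWebServer4_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    # GET instead of OPTIONS for a server that rejects OPTIONS; the Host
    # header is needed when the NAS serves several name-based sites
    option httpchk GET / HTTP/1.1\r\nHost:\ famille.accra.ca
    # Treat any 2xx/3xx as healthy (assumption: / may redirect to a login page)
    http-check expect rstatus ^[23][0-9][0-9]
    server Accranas 192.168.120.224:80 check inter 1000
```

On the pfSense stats page the backend should then show 'up' and the frontend session counter should increase on every request to famille.accra.ca.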
                cjbujold:

                Made progress, thanks for the help, but still having some issues. Got the HTTP sorted and everything is working properly.

                Trying to get the HTTPS working and not quite certain on the SSL certificate. Is it better to install it in pfsense, or is it still better to leave that on the web server?

                Thanks
                cjb

                  PiBa:

                  Hi cjb,

                  It's both possible, each with its own (dis)advantage..

                  If you leave the certificates on the webservers, then haproxy only has to forward the tcp traffic, which is a pretty simple job, so little cpu usage on haproxy.
                  -only a few acl conditions are available in 'mode tcp' (basically only the SNI name can be checked, among a few other L4 fetches.)
                  -Higher cpu usage for decryption on webservers (probably easy to add more webservers in case cpu usage reaches 100% cpu..)
                  -Lower cpu usage on haproxy

                  If you put the certificates on haproxy:
                  -'mode http' with all advantages that come with that:
                    -allows inserting/rewriting http headers (x-forwarded-for header)
                    -and allows writing acl's for specific paths or other conditions with full access to all L7 information.
                    -more detailed logging
                  -centralized certificate management. (1 place to upgrade every X time.)
                  -Higher cpu usage on haproxy (hard to scale up once haproxy reaches 100% cpu..)
                  -Lower cpu usage for decryption on webservers
                  -might cause issues with the website if forwarded over :80, where it will try to redirect the client to :443 even though the actual request was already made over 443. As a workaround you could then re-encrypt the communication on the backend side; this would then increase cpu usage on haproxy even more, and the lower cpu on the webserver wouldn't be applicable, though for that last part you could use an 'easy' cipher on the backend..

                  There might be some other differences I'm forgetting to mention a.t.m. … Anyway, you'll have to decide if you want more features on haproxy, or need to be conservative with cpu resources.

                  Regards,
                  PiBa-NL

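To make the two layouts PiBa describes concrete, here is an added example (not from PiBa's post or pfSense's generated config) with SNI passthrough in 'mode tcp' beside termination on haproxy in 'mode http'. The certificate path, the /admin path and the :443 backend port are assumptions; the addresses come from the posted config.

```haproxy
# --- Layout 1: certificates stay on the web servers (mode tcp, SNI routing) ---
frontend https_passthrough
    bind 156.134.21.14:443 name https_in
    mode tcp
    # Hold the connection briefly so the TLS ClientHello (and its SNI) can be read
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Only the SNI name is usable here; no Host header, path or cookies are visible
    acl sni_accra req.ssl_sni -i -m end accra.ca
    use_backend WebServer14_https_tcp if sni_accra
    default_backend WebServer14_https_tcp

backend WebServer14_https_tcp
    mode tcp
    # Encrypted bytes are relayed untouched; the web server still does the decryption
    server AccraWEBServer 192.168.120.114:443 check

# --- Layout 2: certificate on haproxy (mode http, TLS terminated here) ---
frontend https_terminate
    # /path/to/cert.pem is a placeholder for one PEM file holding chain and key
    bind 156.134.21.14:443 name https_tls ssl crt /path/to/cert.pem
    mode http
    log global
    # Full L7 access: client IP and original scheme are handed to the web server;
    # the web server must honour X-Forwarded-Proto or it redirects to :443 in a loop
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    # A path acl that mode tcp cannot express (/admin is a hypothetical path)
    acl admin_path path_beg /admin
    http-request deny if admin_path
    default_backend WebServer14_http_ipvANY

backend WebServer14_http_ipvANY
    mode http
    option httpchk OPTIONS /
    # Plain :80 to the backend; to re-encrypt instead (more haproxy cpu), use
    # "server ... 192.168.120.114:443 ssl verify required ca-file <ca.pem>"
    server AccraWEBServer 192.168.120.114:80 check inter 1000
```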
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.