Netgate Discussion Forum
    HAProxy Questions

    General pfSense Questions
    12 Posts, 2 Posters, 3.7k Views

      paraffin

      Hi

      We are looking to load balance 3 x IIS web servers over HTTPS using HAProxy and need session persistence (sticky sessions); most users will come from a single external IP as they are office based.

      From my reading so far it seems that this is possible, but there are not many pfSense-based guides out there.

      The solution I have come to in my head is as follows:

      SSL Offload at the pfSense/HAProxy
      Route traffic internally over HTTP
      Use a cookie based session persistence

      Does this sound anywhere near what we need to do in order to achieve our desired outcome?

      Does anyone have a similar setup that they could screenshot so I can understand the setup better?

      Cheers

        PiBa

        Hi, the solution you've thought up seems like it will work as far as I can tell.

        Indeed source-IP stickiness isn't right with that single external IP, as they would all end up on the same server.
        SSL-Session-ID is kinda troublesome to get right, and even then doesn't always deliver the expected results afaik.
        So that leaves the SSL passthrough options pretty much...

        So SSL offloading and then going with a cookie-based solution is probably the right call ;)

        Depending on what behavior the webservers have (do they insert a cookie?), the easy option is probably to let HAProxy insert the cookie. In the backend there is a section "Cookie persistence" where you can enable the usage of a cookie and configure its name, and also choose the mode to use, like "preserve insert" or one of the others. Together with some server cookie values that should probably make it work. 8)

        I don't sticky-balance traffic between servers myself, so I don't have screenshots ready to go. Could probably make some on a testbox of mine if you're having a hard time getting it working ;)

          paraffin

          Hi PiBa

          Thanks for the response :)

          I now have an HTTPS frontend with SSL offload which redirects to HTTP internally, and this is working fine.

          However I am struggling to get sessions to stick to a particular server. After reading this blog:

          http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/

          I think I need the solution in "Session cookie setup by the Load-Balancer".

          The frontend setup looks straightforward, but I am not sure where the backend bits are configured; this is the extract:

          backend bk_web
            balance roundrobin
            cookie SERVERID insert indirect nocache
            server s1 192.168.10.11:80 check cookie s1
            server s2 192.168.10.21:80 check cookie s2

          I have Round Robin selected but am not sure where lines 2-4 are entered in the GUI.

          Any help is appreciated

          Cheers

            PiBa

            Basically all settings are done on the backend edit page. The attached screenshots should get you pretty close to that config snippet. (Yes, my ports are strange and IPs different; should be enough to get you started though, or so I think..)

            ![2016-08-26 00_45_36-pfSense.localdomain - Services_ HAProxy_ Backend server pool_ Edit.png](/public/imported_attachments/1/2016-08-26 00_45_36-pfSense.localdomain - Services_ HAProxy_ Backend server pool_ Edit.png)
            ![2016-08-26 00_49_00-pfSense.localdomain - Services_ HAProxy_ Backend server pool_ Edit.png](/public/imported_attachments/1/2016-08-26 00_49_00-pfSense.localdomain - Services_ HAProxy_ Backend server pool_ Edit.png)

              paraffin

              Wow, that saved me tons of time playing!

              Thank you for your help PiBa, much appreciated. In the lab it worked perfectly; now in a more production environment :)

                paraffin

                Hi

                I have tested in production now and this solution works well, but I have 1 issue which redirecting to HTTP on the back end is causing.

                I tried switching to passing through SSL traffic to the actual web server, but this straight broke the config and I couldn't access the websites anymore.

                Does anyone have a config example of HAProxy where the traffic is unencrypted at HAProxy and then forwarded to 443 on the backend servers, as my setup doesn't seem to work?

                Cheers
                David

                  PiBa

                  If I understand correctly, the webservers are returning a redirect to https as they are currently accessed over port 80? A possible solution for that is to change the server's ports on the backend to 443 and enable the ssl checkbox on them. Or change the website to no longer send the redirect when traffic comes from HAProxy?

                    paraffin

                    Actually I managed to test this in the lab further and I can use 443 on the backend servers, which are IIS 8.5; however, I need to add a hostname to the IIS binding (see screenshot of the setting I mean) and this then breaks the configuration.

                    If I run without the host name then everything works as expected; my thoughts are that HAProxy is not appearing from the connection URL and this is causing IIS to refuse the connection.

                    Any other thoughts and/or suggestions on how to work around this issue?

                    Cheers

                    IIS1.png

                      PiBa

                      Are you filling in the hostname that the end user is also using in his browser? And leaving the 'require SNI' checkbox off on IIS?
                      Then I would expect it to work, as the 'hostname' in the HTTP request would still be what the end user typed.

                      If you do want to enable 'require SNI' there are probably two parts to take care of. (I have never done this, so be prepared to check/try a few things :) )

                      • Health checks must still succeed; this might require keeping a 'dummy' website alive that doesn't check the SNI value. (HAProxy's health checks don't support SNI yet afaik.)
                      • The server definition might need an advanced setting on each server (just under the cookie value), something like: sni ssl_fc_sni , so that it will also pass the SNI name from the user's original request in the forwarded connection.

                        paraffin

                        That's exactly the scenario: we fill in the hostname and leave SNI unchecked.

                        Just to clarify, the request is as follows:

                        HTTPS > HAPROXY > SSL Offload on Frontend > Forward to Backend Server via HTTPS

                        Any ideas why it might not work?

                          paraffin

                          I found the problem: when I added the host name it caused the health check to fail using HTTP. I have switched to BASIC now and it is working as expected.

                          Is there a way to keep the health check on HTTP, but keep it on port 80 rather than it doing an HTTPS (443) check?

                            PiBa

                            For making the health check succeed you could try setting the "Http check version" and putting the hostname in there, like below:

                            HTTP/1.1\r\nHost:\ www.example.org
                            

                            Other than that you could try adding an advanced "port 80" option on the server definitions if you want the check to be performed on a different port than what is used for the usual traffic: http://cbonte.github.io/haproxy-dconv/1.7/snapshot/configuration.html#5.2-port

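An added worked example, not from this thread or from the pfSense HAProxy package: a hand-written HAProxy 1.7-style configuration that ties together the pieces discussed above (SSL offload on the frontend, a persistence cookie inserted by HAProxy, re-encryption to the IIS servers on 443 with the client's SNI passed through, and the health check kept on plain HTTP port 80 with a Host header so a host-name-bound IIS site answers it). The server addresses are the ones from the snippet earlier in the thread; the certificate path, CA path and www.example.org are placeholders.

```haproxy
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option forwardfor            # pass the real client IP to IIS in X-Forwarded-For
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_web
    # SSL offload: HAProxy presents the public certificate (placeholder path).
    bind :443 ssl crt /placeholder/path/public-cert.pem
    bind :80
    # Plain-HTTP visitors are sent to HTTPS before any persistence cookie is issued.
    redirect scheme https code 301 if !{ ssl_fc }
    default_backend bk_web

backend bk_web
    balance roundrobin
    # Persistence cookie inserted by HAProxy, not by IIS. 'secure' and 'httponly'
    # stop the browser from sending it over plain HTTP or exposing it to script.
    cookie SERVERID insert indirect nocache secure httponly
    # Health check with an explicit Host header. In 1.7 syntax the extra header
    # rides in the version string, which is what the pfSense "Http check version"
    # field holds; without it a host-name-bound IIS site rejects the check.
    option httpchk GET / HTTP/1.1\r\nHost:\ www.example.org
    # Re-encrypt to IIS on 443. 'sni ssl_fc_sni' forwards the name the client
    # asked for; 'check port 80' keeps the health check on plain HTTP (an explicit
    # check port does not inherit the server's ssl setting); the backend
    # certificate is verified against an internal CA (placeholder path).
    server s1 192.168.10.11:443 ssl verify required ca-file /placeholder/path/internal-ca.pem sni ssl_fc_sni check port 80 cookie s1
    server s2 192.168.10.21:443 ssl verify required ca-file /placeholder/path/internal-ca.pem sni ssl_fc_sni check port 80 cookie s2
```

In the pfSense GUI these map onto the frontend's SSL offloading settings, the backend's "Cookie persistence" section, the per-server SSL checkbox and advanced field, and the backend health check settings rather than being typed in as a file.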