We are looking to load balance 3 x IIS web servers over HTTPS using HAProxy and need session persistence (sticky sessions); most users will come from a single external IP as they are office based.
From my reading so far it seems that this is possible, but there are not many pfSense based guides out there.
The solution I have come to in my head is as follows:
- SSL offload at the pfSense/HAProxy
- Route HTTP traffic internally
- Use cookie based session persistence
Does this sound anywhere near what we need to do in order to achieve our desired outcome?
Does anyone have a similar setup that they could screenshot so I can understand the setup better?
Hi, the solution you've thought up seems like it will work as far as I can tell.
Indeed source IP stickiness isn't right with that single external IP as they would all end up on the same server.
SSL-Session-ID is kinda troublesome to get right, and even then doesn't always deliver the expected results afaik.
So that leaves the SSL passthrough options pretty much..
So SSL-Offloading and then going with a cookie based solution is probably the right call ;)
Depending on what behavior the webservers have (do they insert a cookie?), the easy option is probably to let HAProxy insert the cookie. In the backend there is a section "Cookie persistence" where you can enable the usage of a cookie and configure its name, and also choose the mode to use like "preserve insert" or one of the others.. Together with some server cookie values that should probably make it work. 8)
I don't sticky balance traffic between servers myself, so I don't have screenshots ready to go.. Could probably make some on a testbox of mine if you're having a hard time getting it working ;)
Thanks for the response :)
I now have an HTTPS frontend with SSL offload which redirects to HTTP internally, and this is working fine.
However I am struggling to get sessions to stick to a particular server. After reading this blog
I think I need the solution in "Session cookie setup by the Load-Balancer".
The frontend setup looks straightforward but I am not sure where the backend bits are configured; this is the extract:

```
# Load balancer inserts a SERVERID cookie, strips it before forwarding, and marks the response non-cacheable
cookie SERVERID insert indirect nocache
# each server gets the cookie value that pins a browser to it
server s1 192.168.10.11:80 check cookie s1
server s2 192.168.10.21:80 check cookie s2
```

I have Round Robin selected but am not sure where lines 2-4 are entered in the GUI.
Any help is appreciated
Basically all settings are done on the backend edit page. Attached screenshots should get you pretty close to that config snippet. (Yes, my ports are strange and IPs different, but it should be enough to get you started, or so I think..)
![2016-08-26 00_45_36-pfSense.localdomain - Services_ HAProxy_ Backend server pool_ Edit.png](/public/imported_attachments/1/2016-08-26 00_45_36-pfSense.localdomain - Services_ HAProxy_ Backend server pool_ Edit.png)
![2016-08-26 00_49_00-pfSense.localdomain - Services_ HAProxy_ Backend server pool_ Edit.png](/public/imported_attachments/1/2016-08-26 00_49_00-pfSense.localdomain - Services_ HAProxy_ Backend server pool_ Edit.png)
Wow that saved me tons of time playing!
Thank you for your help PiBa much appreciated and in the lab it worked perfectly, now in a more production environment :)
I have tested in production now and this solution works well, but I have one issue which redirecting to HTTP on the back end is causing.
I tried switching to passing SSL traffic through to the actual web server, but this straight broke the config and I couldn't access the websites anymore.
Does anyone have a config example of HAProxy where the traffic is unencrypted at HAProxy and then forwarded to 443 on the backend servers, as my setup doesn't seem to work?
If I understand correctly the webservers are returning a redirect to HTTPS as they are currently accessed over port 80? A possible solution for that is to change the servers' ports on the backend to 443 and enable the SSL checkbox on them. Or change the website to no longer send the redirect when traffic comes from HAProxy?
Actually I managed to test this in the lab further and I can use 443 on the backend servers, which are IIS 8.5; however I need to add a hostname to the IIS binding (see screenshot of the setting I mean), and this is breaking the configuration.
If I run without the host name then everything works as expected; my thoughts are that HAProxy is not appearing from the connection URL and this is causing IIS to refuse the connection.
Any other thoughts and/or suggestions on how to work around this issue?
Are you filling in the hostname that the end user is also using in his browser? And leaving the 'require SNI' checkbox off on IIS?
Then I would expect it to work, as the 'hostname' in the HTTP request would still be what the end user typed.
If you do want to enable 'require SNI' there are probably two parts to take care of. (I have never done this so be prepared to check/try a few things :) )
- Health checks must still succeed; this might require keeping a 'dummy' website alive that doesn't check the SNI value. (HAProxy's health checks don't support SNI yet afaik)
- The server definition might need an advanced setting on each server (just under the cookie value), something like: sni ssl_fc_sni, so it will pass the requested SNI name from the user's original request also in the forwarded connection.
That's exactly the scenario, we fill in the hostname and leave SNI unchecked.
Just to clarify, the request flow is as follows:
HTTPS > HAPROXY > SSL Offload on Frontend > Forward to Backend Server via HTTPS
Any ideas why it might not work?
I found the problem: when I added the host name it caused the health check to fail using HTTP. I have switched to BASIC now and it is working as expected.
Is there a way to keep the health check on HTTP but keep it on port 80 rather than it doing an HTTPS (443) check?
For making the health check succeed you could try setting the "Http check version" and putting the hostname in there like below?
Other than that you could try adding an advanced "port 80" option on the server definitions if you want the check to be performed on a different port than what is used for the usual traffic: http://cbonte.github.io/haproxy-dconv/1.7/snapshot/configuration.html#5.2-port
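As an added example (not from this thread and not pfSense's generated config), this is the plain HAProxy 1.7 configuration the backend settings discussed above map to: SSL offload on the frontend, load-balancer-set cookie persistence, backend servers on 443 with the browser's SNI name passed through, and the health check kept on port 80 with the Host header the IIS binding needs. The server IPs, cookie values, certificate path and the hostname www.example.com are assumptions.

```haproxy
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    mode    http
    log     global
    option  httplog
    option  forwardfor          # client IP reaches IIS in X-Forwarded-For
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# SSL offload: HAProxy terminates TLS with the site certificate (PEM = cert + key; assumed path)
frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem
    bind :80
    # plain-HTTP visitors are redirected to HTTPS here, so IIS no longer has to
    http-request redirect scheme https unless { ssl_fc }
    default_backend be_iis

backend be_iis
    balance roundrobin
    # Cookie persistence ("Session cookie setup by the Load-Balancer"):
    #   insert   - HAProxy adds the SERVERID cookie to the response
    #   indirect - the cookie is stripped before the request reaches IIS
    #   nocache  - a Cache-Control: private header accompanies the inserted cookie
    cookie SERVERID insert indirect nocache
    # Health check with the Host header the IIS binding requires ("Http check
    # version" field in pfSense); "check port 80" below keeps it on port 80, and a
    # check sent to a different port than the server's is not wrapped in SSL.
    option httpchk GET / HTTP/1.1\r\nHost:\ www.example.com
    http-check expect status 200
    # ssl            - re-encrypt to IIS on 443 (the "SSL" checkbox on each server)
    # verify none    - skip validation of the internal IIS certificate; prefer
    #                  "verify required ca-file <ca.pem>" once an internal CA exists
    # sni ssl_fc_sni - forward the SNI name the browser sent (advanced server setting)
    # cookie sN      - value written into SERVERID so a browser sticks to this server
    server s1 192.168.10.11:443 ssl verify none sni ssl_fc_sni cookie s1 check port 80
    server s2 192.168.10.21:443 ssl verify none sni ssl_fc_sni cookie s2 check port 80
    server s3 192.168.10.31:443 ssl verify none sni ssl_fc_sni cookie s3 check port 80
```

Run `haproxy -c -f <file>` to validate the syntax before reloading; with `verify none` the hop to IIS is encrypted but the IIS certificate is not authenticated, so the internal CA option is worth enabling.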