Access to HAPROXY Backend with and without OpenVPN



  • Hi,

    I have two SSL web servers in my local network, which work fine when I access them from the internet via different hostnames (using HAProxy). But when I connect to my home network via a pfSense OpenVPN tunnel, I cannot access them at all.

    Below is the HAProxy config and a screenshot of the firewall rule.

    Any ideas what's wrong here?

    Regards,
    Joe


    ```
    global
        maxconn 10
        stats socket /tmp/haproxy.socket level admin
        gid 80
        nbproc 1
        chroot /tmp/haproxy_chroot
        daemon

    listen HAProxyLocalStats
        bind 127.0.0.1:2369 name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

    frontend MainFrontends
        bind 192.168.2.2:443 name 192.168.2.2:443
        mode tcp
        log global
        option socket-stats
        timeout client 30000
        tcp-request inspect-delay 5s
        acl server1-acl req.ssl_sni -i server1.domain.com
        acl server2-acl req.ssl_sni -i server2.domain.com
        tcp-request content accept if { req.ssl_hello_type 1 }

        use_backend server1_https_ipv4 if server1-acl
        use_backend server2_https_ipv4 if server2-acl
        default_backend server2_https_ipv4

    backend server1_https_ipv4
        mode tcp
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        source ipv4@ usesrc clientip
        option ssl-hello-chk
        server server1 192.168.3.32:443 check inter 1000

    backend server2_https_ipv4
        mode tcp
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        source ipv4@ usesrc clientip
        option ssl-hello-chk
        server server2 192.168.3.44:443 check inter 1000
    ```


    ![Ohne Titel.jpg](/public/imported_attachments/1/Ohne Titel.jpg)



  • If you want to access them over the VPN, then the firewall rule should be on the VPN interface.

    Another thing that might complicate matters is that you use the 'transparent client ip' feature in the backend. This has a large warning for several reasons. Can you try without it?

    Also, the frontend seems to be listening on a private IP, 192.168.2.2. Did you substitute it for privacy? Or is it really listening on a private IP? And pfSense is behind another router then, I presume? If that's the case, that's probably part of the issue, as the client sends traffic to pfSense, then to the ISP router, which returns the traffic, which creates a short 'loop' where traffic could get lost or blocked due to async routing.
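    The following is an added example, not code from the thread or from HAProxy. It shows the two mechanisms the posted config relies on: first, what `req.ssl_hello_type 1` and `req.ssl_sni` actually look at (a TLS ClientHello record and its server_name extension), with the same case-insensitive backend selection as the frontend's ACLs; and second, a small lint over the posted backends that flags `source ... usesrc clientip`, the transparent-proxy setting the reply points at. With that setting the backend sees the VPN client's real address and answers it directly, so the reply does not return through the proxy host unless the backend's routing sends it there. The hostnames and backend names are the thread's placeholders; the ClientHello builder, the sample config string and the lint function are my own constructions.

    ```python
    """Added example (not from the thread): parse the SNI from a TLS ClientHello the
    way HAProxy's req.ssl_sni fetch does, choose a backend with the posted ACL logic,
    and lint the posted backends for 'source ... usesrc clientip'."""
    import struct

    # Backend map mirrors the posted ACLs (hostnames are the thread's placeholders).
    SNI_BACKENDS = {
        "server1.domain.com": "server1_https_ipv4",
        "server2.domain.com": "server2_https_ipv4",
    }
    DEFAULT_BACKEND = "server2_https_ipv4"

    # Constructed, trimmed copy of the backends the thread posted.
    POSTED_CONFIG = """
    backend server1_https_ipv4
        mode tcp
        source ipv4@ usesrc clientip
        server server1 192.168.3.32:443 check inter 1000

    backend server2_https_ipv4
        mode tcp
        source ipv4@ usesrc clientip
        server server2 192.168.3.44:443 check inter 1000
    """


    def extract_sni(record: bytes):
        """Return the server_name from a TLS ClientHello record, or None.
        Only a handshake record (0x16) whose message type is 1 (ClientHello)
        qualifies, which is what `req.ssl_hello_type 1` checks before `req.ssl_sni`."""
        if len(record) < 5 or record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if len(body) < 4 or body[0] != 0x01:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        pos = 2 + 32                                     # client_version + random
        try:
            sid_len = hello[pos]; pos += 1 + sid_len      # session id
            cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len
            comp_len = hello[pos]; pos += 1 + comp_len    # compression methods
            if pos + 2 > len(hello):
                return None                              # no extensions block at all
            ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
            end = pos + ext_total
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
                data = hello[pos:pos + ext_len]; pos += ext_len
                if ext_type == 0:                        # server_name extension
                    # layout: list_len(2) name_type(1) name_len(2) host_name
                    name_len = struct.unpack("!H", data[3:5])[0]
                    if data[2] == 0:                     # name_type 0 = host_name
                        return data[5:5 + name_len].decode("ascii")
        except (IndexError, struct.error):
            return None
        return None


    def choose_backend(record: bytes) -> str:
        """Same decision as the posted frontend: `req.ssl_sni -i` is case-insensitive,
        and anything unmatched (or without SNI) goes to default_backend."""
        sni = extract_sni(record)
        return SNI_BACKENDS.get((sni or "").lower(), DEFAULT_BACKEND)


    def build_client_hello(server_name: str) -> bytes:
        """Construct a minimal TLS 1.2 ClientHello carrying one SNI entry (test input)."""
        name = server_name.encode("ascii")
        sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
        hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"    # version, random, empty session id
                 + b"\x00\x02\x00\x2f"                   # one cipher suite
                 + b"\x01\x00"                           # null compression only
                 + struct.pack("!H", len(ext)) + ext)
        hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
        return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


    def lint_transparent_backends(cfg: str):
        """Return the names of backends using 'source ... usesrc clientip'.
        Such a backend sees the client's own address, so its replies only reach the
        proxy if the backend host routes that address back through it; for VPN
        clients that is usually not the case and the connection stalls."""
        flagged, current = [], None
        for line in cfg.splitlines():
            line = line.strip()
            if line.startswith("backend "):
                current = line.split()[1]
            elif current and line.startswith("source ") and "usesrc clientip" in line:
                flagged.append(current)
        return flagged


    if __name__ == "__main__":
        for host in ("Server1.domain.com", "server2.domain.com", "other.example"):
            print(host, "->", choose_backend(build_client_hello(host)))
        print("transparent backends:", lint_transparent_backends(POSTED_CONFIG))
    ```

    Running the block prints the backend each hostname would be routed to and lists both posted backends as transparent; removing the `source ipv4@ usesrc clientip` line from each (the fix the thread ends on) makes the lint return an empty list, at the cost that the web servers then log the proxy's address instead of the client's.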



  • Unchecking the 'transparent client ip' feature solved my problem.

    Thank you very much,

    Regards,
    Joe