Netgate Discussion Forum

Access to HAPROXY Backend with and without OpenVPN

Category: Cache/Proxy
3 Posts, 2 Posters, 2.0k Views
schweidj
last edited by Sep 15, 2016, 4:34 PM

    Hi,

I have two SSL web servers in my local network, which work fine when I access them from the internet via different hostnames (using HAProxy). But when I connect to my home network via a pfSense OpenVPN tunnel I cannot access them at all.

    Below is the haproxy config and a screenshot of the firewall rule.

Any ideas what's wrong here?

    Regards,
    Joe


```haproxy
global
    maxconn 10
    stats socket /tmp/haproxy.socket level admin
    gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon

# local stats page used by the pfSense package GUI
listen HAProxyLocalStats
    bind 127.0.0.1:2369 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

# TCP-mode frontend: picks the backend by TLS SNI without terminating TLS
frontend MainFrontends
    bind 192.168.2.2:443 name 192.168.2.2:443
    mode tcp
    log global
    option socket-stats
    timeout client 30000
    tcp-request inspect-delay 5s
    acl server1-acl req.ssl_sni -i server1.domain.com
    acl server2-acl req.ssl_sni -i server2.domain.com
    # only let the connection through once a ClientHello has been seen
    tcp-request content accept if { req.ssl_hello_type 1 }

    use_backend server1_https_ipv4  if  server1-acl
    use_backend server2_https_ipv4  if  server2-acl
    default_backend server2_https_ipv4

backend server1_https_ipv4
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    # 'Transparent ClientIP' option: the server sees the real client address,
    # so its replies must route back through pfSense
    source ipv4@ usesrc clientip
    option ssl-hello-chk
    server server1 192.168.3.32:443 check inter 1000

backend server2_https_ipv4
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    # same transparent-source setting as server1
    source ipv4@ usesrc clientip
    option ssl-hello-chk
    server server2 192.168.3.44:443 check inter 1000
```


    ![Ohne Titel.jpg](/public/imported_attachments/1/Ohne Titel.jpg)

PiBa
last edited by Sep 15, 2016, 11:42 PM

If you want to access them over the VPN then the firewall rule should be on the VPN interface.

Another thing that might complicate matters is that you use the 'transparent client ip' feature in the backend. This has a large warning for several reasons. Can you try without it?

Also the frontend seems to be listening on a private IP, 192.168.2.2. Did you substitute it for privacy, or is it really listening on a private IP? And pfSense is behind another router then, I presume? If that's the case, that's probably part of the issue: the client sends traffic to pfSense, then to the ISP router which returns the traffic, which creates a short 'loop' where traffic could get lost or blocked due to asymmetric routing.

schweidj
last edited by Sep 16, 2016, 12:38 PM
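A check for the setting PiBa points at, added here as an example (not code from the thread, pfSense or HAProxy): it parses a constructed config modelled on Joe's and lists the backends that keep the client's source address, which is the line the pfSense 'Transparent ClientIP' option generates.

```python
"""Flag HAProxy backends that keep the client's source address ('usesrc clientip')."""
import re

# Constructed sample modelled on the thread's config: only server1 keeps the line.
SAMPLE_CFG = """\
frontend MainFrontends
bind 192.168.2.2:443 name 192.168.2.2:443

backend server1_https_ipv4
source ipv4@ usesrc clientip
server server1 192.168.3.32:443 check inter 1000

backend server2_https_ipv4
server server2 192.168.3.44:443 check inter 1000
"""
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)(?:\s+(\S+))?\s*$")

def parse_sections(cfg: str) -> dict[str, list[str]]:
    """Map 'kind name' -> directive lines; comments and blank lines are dropped."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = " ".join(filter(None, m.groups()))
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def transparent_backends(cfg: str) -> list[str]:
    """Backends/listens using 'source ... usesrc client[ip]'. The server then sees the
    client's own IP, so its reply must route back through the proxy; a VPN client whose
    return path bypasses it (asymmetric routing) never completes the TCP handshake."""
    hits = []
    for key, lines in parse_sections(cfg).items():
        kind, _, name = key.partition(" ")
        if kind not in ("backend", "listen"):
            continue
        for line in lines:
            parts = line.split()
            if parts[0] == "source" and "usesrc" in parts:
                rest = parts[parts.index("usesrc") + 1:]
                if rest and rest[0].startswith("client"):
                    hits.append(name)
                    break
    return hits
```

Run it against `/var/etc/haproxy/haproxy.cfg` on the firewall (the pfSense package's generated file) to confirm the option is gone after unchecking it in the GUI.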

        Unchecking the 'transparent client ip' feature solved my problem.

        Thank you very much,

        Regards,
        Joe
