Netgate Discussion Forum
Squid Reverse Proxy or HAProxy?

    PiBa
    last edited by Sep 19, 2016, 11:05 PM

    I recommend haproxy... but I'm a little biased 8)
    https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki

      killmasta93
      last edited by Sep 21, 2016, 3:23 AM

      Thanks for the reply. Really nice guide you have there. Will try it out this week and let you know. Thank you again :)

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

        killmasta93
        last edited by Sep 26, 2016, 8:59 PM

        Hi,
        So I was trying to follow your guide and got a little lost; I was wondering if you could guide me?

        https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/Single-frontend-serving-multiple-different-domains-using-http

        So I have 123.com on port 80.

        I also have another domain which is only the webmail, mail.321.com. Before I had it on port 85; now I want to change it to port 80 so users don't have to use mail.321.com:85.

        So this is what I got, see pictures.

        Thank you

        (four screenshots attached)

          PiBa
          last edited by Sep 26, 2016, 9:11 PM

          Looks like you have two 'separate' frontends both listening on the same ip:port; for that to work properly you should use the 'shared frontend' option, so that only 1 frontend will be in haproxy.conf and 1 bind will listen on the port.

          Can you then perhaps post the haproxy.conf? (It's at the bottom of the settings tab.)

            killmasta93
            last edited by Sep 26, 2016, 11:17 PM

            Hi,
            Thank you for the reply.

            So I think I got it working; I did what you said about sharing, but forgot to mention that the website is using nginx, not sure if that makes a difference.
            Also I don't see the haproxy.conf.
            See pictures.

            Thank you

            (three screenshots attached)

              PiBa
              last edited by Sep 27, 2016, 5:20 PM

              The 'show' is a link you can click ;)  But it's working alright now?

              (screenshot attached: the 'show' link for haproxy.conf on the settings tab)

                killmasta93
                last edited by Sep 28, 2016, 12:33 AM

                ooOOOO wow, thank you, did not see that

                global
                	maxconn			500
                	stats socket /tmp/haproxy.socket level admin
                	uid			80
                	gid			80
                	nbproc			1
                	chroot			/tmp/haproxy_chroot
                	daemon
                
                listen HAProxyLocalStats
                	bind 127.0.0.1:2200 name localstats
                	mode http
                	stats enable
                	stats refresh 5
                	stats admin if TRUE
                	stats uri /haproxy_stats.php?haproxystats=1
                	timeout client 5000
                	timeout connect 5000
                	timeout server 5000
                
                frontend website-merged
                	bind			200.116.XX.XX:80 name 200.116.XX.XX:80   
                	mode			http
                	log			global
                	option			http-keep-alive
                	timeout client		30000
                	acl			aclusr_host_matches_123.com	hdr(host) -i 123.com
                	acl			aclusr_host_matches_mail.321.com_2fsquirrelmail	hdr(host) -i mail.321.com/squirrelmail
                	use_backend		Website_http_ipvANY if aclusr_host_matches_123.com 
                	use_backend		webemail_http_ipvANY if aclusr_host_matches_mail.321.com_2fsquirrelmail 
                
                backend Website_http_ipvANY
                	mode			http
                	timeout connect		30000
                	timeout server		30000
                	retries			3
                	option			httpchk OPTIONS / 
                	server			webiste 192.168.3.130:80 check inter 1000  
                
                backend webemail_http_ipvANY
                	mode			http
                	timeout connect		30000
                	timeout server		30000
                	retries			3
                	option			httpchk OPTIONS / 
                	server			webemail 192.168.3.150:80 check inter 1000
                

                Thank you

                  PiBa
                  last edited by Sep 28, 2016, 5:14 PM

                  You haven't exactly specified what is and isn't working currently, so I'm gonna make a few assumptions..

                  I think the website http://321.com/ is working, is that correct?
                  If not, check what the stats page says for the LastChk column. Something like L7OK? Or perhaps an error status?

                  But the second one "hdr(host) -i mail.321.com/squirrelmail" cannot work like that, as the "/squirrelmail" part is not in the host header. You will need to specify another acl for it and then maybe combine the host and path if that's required for your setup. Perhaps only use the "mail.321.com" domain name to match the host header against and leave it at that.

                    killmasta93
                    last edited by Sep 29, 2016, 2:19 AM

                    Thank you for the reply.
                    So I fixed what you commented on; the issue at hand is that when I change the webmail port to 80 it ignores the website because of the order of the firewall rules, so when I type 123.com it goes to mail.321.com.

                    Thank you again, see pictures.

                    global
                    	maxconn			500
                    	stats socket /tmp/haproxy.socket level admin
                    	uid			80
                    	gid			80
                    	nbproc			1
                    	chroot			/tmp/haproxy_chroot
                    	daemon
                    
                    listen HAProxyLocalStats
                    	bind 127.0.0.1:2200 name localstats
                    	mode http
                    	stats enable
                    	stats refresh 5
                    	stats admin if TRUE
                    	stats uri /haproxy_stats.php?haproxystats=1
                    	timeout client 5000
                    	timeout connect 5000
                    	timeout server 5000
                    
                    frontend website-merged
                    	bind			200.116.XX.XX:80 name 200.116.XX.XX:80   
                    	mode			http
                    	log			global
                    	option			http-keep-alive
                    	timeout client		30000
                    	acl			aclusr_host_matches_123.com	hdr(host) -i 123.com
                    	acl			aclusr_host_matches_mail.321.com	hdr(host) -i mail.321.com
                    	use_backend		Website_http_ipvANY if aclusr_host_matches_123.com 
                    	use_backend		webemail_http_ipvANY if aclusr_host_matches_mail.321.com 
                    
                    backend Website_http_ipvANY
                    	mode			http
                    	timeout connect		30000
                    	timeout server		30000
                    	retries			3
                    	option			httpchk OPTIONS / 
                    	server			webiste 192.168.3.130:80 check inter 1000  
                    
                    backend webemail_http_ipvANY
                    	mode			http
                    	timeout connect		30000
                    	timeout server		30000
                    	retries			3
                    	option			httpchk OPTIONS / 
                    	server			webemail 192.168.3.150:80 check inter 1000
                    

                    (three screenshots attached)

                      PiBa
                      last edited by Sep 29, 2016, 6:24 PM

                      Delete the (relevant) NAT rules, and add a regular firewall rule to allow people from outside access to haproxy. You don't need to use pf to forward the traffic, as haproxy should do that.

                      Check on the haproxy stats that you are actually seeing connections counted as going through haproxy.

                      Then, if firewall rules are allowing access to haproxy, you 'should' receive a 503 error for the website backend when visiting that website with a browser, as the server is 'down' according to haproxy due to the 405 HTTP response.
                      For this, change the healthcheck on that website to something other than OPTIONS, as it apparently does not support that.. Try HEAD or perhaps GET.. That might make the server green on stats instead of red.. Otherwise also try adding a Host header in the version field..

                        killmasta93
                        last edited by Sep 30, 2016, 3:19 AM

                        Hi,
                        Thank you so much, that did the trick. Only on the website backend, at the bottom, instead of http I used the option basic and now it works. But what's odd: when I type 123.com it loads, but if I type www.123.com it shows the 503 service unavailable. I tried adding the www.123.com but then that just takes down the site, so no luck there.

                        Thank you again :)

                          PiBa
                          last edited by Sep 30, 2016, 5:41 PM

                          The

                          acl			aclusr_host_matches_123.com	hdr(host) -i 123.com

                          does not exactly 'match' www.123.com, so that that doesn't work is correct.

                          Adding a second acl line with the same acl name should work though.

                            killmasta93
                            last edited by Sep 30, 2016, 11:01 PM

                            Thanks for the reply.
                            When you say adding a second acl line, something like this?
                            See picture.

                            But not sure what you mean?

                            Thank you

                            (screenshot attached)

                              PiBa
                              last edited by Oct 1, 2016, 12:23 PM

                              Does your hostname 'match www'? Or was it 'www.123.com'? If you're configuring it to 'match' then it must match; perhaps you want it only to 'contain www', or 'start with www'? Though that would prevent you from forwarding multiple sites that contain www to different backends.. Probably best to just write the whole domain name you want it to match.

                              Yes, what you've configured in that screenshot looks like what I asked. Wondering though if maybe the acl name should be different; things have changed a little in the acl/action parts. And reading that little text about 'acls with same name will be combined' makes me think you're running an old haproxy package version, I haven't used that one for a while.

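The three fixes PiBa describes in this thread (a host-only acl instead of the host/path one, a second acl line with the same name so that both 123.com and www.123.com select the website backend, and a HEAD health check carrying a Host header in place of OPTIONS), written out as one haproxy.conf fragment. This is an added example, not PiBa's wiki or killmasta93's posted config; it keeps the thread's placeholder addresses, uses my own short acl names (host_mail, host_website) rather than the aclusr_... names the pfSense package generates, and assumes the HAProxy 1.5 syntax the thread mentions.

```haproxy
frontend website-merged
	bind			200.116.XX.XX:80 name 200.116.XX.XX:80
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	# hdr(host) sees only the Host header, so "mail.321.com/squirrelmail" can never
	# match; match the bare domain and, if a path is needed, add a separate path acl.
	acl			host_mail		hdr(host) -i mail.321.com
	# Two acl lines with the same name are OR-ed together, so both the apex and the
	# www form of the site select the same backend.
	acl			host_website		hdr(host) -i 123.com
	acl			host_website		hdr(host) -i www.123.com
	use_backend		webemail_http_ipvANY if host_mail
	use_backend		Website_http_ipvANY if host_website
	# No default_backend on purpose: a request whose Host header matches neither
	# acl gets a 503 from haproxy instead of landing on an internal server.

backend Website_http_ipvANY
	mode			http
	timeout connect		30000
	timeout server		30000
	retries			3
	# The site answered the OPTIONS check with 405, which haproxy counts as a failed
	# check and marks the server down (the 503 seen in the thread). HEAD with a Host
	# header is what a name-based vhost expects; in HAProxy 1.5 the extra header goes
	# in the "version" field after a literal \r\n, with the space escaped.
	option			httpchk HEAD / HTTP/1.1\r\nHost:\ 123.com
	server			website 192.168.3.130:80 check inter 1000

backend webemail_http_ipvANY
	mode			http
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk HEAD / HTTP/1.1\r\nHost:\ mail.321.com
	server			webemail 192.168.3.150:80 check inter 1000
```

After applying it, the stats page LastChk column PiBa refers to should show L7OK for both servers; a request with an unknown Host header is answered by haproxy itself, which is the safe behaviour for a shared frontend.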
                                killmasta93
                                last edited by Oct 1, 2016, 4:01 PM

                                Thank you so much. It was something with the acl, I fixed it, see picture. Yeah, it's version 1.5 HAProxy, I'm still using pfSense 2.2.4.

                                Thank you

                                (screenshot attached)
