How to set up routing based on subdomains using HAProxy?



  • English isn't my first language, please bear with me.  :'(

    I have a Multi-WAN-Multi-LAN setup using pfSense 2.3.3, three WAN connections in total, two LANs. Two WAN connections (WAN1, WAN2) are used in a failover Multi-GW for important, low-bandwidth services like VoIP. The third WAN connection (WAN0) is used for everything else. Physical and virtual machines each have their own LAN (LAN, VMS). I utilize the dynamic DNS services of my domain name registrar to get around the lack of any static WAN IP addresses (e.g. service-a.example.org, service-b.example.org). I have set up an HTTPd on two different virtual machines on VMs (e.g. service-a.localdomain, service-b.localdomain). Up to this point everything works as expected and I'm grateful to the developers of pfSense for making it as easy as it is with the WebUI. But now I'd like to use HAProxy to serve both webservers to WAN0 as if they were running on the same machine, based on the subdomain. I know I'm missing crucial terminology here, but I hope it's clear what I mean anyway. Until a few days ago I didn't even think this was possible, because HTTP is an application layer protocol and routing is done at a much lower layer, so maybe one of you can give me an ELI5 version of how it's done (similar to what follows) or just tell me where my mistakes are. Here is what I have unsuccessfully done so far…

    First attempt:

    • Create a new firewall rule
      -- Interface: WAN0
      -- Destination Port Range
      --- From: HTTP
    • Create a new HAProxy backend
      -- Name: Service_A_BE
      -- Server list
      --- Address: service-a.localdomain
      --- Port: 80
    • Create a new HAProxy frontend
      -- Name: Service_A_FE
      -- External address
      --- Listen address: WAN0 address (IPv4)
      --- Port: 80
      -- Access Control lists
      --- Name: Service_A
      --- Expression: Host matches
      --- Value: service-a.example.org
      -- Actions
      --- Action: Use Backend
      --- backend: Service_A_BE

    Second attempt:

    • Create a new virtual IP
      -- Type: IP Alias
      -- Interface: LAN
      -- Address(es): 10.10.0.1/32
    • Create a new Port Forwarding rule
      -- Interface: WAN0
      -- Redirect target IP: 10.10.0.1
      -- Redirect target port: HTTP
    • Create a new HAProxy backend
      -- Name: Service_A_BE
      -- Server list
      --- Address: service-a.localdomain
      --- Port: 80
    • Create a new HAProxy frontend
      -- Name: Service_A_FE
      -- External address
      --- Listen address: 10.10.0.1
      --- Port: 80
      -- Access Control lists
      --- Name: Service_A
      --- Expression: Host matches
      --- Value: service-a.example.org
      -- Actions
      --- Action: Use Backend
      --- backend: Service_A_BE

    Thank you for your time.



  • Hi Sysadmin,

    I can't spot any obvious error in your haproxy configuration looking over its description; 'should work..' I think.

    For the haproxy config it seems like you've made a setup similar to what's described here: https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/Single-frontend-serving-multiple-different-domains-using-http

    As for the firewall rule (a port forward should not be needed.. unless perhaps if your WAN is using a PPP connection), make sure to allow all source ports.

    So rule would be something like:
    interface: WAN, source address: *, source port: *, destination address: WAN-ip, destination port: 80

    That should allow access from outside to the listening port of haproxy.

    What does and/or doesn't work so far? Can you connect to haproxy but receive a 503 HTTP error? Have you enabled stats, and are the servers shown 'down' in a red color? Can you share the haproxy.conf (at bottom of settings tab)?

    Regards,
    PiBa-NL
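
The settings listed in the first attempt, written out as a plain haproxy.cfg and extended to both hosts (an added example, not part of either post and not the file the pfSense package generates). HAProxy accepts the TCP connection on the listen address itself, reads the HTTP Host header, and then opens its own connection to the selected backend. Assumptions: 203.0.113.10 is a constructed placeholder for the WAN0 address, and the Service_B names are made up by analogy with the names in the post.

```haproxy
# Hand-written sketch, not output of the pfSense HAProxy package.
# 203.0.113.10 is a constructed placeholder for the WAN0 address.
# Service_B / Service_B_BE are assumed names, by analogy with the post.

defaults
    mode http                 # parse HTTP so the Host header can be inspected
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend Service_A_FE
    bind 203.0.113.10:80
    # One ACL per public hostname; -i makes the comparison case-insensitive.
    # hdr(host) is an exact string match, so a Host header that carries an
    # explicit port (service-a.example.org:80) would not match these ACLs.
    acl Service_A hdr(host) -i service-a.example.org
    acl Service_B hdr(host) -i service-b.example.org
    use_backend Service_A_BE if Service_A
    use_backend Service_B_BE if Service_B
    # No default_backend on purpose: a request whose Host matches neither
    # ACL gets a 503 from HAProxy and never reaches a web server.

backend Service_A_BE
    # "check" enables health checks; a failing server shows as down in stats.
    server service-a service-a.localdomain:80 check

backend Service_B_BE
    server service-b service-b.localdomain:80 check
```

A 503 therefore has two distinct causes in this layout: the Host header matched no ACL, or the matched backend has no server passing its health check, and the stats page distinguishes the two.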