HAProxy - SNI + offloading backends from tutorial, but it is not working
Hi, I implemented the HAProxy tutorial found at https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends with some modifications to get it working, but I'm still not able to get the offloading section working. Some help would be appreciated.
I created the three frontends and the associated backends, but to make it work I had to forward (NAT) ports 80 and 443 to ports 8080 and 4443. So instead of using the WAN address I use the localhost port. Both the HTTP and SNI frontends work perfectly. The issue is when I get to the offloading. I have created two Let's Encrypt certificates for the two domains I need to offload. Both certificates cover several host names. The backend for the offloading points to an HTTP server (not HTTPS). From my reading I do not think that I have to point it to an HTTPS server if I have the offloading properly configured.
Below is part of my configuration; if somebody can tell me what I'm doing wrong, it would be appreciated.
frontend SecureServers-SNI-2
    bind 127.0.0.1:4443 name 127.0.0.1:4443
    mode tcp
    log global
    option socket-stats
    option log-separate-errors
    option tcplog
    timeout client 30000
    tcp-request inspect-delay 5s
    acl ftpweb_acl req.ssl_sni -i ftpweb34.accra.ca
    acl dragonNAS_acl req.ssl_sni -i dragon.accra.ca
    acl secure2345_acl req.ssl_sni -i secure2345.accra.ca
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend SecureFTPWEB34_https_ipvANY if ftpweb_acl
    use_backend SecureNAS4_https_ipvANY if dragonNAS_acl
    use_backend Secure16_https_ipvANY if secure2345_acl
    default_backend frontend3-offloading_https_ipvANY

frontend Secure-offloading-3
    bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required
    bind /tmp/haproxy_chroot/Secure-offloading-3.socket name unixsocket uid 80 accept-proxy ssl crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl filoptoreg hdr(host) -i reg.filopto.com
    acl remotehelp hdr(host) -i remotehelp.accra.ca
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^famille.accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^ftpweb.accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^remotehelp.accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^secure.accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^filopto.com(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^reg.filopto.com(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^www.filopto.com(:([0-9]){1,5})?$
    use_backend WebServer214_http_ipvANY if filoptoreg aclcrt_Secure-offloading-3
    use_backend RemoteHelp25_http_ipvANY if remotehelp aclcrt_Secure-offloading-3
    use_backend WEBServer14_http_ipvANY if aclcrt_Secure-offloading-3

backend WebServer214_http_ipvANY
    mode http
    log global
    use mailers
    level alert
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server WebServer214 192.168.120.214:80 check inter 1000

backend frontend3-offloading_https_ipvANY
    mode tcp
    log global
    use mailers
    level alert
    timeout connect 30000
    timeout server 30000
    retries 3
    server frontend3-srv /Secure-offloading-3.socket send-proxy-v2-ssl-cn check inter 5000
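The SNI frontend above routes purely on the server_name carried in the unencrypted ClientHello: that is what req.ssl_sni reads, which is why the inspect-delay and the req.ssl_hello_type 1 rule are there, and the offloading frontend only receives the stream after that choice is made. The Python below is an added example written for this thread, not code from the post, the tutorial or the pfSense package: it builds a genuine ClientHello offline with the standard library's MemoryBIO, parses the server_name out of it the way req.ssl_sni would, and looks it up in a table copied from the acl/use_backend lines above, so the first-hop decision can be checked without touching HAProxy.

```python
import ssl
import struct

# acl/use_backend pairs from the post's SNI frontend; fallback is its default_backend
SNI_ROUTES = {
    "ftpweb34.accra.ca": "SecureFTPWEB34_https_ipvANY",
    "dragon.accra.ca": "SecureNAS4_https_ipvANY",
    "secure2345.accra.ca": "Secure16_https_ipvANY",
}
DEFAULT_BACKEND = "frontend3-offloading_https_ipvANY"

def extract_sni(record: bytes):
    """server_name from a TLS ClientHello record, else None (what req.ssl_sni yields)."""
    try:
        if record[0] != 0x16:                              # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 1:                # record still incomplete (HAProxy
            return None                                    # keeps waiting, inspect-delay) or not a hello
        pos = 4 + 2 + 32                                   # hs header, client version, random
        pos += 1 + hs[pos]                                 # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0] # cipher suites
        pos += 1 + hs[pos]                                 # compression methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            body = hs[pos + 4:pos + 4 + ext_len]
            if ext_type == 0 and body[2] == 0:             # server_name ext, host_name entry
                name_len = struct.unpack("!H", body[3:5])[0]
                return body[5:5 + name_len].decode("ascii")
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                               # malformed hello: treat as no SNI
    return None

def route(record: bytes) -> str:  # backend the SNI frontend selects (-i: case-insensitive)
    sni = extract_sni(record)
    return SNI_ROUTES.get(sni.lower(), DEFAULT_BACKEND) if sni else DEFAULT_BACKEND

def client_hello_for(hostname: str) -> bytes:  # real ClientHello for `hostname`, no network I/O
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                                               # hello written; server reply pending
    return outgoing.read()
```

Any name that is not one of the three acl values, or a connection that never sends a ClientHello at all, ends up in the default backend and therefore on the offloading frontend's unix socket, so a failure there is visible only after this step has already succeeded.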