HAProxy - SNI + offloading backends from tutorial but it is not working
  • Hi, I implemented the HAProxy tutorial found at https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends with some modifications to get it working, but I'm still not able to get the offloading section working. Some help would be appreciated.

    Created the three frontends and associated backend, but to make it work I had to forward (NAT) ports 80 and 443 to ports 8080 and 4443. So instead of using the WAN address I use the localhost port. Both the HTTP and SNI frontends work perfectly. The issue is when I get to the offloading. I have created 2 Let's Encrypt certificates for the two domains I need to offload. Both certificates host several host names. The backend for the offloading points to an HTTP server (not HTTPS). From my reading I do not think that I have to point it to an HTTPS server if I have the offloading properly configured.

    Below is part of my configuration; if somebody can tell me what I'm doing wrong it would be appreciated.

    frontend SecureServers-SNI-2
    bind 127.0.0.1:4443 name 127.0.0.1:4443
    mode tcp
    log global
    option socket-stats
    option log-separate-errors
    option tcplog
    timeout client 30000
    tcp-request inspect-delay 5s
    acl ftpweb_acl req.ssl_sni -i ftpweb34.accra.ca
    acl dragonNAS_acl req.ssl_sni -i dragon.accra.ca
    acl secure2345_acl req.ssl_sni -i secure2345.accra.ca
    tcp-request content accept if { req.ssl_hello_type 1 }

    use_backend SecureFTPWEB34_https_ipvANY  if  ftpweb_acl
    use_backend SecureNAS4_https_ipvANY  if  dragonNAS_acl
    use_backend Secure16_https_ipvANY  if  secure2345_acl
    default_backend frontend3-offloading_https_ipvANY

    frontend Secure-offloading-3
    bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required
    bind /tmp/haproxy_chroot/Secure-offloading-3.socket name unixsocket uid 80 accept-proxy ssl crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl filoptoreg hdr(host) -i reg.filopto.com
    acl remotehelp hdr(host) -i remotehelp.accra.ca
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^famille.accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^ftpweb.accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^remotehelp.accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^secure.accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^filopto.com(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^reg.filopto.com(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^www.filopto.com(:([0-9]){1,5})?$
    use_backend WebServer214_http_ipvANY  if  filoptoreg aclcrt_Secure-offloading-3
    use_backend RemoteHelp25_http_ipvANY  if  remotehelp aclcrt_Secure-offloading-3
    use_backend WEBServer14_http_ipvANY  if  aclcrt_Secure-offloading-3

    backend WebServer214_http_ipvANY
    mode http
    log global
    use mailers
    level  alert
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server WebServer214 192.168.120.214:80 check inter 1000

    backend frontend3-offloading_https_ipvANY
    mode tcp
    log global
    use mailers
    level  alert
    timeout connect 30000
    timeout server 30000
    retries 3
    server frontend3-srv /Secure-offloading-3.socket send-proxy-v2-ssl-cn check inter 5000
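As an added example that is not part of the original post or of the pfSense HAProxy package, the following Python script parses a constructed excerpt modelled on the configuration above and reports two things a reviewer would check first: `use_backend`/`default_backend` targets that resolve to no backend section, and `ssl` bind lines carrying `verify required`, which in HAProxy makes the listener reject any client that does not present a certificate signed by the configured `ca-file` (both bind lines of the offloading frontend above carry it). The section names, addresses and paths in CONFIG are copied or adapted from the post; everything else is constructed.

```python
"""Added example (not from the post or from HAProxy/pfSense): lint an HAProxy
config for (a) backend references with no backend section and (b) TLS bind
lines with 'verify required', which demand a client certificate from every
connecting client.  CONFIG is a constructed excerpt modelled on the post."""

CONFIG = """\
frontend SecureServers-SNI-2
    bind 127.0.0.1:4443 name 127.0.0.1:4443
    use_backend SecureFTPWEB34_https_ipvANY if ftpweb_acl
    default_backend frontend3-offloading_https_ipvANY
frontend Secure-offloading-3
    bind 127.0.0.1:1443 ssl crt /var/etc/haproxy/Secure-offloading-3.pem ca-file /var/etc/haproxy/clientca.pem verify required
    bind /tmp/haproxy_chroot/Secure-offloading-3.socket accept-proxy ssl crt /var/etc/haproxy/Secure-offloading-3.pem verify required
    use_backend WebServer214_http_ipvANY if filoptoreg
backend WebServer214_http_ipvANY
    server WebServer214 192.168.120.214:80 check inter 1000
backend frontend3-offloading_https_ipvANY
    server frontend3-srv /Secure-offloading-3.socket send-proxy-v2-ssl-cn check inter 5000
"""

def parse(text):
    # Map (section kind, section name) -> list of tokenised directive lines.
    sections, current = {}, None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("#"):
            continue
        if toks[0] in ("global", "defaults", "frontend", "backend", "listen"):
            current = (toks[0], toks[1] if len(toks) > 1 else "")
            sections[current] = []
        elif current is not None:
            sections[current].append(toks)
    return sections

def lint(text):
    """Return human-readable findings; an empty list means both checks passed."""
    sections = parse(text)
    backends = {name for kind, name in sections if kind in ("backend", "listen")}
    findings = []
    for (kind, name), lines in sections.items():
        if kind not in ("frontend", "listen"):
            continue
        for toks in lines:
            # (a) every routing target must name an existing backend/listen section
            if toks[0] in ("use_backend", "default_backend") and toks[1] not in backends:
                findings.append(f"{name}: {toks[0]} {toks[1]} has no matching backend")
            # (b) 'verify required' on an ssl bind means clients must send a cert
            if toks[0] == "bind" and "ssl" in toks and "verify" in toks:
                if toks[toks.index("verify") + 1:][:1] == ["required"]:
                    findings.append(f"{name}: bind {toks[1]} needs a client cert (verify required)")
    return findings
```

Run `lint(CONFIG)` against the real `/var/etc/haproxy/haproxy.cfg` contents to see whether a browser without a client certificate is even allowed to complete the handshake on the offloading frontend.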