Haproxy - SNI + offloading backends from tutorial but it is not working

cjbujold

Hi, I implemented the HAproxy tutorial found at https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends with some modifications to get it working but I'm still not able to get the offloading section working.  Some help would be appreciated.

Created the three front ends and associated backend but to make it work I had to forward (nat) port 80 and 443 to port 8080 and 4443. So instead of using the wan address I use the localhost port.  Both the HTTP and SNI frontend work perfectly.  The issue is when I get to the Offloading.  I have created 2 let's encrypt certificates for the two domains I need to offload.  Both certificates host several host names.  The backend for the offloading points to a http server (not https).  From my reading I do not think that I have to point it to a https server if I have the offloading properly configured.

Below is part of my configuration, if somebody can tell me what i'm doing wrong it would be appreciated.

frontend SecureServers-SNI-2
bind 127.0.0.1:4443 name 127.0.0.1:4443 
mode tcp
log global
option socket-stats
option log-separate-errors
option tcplog
timeout client 30000
tcp-request inspect-delay 5s
acl ftpweb_acl req.ssl_sni -i ftpweb34.accra.ca
acl dragonNAS_acl req.ssl_sni -i dragon.accra.ca
acl secure2345_acl req.ssl_sni -i secure2345.accra.ca
tcp-request content accept if { req.ssl_hello_type 1 }

use_backend SecureFTPWEB34_https_ipvANY  if  ftpweb_acl
use_backend SecureNAS4_https_ipvANY  if  dragonNAS_acl
use_backend Secure16_https_ipvANY  if  secure2345_acl
default_backend frontend3-offloading_https_ipvANY

frontend Secure-offloading-3
bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required 
bind /tmp/haproxy_chroot/Secure-offloading-3.socket name unixsocket uid 80 accept-proxy ssl  crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required
mode http
log global
option http-keep-alive
timeout client 30000
acl filoptoreg hdr(host) -i reg.filopto.com
acl remotehelp hdr(host) -i remotehelp.accra.ca
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^accra.ca(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^famille.accra.ca(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^ftpweb.accra.ca(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^remotehelp.accra.ca(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^secure.accra.ca(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^filopto.com(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^reg.filopto.com(:([0-9]){1,5})?$
acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^www.filopto.com(:([0-9]){1,5})?$
use_backend WebServer214_http_ipvANY  if  filoptoreg aclcrt_Secure-offloading-3
use_backend RemoteHelp25_http_ipvANY  if  remotehelp aclcrt_Secure-offloading-3
use_backend WEBServer14_http_ipvANY  if  aclcrt_Secure-offloading-3

backend WebServer214_http_ipvANY
mode http
log global

use mailers

level  alert

timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server WebServer214 192.168.120.214:80 check inter 1000

backend frontend3-offloading_https_ipvANY
mode tcp
log global

use mailers

level  alert

timeout connect 30000
timeout server 30000
retries 3
server frontend3-srv /Secure-offloading-3.socket send-proxy-v2-ssl-cn check inter 5000