    HAProxy - SNI + offloading backends from tutorial but it is not working
    cjbujold

      Hi, I implemented the HAProxy tutorial found at https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends with some modifications to get it working, but I'm still not able to get the offloading section working. Some help would be appreciated.

      I created the three front ends and the associated backends, but to make it work I had to forward (NAT) ports 80 and 443 to ports 8080 and 4443. So instead of using the WAN address I use the localhost port. Both the HTTP and SNI frontends work perfectly. The issue is when I get to the offloading. I have created two Let's Encrypt certificates for the two domains I need to offload. Both certificates cover several host names. The backend for the offloading points to an HTTP server (not HTTPS). From my reading I do not think that I have to point it to an HTTPS server if I have the offloading properly configured.

      Below is part of my configuration; if somebody can tell me what I'm doing wrong, it would be appreciated.

      frontend SecureServers-SNI-2
      bind 127.0.0.1:4443 name 127.0.0.1:4443
      mode tcp
      log global
      option socket-stats
      option log-separate-errors
      option tcplog
      timeout client 30000
      tcp-request inspect-delay 5s
      acl ftpweb_acl req.ssl_sni -i ftpweb34.accra.ca
      acl dragonNAS_acl req.ssl_sni -i dragon.accra.ca
      acl secure2345_acl req.ssl_sni -i secure2345.accra.ca
      tcp-request content accept if { req.ssl_hello_type 1 }

      use_backend SecureFTPWEB34_https_ipvANY if ftpweb_acl
      use_backend SecureNAS4_https_ipvANY if dragonNAS_acl
      use_backend Secure16_https_ipvANY if secure2345_acl
      default_backend frontend3-offloading_https_ipvANY

      frontend Secure-offloading-3
      bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required
      bind /tmp/haproxy_chroot/Secure-offloading-3.socket name unixsocket uid 80 accept-proxy ssl crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required
      mode http
      log global
      option http-keep-alive
      timeout client 30000
      acl filoptoreg hdr(host) -i reg.filopto.com
      acl remotehelp hdr(host) -i remotehelp.accra.ca
      acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^accra.ca(:([0-9]){1,5})?$
      acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^famille.accra.ca(:([0-9]){1,5})?$
      acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^ftpweb.accra.ca(:([0-9]){1,5})?$
      acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^remotehelp.accra.ca(:([0-9]){1,5})?$
      acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^secure.accra.ca(:([0-9]){1,5})?$
      acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^filopto.com(:([0-9]){1,5})?$
      acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^reg.filopto.com(:([0-9]){1,5})?$
      acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^www.filopto.com(:([0-9]){1,5})?$
      use_backend WebServer214_http_ipvANY if filoptoreg aclcrt_Secure-offloading-3
      use_backend RemoteHelp25_http_ipvANY if remotehelp aclcrt_Secure-offloading-3
      use_backend WEBServer14_http_ipvANY if aclcrt_Secure-offloading-3

      backend WebServer214_http_ipvANY
      mode http
      log global
      use mailers
      level alert
      timeout connect 30000
      timeout server 30000
      retries 3
      option httpchk OPTIONS /
      server WebServer214 192.168.120.214:80 check inter 1000

      backend frontend3-offloading_https_ipvANY
      mode tcp
      log global
      use mailers
      level alert
      timeout connect 30000
      timeout server 30000
      retries 3
      server frontend3-srv /Secure-offloading-3.socket send-proxy-v2-ssl-cn check inter 5000
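      A small static check for the configuration above, added here as an example and not taken from the original post or the pfSense HAProxy package. It parses a constructed, trimmed copy of the poster's config and reports three things a practitioner would verify first: a use_backend/default_backend that points at a backend the file does not define (the passthrough backend is left out of the excerpt on purpose so this fires), an ssl bind carrying "verify required" (HAProxy then demands a client certificate from every browser that reaches the offloading frontend through the unix socket), and an HTTP-mode frontend with no default_backend (a Host header that matches none of the hdr_reg ACLs gets a 503).

```python
import re
# Constructed excerpt of the poster's config, trimmed to the directives checked below;
# the SNI passthrough backend is deliberately left out so the reference check fires.
CONFIG = """
frontend SecureServers-SNI-2
  bind 127.0.0.1:4443
  mode tcp
  acl ftpweb_acl req.ssl_sni -i ftpweb34.accra.ca
  use_backend SecureFTPWEB34_https_ipvANY if ftpweb_acl
  default_backend frontend3-offloading_https_ipvANY
frontend Secure-offloading-3
  bind 127.0.0.1:1443 ssl crt /var/etc/haproxy/Secure-offloading-3.pem ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required
  mode http
  acl filoptoreg hdr(host) -i reg.filopto.com
  use_backend WebServer214_http_ipvANY if filoptoreg
backend frontend3-offloading_https_ipvANY
  mode tcp
  server frontend3-srv /Secure-offloading-3.socket send-proxy-v2-ssl-cn check inter 5000
backend WebServer214_http_ipvANY
  mode http
  server WebServer214 192.168.120.214:80 check inter 1000
"""

def parse(text):
    """Split haproxy.cfg text into {section name: (kind, [directive lines])}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        head = re.match(r"^(frontend|backend|listen)\s+(\S+)", line)
        if head:
            current = head.group(2)
            sections[current] = (head.group(1), [])
        elif line and current and not line.startswith("#"):
            sections[current][1].append(line)
    return sections

def lint(text):
    sections = parse(text)
    backends, findings = {n for n, (kind, _) in sections.items() if kind != "frontend"}, []
    for name, (kind, lines) in sections.items():
        if kind != "frontend":
            continue
        for d in lines:
            ref = re.match(r"^(?:use_backend|default_backend)\s+(\S+)", d)
            if ref and ref.group(1) not in backends:
                findings.append(f"{name}: references undefined backend {ref.group(1)}")
            if d.startswith("bind") and " ssl " in d and "verify required" in d:
                findings.append(f"{name}: bind requires a client certificate (verify required)")
        if any(d.startswith("mode http") for d in lines) and not any(d.startswith("default_backend") for d in lines):
            findings.append(f"{name}: no default_backend, unmatched Host headers get a 503")
    return findings
```

Run lint() over the full haproxy.cfg from /var/etc/haproxy to get the same three classes of finding for every frontend pfSense generated.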
