Netgate Discussion Forum

    Migrating from TMG 2010 to HA-PROXY as a reverse Proxy issues

    pfSense Packages
      pbnet

      Hello everybody,

      I would need some help achieving my goal.
      I'm currently trying to migrate from a Microsoft TMG2010 Setup to using PFSense with HA-PROXY as reverse proxy.
      So far, I managed to make it work when accessing an Apache server on the backend, but I get "HTTP 503" when trying to access some SharePoint backends.

      I followed this tutorial:  https://blog.briantruscott.com/how-to-serve-multiple-domains-from-a-single-public-ip-using-haproxy-on-pfsense/

      So, here are some details:

      OLD Setup:
      Internet --> PFSense with NAT --> TMG2010 --> SharePoint Server

      NEW Setup:
      Internet --> PFSENSE with HAPROXY --> SharePoint Server.

      Here is the HAPROXY configuration

      # Automaticaly generated, dont edit manually.
      # Generated on: 2017-07-16 11:40
      global
        maxconn 10
        stats socket /tmp/haproxy.socket level admin
        gid 80
        nbproc 1
        chroot /tmp/haproxy_chroot
        daemon
        server-state-file /tmp/haproxy_server_state

      listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats refresh 10
        stats admin if TRUE
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

      frontend SharedFrontEnd-merged
        bind WANIP:80 name WANIP:80
        mode http
        log global
        option http-keep-alive
        option forwardfor
        acl https ssl_fc
        http-request set-header X-Forwarded-Proto http if !https
        http-request set-header X-Forwarded-Proto https if https
        timeout client 30000
        acl SPS2016Blog hdr(host) -i blogspsext.domain.net
        use_backend LookingGlass_http_ipv4  if  LG
        use_backend SPS2016_http_ipv4  if  SPS2016
        use_backend SPS2013Blog_http_ipv4  if  SPS2016Blog

      backend SPS2013Blog_http_ipv4
        mode http
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        source ipv4@ usesrc clientip
        option httpchk OPTIONS /
        server SPSBLOG 172.17.77.253:80 check inter 1000

      Thanks a lot for any help provided.

        pbnet

        OK, I've also done a Fiddler trace and I got:

        GET http://mydomain.com/favicon.ico HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
        Host: blogspsext.rachita.net
        DNT: 1
        Connection: Keep-Alive

        HTTP/1.0 503 Service Unavailable
        Cache-Control: no-cache
        Connection: close
        Content-Type: text/html

        503 Service Unavailable

        No server is available to handle this request.

        So it seems it doesn't even reach the backend server.
        Is there any special configuration to use if the backend server should also be accessed internally via a host-header?

        Thanks.

          Soyokaze

          Looks like HAProxy doesn't see the backend endpoint as alive.
          What does it say on the HAProxy -> Status page?

          Need full pfSense in a cloud? PM for details!

            pbnet

            In the status page for the SharePoint backend I get: Unauthorized.
            The site on SharePoint does allow anonymous access.

            Thanks
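
What the health check in the posted backend (`option httpchk OPTIONS /`) puts on the wire and how HAProxy scores the reply, as an added example that is not part of the original thread or of the pfSense package. It assumes HAProxy's documented defaults (an HTTP/1.0 probe with no Host header; only 2xx and 3xx count as success); the function names are hypothetical and the sample replies are constructed.

```python
import socket

def build_probe(method="OPTIONS", uri="/", version="HTTP/1.0", host=None):
    """Bytes sent for `option httpchk <method> <uri> [<version>]`.

    With no version given the probe is HTTP/1.0 and carries no Host header,
    so a site bound to a host header never sees its own name (host=None).
    """
    lines = [f"{method} {uri} {version}"]
    if host:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_status(raw):
    """Return the integer status code of a raw HTTP reply, or None."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(first) >= 2 and first[0].startswith("HTTP/") and first[1].isdigit():
        return int(first[1])
    return None

def check_passes(raw):
    """Default httpchk rule: 2xx and 3xx are valid, anything else fails."""
    code = parse_status(raw)
    return code is not None and 200 <= code <= 399

def probe(addr, port, request, timeout=3.0):
    """Send one probe to a live backend and return the start of its reply."""
    with socket.create_connection((addr, port), timeout=timeout) as s:
        s.sendall(request)
        return s.recv(4096)

# Constructed sample replies (not captured from the poster's server).
SAMPLE_401 = b"HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n"
SAMPLE_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print("probe from the posted config:", build_probe())
    for name, raw in (("401", SAMPLE_401), ("200", SAMPLE_200)):
        verdict = "UP" if check_passes(raw) else "DOWN -> frontend answers 503"
        print(name, "=>", verdict)
    # Against the real backend, compare both probe shapes, e.g.:
    #   probe("172.17.77.253", 80, build_probe())
    #   probe("172.17.77.253", 80,
    #         build_probe(version="HTTP/1.1", host="blogspsext.domain.net"))
```

Comparing the two probe shapes against the backend shows whether the 401 on the status page comes from the missing Host header or from the site rejecting unauthenticated OPTIONS requests.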

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.