HAproxy - configuration help - Beginner



  • Hello all who might be reading this,

    i am brand new to this forum and pfsense for that matter. I used to have a normal router with simple port-forwarding to do what i needed it to do. However now i would like to explore the possibilities with pfsense and HAproxy (which is also new to me).  I have the pfsense up and running now for a week after dealing with the initial setup, also with simple port forwarding to replicate what my old router did.

    I attached an image to show what is currently happening and see  if what i am hoping for is actually possible.

    I'd like to get rid of my freebsd nginx setup and just use HAproxy to redirect my incoming traffic.

    ![Untitled presentation (2).jpg_thumb](/public/imported_attachments/1/Untitled presentation (2).jpg_thumb)
    ![Untitled presentation (2).jpg](/public/imported_attachments/1/Untitled presentation (2).jpg)



  • After reading some parts, and surfing the internet for quite some time i could manage to set it up for my self :) Eureka!

    Anyway I wanted to share my setup, maybe someone has some input.

    First setting:
    Portforwarding

    NATrules

    Virtual IP

    Overview of Frontends, most of the stuff i host is fine with ssl offloading, while for example nextcloud12 is not, here is what i came out with maybe there is a more elegant way.

    Detail Frontends

    Backends

    copy paste for the different webservices you want to server that support offloading

    Backend for offloading

    Backend that needed SLI (in my case nextcloud12)

    What all this does is:

    TLDR:

    if something connects to port 80 and belongs to rss,blog,etc (except the ones that need ssl termination)  will be redirected to 127.0.0.1:1443 with ssl offloading (change of scheme as well)
    if something connects to port 80 and belongs to cloud the SLi backend will beused and ssl termination happens but default is redirect to 127.0.0.1443

    thats it i guess.
































  • @zwck:

    After reading some parts, and surfing the internet for quite some time i could manage to set it up for my self :) Eureka!

    Anyway I wanted to share my setup, maybe someone has some input.

    First setting:
    Portforwarding

    NATrules

    Virtual IP

    Overview of Frontends, most of the stuff i host is fine with ssl offloading, while for example nextcloud12 is not, here is what i came out with maybe there is a more elegant way.

    Detail Frontends

    Backends

    copy paste for the different webservices you want to server that support offloading

    Backend for offloading

    Backend that needed SLI (in my case nextcloud12)

    What all this does is:

    TLDR:

    if something connects to port 80 and belongs to rss,blog,etc (except the ones that need ssl termination)  will be redirected to 127.0.0.1:1443 with ssl offloading (change of scheme as well)
    if something connects to port 80 and belongs to cloud the SLi backend will beused and ssl termination happens but default is redirect to 127.0.0.1443

    thats it i guess.

    This looks pretty good to me.  Here I do much the same. I will note a few things here:

    In my firewall I enabled NAT reflection in order to allow me to access the resources while on the local LAN.

    Also, I disable deprecated or near deprecated cryptographic protocols and ciphers in:
    Settings - Global Advanced pass thru -Custom options
    this allows me to globally block: SSL 2, SSL3, and TLS1 as well as forcing modern cipher compatibility listed here: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

    Be careful this is a double edged sword.  if you have legacy devices you are still supporting setting your browser to moden compatibility only may cause those devices to not function properly.

    I use ACL and Action rules on the front end to determine:
    1.  Which backend resources the source is requesting

    2.  Whether the source is on one of my local LANS or the public Internet. 
        A.  if the source is on one of my local LANs i do not forward the source IP address to the backend server. 
        B.  If the source is on the public internet, I forward the source IP address to the backend server. 
        Note: I do this because there are some features that can be dynamically turned on or off based on whether the client is a public or internal source.  Also, some software has brute force attack protection and would need to know if the source is on the public Internet to function properly.

    3. I use a separate publicly fully trusted SSL cert for each of my subdomains that ties to a separate backend server.  this means I don't need to stand up a CA locally and deploy to my clients systems.  based on the SNI I dynamically hand out the appropriate SSL cert using SSL offloading on the front end.

    Lastly, in my Action rule if the request does not match any of the ACL action rules I have setup the requester is redirected to a dead node.  I learned this from a friend that used it to address IP block port scanning and brute-force attacks that found his WAN.  The only other thing I think you could do is setup HTTP monitoring on your backend resources in order stop forwarding in the event that it goes down.



  • @Kerat:

    Lastly, in my Action rule if the request does not match any of the ACL action rules I have setup the requester is redirected to a dead node.  I learned this from a friend that used it to address IP block port scanning and brute-force attacks that found his WAN.  The only other thing I think you could do is setup HTTP monitoring on your backend resources in order stop forwarding in the event that it goes down.

    Very nice. Can you tell how to achieve this? TIA.

    One more thing. Why use a Virtual IP?



  • @Kerat

    If i have to allow 100 Ip address which is in internet to access specific backend server.. how can i achive this.. can you guide me in this topic?



  • @nabil-lamichhane said in HAproxy - configuration help - Beginner:

    @Kerat

    If i have to allow 100 Ip address which is in internet to access specific backend server.. how can i achive this.. can you guide me in this topic?

    Create 100 NAT rules, or create an Alias which contains these 100 IP's, and use this alias in a NAT rule.

    Read https://www.netgate.com/docs/pfsense/firewall/aliases.html



  • @gertjan Thank you for your reply.. i will study further to get the ans ...