HAProxy passthrough not working



  • Hi everyone

    I was setting up HAProxy on my pfSense (SG-8860, newest version), and I already ran into a certain problem, which I showed in this topic:

    https://forum.pfsense.org/index.php?topic=137483.msg752004#msg752004

    It works now sometimes, but some users say they have to load the page 2-10 times until it works. In addition, I was setting up DirectAccess from Microsoft and it is not connecting. HTTP is working fine; only HTTPS is not working reliably. Now I'm wondering if passthrough is not set up correctly. Attached is my config file from pfSense (anonymised):

    # Automaticaly generated, dont edit manually.
    # Generated on: 2017-10-05 17:24
    global
    	maxconn			100000
    	stats socket /tmp/haproxy.socket level admin
    	uid			80
    	gid			80
    	nbproc			1
    	chroot			/tmp/haproxy_chroot
    	daemon
    	server-state-file /tmp/haproxy_server_state
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:8082 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend Front-End-https
    	bind			publicIP:443 name publicIP:443   
    	mode			tcp
    	log			global
    	timeout client		30000
    	tcp-request inspect-delay	5s
    	acl			fc	req.ssl_sni -m sub -i fc.contoso.com
    	acl			franch	req.ssl_sni -m sub -i contoso.dyndns.org
    	acl			moe	req.ssl_sni -m sub -i moe.contoso.com
    	tcp-request content accept if { req.ssl_hello_type 1 }
    
    	use_backend fc.contoso.com_https_ipvANY  if  fc 
    	use_backend contoso.dyndns.org_https_ipvANY  if  franch
    	use_backend moe.contoso.com_https_ipvANY  if  moe.da 
    
    frontend Front-End-http
    	bind			publicIP:80 name publicIP:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	acl			fc.contoso.com	hdr_sub(host) -i fc.contoso.com
    	acl			contoso.dyndns.org	hdr_sub(host) -i contoso.dyndns.org
    	acl			testa.dyndns.org	hdr_sub(host) -i testa.dyndns.org
    	acl			moe.contoso.com	hdr_sub(host) -i moe.contoso.com
    	http-request redirect scheme https  if  fc.contoso.com 
    	http-request redirect scheme https code 301  if  contoso.dyndns.org
    	use_backend testa.dyndns.org_http_ipvANY  if  testa.dyndns.org
    	use_backend moe.contoso.com_http_ipvANY  if  moe.contoso.com
    
    backend fc.contoso.com_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			http-fc.contoso.com 192.168.13.37:80  
    	server			https-contoso.dyndns.org 192.168.13.37:443 check-ssl  verify none 
    
    backend contoso.dyndns.org_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			http-contoso.dyndns.org 192.168.13.37:443 check-ssl  verify none 
    	server			https-contoso.dyndns.org 192.168.13.37:80  
    
    backend moe.contoso.com_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			https-moe.contoso.com 192.168.13.35:80  
    	server			http-moe.contoso.com 192.168.13.35:443 check-ssl  verify none 
    
    backend testa.dyndns.org_http_ipvANY
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			testa.dyndns.org 192.168.13.10:7588 check inter 1000  
    
    backend moe.contoso.com_http_ipvANY
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			https-moe.contoso.com 192.168.13.35:80  
    	server			http-moe.contoso.com 192.168.13.35:443 ssl  verify none
    

    Any advice on what could be wrong?

    Thanks!
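
An added check, not part of the original post: a small Python lint for configs shaped like the one above. It flags TCP-mode backends whose `server` lines use different ports (HAProxy balances across all servers in a backend, round-robin by default) and `use_backend` rules that name an ACL the section does not define. The sample config is constructed from the post's structure, and `parse_sections` and `lint` are hypothetical helper names.

```python
# Simplified HAProxy config lint; handles only the directives used in the sample.
SECTION_KEYWORDS = ("global", "defaults", "listen", "frontend", "backend")

# Constructed sample, reduced from the structure of the posted config.
SAMPLE = """\
frontend Front-End-https
    mode            tcp
    acl             fc      req.ssl_sni -m sub -i fc.contoso.com
    acl             moe     req.ssl_sni -m sub -i moe.contoso.com
    use_backend fc.contoso.com_https_ipvANY  if  fc
    use_backend moe.contoso.com_https_ipvANY  if  moe.da

backend fc.contoso.com_https_ipvANY
    mode            tcp
    server          http-fc.contoso.com 192.168.13.37:80
    server          https-contoso.dyndns.org 192.168.13.37:443 check-ssl  verify none

backend moe.contoso.com_https_ipvANY
    mode            tcp
    server          https-moe.contoso.com 192.168.13.35:443 check-ssl  verify none
"""

def parse_sections(text):
    """Return a list of (kind, name, lines), each line a list of tokens."""
    sections = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens and tokens[0] in SECTION_KEYWORDS:
            sections.append((tokens[0], " ".join(tokens[1:2]), []))
        elif tokens and sections:
            sections[-1][2].append(tokens)
    return sections

def lint(text):
    """Flag tcp backends with servers on different ports and undefined ACL names."""
    findings = []
    for kind, name, lines in parse_sections(text):
        if kind == "backend" and ["mode", "tcp"] in lines:
            ports = {l[2].rsplit(":", 1)[-1] for l in lines if l[0] == "server" and len(l) > 2}
            if len(ports) > 1:
                findings.append(f"backend {name}: servers on ports {sorted(ports)}")
        acls = {l[1] for l in lines if l[0] == "acl" and len(l) > 1}
        for l in lines:
            # Only plain named conditions are checked; anonymous { ... } ACLs are skipped.
            if l[0] == "use_backend" and len(l) > 3 and l[2] in ("if", "unless") and "{" not in l:
                for ref in (t.lstrip("!") for t in l[3:]):
                    # All-uppercase names (TRUE, FALSE, ...) are treated as predefined ACLs.
                    if ref and ref not in acls and ref not in ("or", "||") and not ref.isupper():
                        findings.append(f"{kind} {name}: use_backend {l[1]} uses undefined ACL {ref}")
    return findings
```

Calling `lint(SAMPLE)` returns one finding for the `moe.da` condition and one for the backend that lists servers on both port 80 and port 443.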