HAproxy issue after installing 2.3.5 (SOLVED)

killmasta93 · Nov 6, 2017, 4:12 AM

Hi,
I was wondering if someone else has had this issue that seems HAproxy is having issue to direct from cloud.mydomain.com and mydomain.com
i had it working perfectly on 2.2.6
The issue is that when i try to go to mydomain.com it somehow keeps going to cloud.mydomain.com i have no reason why did the same steps on the older pfSense. It keeps getting the backend2
Also after realizing it does not redirect the http to https :( i thought it was working but if i delete the cache and cookies and try to type mydomain.com it wont redirect to https://mydomain.com

See pictures

Thank you

# Automaticaly generated, dont edit manually.
# Generated on: 2017-11-06 04:02
global
	maxconn			500
	stats socket /tmp/haproxy.socket level admin
	uid			80
	gid			80
	nbproc			1
	chroot			/tmp/haproxy_chroot
	daemon
	server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend SharedFrontend-merged
	bind			200.xxx.xxx.xxx:443 name 200.xxx.xxx.xxx:443   
	mode			tcp
	log			global
	timeout client		30000
	tcp-request inspect-delay	5s
	acl			web	req.ssl_sni -i mydomain.com
	acl			cloud	req.ssl_sni -m sub -i cloud.mydomain.com
	tcp-request content accept if { req.ssl_hello_type 1 }

	tcp-request content accept if { req.ssl_hello_type 1 }

	default_backend Backend1_https_ipvANY
	default_backend Backend2_https_ipvANY

backend Backend1_https_ipvANY
	mode			tcp
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			Website 192.168.3.130:443 check inter 1000  

backend Backend2_https_ipvANY
	mode			tcp
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			Cloud 192.168.3.200:443 check inter 1000

PiBa · Nov 6, 2017, 3:06 PM

Seems youve got 2 default-backends ending up in the config, that wont work right.

What is needed is a 'action' that says to use_backend X if some acl matches.

Did you upgrade a existing configuration? It 'should' have automatically converted from the old frontend+acl to acl+action like backend selection.

killmasta93 · Nov 6, 2017, 3:28 PM

Thanks for the reply, i did not upgrade rather started from scratch.
So that part from the backend fix it instead of using default from what you said i added the cloud and web action from the ACL (see picture)
But i also been reading that HAproxy does not redirect http to https when its in TCP mode but if i delete history, cache , cookies and type mydomain.com i get the pfSense DNS rebind attack but if type https://mydomain.com it works and also https://cloud.mydomain.com

Then on the sharefrontend i tried on advance so it redirects traffic to https

redirect scheme https code 301 if !{ ssl_fc }

but on HAproxy gets this error

[WARNING] 309/152723 (70482) : parsing [/var/etc/haproxy/haproxy.cfg:33] : a 'tcp-request' rule placed after a 'redirect' rule will still be processed before.
[WARNING] 309/152723 (70482) : config : 'redirect' rules ignored for frontend 'SharedFrontend-merged' as they require HTTP mode.

Thank you

PiBa · Nov 6, 2017, 4:10 PM

Indeed haproxy cannot send a http redirect when operating in tcp mode.

The redirect that seems to happen anyway might be a cached hsts header (usually hard but possible to erase from the browser memory, take more then just deleting cookies though..)
Or also the 'webgui redirect' from pfSense System/Advanced/AdminAccess which will be listening on port 80.

killmasta93 · Nov 6, 2017, 4:37 PM

Thanks for the reply, as i changed the port to 81 so it wont listen but same concept because HTTP cannot be directed to HTTPS. Would there be any other way using the TCP mode on HAproxy? Rewriting the URL maybe?

The redirect that seems to happen anyway might be a cached hsts header (usually hard but possible to erase from the browser memory, take more then just deleting cookies though..)

what i did is on chrome crtl+shift+delete, deleted everything closed it and opened it and bam wont redirect. of Course on firefox did not delete anything and went perfect. The issue with that is when a user or client has never gone to the website there either going to error or it wont load unless they put https://

Thank you

PiBa · Nov 6, 2017, 4:49 PM

For the redirect from http to https to work you must have something that listens on :80 and performs the redirect. This could be done with a frontend specifically made for this and without any backends. It could have a single action that performs the redirect.

killmasta93 · Nov 6, 2017, 4:59 PM

Thanks for the quick reply,
So on HAproxy i added another frontend
But when i try to apply settings im getting this error

Errors found while starting haproxy
[ALERT] 309/165522 (51624) : parsing [/var/etc/haproxy_test/haproxy.cfg:45] : error detected in frontend 'HTTP' while parsing 'http-request redirect' rule : redirection type expected ('prefix', 'location', or 'scheme').
[ALERT] 309/165522 (51624) : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg

see picture

Thank you

PiBa · Nov 6, 2017, 5:49 PM

Must tell it what type of redirect to perform "scheme https" in your case..

![2017-11-06 18_48_03-Services_ HAProxy_ Frontend_ Edit - pfSe.localdomain.png](/public/imported_attachments/1/2017-11-06 18_48_03-Services_ HAProxy_ Frontend_ Edit - pfSe.localdomain.png)
![2017-11-06 18_48_03-Services_ HAProxy_ Frontend_ Edit - pfSe.localdomain.png_thumb](/public/imported_attachments/1/2017-11-06 18_48_03-Services_ HAProxy_ Frontend_ Edit - pfSe.localdomain.png_thumb)

killmasta93 · Nov 6, 2017, 6:23 PM

Thank you for the quick reply, that did the trick. for anyone else having this issue here is the screen shot for working SSL, the only tiny issue is the www, if someone puts www.mydomain.com it wont direct it to mydomain. i tried adding on rule prefix https but no luck, was reading the manual HAproxy but did not find any other rule that would apply for the www

Thank you again

PiBa · Nov 6, 2017, 6:30 PM

The www prefix rule needs a bit more content in its action i think: "prefix https://mydomain.com"

killmasta93 · Nov 6, 2017, 6:52 PM

Thanks for the reply, as for the prefix i tried

prefix https://mydomain.com
prefix https://www.mydomain.com

I also changed ACL because realized that the web_acl www.mydomain.com wont work because all www on nginx gets redirect to mydomain.com

So instead redirect to mydomain.com but unfortunately did not work

Thank you

PiBa · Nov 6, 2017, 9:28 PM

well.. www only gets redirected by nginx webserver if the traffic gets to it as far as ive see the 443 frontend doesnt check for www to pass to the right backend.?.

anyhow using the "prefix https://mydomain.com" should work to redirect http://www.domain.com to https://domain.com, browser caches of previous followed redirects aside..

killmasta93 · Nov 6, 2017, 10:50 PM

Thanks for the reply, so after hours trail and error this is the config that worked to redirect the www to mydomain.com whats odd that every browser worked by putting the www.mydomain.com besides safari on the iphone but i guess who knows what safari does that wont let redirect, besides that internet explorer, chrome, firefox, puffin all worked well.
What i did is to create another acl web2 host start with www then below with the prefix

prefix https://mydomain.com

which points to web2

Thank you again for all the help hope this helps others see picture