HAproxy issue after installing 2.3.5 (SOLVED)



  • Hi,
    I was wondering if someone else has had this issue that seems HAproxy is having issue to direct from cloud.mydomain.com and mydomain.com
    i had it working perfectly on 2.2.6
    The issue is that when i try to go to mydomain.com it somehow keeps going to cloud.mydomain.com i have no reason why did the same steps on the older pfSense. It keeps getting the backend2
    Also after realizing it does not redirect the http to https :( i thought it was working but if i delete the cache and cookies and try to type mydomain.com it wont redirect to https://mydomain.com

    See pictures

    Thank you

    # Automaticaly generated, dont edit manually.
    # Generated on: 2017-11-06 04:02
    global
    	maxconn			500
    	stats socket /tmp/haproxy.socket level admin
    	uid			80
    	gid			80
    	nbproc			1
    	chroot			/tmp/haproxy_chroot
    	daemon
    	server-state-file /tmp/haproxy_server_state
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:2200 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend SharedFrontend-merged
    	bind			200.xxx.xxx.xxx:443 name 200.xxx.xxx.xxx:443   
    	mode			tcp
    	log			global
    	timeout client		30000
    	tcp-request inspect-delay	5s
    	acl			web	req.ssl_sni -i mydomain.com
    	acl			cloud	req.ssl_sni -m sub -i cloud.mydomain.com
    	tcp-request content accept if { req.ssl_hello_type 1 }
    
    	tcp-request content accept if { req.ssl_hello_type 1 }
    
    	default_backend Backend1_https_ipvANY
    	default_backend Backend2_https_ipvANY
    
    backend Backend1_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			Website 192.168.3.130:443 check inter 1000  
    
    backend Backend2_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			Cloud 192.168.3.200:443 check inter 1000
    
















  • Seems youve got 2 default-backends ending up in the config, that wont work right.

    What is needed is a 'action' that says to use_backend X if some acl matches.

    Did you upgrade a existing configuration? It 'should' have automatically converted from the old frontend+acl to acl+action like backend selection.



  • Thanks for the reply, i did not upgrade rather started from scratch.
    So that part from the backend fix it instead of using default from what you said i added the cloud and web action from the ACL (see picture)
    But i also been reading that HAproxy does not redirect http to https when its in TCP mode but if i delete history, cache , cookies and type mydomain.com i get the pfSense DNS rebind attack but if type https://mydomain.com it works and also https://cloud.mydomain.com

    Then on the sharefrontend i tried on advance so it redirects traffic to https

    redirect scheme https code 301 if !{ ssl_fc }
    

    but on HAproxy gets this error

    [WARNING] 309/152723 (70482) : parsing [/var/etc/haproxy/haproxy.cfg:33] : a 'tcp-request' rule placed after a 'redirect' rule will still be processed before.
    [WARNING] 309/152723 (70482) : config : 'redirect' rules ignored for frontend 'SharedFrontend-merged' as they require HTTP mode. 
    

    Thank you








  • Indeed haproxy cannot send a http redirect when operating in tcp mode.

    The redirect that seems to happen anyway might be a cached hsts header (usually hard but possible to erase from the browser memory, take more then just deleting cookies though..)
    Or also the 'webgui redirect' from pfSense System/Advanced/AdminAccess which will be listening on port 80.



  • Thanks for the reply, as i changed the port to 81 so it wont listen but same concept because HTTP cannot be directed to HTTPS. Would there be any other way using the TCP mode on HAproxy? Rewriting the URL maybe?

    The redirect that seems to happen anyway might be a cached hsts header (usually hard but possible to erase from the browser memory, take more then just deleting cookies though..)

    what i did is on chrome crtl+shift+delete, deleted everything closed it and opened it and bam wont redirect. of Course on firefox did not delete anything and went perfect. The issue with that is when a user or client has never gone to the website there either going to error or it wont load unless they put https://

    Thank you



  • For the redirect from http to https to work you must have something that listens on :80 and performs the redirect. This could be done with a frontend specifically made for this and without any backends. It could have a single action that performs the redirect.



  • Thanks for the quick reply,
    So on HAproxy i added another frontend
    But when i try to apply settings im getting this error

    Errors found while starting haproxy
    [ALERT] 309/165522 (51624) : parsing [/var/etc/haproxy_test/haproxy.cfg:45] : error detected in frontend 'HTTP' while parsing 'http-request redirect' rule : redirection type expected ('prefix', 'location', or 'scheme').
    [ALERT] 309/165522 (51624) : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg 
    

    see picture

    Thank you








  • Must tell it what type of redirect to perform "scheme https" in your case..

    ![2017-11-06 18_48_03-Services_ HAProxy_ Frontend_ Edit - pfSe.localdomain.png](/public/imported_attachments/1/2017-11-06 18_48_03-Services_ HAProxy_ Frontend_ Edit - pfSe.localdomain.png)
    ![2017-11-06 18_48_03-Services_ HAProxy_ Frontend_ Edit - pfSe.localdomain.png_thumb](/public/imported_attachments/1/2017-11-06 18_48_03-Services_ HAProxy_ Frontend_ Edit - pfSe.localdomain.png_thumb)



  • Thank you for the quick reply, that did the trick. for anyone else having this issue here is the screen shot for working SSL, the only tiny issue is the www, if someone puts www.mydomain.com it wont direct it to mydomain. i tried adding on rule prefix https but no luck, was reading the manual HAproxy but did not find any other rule that would apply for the www

    Thank you again




  • The www prefix rule needs a bit more content in its action i think: "prefix https://mydomain.com"



  • Thanks for the reply, as for the prefix i tried

    prefix https://mydomain.com
    prefix https://www.mydomain.com

    I also changed ACL because realized that the web_acl www.mydomain.com wont work because all www on nginx gets redirect to mydomain.com

    So instead redirect to mydomain.com but unfortunately did not work

    Thank you




  • well.. www only gets redirected by nginx webserver if the traffic gets to it as far as ive see the 443 frontend doesnt check for www to pass to the right backend.?.

    anyhow using the "prefix https://mydomain.com" should work to redirect http://www.domain.com to https://domain.com, browser caches of previous followed redirects aside..



  • Thanks for the reply, so after hours trail and error this is the config that worked to redirect the www to mydomain.com whats odd that every browser worked by putting the www.mydomain.com besides safari on the iphone but i guess who knows what safari does that wont let redirect, besides that internet explorer, chrome, firefox, puffin all worked well.
    What i did is to create another acl web2 host start with www then below with the prefix

    prefix https://mydomain.com
    

    which points to web2

    Thank you again for all the help hope this helps others see picture



Log in to reply