    HAproxy and some Beginner issues

      zwck
      last edited by

      Hey All,

      Firstly, I'd like to say that I am quite new to pfSense and HAProxy and would like to show what I have set up.

      My overall system looks like the following and is set up to run at 1 Gbit full duplex (no jumbo frames within the network, MTU 1500, MSS 1460):

      WAN -- PFSENSE (DNS Resolver and HAProxy) -- SWITCH __ Webserver 1 -- Many Services on different Ports
                                                          \__Webserver 2 -- Many Services on different Ports
                                                           \__ Pc and Wifi things
      
      

      Or in IP-related terms:

      W.A.N.IP -- PFSENSE (192.168.0.1) -- SWITCH __ Webserver 1 (192.168.0.19) -- Many Services on different Ports
                                                  \__Webserver 2 (192.168.0.21) -- Many Services on different Ports
                                                   \__ PC (192.168.0.172)
      
      
      On my Webserver 1 under port 2020 I have set up an HTML5 speedtest, namely (https://github.com/adolfintel/speedtest), which works fairly nicely, i.e., if I visit 192.168.0.19:2020 I will be greeted with my speed test interface, and if I execute it I'll get upload and download rates close to the maximum of 1 Gbit; it's in the LAN so that's great! When I visit my W.A.N.IP:2021, which is forwarded to 192.168.0.19:2020, the same applies.
      
      However, now the HAProxy part comes in. I also have a domain, speedtest.example.wtf, and a valid SSL certificate which is offloaded with HAProxy, so when I visit https://speedtest.example.wtf I'll be greeted with my speedtest interface. However, when I execute the speedtest I'll get download rates close to and constant at 500 Mbit (the webserver's upload speed) and upload rates of 1000 Mbit (the server's download speed).
      
      Now to my questions:
      It is weird to me that my download rates are limited as soon as HAProxy is in between. Are there some stupid things I forgot to set up? Does SSL offloading influence this at all?
      
      My PFSENSE:
      

      Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz
      Current: 1400 MHz, Max: 1601 MHz
      4 Gig Ram
      4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
      State table size    0.4% (1640/396000)
      MBUF Usage 4% (10386/246072)

      
      Here is my Ha.cfg:
      

      # Automatically generated, don't edit manually.

      # Generated on: 2017-11-30 17:34

      global
      maxconn 10000
      stats socket /tmp/haproxy.socket level admin
      gid 80
      nbproc 1
      chroot /tmp/haproxy_chroot
      daemon
      tune.ssl.default-dh-param 2048
      server-state-file /tmp/haproxy_server_state
      tune.ssl.maxrecord 1370
      ssl-default-bind-options no-sslv3 no-tls-tickets
      ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

      listen HAProxyLocalStats
      bind 127.0.0.1:2200 name localstats
      mode http
      stats enable
      stats admin if TRUE
      stats uri /haproxy/haproxy_stats.php?haproxystats=1
      timeout client 5000
      timeout connect 5000
      timeout server 5000

      frontend frontend1_http
      bind 192.168.0.15:80 name 192.168.0.15:80 
      mode http
      log global
      option http-keep-alive
      option forwardfor
      acl https ssl_fc
      http-request set-header X-Forwarded-Proto http if !https
      http-request set-header X-Forwarded-Proto https if https
      timeout client 30000
      acl acl-https hdr_beg(host) -i chat
      acl acl-https hdr_beg(host) -i ombi
      acl acl-https hdr_beg(host) -i mb
      acl acl-https hdr_beg(host) -i rss
      acl acl-https hdr_beg(host) -i latex
      acl acl-https hdr_beg(host) -i blog
      acl acl-https hdr_beg(host) -i plex
      acl acl-https hdr_beg(host) -i jd
      acl acl-https hdr_beg(host) -i home
      acl acl-https hdr_beg(host) -i fab
      acl acl-https hdr_beg(host) -i pf
      acl acl-https hdr_beg(host) -i hydra
      http-request redirect scheme https  if  acl-https

      frontend frontend2_sni
      bind 192.168.0.15:443 name 192.168.0.15:443 
      mode tcp
      log global
      timeout client 30000
      tcp-request inspect-delay 5s
      acl cloud_sni req.ssl_sni -m beg -i cloud
      tcp-request content accept if { req.ssl_hello_type 1 }

      use_backend backend_cloud_https_ipvANY  if  cloud_sni 
      default_backend backend_offloading_https_ipvANY
      

      frontend frontend3_offloading
      bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/frontend3_offloading.pem 
      bind /tmp/haproxy_chroot/frontend3_offloading.socket name unixsocket uid 80 accept-proxy ssl  crt /var/etc/haproxy/frontend3_offloading.pem
      mode http
      log global
      option http-keep-alive
      option forwardfor
      acl https ssl_fc
      http-request set-header X-Forwarded-Proto http if !https
      http-request set-header X-Forwarded-Proto https if https
      timeout client 30000
      #
      rspidel ^Server:.*$
      rspidel ^X-Powered-By:.*$
      rspidel ^X-AspNet-Version:.*$
      http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
      #http-response set-header X-Frame-Options SAMEDOMAIN
      http-response set-header X-Content-Type-Options nosniff
      acl chatACL hdr_beg(host) -i chat
      acl ombiACL hdr_beg(host) -i ombi
      acl latexACL hdr_beg(host) -i latex
      acl rssACL hdr_beg(host) -i rss
      acl mbACL hdr_beg(host) -i mb
      acl embyACL hdr_beg(host) -i emby
      acl plexACL hdr_beg(host) -i plex
      acl jdACL hdr_beg(host) -i jd
      acl homeACL hdr_beg(host) -i home
      acl fabACL hdr_beg(host) -i fab
      acl pfACL hdr_beg(host) -i pf
      acl hydraACL hdr_beg(host) -i hydra
      acl aclcrt_frontend3_offloading hdr_reg(host) -i ^([^.]*).example.de(:([0-9]){1,5})?$
      acl aclcrt_frontend3_offloading hdr_reg(host) -i ^example.de(:([0-9]){1,5})?$
      use_backend backend-chat_http_ipv4  if  chatACL aclcrt_frontend3_offloading
      use_backend backend-ombi_http_ipv4  if  ombiACL aclcrt_frontend3_offloading
      use_backend backend-latex_http_ipv4  if  latexACL aclcrt_frontend3_offloading
      use_backend backend-rss_http_ipv4  if  rssACL aclcrt_frontend3_offloading
      use_backend backend-emby_http_ipv4  if  embyACL aclcrt_frontend3_offloading
      use_backend backend-plex_http_ipv4  if  plexACL aclcrt_frontend3_offloading
      use_backend backend-jd_http_ipv4  if  jdACL aclcrt_frontend3_offloading
      use_backend backend-emby_http_ipv4  if  mbACL aclcrt_frontend3_offloading
      use_backend backend-home_http_ipv4  if  homeACL aclcrt_frontend3_offloading
      use_backend backend-fabian-blog_http_ipv4  if  fabACL aclcrt_frontend3_offloading
      use_backend backend-pf_http_ipv4  if  pfACL aclcrt_frontend3_offloading
      use_backend backend-hydra_http_ipv4  if  hydraACL aclcrt_frontend3_offloading
      use_backend backend-kai-blog_http_ipv4  if  aclcrt_frontend3_offloading

      backend backend_cloud_https_ipvANY
      mode tcp
      log global
      timeout connect 30000
      timeout server 30000
      retries 3
      server cloud 192.168.0.21:2443 check-ssl  verify none

      backend backend_offloading_https_ipvANY
      mode tcp
      log global
      timeout connect 30000
      timeout server 30000
      retries 3
      server backend-to-frontend /frontend3_offloading.socket send-proxy-v2-ssl-cn check inter 1000

      backend backend-chat_http_ipv4
      mode http
      log global
      timeout connect 30000
      timeout server 30000
      retries 3
      server chat 192.168.0.21:3000 check inter 1000

      backend backend-ombi_http_ipv4
      mode http
      log global
      timeout connect 30000
      timeout server 30000
      retries 3
      server ombi 192.168.0.19:3579 check inter 1000

      backend backend-latex_http_ipv4
      mode http
      log global
      timeout connect 30000
      timeout server 30000
      retries 3
      server latex 192.168.0.21:5000 check inter 1000

      backend backend-rss_http_ipv4
      mode http
      log global
      timeout connect 30000
      timeout server 30000
      retries 3
      server rss 192.168.0.21:2280 check inter 1000

      backend backend-emby_http_ipv4
      mode http
      log global
      rspadd Strict-Transport-Security:\ max-age=31536000;
      errorfile 503 /var/etc/haproxy/errorfile_backend-emby_http_ipv4_503_customerror
      timeout connect 30000
      timeout server 30000
      retries 3
      source ipv4@ usesrc clientip
      # add some security related headers
      # rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
      rspadd X-Frame-Options:\ SAMEORIGIN
      rspadd X-Content-Type-Options:\ nosniff
      rspadd X-Xss-Protection:\ 1;\ mode=block
      server emby_warden 192.168.0.102:8096 check inter 1000

      backend backend-plex_http_ipv4
      mode http
      log global
      rspadd Strict-Transport-Security:\ max-age=31536000;
      timeout connect 30000
      timeout server 30000
      retries 3
      server emby_warden 192.168.0.102:8096 check inter 1000 
      server emby_wardenssl 192.168.0.102:8920 ssl check inter 1000  verify none

      backend backend-jd_http_ipv4
      mode http
      log global
      rspadd Strict-Transport-Security:\ max-age=31536000;
      errorfile 503 /var/etc/haproxy/errorfile_backend-jd_http_ipv4_503_customerror
      timeout connect 30000
      timeout server 30000
      retries 3
      source ipv4@ usesrc clientip
      server jd 192.168.0.19:2020 check inter 1000

      backend backend-home_http_ipv4
      mode http
      log global
      timeout connect 30000
      timeout server 30000
      retries 3
      server homepi 192.168.0.191:8123 check inter 1000

      backend backend-fabian-blog_http_ipv4
      mode http
      log global
      rspadd Strict-Transport-Security:\ max-age=31536000;
      timeout connect 30000
      timeout server 30000
      retries 3
      server chat 192.168.0.21:2370 check inter 1000

      backend backend-pf_http_ipv4
      mode http
      log global
      timeout connect 30000
      timeout server 30000
      retries 3
      server pf-rancherqnap 192.168.0.19:9001 check inter 1000

      backend backend-hydra_http_ipv4
      mode http
      log global
      rspadd Strict-Transport-Security:\ max-age=31536000;
      timeout connect 30000
      timeout server 30000
      retries 3
      server hydra 192.168.0.19:6050 check inter 1000

      backend backend-kai-blog_http_ipv4
      mode http
      log global
      rspadd Strict-Transport-Security:\ max-age=31536000;
      timeout connect 30000
      timeout server 30000
      retries 3
      server chat 192.168.0.21:2369 check inter 1000

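As an added example (not part of the post, and not code from pfSense or the HAProxy project), the script below parses the section structure of an HAProxy config like the one above and reports the things a reviewer would want flagged on an offloading setup: backend servers that speak TLS but carry `verify none` (the proxy-to-backend hop then accepts any certificate), `use_backend` rules that name a backend or ACL that is never defined, and the global knobs `nbproc` and `tune.ssl.maxrecord` that bound TLS work per process. The embedded config is a constructed excerpt modelled on the posted one; `backend-missing_http_ipv4` and `typoACL` are deliberately undefined names added so the check is seen firing.

```python
"""Minimal HAProxy config audit (added example, not from the forum post)."""
import re
from collections import OrderedDict

# Constructed excerpt modelled on the posted config; the last use_backend
# line references a backend and an ACL that do not exist on purpose.
SAMPLE_CFG = """\
global
  maxconn 10000
  nbproc 1
  tune.ssl.maxrecord 1370

frontend frontend2_sni
  bind 192.168.0.15:443 name 192.168.0.15:443
  mode tcp
  acl cloud_sni req.ssl_sni -m beg -i cloud
  use_backend backend_cloud_https_ipvANY  if  cloud_sni
  default_backend backend_offloading_https_ipvANY

frontend frontend3_offloading
  bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/frontend3_offloading.pem
  mode http
  acl jdACL hdr_beg(host) -i jd
  acl aclcrt_frontend3_offloading hdr_reg(host) -i ^([^.]*).example.de(:([0-9]){1,5})?$
  use_backend backend-jd_http_ipv4  if  jdACL aclcrt_frontend3_offloading
  use_backend backend-missing_http_ipv4  if  typoACL aclcrt_frontend3_offloading

backend backend_cloud_https_ipvANY
  mode tcp
  server cloud 192.168.0.21:2443 check-ssl  verify none

backend backend-jd_http_ipv4
  mode http
  server jd 192.168.0.19:2020 check inter 1000

backend backend-plex_http_ipv4
  mode http
  server emby_warden 192.168.0.102:8096 check inter 1000
  server emby_wardenssl 192.168.0.102:8920 ssl check inter 1000  verify none
"""

SECTION_RE = re.compile(r"^(global|defaults|listen|frontend|backend)(?:\s+(\S+))?\s*$")


def parse_sections(text):
    """Return {(kind, name): [directive lines]} in file order; 'global' has name None."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def _tls_without_verify(tokens):
    """True for a 'server' line that uses ssl/check-ssl together with 'verify none'."""
    if "ssl" not in tokens and "check-ssl" not in tokens:
        return False
    if "verify" not in tokens:
        return False
    i = tokens.index("verify")
    return i + 1 < len(tokens) and tokens[i + 1] == "none"


def audit(text):
    """Run the checks and return a list of (severity, message) findings in file order."""
    sections = parse_sections(text)
    backends = {name for kind, name in sections if kind in ("backend", "listen")}
    findings = []
    for (kind, name), lines in sections.items():
        if kind == "global":
            for line in lines:
                key, _, value = line.partition(" ")
                if key in ("nbproc", "tune.ssl.maxrecord"):
                    findings.append(("info", f"global {key} = {value.strip()}"))
        if kind in ("frontend", "listen"):
            acls = {l.split()[1] for l in lines if l.startswith("acl ")}
            for line in lines:
                tokens = line.split()
                if tokens[0] != "use_backend":
                    continue
                if tokens[1] not in backends:
                    findings.append(("error", f"{name}: use_backend references undefined backend {tokens[1]}"))
                if "if" in tokens:
                    for cond in tokens[tokens.index("if") + 1:]:
                        if cond.startswith("{"):      # anonymous ACL, not a named one
                            break
                        if cond in ("or", "||"):
                            continue
                        if cond.lstrip("!") not in acls:
                            findings.append(("error", f"{name}: use_backend uses undefined ACL {cond}"))
        if kind in ("backend", "listen"):
            for line in lines:
                tokens = line.split()
                if tokens[0] == "server" and _tls_without_verify(tokens):
                    findings.append(("warn", f"{name}: server {tokens[1]} uses TLS with 'verify none'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CFG):
        print(f"[{severity}] {message}")
```

Run against the real file with `audit(open("/var/etc/haproxy/haproxy.cfg").read())` (path assumed; adjust to where the pfSense package writes the file). The parser only tracks section boundaries and whitespace-split tokens, which is enough for pfSense-generated configs; it does not evaluate ACL expressions.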
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.