HAProxy and some beginner issues



  • Hey All,

    First of all, I am quite new to pfSense and HAProxy, so I would like to show what I have set up.

    My overall system looks like the following and is set up for 1 Gbit/s full duplex (no jumbo frames on the network: MTU 1500, MSS 1460).

    WAN -- PFSENSE (DNS Resolver and HAProxy) -- SWITCH __ Webserver 1 -- Many Services on different Ports
                                                        \__Webserver 2 -- Many Services on different Ports
                                                         \__ Pc and Wifi things
    
    

    Or in IP terms:

    W.A.N.IP -- PFSENSE (192.168.0.1) -- SWITCH __ Webserver 1 (192.168.0.19) -- Many Services on different Ports
                                                \__Webserver 2 (192.168.0.21) -- Many Services on different Ports
                                                 \__ PC (192.168.0.172)
    
    ```                                                                     
    
    On Webserver 1, port 2020, I have set up an HTML5 speed test (https://github.com/adolfintel/speedtest), which works nicely: if I visit 192.168.0.19:2020 I get the speed test interface, and when I run it I get upload and download rates close to the 1 Gbit/s maximum — it is on the LAN, so that is great. The same applies when I visit W.A.N.IP:2021, which is port-forwarded to 192.168.0.19:2020.
    
    Now the HAProxy part comes in. I also have the domain speedtest.example.wtf with a valid SSL certificate, which is offloaded (terminated) by HAProxy, so when I visit https://speedtest.example.wtf I am greeted with the speed test interface. However, when I run the speed test through it I get a download rate that sits constantly at about 500 Mbit/s (the web server's upload direction) and an upload rate of 1000 Mbit/s (the server's download direction).
    
    Now to my questions:
    It seems strange to me that my download rate is capped as soon as HAProxy sits in between. Have I forgotten some obvious setting, and does SSL offloading influence this at all?
    
    My pfSense box:
    

    Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz
    Current: 1400 MHz, Max: 1601 MHz
    4 Gig Ram
    4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
    State table size    0.4% (1640/396000)
    MBUF Usage 4% (10386/246072)

    
    Here is my haproxy.cfg (the "#" comment lines and some "*" characters in the regexes were mangled when I pasted it):
    

    # Automatically generated, don't edit manually.

    # Generated on: 2017-11-30 17:34

    # Process-wide settings. pfSense regenerates this file on every save, so
    # any change must be made in the GUI, not here.
    global
    maxconn 10000
    # Runtime API with admin rights; no "mode"/"user" restriction is visible
    # here, so whatever can open /tmp/haproxy.socket can drain servers or
    # change weights. NOTE(review): consider restricting it (e.g. mode 600) —
    # confirm what the pfSense package itself expects.
    stats socket /tmp/haproxy.socket level admin
    gid 80
    # Single worker process: TLS termination for every frontend runs on one
    # thread of the 2-core/4-thread i5 listed above.
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state
    # Caps each TLS record at 1370 bytes. This favours time-to-first-byte on
    # small objects and may cost some bulk throughput; NOTE(review): worth
    # re-running the speedtest with this unset before blaming HAProxy.
    tune.ssl.maxrecord 1370
    # SSLv3 and session tickets are off, but TLS 1.0/1.1 are still accepted.
    # NOTE(review): add "no-tlsv10 no-tlsv11" once no legacy client needs them.
    ssl-default-bind-options no-sslv3 no-tls-tickets
    # Only ephemeral (EC)DHE suites, AES-GCM preferred, AES-256 CBC as fallback:
    # every suite offered has forward secrecy, no RSA key exchange.
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    # Stats page used by the pfSense GUI, loopback only. "stats admin if TRUE"
    # grants the admin actions (enable/disable servers) to anyone who can reach
    # 127.0.0.1:2200 with no further authentication — do not bind this wider.
    listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

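    # Plain-HTTP entry point. Its only job is to push clients to HTTPS: there is
    # no default_backend, so nothing is ever proxied from here and anything that
    # is not redirected gets a 503.
    frontend frontend1_http
    bind 192.168.0.15:80 name 192.168.0.15:80 
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    # Redirect every host instead of a hand-kept list of name prefixes. The
    # list omitted "emby" and "cloud", both of which are served over TLS by the
    # frontends below, so http://emby.… answered 503 instead of redirecting;
    # and the HSTS policy frontend3 sends (includeSubdomains; preload) already
    # commits every name under the domain to HTTPS. 301 rather than the default
    # 302 so browsers cache the upgrade.
    # NOTE(review): if ACME http-01 challenges must be served over port 80,
    # exempt /.well-known/acme-challenge/ ahead of this rule. This file is
    # generated — set the rule in the pfSense frontend's actions, not here.
    http-request redirect scheme https code 301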

    # TLS entry point on :443 in TCP mode: peeks at the ClientHello SNI and
    # either passes the connection through untouched (cloud*, end-to-end TLS to
    # the backend) or hands it to the local offloading frontend below.
    frontend frontend2_sni
    bind 192.168.0.15:443 name 192.168.0.15:443 
    mode tcp
    log global
    timeout client 30000
    # Wait up to 5 s for a ClientHello. A client that sends nothing TLS-like is
    # not rejected: per HAProxy's default, once the delay expires the connection
    # is accepted and falls to the default backend.
    tcp-request inspect-delay 5s
    # Prefix match: any SNI beginning with "cloud" (cloud.example.de, but also
    # cloudX.whatever) is passed through without termination.
    acl cloud_sni req.ssl_sni -m beg -i cloud
    tcp-request content accept if { req.ssl_hello_type 1 }

    use_backend backend_cloud_https_ipvANY  if  cloud_sni 
    default_backend backend_offloading_https_ipvANY
    

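    # TLS termination ("offloading"). Reached only from frontend2_sni, either on
    # loopback :1443 or over the chrooted unix socket (accept-proxy: the PROXY
    # header carries the real client address across the hop).
    frontend frontend3_offloading
    bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/frontend3_offloading.pem 
    bind /tmp/haproxy_chroot/frontend3_offloading.socket name unixsocket uid 80 accept-proxy ssl  crt /var/etc/haproxy/frontend3_offloading.pem
    mode http
    log global
    option http-keep-alive
    # Appends the client address to X-Forwarded-For; a client-supplied value
    # stays in front of it, so backends must read the LAST entry (or replace
    # this with "http-request set-header X-Forwarded-For %[src]").
    option forwardfor
    # Both binds terminate TLS, so ssl_fc is always true here and the
    # "http if !https" branch below can never fire; kept for parity with the
    # generated layout.
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    #
    # Strip server-fingerprint headers from every response. The pasted copy read
    # "rspidel ^Server:.$" (the regex's "*" appears to have been lost in the
    # paste), which only matches a one-character value and so strips nothing.
    # del-header needs no regex and matches the header name case-insensitively,
    # which is what rspidel ("i" = ignore case) was meant to do.
    http-response del-header Server
    http-response del-header X-Powered-By
    http-response del-header X-AspNet-Version
    # "preload" with includeSubdomains is a long-term commitment: every name
    # under the domain — including the passed-through cloud* host, which this
    # frontend never sees — must keep serving valid TLS.
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    # Left disabled as in the original. The original said SAMEDOMAIN, which is
    # not a defined X-Frame-Options token; SAMEORIGIN is the valid spelling.
    #http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header X-Content-Type-Options nosniff
    # hdr_beg is a prefix match: "chat" also matches chatter.example.de. Each
    # route below is additionally gated on aclcrt_frontend3_offloading.
    acl chatACL hdr_beg(host) -i chat
    acl ombiACL hdr_beg(host) -i ombi
    acl latexACL hdr_beg(host) -i latex
    acl rssACL hdr_beg(host) -i rss
    acl mbACL hdr_beg(host) -i mb
    acl embyACL hdr_beg(host) -i emby
    acl plexACL hdr_beg(host) -i plex
    acl jdACL hdr_beg(host) -i jd
    acl homeACL hdr_beg(host) -i home
    acl fabACL hdr_beg(host) -i fab
    acl pfACL hdr_beg(host) -i pf
    acl hydraACL hdr_beg(host) -i hydra
    # Restrict routing to the site's own names. The "*" lost in the paste is
    # restored and the dots are escaped so that e.g. "xexample.de" no longer
    # matches; an optional ":port" suffix is still accepted.
    acl aclcrt_frontend3_offloading hdr_reg(host) -i ^([^.]*)\.example\.de(:[0-9]{1,5})?$
    acl aclcrt_frontend3_offloading hdr_reg(host) -i ^example\.de(:[0-9]{1,5})?$
    use_backend backend-chat_http_ipv4  if  chatACL aclcrt_frontend3_offloading
    use_backend backend-ombi_http_ipv4  if  ombiACL aclcrt_frontend3_offloading
    use_backend backend-latex_http_ipv4  if  latexACL aclcrt_frontend3_offloading
    use_backend backend-rss_http_ipv4  if  rssACL aclcrt_frontend3_offloading
    use_backend backend-emby_http_ipv4  if  embyACL aclcrt_frontend3_offloading
    use_backend backend-plex_http_ipv4  if  plexACL aclcrt_frontend3_offloading
    use_backend backend-jd_http_ipv4  if  jdACL aclcrt_frontend3_offloading
    # mb* is a second name for the emby backend.
    use_backend backend-emby_http_ipv4  if  mbACL aclcrt_frontend3_offloading
    use_backend backend-home_http_ipv4  if  homeACL aclcrt_frontend3_offloading
    use_backend backend-fabian-blog_http_ipv4  if  fabACL aclcrt_frontend3_offloading
    use_backend backend-pf_http_ipv4  if  pfACL aclcrt_frontend3_offloading
    use_backend backend-hydra_http_ipv4  if  hydraACL aclcrt_frontend3_offloading
    # Catch-all for any other name under the domain (e.g. blog.*); hosts
    # outside the domain match nothing and receive a 503.
    use_backend backend-kai-blog_http_ipv4  if  aclcrt_frontend3_offloading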

    # TCP passthrough for cloud*: the client's TLS session ends on
    # 192.168.0.21:2443 and HAProxy never sees plaintext. "verify none" affects
    # only HAProxy's own TLS health check, not client traffic.
    backend backend_cloud_https_ipvANY
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server cloud 192.168.0.21:2443 check-ssl  verify none

    # Loops every non-cloud TLS connection back into frontend3_offloading over
    # the chrooted unix socket. PROXY protocol v2 (with the SSL/CN extensions)
    # forwards the original client address, which the TCP hop would otherwise
    # hide from the HTTP frontend.
    backend backend_offloading_https_ipvANY
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server backend-to-frontend /frontend3_offloading.socket send-proxy-v2-ssl-cn check inter 1000

    # chat* -> 192.168.0.21:3000, plain HTTP on the LAN (TLS ends at HAProxy).
    backend backend-chat_http_ipv4
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server chat 192.168.0.21:3000 check inter 1000

    # ombi* -> 192.168.0.19:3579, plain HTTP on the LAN.
    backend backend-ombi_http_ipv4
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server ombi 192.168.0.19:3579 check inter 1000

    # latex* -> 192.168.0.21:5000, plain HTTP on the LAN.
    backend backend-latex_http_ipv4
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server latex 192.168.0.21:5000 check inter 1000

    # rss* -> 192.168.0.21:2280, plain HTTP on the LAN.
    backend backend-rss_http_ipv4
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server rss 192.168.0.21:2280 check inter 1000

    # emby* and mb* -> 192.168.0.102:8096, plain HTTP on the LAN.
    backend backend-emby_http_ipv4
    mode http
    log global
    # Adds an STS header in addition to the one frontend3_offloading sets on
    # every response. NOTE(review): check the final response for a duplicate
    # header — the frontend's stronger policy alone is sufficient.
    rspadd Strict-Transport-Security:\ max-age=31536000;
    errorfile 503 /var/etc/haproxy/errorfile_backend-emby_http_ipv4_503_customerror
    timeout connect 30000
    timeout server 30000
    retries 3
    # Transparent proxying: the connection to the server is opened FROM the
    # client's IP so the server logs real addresses. The server's replies are
    # then addressed to that client IP and must be routed back through pfSense
    # (and intercepted by pf) — the server's default route has to be pfSense.
    source ipv4@ usesrc clientip
    # add some security related headers
    # rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
    rspadd X-Frame-Options:\ SAMEORIGIN
    rspadd X-Content-Type-Options:\ nosniff
    rspadd X-Xss-Protection:\ 1;\ mode=block
    server emby_warden 192.168.0.102:8096 check inter 1000

    # plex* -> 192.168.0.102, the same host the emby backend uses (8096 plain,
    # 8920 TLS). NOTE(review): confirm this is intended and not a copy-paste of
    # the emby servers.
    backend backend-plex_http_ipv4
    mode http
    log global
    rspadd Strict-Transport-Security:\ max-age=31536000;
    timeout connect 30000
    timeout server 30000
    retries 3
    # No "balance" keyword, so HAProxy's default round-robin alternates requests
    # between the plaintext and the TLS port of the same host.
    server emby_warden 192.168.0.102:8096 check inter 1000 
    # "verify none": the backend certificate is not checked, so this
    # re-encrypted leg gives no protection against an on-LAN MITM. Use
    # "verify required ca-file <ca>" (or drop this server, since 8096 already
    # works) if that matters.
    server emby_wardenssl 192.168.0.102:8920 ssl check inter 1000  verify none

    # jd* -> 192.168.0.19:2020, i.e. the speedtest page described in the post.
    backend backend-jd_http_ipv4
    mode http
    log global
    # Second STS header on top of the frontend's; see the emby backend.
    rspadd Strict-Transport-Security:\ max-age=31536000;
    errorfile 503 /var/etc/haproxy/errorfile_backend-jd_http_ipv4_503_customerror
    timeout connect 30000
    timeout server 30000
    retries 3
    # Transparent proxying (server sees the client IP): the server's replies are
    # addressed to the client and have to be intercepted by pf on their way
    # back, which adds kernel work to the download leg. NOTE(review): worth
    # retesting with this off when chasing the 500 Mbit download ceiling.
    source ipv4@ usesrc clientip
    server jd 192.168.0.19:2020 check inter 1000

    # home* -> 192.168.0.191:8123, plain HTTP on the LAN.
    backend backend-home_http_ipv4
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server homepi 192.168.0.191:8123 check inter 1000

    # fab* -> 192.168.0.21:2370, plain HTTP on the LAN.
    backend backend-fabian-blog_http_ipv4
    mode http
    log global
    rspadd Strict-Transport-Security:\ max-age=31536000;
    timeout connect 30000
    timeout server 30000
    retries 3
    # Server name "chat" is a copy-paste leftover; it only shows up in logs and
    # stats, but it is misleading there.
    server chat 192.168.0.21:2370 check inter 1000

    # pf* -> 192.168.0.19:9001, plain HTTP on the LAN.
    backend backend-pf_http_ipv4
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server pf-rancherqnap 192.168.0.19:9001 check inter 1000

    # hydra* -> 192.168.0.19:6050, plain HTTP on the LAN.
    backend backend-hydra_http_ipv4
    mode http
    log global
    rspadd Strict-Transport-Security:\ max-age=31536000;
    timeout connect 30000
    timeout server 30000
    retries 3
    server hydra 192.168.0.19:6050 check inter 1000

    # Catch-all for any *.example.de name not matched above -> 192.168.0.21:2369.
    backend backend-kai-blog_http_ipv4
    mode http
    log global
    rspadd Strict-Transport-Security:\ max-age=31536000;
    timeout connect 30000
    timeout server 30000
    retries 3
    # Server name "chat" is a copy-paste leftover (see fabian-blog as well).
    server chat 192.168.0.21:2369 check inter 1000

