HAproxy and some Beginner issues

zwck

Hey All,

firstly i like to say that I am quite new to pfsense and haproxying and would like to display what i have set up.

My overall system looks like the following and is setup to function in 1Gbit full duplex (no jumbo frames within the network, MTU 1500 MSS 1460)

WAN -- PFSENSE (DNS Resolver and HAProxy) -- SWITCH __ Webserver 1 -- Many Services on different Ports
                                                    \__Webserver 2 -- Many Services on differnt Ports
                                                     \__ Pc and Wifi things

Or in Ip Related Terms

W.A.N.IP -- PFSENSE (192.168.0.1) -- SWITCH __ Webserver 1 (192.168.0.19) -- Many Services on different Ports
                                            \__Webserver 2 (192.168.0.21) -- Many Services on differnt Ports
                                             \__ PC (192.168.0.172)

```                                                                     

On my Webserver 1 under port 2020 i have setup a html5 speedtest namely (https://github.com/adolfintel/speedtest) which works fairly nicely, i.e., if i visti 192.168.0.19:2020 i will be greeted with my speed test interface, and if i execute it i, i'll get upload and download rates close to the maximum of 1Gbit, its in the lan so that great! When i visit my W.A.N.IP:2021 which is forwarded to 192.168.0.19:2020 the same applies.

However, now the HAproxy part comes in, I also have a domain with speedtest.example.wtf and a vailid ssl certificate which is offloaded with HAproxy so when I visit https://speedtest.example.wtf i'll be greated with my speedtest interface. However when i execute the speedtest i'll get download rates of close and constant to 500Mbit (webservers uploadspeed) and Upload rates of 1000Mbit (servers downloadspeed)

Now to my questions:
It is weird to me that my down load rates are limited as soon as the HAproxy is inbetween, are there some stupid things i forgot to setup, does ssl offloading influence this at all?

My PFSENSE:

Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz
Current: 1400 MHz, Max: 1601 MHz
4 Gig Ram
4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
State table size    0.4% (1640/396000)
MBUF Usage 4% (10386/246072)

here my Ha.cfg

Automaticaly generated, dont edit manually.

Generated on: 2017-11-30 17:34

global
maxconn 10000
stats socket /tmp/haproxy.socket level admin
gid 80
nbproc 1
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
server-state-file /tmp/haproxy_server_state
tune.ssl.maxrecord 1370
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
stats admin if TRUE
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000

frontend frontend1_http
bind 192.168.0.15:80 name 192.168.0.15:80 
mode http
log global
option http-keep-alive
option forwardfor
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
timeout client 30000
acl acl-https hdr_beg(host) -i chat
acl acl-https hdr_beg(host) -i ombi
acl acl-https hdr_beg(host) -i mb
acl acl-https hdr_beg(host) -i rss
acl acl-https hdr_beg(host) -i latex
acl acl-https hdr_beg(host) -i blog
acl acl-https hdr_beg(host) -i plex
acl acl-https hdr_beg(host) -i jd
acl acl-https hdr_beg(host) -i home
acl acl-https hdr_beg(host) -i fab
acl acl-https hdr_beg(host) -i pf
acl acl-https hdr_beg(host) -i hydra
http-request redirect scheme https  if  acl-https

frontend frontend2_sni
bind 192.168.0.15:443 name 192.168.0.15:443 
mode tcp
log global
timeout client 30000
tcp-request inspect-delay 5s
acl cloud_sni req.ssl_sni -m beg -i cloud
tcp-request content accept if { req.ssl_hello_type 1 }

use_backend backend_cloud_https_ipvANY  if  cloud_sni 
default_backend backend_offloading_https_ipvANY

frontend frontend3_offloading
bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/frontend3_offloading.pem 
bind /tmp/haproxy_chroot/frontend3_offloading.socket name unixsocket uid 80 accept-proxy ssl  crt /var/etc/haproxy/frontend3_offloading.pem
mode http
log global
option http-keep-alive
option forwardfor
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
timeout client 30000
#
rspidel ^Server:.$
rspidel ^X-Powered-By:.$
rspidel ^X-AspNet-Version:.$
http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
#http-response set-header X-Frame-Options SAMEDOMAIN
http-response set-header X-Content-Type-Options nosniff
acl chatACL hdr_beg(host) -i chat
acl ombiACL hdr_beg(host) -i ombi
acl latexACL hdr_beg(host) -i latex
acl rssACL hdr_beg(host) -i rss
acl mbACL hdr_beg(host) -i mb
acl embyACL hdr_beg(host) -i emby
acl plexACL hdr_beg(host) -i plex
acl jdACL hdr_beg(host) -i jd
acl homeACL hdr_beg(host) -i home
acl fabACL hdr_beg(host) -i fab
acl pfACL hdr_beg(host) -i pf
acl hydraACL hdr_beg(host) -i hydra
acl aclcrt_frontend3_offloading hdr_reg(host) -i ^([^.]).example.de(:([0-9]){1,5})?$
acl aclcrt_frontend3_offloading hdr_reg(host) -i ^example.de(:([0-9]){1,5})?$
use_backend backend-chat_http_ipv4  if  chatACL aclcrt_frontend3_offloading
use_backend backend-ombi_http_ipv4  if  ombiACL aclcrt_frontend3_offloading
use_backend backend-latex_http_ipv4  if  latexACL aclcrt_frontend3_offloading
use_backend backend-rss_http_ipv4  if  rssACL aclcrt_frontend3_offloading
use_backend backend-emby_http_ipv4  if  embyACL aclcrt_frontend3_offloading
use_backend backend-plex_http_ipv4  if  plexACL aclcrt_frontend3_offloading
use_backend backend-jd_http_ipv4  if  jdACL aclcrt_frontend3_offloading
use_backend backend-emby_http_ipv4  if  mbACL aclcrt_frontend3_offloading
use_backend backend-home_http_ipv4  if  homeACL aclcrt_frontend3_offloading
use_backend backend-fabian-blog_http_ipv4  if  fabACL aclcrt_frontend3_offloading
use_backend backend-pf_http_ipv4  if  pfACL aclcrt_frontend3_offloading
use_backend backend-hydra_http_ipv4  if  hydraACL aclcrt_frontend3_offloading
use_backend backend-kai-blog_http_ipv4  if  aclcrt_frontend3_offloading

backend backend_cloud_https_ipvANY
mode tcp
log global
timeout connect 30000
timeout server 30000
retries 3
server cloud 192.168.0.21:2443 check-ssl  verify none

backend backend_offloading_https_ipvANY
mode tcp
log global
timeout connect 30000
timeout server 30000
retries 3
server backend-to-frontend /frontend3_offloading.socket send-proxy-v2-ssl-cn check inter 1000

backend backend-chat_http_ipv4
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server chat 192.168.0.21:3000 check inter 1000

backend backend-ombi_http_ipv4
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server ombi 192.168.0.19:3579 check inter 1000

backend backend-latex_http_ipv4
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server latex 192.168.0.21:5000 check inter 1000

backend backend-rss_http_ipv4
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server rss 192.168.0.21:2280 check inter 1000

backend backend-emby_http_ipv4
mode http
log global
rspadd Strict-Transport-Security:\ max-age=31536000;
errorfile 503 /var/etc/haproxy/errorfile_backend-emby_http_ipv4_503_customerror
timeout connect 30000
timeout server 30000
retries 3
source ipv4@ usesrc clientip
# add some security related headers
# rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
rspadd X-Frame-Options:\ SAMEORIGIN
rspadd X-Content-Type-Options:\ nosniff
rspadd X-Xss-Protection:\ 1;\ mode=block
server emby_warden 192.168.0.102:8096 check inter 1000

backend backend-plex_http_ipv4
mode http
log global
rspadd Strict-Transport-Security:\ max-age=31536000;
timeout connect 30000
timeout server 30000
retries 3
server emby_warden 192.168.0.102:8096 check inter 1000 
server emby_wardenssl 192.168.0.102:8920 ssl check inter 1000  verify none

backend backend-jd_http_ipv4
mode http
log global
rspadd Strict-Transport-Security:\ max-age=31536000;
errorfile 503 /var/etc/haproxy/errorfile_backend-jd_http_ipv4_503_customerror
timeout connect 30000
timeout server 30000
retries 3
source ipv4@ usesrc clientip
server jd 192.168.0.19:2020 check inter 1000

backend backend-home_http_ipv4
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server homepi 192.168.0.191:8123 check inter 1000

backend backend-fabian-blog_http_ipv4
mode http
log global
rspadd Strict-Transport-Security:\ max-age=31536000;
timeout connect 30000
timeout server 30000
retries 3
server chat 192.168.0.21:2370 check inter 1000

backend backend-pf_http_ipv4
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server pf-rancherqnap 192.168.0.19:9001 check inter 1000

backend backend-hydra_http_ipv4
mode http
log global
rspadd Strict-Transport-Security:\ max-age=31536000;
timeout connect 30000
timeout server 30000
retries 3
server hydra 192.168.0.19:6050 check inter 1000

backend backend-kai-blog_http_ipv4
mode http
log global
rspadd Strict-Transport-Security:\ max-age=31536000;
timeout connect 30000
timeout server 30000
retries 3
server chat 192.168.0.21:2369 check inter 1000