Netgate Discussion Forum

    Shared frontend for two websites with one for SSL on HaProxy

kiekar

      Hello,
I'm currently trying to set up haproxy to use a shared frontend for two websites sharing the same WAN public IP, where one site will use a Let's Encrypt SSL cert on port 443 which I imported from IIS 8.5 and the other site will use only standard port 80.
I created two backends:

      Backend (a) for SSL site:

      Mode=active, name=domain1, Forwardto = Address+Port, Port= 443 and SSL=yes. I also included Backend Pass thru = http-request redirect scheme https if !{ ssl_fc }.

      Backend (b) for non SSL site:

      Mode=active, name=domain2, Forwardto=Address+Port, Port=80, and SSL=no.

      I created 1 default frontend and two shared frontends.

      Frontend default:

      Listen Address=WAN static public IP, Port=80, SSL Offloading unchecked, Type= http/https (offloading) and default backend= none.

      Shared frontend for SSL Website:
      Primary Frontend= default frontend.

      ACL: name= domain1-ACL, Expression=Host matches:, Not=no, value= domain1
      ACL actions:
      Actions=backend: Backend (a) and Conditional acl names= domain1-ACL

      Shared Frontend for NON SSL Website:
      Primary Frontend= default frontend.
      ACL: name= domain2-ACL, Expression=Host matches:, Not=no, value= domain2
      ACL actions:
      Actions=backend: Backend (b) and Conditional acl names= domain2-ACL

I tried adding another external address to the default frontend's external address table by selecting the same WAN public IP, using port 443 with SSL Offloading checked, and then selecting the cert in the SSL Offloading section.

Unfortunately, I'm not able to get this to work. I would very much appreciate it if someone can help me configure my current setup to make this work.

      Thanks in advance

PiBa

        The description 'sounds' good..
Can you share the haproxy.conf from the bottom of the settings tab?

        Does any part work? What part doesn't? How are you requesting it? What (doesn't) happen exactly?

kiekar

          Hello and thanks for your reply, much appreciated.

The non-SSL site works, but for the SSL site I receive a 503 Service Unavailable when using the URL www.sslsite.com (where the green padlock shows), and when using the URL sslsite.com I receive "Your connection is not private". I'm using my mobile network with the Chrome browser.

Below is the haproxy config:

```
# Automaticaly generated, dont edit manually.
# Generated on: 2018-01-04 17:21
global
	stats socket /tmp/haproxy.socket level admin
	uid			80
	gid			80
	nbproc			1
	chroot			/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	1024
	server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend Default-Listener-merged
	bind			xx.xxx.xxx.xxx:80 name xx.xxx.xxx.xxx:80
	bind			xx.xxx.xxx.xxx:443 name xx.xxx.xxx.xxx:443 ssl  crt /var/etc/haproxy/Default-Listener.pem
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	acl			DS-ACL1	hdr(host) -i domain1.com
	acl			DS-ACL	hdr(host) -i www.domain1.com
	acl			Tech-ACL1	hdr(host) -i domain2.com
	acl			Tech-ACL	hdr(host) -i www.domain2.com
	use_backend DS-Backend_http_ipvANY  if  DS-ACL1
	use_backend DS-Backend_http_ipvANY  if  DS-ACL
	use_backend Tech-Backend_http_ipvANY  if  Tech-ACL1
	use_backend Tech-Backend_http_ipvANY  if  Tech-ACL

backend DS-Backend_http_ipvANY
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS /
	http-request redirect scheme https if !{ ssl_fc }
	server			DS-Website 172.16.0.7:443 ssl check inter 1000  verify none

backend Tech-Backend_http_ipvANY
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS /
	server			techWebsite 172.16.0.8:80 check inter 1000
```
          
PiBa

            For the 503 error, if you look at the 'stats' page does the SSL DS-Website server show in 'green'?
If it's 'down' then check what the LastChk column says; maybe the server returns an authentication request? Or some other error? Try changing 'OPTIONS' to 'GET' for the health check, or add a "Host: webserver" in the request?

As for the certificate error, probably the top domain is not included in the certificate as a valid alternative name? (With some CAs you must specifically ask for this..)

p.s. Please just copy-paste the text of the config and obfuscate where needed.. And put it inside some code tags instead of an image.

kiekar

> For the 503 error, if you look at the 'stats' page does the SSL DS-Website server show in 'green'?

The stats page shows red and down for the backend.

The LastChk displays L6RSP "connection error during SSL Handshake" when SNI is checked in the bindings for 443 in IIS, and L7STS/404 "Layer 7 wrong status: not found" when SNI is unchecked.

I also tried with GET instead of OPTIONS but I did not see any difference. The stats page is something I'm not familiar with.

PiBa

Does https://172.16.0.7/ work when requested with a browser? Or is some page/URL needed behind it? If so, add that to the URL used for the health check.

kiekar

                  Thanks again PiBa for your patience and help, much appreciated.

Well, I got it to work externally now by modifying the bindings in IIS: changing the IP address from * to 172.16.0.7 for HTTP and HTTPS, and also deselecting the SNI checkbox and leaving the Host Name blank for HTTPS.

So I'm happy it's working externally, but I still need to work out why internally it now points to the default webpage from my internal network.

One other thing: if one was to enter mydomain.com in the browser, would I need to make a second certificate for mydomain.com so as to redirect to https://www.mydomain.com?

PiBa

By default haproxy does not send SNI to the webserver.. It needs 1.8 to fully support those configuration options.. If you can do without for now, at least wait for 1.8.3 to become available on pfSense before trying that…
                    http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-check-sni
                    http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-sni

A single certificate can be valid for multiple domains, so you can make 1 certificate that's valid for both www.domain.com and domain.com as a 'Subject Alternative Name'. And yes, to be able to send a redirect you still need a valid cert..

                    Having IIS bound to * should also work imho.. as long as it accepts haproxy's connection the request should be handled the same..

As for internally, it should just work the same as externally.. Unless you visit it by a different hostname and have IIS check for that also?

kiekar
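The DS backend from the posted config, rewritten with the three changes this thread converges on (a health check that sends a Host header and SNI, client SNI forwarded to IIS, and backend certificate verification instead of `verify none`). This is an added example, not the thread's config or the pfSense package's output; the CA bundle path and /health.html are assumptions, and `check-sni` needs HAProxy 1.8 or later as noted above.

```haproxy
# Added example (not from the thread or the pfSense package).
# Assumed: /usr/local/share/certs/ca-root-nss.crt exists, /health.html is a
# real page on the IIS site, and the listener cert carries both host names.

global
    # Posted config uses 1024; 2048 is the floor for a safe DH key exchange.
    tune.ssl.default-dh-param  2048

frontend Default-Listener-merged
    bind xx.xxx.xxx.xxx:80
    # The cert must contain SANs for www.domain1.com AND domain1.com, or the
    # bare-domain request fails the TLS handshake before any redirect is sent.
    bind xx.xxx.xxx.xxx:443 ssl crt /var/etc/haproxy/Default-Listener.pem
    mode http
    acl DS-ACL   hdr(host) -i domain1.com www.domain1.com
    acl Tech-ACL hdr(host) -i domain2.com www.domain2.com
    use_backend DS-Backend_http_ipvANY   if DS-ACL
    use_backend Tech-Backend_http_ipvANY if Tech-ACL

backend DS-Backend_http_ipvANY
    mode http
    http-request redirect scheme https code 301 if !{ ssl_fc }
    # Health check: request a real page and send a Host header, so an IIS site
    # bound to a host name does not answer 404 (the L7STS/404 seen in the thread).
    option httpchk GET /health.html HTTP/1.1\r\nHost:\ www.domain1.com

    # As posted: no SNI on the check (L6RSP once the IIS binding requires SNI)
    # and 'verify none', which accepts any certificate from 172.16.0.7, so a
    # misrouted or spoofed backend would be trusted. Kept here for comparison.
    #server DS-Website 172.16.0.7:443 ssl check inter 1000 verify none

    # Hardened: forward the client's SNI, send an explicit SNI on the health
    # check (HAProxy 1.8+), and verify the backend chain against a CA bundle.
    server DS-Website 172.16.0.7:443 ssl check inter 1000 sni req.hdr(host) check-sni www.domain1.com verify required ca-file /usr/local/share/certs/ca-root-nss.crt
```

After reloading, the stats page should show DS-Website green with the LastChk column reporting an L7OK on /health.html; a remaining L6RSP points at the IIS binding still rejecting the check's SNI, and a verify failure points at a CA bundle that does not contain the backend certificate's issuer.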

Thanks for the links.

> A single certificate can be valid for multiple domains, so you can make 1 certificate that's valid for both www.domain.com and domain.com as a 'Subject Alternative Name'. And yes, to be able to send a redirect you still need a valid cert..
>
> Having IIS bound to * should also work imho.. as long as it accepts haproxy's connection the request should be handled the same..
>
> As for internally, it should just work the same as externally.. Unless you visit it by a different hostname and have IIS check for that also?

                      Will look further into it.
