Netgate Discussion Forum

HAProxy reverse proxy with host headers

    bepo
    last edited by Aug 2, 2018, 11:36 AM

    Hello,

    Please provide some screenshots of your configuration? Front- and backend config?

    Kind regards

    Please use the thumbs up button if you received helpful advice. Thank you!

      pbnet @bepo
      last edited by Aug 2, 2018, 11:54 AM

      @bepo Thanks
      Here it is: https://pbnet.ro/pfs/HAPROXY1.pdf

      I really don't know what to do to have u.domain.com point to u.domain.local.

      Thanks.

        PiBa @pbnet
        last edited by PiBa Aug 2, 2018, 6:01 PM Aug 2, 2018, 5:59 PM

        @pbnet
        What's the part you don't know?

        You have already 2 domains pointing to 2 backends>webservers
        adding a 3rd should be more of the same?

        • add backend with correct server
        • add acl and action in the frontend

        Done?
        What's the problematic part?

        Perhaps if you need dns, and the ip of the server changes from time to time, you want to configure dns on haproxy's settings tab?

          pbnet @PiBa
          last edited by Aug 2, 2018, 6:21 PM

          @piba
          The scenario when x.domain.com points to an internal IP:port works.
          The part that doesn’t work is y.domain.com points to site.local.
          DNS works, since I can access site.local on my network.
          Could you give me some clues on how to do scenario 2?

          Thanks

            PiBa
            last edited by Aug 2, 2018, 8:48 PM

            @pbnet
            Make an ACL for y.domain.com, and use an action to point it to a new backend that has a server that's defined with the address: site.local. The package should then automatically resolve the name to the proper IP and use that in the config..

            Assuming that pfSense knows how to resolve that name.. does it?

              pbnet @PiBa
              last edited by Aug 3, 2018, 5:53 AM

              @piba
              OK,
              This is what I did:

              • FrontEnd side:

              FrontEnd

              • Backend side:
                backend

              What I'm asking is what should I put here, since the back-end server hosts multiple sites on the same IP (that's why I cannot use Address:Port).

              Of course, DNS is working:

              DNS Resolution

              Now, since the back-end configuration doesn't know how to reach the specific host header, it's normal that I will get "The site can't be reached"

              How should I configure the back-end ?

              As I said before: I would like to have http://nginx1.rachita.net point to http://lan.pbnet.local, and, of course, be accessible from the outside. I've already done the firewall Pass rule for this.

              Thanks.

                PiBa
                last edited by Aug 3, 2018, 7:35 PM

                @pbnet
                The TCP connection between haproxy and webserver will be made to the IP address no matter if you configure an IP address or an FQDN..

                That ping is not performed on pfSense itself, so doesn't actually answer my question..

                But perhaps you want to overwrite the request Hostname in the http traffic?
                In that case you can configure a action in the backend:

                • Action: Header Set
                • Name: Host
                • fmt: lan.pbnet.local

                And perhaps also in the healthcheck?
                You can use the 'Version' field for that to add a host header in the checked host.

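The routing and Host rewrite described in the post above, written out as raw HAProxy configuration. This is an added example, not the configuration the pfSense package generated in this thread; the section names (`http_in`, `be_lan_pbnet`, `be_reject`), the server name `web1` and the timeout values are assumptions.

```haproxy
# Added example with assumed section names and timeouts.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind :80
    # Route on the Host header the client sent (case-insensitive match)
    acl host_nginx1 hdr(host) -i nginx1.rachita.net
    use_backend be_lan_pbnet if host_nginx1
    # Requests for any other host name are refused instead of reaching a LAN site
    default_backend be_reject

backend be_lan_pbnet
    # The TCP connection goes to whatever IP lan.pbnet.local resolves to when
    # the configuration is loaded. The web server hosts several sites on that
    # IP, so the Host header is rewritten to select the right virtual host.
    http-request set-header Host lan.pbnet.local
    # The health check has to carry the same Host header, otherwise it probes
    # the server's default site. Classic syntax shown; HAProxy 2.2 and later
    # express it as: http-check send meth GET uri / ver HTTP/1.1 hdr Host lan.pbnet.local
    option httpchk GET / HTTP/1.1\r\nHost:\ lan.pbnet.local
    server web1 lan.pbnet.local:80 check

backend be_reject
    http-request deny
```

Running `haproxy -c -f <file>` checks the syntax without starting the proxy.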
                  pbnet @PiBa
                  last edited by Aug 4, 2018, 6:11 AM

                  @piba
                  It worked like a charm!!!! Thanks a lot !!!

                  BACKEND1
                  BACKEND2

                  May I dare to ask you if you could share an article, or tell me how to do an SSL scenario (like accessing https://site.com from the Internet and being forwarded to http://mysite.local). Is it hard to have Let's Encrypt certificates for the SSL site on pfSense?

                  Thanks again.

                    PiBa @pbnet
                    last edited by Aug 4, 2018, 12:32 PM

                    @pbnet
                    Using acme isn't very difficult, but does take a bit of configuration.. iirc there are several 'tutorials' online that explain how to do this with pfSense+haproxy+acme.. I don't have a link handy at present though..

                    The acme part depends a lot on how you can do 'validation' by using automatically added dns txt records, or using http request that needs be handled by the acme client script.. DNS would probably be the preferred method, but not all dns providers are supported.. You will need to investigate a bit.

                    Once you've got the certificate successfully issued you can just select it on the haproxy package, in the frontend create a 'bind' with SSL checked, then at the bottom of the page select the certificate to use..

                    And then the last part, making haproxy use 'http' on the backend is easy.. Unless the website running there performs redirects or issues absolute links in its 'body' contents.. Then you should try and find a setting in the web application that allows it to issue https:// links even when called over http:// .. other option is to run the web application with a cheap cipher and self signed certs between haproxy and the webserver.. That almost always works properly..

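The TLS-terminating setup described in the post above, as raw HAProxy configuration. This is an added example, not taken from the thread or from the pfSense package; the certificate paths are placeholders, the section and server names are assumptions, and whether the web application honours `X-Forwarded-Proto` depends on the application.

```haproxy
# Added example with placeholder paths and assumed section names.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # 'bind' with SSL checked: the PEM holds the issued certificate chain and key
    bind :443 ssl crt /path/to/placeholder/site.com.pem
    acl host_site hdr(host) -i site.com
    use_backend be_mysite if host_site

backend be_mysite
    # Select the internal virtual host, as in the plain-HTTP case
    http-request set-header Host mysite.local
    # Tell the application the client connection was HTTPS, so it can issue
    # https:// redirects and absolute links even though HAProxy calls it over http://
    http-request set-header X-Forwarded-Proto https
    server web1 mysite.local:80 check

    # Alternative when the application cannot be told about the original scheme:
    # speak TLS to the web server as well. Handing HAProxy the server's
    # self-signed certificate as ca-file keeps verification on for that hop.
    # server web1 mysite.local:443 ssl verify required ca-file /path/to/placeholder/backend-cert.pem check
```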
                      pbnet @PiBa
                      last edited by Aug 5, 2018, 4:40 PM

                      @piba

                      Thanks a lot for all your help.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.