Netgate Discussion Forum

HAProxy reverse proxy with host headers

  • P
    pbnet
    last edited by Aug 2, 2018, 11:23 AM

    Hello,
    I'm trying to set up HAProxy as a reverse proxy.
    I've successfully managed to get sub1.domain.com to point to 192.168.1.2, but I can't find a way to get sub2.domain.com to forward to server1.domain.local (local DNS/Domain).
    Could somebody help me here?

    Thanks.

    1 Reply Last reply Reply Quote 0
    • B
      bepo
      last edited by Aug 2, 2018, 11:36 AM

      Hello,

      Please provide some screenshots of your configuration. Front- and backend config?

      Kind regards

      Please use the thumbs up button if you received helpful advice. Thank you!

      P 1 Reply Last reply Aug 2, 2018, 11:54 AM Reply Quote 0
      • P
        pbnet @bepo
        last edited by Aug 2, 2018, 11:54 AM

        @bepo Thanks
        Here it is: https://pbnet.ro/pfs/HAPROXY1.pdf

        I really don't know what to do to have u.domain.com point to u.domain.local.

        Thanks.

        P 1 Reply Last reply Aug 2, 2018, 5:59 PM Reply Quote 0
        • P
          PiBa @pbnet
          last edited by PiBa Aug 2, 2018, 6:01 PM Aug 2, 2018, 5:59 PM

          @pbnet
          What's the part you don't know?

          You already have 2 domains pointing to 2 backends > webservers;
          adding a 3rd should be more of the same?

          • add backend with correct server
          • add acl and action in the frontend

          Done?
          What's the problematic part?

          Perhaps if you need DNS, and the IP of the server changes from time to time, you want to configure DNS on HAProxy's settings tab?

          P 1 Reply Last reply Aug 2, 2018, 6:21 PM Reply Quote 0
          • P
            pbnet @PiBa
            last edited by Aug 2, 2018, 6:21 PM

            @piba
            The scenario when x.domain.com points to an internal IP:port works.
            The part that doesn’t work is y.domain.com points to site.local.
            DNS works, since I can access site.local on my network.
            Could you give me some clues on how to do scenario 2?

            Thanks

            1 Reply Last reply Reply Quote 0
            • P
              PiBa
              last edited by Aug 2, 2018, 8:48 PM

              @pbnet
              Make an ACL for y.domain.com, and use an action to point it to a new backend that has a server that's defined with the address site.local. The package should then automatically resolve the name to the proper IP and use that in the config.

              Assuming that pfSense knows how to resolve that name... does it?

              P 1 Reply Last reply Aug 3, 2018, 5:53 AM Reply Quote 0
              • P
                pbnet @PiBa
                last edited by Aug 3, 2018, 5:53 AM

                @piba
                OK,
                This is what I did:

                • FrontEnd side:

                FrontEnd

                • Backend side:
                  backend

                What I'm asking is what should I put here, since the back-end server hosts multiple sites on the same IP (that's why I cannot use Address:Port).

                Of course, DNS is working:

                DNS Resolution

                Now, since the back-end configuration doesn't know how to reach the specific host header, it's normal that I will get "The site can't be reached".

                How should I configure the back-end?

                As I said before: I would like to have http://nginx1.rachita.net point to http://lan.pbnet.local and, of course, be accessible from the outside. I've already done the firewall Pass rule for this.

                Thanks.

                1 Reply Last reply Reply Quote 0
                • P
                  PiBa
                  last edited by Aug 3, 2018, 7:35 PM

                  @pbnet
                  The TCP connection between HAProxy and the webserver will be made to the IP address no matter if you configure an IP address or an FQDN.

                  That ping is not performed on pfSense itself, so it doesn't actually answer my question.

                  But perhaps you want to overwrite the request Hostname in the HTTP traffic?
                  In that case you can configure an action in the backend:

                  • Action: Header Set
                  • Name: Host
                  • fmt: lan.pbnet.local

                  And perhaps also in the health check?
                  You can use the 'Version' field for that to add a Host header in the checked host.

                  P 1 Reply Last reply Aug 4, 2018, 6:11 AM Reply Quote 0
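Added example, not part of the original posts: a haproxy.cfg sketch of the setup the answer above describes (Host ACL in the frontend, Host header rewrite and matching health check in the backend). The section names, the 192.0.2.10 bind address and the backend port 80 are assumptions; the hostnames are the ones given in the thread.

```haproxy
# Constructed example; fe_http, be_lan_pbnet and 192.0.2.10 are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_http
    bind 192.0.2.10:80
    # Route on the public name the client sent (-i = case-insensitive).
    acl host_nginx1 hdr(host) -i nginx1.rachita.net
    use_backend be_lan_pbnet if host_nginx1
    # Deliberately no default_backend: a request with any other Host gets a
    # 503 from HAProxy instead of being rewritten and sent to an internal site.

backend be_lan_pbnet
    # The web server hosts several sites on one IP and picks the site from
    # the Host header, so replace the public name with the internal one.
    http-request set-header Host lan.pbnet.local

    # The health check needs the same Host header, otherwise it probes
    # whatever site the server treats as its default.
    # HAProxy before 2.2: the header is appended to the HTTP version string.
    option httpchk GET / HTTP/1.1\r\nHost:\ lan.pbnet.local
    # HAProxy 2.2 and later, equivalent form:
    #   option httpchk
    #   http-check send meth GET uri / ver HTTP/1.1 hdr Host lan.pbnet.local

    # The name is resolved to an IP when HAProxy loads the config; the TCP
    # connection always goes to that IP, whatever Host header is sent.
    server lan1 lan.pbnet.local:80 check
```

Because the backend overwrites Host unconditionally, the frontend ACL is the only thing deciding which public names can reach the internal site, so keep it to an explicit list of hostnames.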
                  • P
                    pbnet @PiBa
                    last edited by Aug 4, 2018, 6:11 AM

                    @piba
                    It worked like a charm!!!! Thanks a lot !!!

                    BACKEND1
                    BACKEND2

                    May I dare to ask you if you could share an article, or tell me how to do an SSL scenario (like accessing https://site.com from the Internet and being forwarded to http://mysite.local)? Is it hard to have Let's Encrypt certificates for the SSL site on pfSense?

                    Thanks again.

                    P 1 Reply Last reply Aug 4, 2018, 12:32 PM Reply Quote 0
                    • P
                      PiBa @pbnet
                      last edited by Aug 4, 2018, 12:32 PM

                      @pbnet
                      Using ACME isn't very difficult, but does take a bit of configuration. IIRC there are several 'tutorials' online that explain how to do this with pfSense+HAProxy+ACME. I don't have a link handy at present though.

                      The ACME part depends a lot on how you can do 'validation': by using automatically added DNS TXT records, or using an HTTP request that needs to be handled by the ACME client script. DNS would probably be the preferred method, but not all DNS providers are supported. You will need to investigate a bit.

                      Once you've got the certificate successfully issued you can just select it in the HAProxy package: in the frontend create a 'bind' with SSL checked, then at the bottom of the page select the certificate to use.

                      And then the last part, making HAProxy use 'http' on the backend, is easy, unless the website running there performs redirects or issues absolute links in its 'body' contents. Then you should try and find a setting in the web application that allows it to issue https:// links even when called over http://. The other option is to run the web application with a cheap cipher and self-signed certs between HAProxy and the webserver. That almost always works properly.

                      P 1 Reply Last reply Aug 5, 2018, 4:40 PM Reply Quote 0
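Added example, not part of the original posts: a haproxy.cfg sketch of the TLS-terminating variant described above, with plain HTTP to the backend and, commented out, the re-encrypting alternative. The bind address, certificate paths and section names are placeholders, and the X-Forwarded-Proto header is an assumption about how the web application learns the original scheme; site.com and mysite.local are the names used in the question.

```haproxy
# Constructed example; 192.0.2.10, the /path/to/... files and the
# fe_https / be_mysite names are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    bind 192.0.2.10:80
    # Certificate + private key in one PEM file, e.g. the one issued via ACME.
    bind 192.0.2.10:443 ssl crt /path/to/site.com.pem
    # Send plain-HTTP clients to HTTPS before anything reaches the backend.
    http-request redirect scheme https code 301 unless { ssl_fc }
    acl host_site hdr(host) -i site.com
    use_backend be_mysite if host_site

backend be_mysite
    # Internal virtual host name expected by the web server.
    http-request set-header Host mysite.local
    # Assumption: the application reads this header to build https:// links
    # and redirects even though HAProxy calls it over http://.
    http-request set-header X-Forwarded-Proto https
    # Option 1: plain HTTP between HAProxy and the web server.
    server web1 mysite.local:80 check

    # Option 2: TLS to the web server with a self-signed certificate.
    # Listing that certificate in ca-file makes HAProxy accept only it;
    # "verify none" would accept any certificate presented on that address.
    # server web1 mysite.local:443 ssl verify required ca-file /path/to/backend-cert.pem check
```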
                      • P
                        pbnet @PiBa
                        last edited by Aug 5, 2018, 4:40 PM

                        @piba

                        Thanks a lot for all your help.

                        1 Reply Last reply Reply Quote 0
                        • D danwize referenced this topic on Feb 9, 2024, 4:25 PM
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.