Netgate Discussion Forum

    [SOLVED] pfSense + HAProxy – Reverse Proxy with multiple Services on one internal IP

    3 Posts 2 Posters 14.9k Views 2 Watching
    Bioneye (last edited by Bioneye)

      Currently I am using pfSense on my server with the HAProxy package, because I can easily configure it via the GUI.

      I configured HAProxy to act as a reverse proxy corresponding to this guide: https://blog.devita.co/pfsense-to-proxy-traffic-for-websites-using-pfsense/

      SSL offloading works like a charm. The problem I have is when I have more than one service (open port) on the same internal IP it seems not to be working.

      Example:

      • I configure service1.domain.com for Service1 with port 8000 (10.100.10.101:8000) and it works flawlessly.
      • Now I need another port on the same machine (e.g. 10.100.10.101:8082) with another service. If I configure another backend pointing to the same IP but with a different port, I can only reach the second service (service2.domain.com), even if I access service1.domain.com.

      My use case is that I am trying to set up Seafile which is using port 8000 for the web GUI and port 8082 for the fileserver. Right now I am able to access the web GUI but I am not able to upload, download or share files.

      My configuration:

      # Automaticaly generated, dont edit manually.
      # Generated on: 2018-09-29 19:24
      global
          maxconn    1000
          stats socket /tmp/haproxy.socket level admin 
          gid    80
          nbproc    1
          hard-stop-after    15m
          chroot    /tmp/haproxy_chroot
          daemon
          tune.ssl.default-dh-param    8192
          server-state-file /tmp/haproxy_server_state
          ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
          ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
          ssl-default-server-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
          ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
      
      listen HAProxyLocalStats
          bind 127.0.0.1:2200 name localstats
          mode http
          stats enable
          stats admin if TRUE
          stats show-legends
          stats uri /haproxy/haproxy_stats.php?haproxystats=1
          timeout client 5000
          timeout connect 5000
          timeout server 5000
      
      frontend shared-frontend-merged
          bind    X.X.X.X:443 name X.X.X.X:443   ssl crt-list /var/etc/haproxy/shared-frontend.crt_list  
          mode    http
          log    global
          option    http-keep-alive
          option    forwardfor
          acl https ssl_fc
          http-request set-header    X-Forwarded-Proto http if !https
          http-request set-header    X-Forwarded-Proto https if https
          timeout client    30000
          http-response set-header Strict-Transport-Security max-age=15768000
          acl    aclcrt_shared-frontend    var(txn.txnhost) -m reg -i ^([^\.]*)\.domain\.com(:([0-9]){1,5})?$
          acl    ACL1    var(txn.txnhost) -m str -i test.domain.com
          acl    ACL2    var(txn.txnhost) -m str -i service1.domain.com
          acl    ACL3    var(txn.txnhost) -m str -i service2.domain.com
          http-request set-var(txn.txnhost) hdr(host)
          default_backend test.domain.com_ipv4
          default_backend service1.domain.com_ipvANY
          default_backend service2.domain.com_ipvANY
      
      frontend http-to-https
          bind    X.X.X.X:80 name X.X.X.X:80   
          mode    http
          log    global
          option    http-keep-alive
          timeout client    30000
          http-request redirect scheme https 
      
      backend test.domain.com_ipv4
          mode    http
          id    10100
          log    global
          timeout connect    30000
          timeout server    30000
          retries    3
          source ipv4@ usesrc clientip
          option    httpchk GET / 
          server    testvm-server01 10.100.10.101:54080 id 10101 check inter 1000  
      
      backend service1.domain.com_ipvANY
          mode    http
          id    102
          log    global
          timeout connect    30000
          timeout server    30000
          retries    3
          option    httpchk GET / 
          server    seafile-vm-01 10.100.10.103:8000 id 101 check inter 1000  
      
      backend service2.domain.com_ipvANY
          mode    http
          id    104
          log    global
          timeout connect    30000
          timeout server    30000
          retries    3
          option    httpchk GET / 
          server    seafile-vm-02 10.100.10.103:8082 id 103 check inter 1000
      

      I would really be glad if anyone can point me in the right direction, thank you in advance and if you need further information please tell me.

      Best regards,

      Bioneye

      P.S.: I also posted this question here: https://stackoverflow.com/questions/52576325/pfsense-haproxy-reverse-proxy-with-multiple-services-on-one-internal-ip

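The generated frontend above defines ACL1, ACL2 and ACL3 but never attaches them to a use_backend rule, and HAProxy honours only the last of several default_backend lines, so every host name ends up at the service2 backend. The lint below is an added example, not the poster's or pfSense's code: it parses such a frontend, reports both problems, and emits the use_backend lines that pair each exact-host ACL with the backend named after that host (the pfSense naming pattern, assumed here and true of the config above).

```python
from collections import defaultdict

# Constructed sample: the routing lines of the posted shared frontend plus its backend names.
SAMPLE_CFG = """\
frontend shared-frontend-merged
    acl    ACL1    var(txn.txnhost) -m str -i test.domain.com
    acl    ACL2    var(txn.txnhost) -m str -i service1.domain.com
    acl    ACL3    var(txn.txnhost) -m str -i service2.domain.com
    http-request set-var(txn.txnhost) hdr(host)
    default_backend test.domain.com_ipv4
    default_backend service1.domain.com_ipvANY
    default_backend service2.domain.com_ipvANY
backend test.domain.com_ipv4
backend service1.domain.com_ipvANY
backend service2.domain.com_ipvANY
"""

def parse(cfg):
    """Return ({frontend: {keyword: [token lists]}}, [backend names]) for the routing keywords only."""
    frontends, backends, cur = {}, [], None
    for line in (l.strip() for l in cfg.splitlines()):
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "frontend":
            cur = frontends.setdefault(tok[1], defaultdict(list))
        elif tok[0] in ("backend", "listen", "defaults", "global"):
            backends += [tok[1]] if tok[0] == "backend" else []
            cur = None
        elif cur is not None and tok[0] in ("acl", "use_backend", "default_backend"):
            cur[tok[0]].append(tok)
    return frontends, backends

def lint(cfg):
    """Return (findings, fixes): problems found, and use_backend lines that would route each host ACL."""
    frontends, backends = parse(cfg)
    findings, fixes = [], []
    for name, fe in frontends.items():
        if len(fe["default_backend"]) > 1:
            findings.append(f"{name}: {len(fe['default_backend'])} default_backend lines; only the last ({fe['default_backend'][-1][1]}) applies")
        # ACL names appearing in any use_backend condition, with a leading '!' negation stripped
        used = {t.lstrip("!") for u in fe["use_backend"] for t in u[3:]}
        for acl in fe["acl"]:
            if acl[1] in used:
                continue
            findings.append(f"{name}: acl {acl[1]} is never used by a use_backend rule")
            if "-m" in acl and acl[acl.index("-m") + 1] == "str":  # exact host-name ACL
                target = next((b for b in backends if b.startswith(acl[-1] + "_")), None)
                if target:
                    fixes.append(f"use_backend {target} if {acl[1]}")
    return findings, fixes
```

In the pfSense GUI the same fix is made on the shared frontend under the ACL/actions table by giving each ACL a "Use Backend" action, which is what emits these use_backend lines.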
      Bioneye

        Hi everyone,

        I was able to solve my problem with the help of one awesome user over on reddit.

        For anyone who is interested how I solved it: https://www.reddit.com/r/PFSENSE/comments/9kezl3/pfsense_haproxy_reverse_proxy_with_multiple/?st=jmruoa9r&sh=26d24791

        Greetings,

        Bioneye

        luciano_frc

          Hello, how are you!
          I'm having the same problem as you, but in my case it is Zimbra: the console uses port 7071 and webmail uses port 443.
          Could you post the screens of your HAProxy?
          Thank you so much

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.