What came first - the firewall or the HAProxy?
I'm a newbie to pfSense and the load-balancing world, but hopefully this is an easy one to answer.
I have installed the HAProxy package on my virtual pfSense. When configuring HAProxy to send requests from the frontend to the backend, do I use the NATed address for the frontend or the public IP of the frontend? Or does either work? I'm a little confused as to whether I need to NAT before sending the request/packet to the frontend, or whether I just need ACLs (and no NAT) and configure the HAProxy frontend to listen directly on the public IP.
- WAN IP 220.127.116.11
- LAN IP 10.0.0.1
- I advertise 18.104.22.168 and 22.214.171.124 out the WAN to upstream carrier internet via FRR and BGP
- 126.96.36.199 and 188.8.131.52 are the public addresses for two internal web servers - call them web2 and web3
- 184.108.40.206 is for example.com and 220.127.116.11 is for fubar.com
- The real IP of web2 is 10.0.0.2 and the real IP of web3 is 10.0.0.3
I want to create a single frontend and use SNI to send the requests to the appropriate backend.
Example 1:
- Create a VIP on the internal LAN 10.0.0.254
- Create a 1:1 NAT from "any" to 10.0.0.254
- Create firewall ACL on WAN interface to allow TCP/443 to 10.0.0.254
- Create a frontend listening on 10.0.0.254
- Configure SNI to send example.com to 10.0.0.2 and fubar.com to 10.0.0.3
Example 2:
- Create firewall ACL on WAN interface to allow TCP/443 from any to 18.104.22.168
- Create firewall ACL on WAN interface to allow TCP/443 from any to 22.214.171.124
- Create a frontend listening on 126.96.36.199 default backend 10.0.0.2
- Create a frontend listening on 188.8.131.52 default backend 10.0.0.3
Or is there another way of achieving the same thing?
@kilofoxtrotmike Based on what you say and what I understand: that second example. No need to NAT, because the reverse proxy would terminate the incoming connection from the internet and start a new connection to your internal web server.
Hi @surinameclubcard, thanks for taking the time to answer! I will definitely try that second example then. FWIW, I am currently using the first example, i.e. NAT then HAProxy, and can confirm that does work.
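For reference, here is what the second design looks like as a raw haproxy.cfg (the pfSense package generates this file from the GUI; the block below is an added example written for this page, not configuration from either poster). It also keeps the single frontend the question asked for: one frontend can bind both public addresses and route on SNI, so there is no need for a frontend per IP. The two public addresses are RFC 5737 placeholders (203.0.113.10 / 203.0.113.11) standing in for the advertised /32s; 10.0.0.2 and 10.0.0.3 are the internal servers from the question. Assumptions: the public addresses are configured as IP Alias VIPs on the WAN interface so HAProxy can bind them, the WAN rules pass TCP/443 to each public VIP (not to the internal servers), and TLS is passed through untouched, so the certificates stay on web2 and web3.

```haproxy
# Added example, not from the original thread. TCP-mode SNI routing with
# HAProxy bound directly to the public addresses: no 1:1 NAT involved.
# 203.0.113.10/.11 are placeholders for the two BGP-advertised public IPs,
# which must exist on pfSense as IP Alias VIPs on WAN for the binds to work.

global
    log /dev/log local0
    maxconn 4000

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend https_sni
    # One frontend, two public listeners (replaces one frontend per address)
    bind 203.0.113.10:443    # placeholder: public IP for example.com
    bind 203.0.113.11:443    # placeholder: public IP for fubar.com

    # Hold the connection briefly until the TLS ClientHello is in the buffer,
    # then accept only real TLS handshakes; plain-text or silent clients are
    # dropped when the delay expires.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    tcp-request content reject

    # Route on the server name in the ClientHello (case-insensitive match)
    use_backend web2 if { req.ssl_sni -i example.com }
    use_backend web3 if { req.ssl_sni -i fubar.com }

    # Any other SNI (or none) lands in an empty backend and is closed
    default_backend sni_unknown

backend web2
    server web2 10.0.0.2:443 check

backend web3
    server web3 10.0.0.3:443 check

# No servers on purpose: HAProxy closes connections routed here
backend sni_unknown
```

Two practical notes. Because the firewall rules now target the public VIPs rather than a NATed internal address, the only path from WAN to 10.0.0.2 and 10.0.0.3 is through HAProxy itself, which is the point of the reverse-proxy layout; there should be no WAN rule that passes traffic to the 10.0.0.0/24 addresses directly. And since HAProxy opens a new TCP connection to each backend, the web servers will log the firewall's LAN address (10.0.0.1) as the client unless you enable transparent client IP in the package or switch to PROXY protocol on the backends. Before applying changes, `haproxy -c -f <generated config>` from the pfSense shell checks the file for syntax errors.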