Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HaProxy with 2 websites

    Scheduled Pinned Locked Moved Cache/Proxy
    9 Posts 3 Posters 883 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      slim2016
      last edited by

      I've been trying figure out how to deal with this for a few days and I can't figure it out.

      I have 2 websites hosted on my home server, both have ssl certificates installed on my server.

      one of the website is using port 443 and the other is 4234 (virtual host) on my server.

      I can get one of the website to work if i use tcp, the other methods http/https offloading and ssl/https don't seem to working. If I however add another website to tcp then my seconds website starts using the first website certificate and it come up an ssl mismatch error.

      P 1 Reply Last reply Reply Quote 0
      • P
        PiBa @slim2016
        last edited by

        @slim2016
        Configure a backend for each, and use mode ssl/tcp and configure the proper acl's the SNI name to match and then the action use-backend to use the desired backend.
        If it aint working please post your haproxy.cfg (from bottom of settings tab) and probably i can spot where the issue is.

        p.s. if you dont want to use 'offloading' then don't use certificates in haproxy frontend, and do NOT select SSL-encryption checkbox on the server configuration, but do still use ssl-checks.

        1 Reply Last reply Reply Quote 1
        • S
          slim2016
          last edited by

          Thanks, your advise worked. This is my current config, if any advice in improving it then please let me know, thanks.

          global
          	maxconn			1000
          	log			/var/run/log	local0	info
          	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
          	uid			80
          	gid			80
          	nbproc			1
          	nbthread			1
          	hard-stop-after		15m
          	chroot				/tmp/haproxy_chroot
          	daemon
          	tune.ssl.default-dh-param	2048
          	server-state-file /tmp/haproxy_server_state
          
          listen HAProxyLocalStats
          	bind 127.0.0.1:3976 name localstats
          	mode http
          	stats enable
          	stats admin if TRUE
          	stats show-legends
          	stats uri /haproxy/haproxy_stats.php?haproxystats=1
          	timeout client 5000
          	timeout connect 5000
          	timeout server 5000
          
          frontend frontend-https
          	bind			88.88.88.88:443 name 88.88.88.88:443   
          	mode			tcp
          	log			global
          	timeout client		30000
          	tcp-request inspect-delay	5s
          	acl			acl1	req.ssl_sni -i site1.co.uk
          	acl			acl2	req.ssl_sni -i site2.co.uk
          	tcp-request content accept if { req.ssl_hello_type 1 }
          	use_backend backend1_ipvANY  if  acl1 
          	use_backend backend2_ipvANY  if  acl2
          
          frontend http-https
          	bind			88.88.88.88:80 name 88.88.88.88:80   
          	mode			http
          	log			global
          	option			http-keep-alive
          	timeout client		30000
          	http-request redirect scheme https 
          
          backend backend1_ipvANY
          	mode			tcp
          	id			102
          	log			global
          	timeout connect		30000
          	timeout server		30000
          	retries			3
          	server			backend1 172.217.5.35:443 id 103 check inter 1000  
          
          backend backend2_ipvANY
          	mode			tcp
          	id			101
          	log			global
          	timeout connect		30000
          	timeout server		30000
          	retries			3
          	server			backend2 172.217.5.35:4172 id 104 check inter 1000
          	
          	#port 4172 is SSL
          
          P 1 Reply Last reply Reply Quote 0
          • RicoR
            Rico LAYER 8 Rebel Alliance
            last edited by

            Have you checked https://www.netgate.com/resources/videos/server-load-balancing-on-pfsense-24.html ?

            -Rico

            S 1 Reply Last reply Reply Quote 1
            • S
              slim2016 @Rico
              last edited by

              @Rico

              Thanks, looks interesting, will have to go through the video and take some notes when I have a bit more time.

              1 Reply Last reply Reply Quote 0
              • P
                PiBa @slim2016
                last edited by

                @slim2016
                Few things.

                • health-checks , currently only a Layer 4 check is performed (if the connection is accepted on TCP level.) , if possible try and make that a http-check to verify that Layer7 actually provides a expected/valid http response.
                • your servers are using IP's in the 172.217 range, are those the actual IP's you use? Or just replaced to anonymize the config a bit before posting? You are aware that these are not supposed to be used on private networks right? If they are truly your public-ip's of the server its okay, if you use this network on your private lan, then you might get into issues using certain webservices that really 'own' these public ip's. private IPv4 space is defined as: 192.168/16 , 172.16/12 , 10/8 where the 172.16/12 does not include 172.217.x.x.
                S 1 Reply Last reply Reply Quote 1
                • S
                  slim2016 @PiBa
                  last edited by

                  @PiBa

                  i will change to http from basic, thanks for the advice.

                  I was using fake ip's - even my fake ip's were wrong LOL, nice catch.

                  1 Reply Last reply Reply Quote 0
                  • RicoR
                    Rico LAYER 8 Rebel Alliance
                    last edited by

                    You don't need to fake RFC1918 addresses when posting, anyone can use them anyway. 😁

                    -Rico

                    S 1 Reply Last reply Reply Quote 1
                    • S
                      slim2016 @Rico
                      last edited by

                      @Rico

                      Good point.

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.