Netgate Discussion Forum

    haproxy configuration generation hiccup

    pfSense Packages
    junicast (last edited by junicast):

      Hi,

      I've been tinkering with haproxy and I like it very much. My system is virtualized (KVM) with two instances and CARP and pfSense 2.4.4-RELEASE-p3. Haproxy version is 0.59_19.
      Please have a look at my attached config. There's this domain ip.domain1.net which should use the regex ^ip.domain1.net(:([0-9]){1,5})?$ but instead it uses ^images.domain1.net(:([0-9]){1,5})?$
      I don't know how exactly this is possible. Even if I remove the images.domain1.net backend completely, the regex still says ^images even though there is no occurrence of images in the WebGUI.
      This might be a bug, right? Is this maybe due to my ha sync?

      global
              maxconn                 10000
              stats socket /tmp/haproxy.socket level admin
              uid                     80
              gid                     80
              nbproc                  1
              hard-stop-after         15m
              chroot                          /tmp/haproxy_chroot
              daemon
              tune.ssl.default-dh-param       2048
              server-state-file /tmp/haproxy_server_state
      
      listen HAProxyLocalStats
              bind 127.0.0.1:22221 name localstats
              mode http
              stats enable
              stats admin if TRUE
              stats show-legends
              stats uri /haproxy/haproxy_stats.php?haproxystats=1
              timeout client 5000
              timeout connect 5000
              timeout server 5000
      
      frontend shared_frontend-merged
              bind                    2001:fdd0:1:4f::6:80 name 2001:fdd0:1:4f::6:80   ssl crt-list /var/etc/haproxy/shared_frontend.crt_list
              bind                    2001:fdd0:1:4f::6:443 name 2001:fdd0:1:4f::6:443   ssl crt-list /var/etc/haproxy/shared_frontend.crt_list
              bind                    1.23.45.6:80 name 1.23.45.6:80   ssl crt-list /var/etc/haproxy/shared_frontend.crt_list
              bind                    1.23.45.6:443 name 1.23.45.6:443   ssl crt-list /var/etc/haproxy/shared_frontend.crt_list
              mode                    http
              log                     global
              option                  http-keep-alive
              option                  forwardfor
              acl https ssl_fc
              http-request set-header         X-Forwarded-Proto http if !https
              http-request set-header         X-Forwarded-Proto https if https
              timeout client          30000
              acl                     aclcrt_shared_frontend  var(txn.txnhost) -m reg -i ^media\.domain1.net\.net(:([0-9]){1,5})?$
              acl                     acl1_domain4   var(txn.txnhost) -m str -i map.domain4.de
              acl                     aclcrt_map.domain4.de  var(txn.txnhost) -m reg -i ^map\.domain4\.de(:([0-9]){1,5})?$
              acl                     acl1    var(txn.txnhost) -m str -i media.domain1.net
              acl                     aclcrt_media.domain1.net   var(txn.txnhost) -m reg -i ^media\.domain1.net\.net(:([0-9]){1,5})?$
              acl                     acl1    var(txn.txnhost) -m str -i domain5.de
              acl                     aclcrt_domain5.de var(txn.txnhost) -m reg -i ^domain5\.de(:([0-9]){1,5})?$
              acl                     acl1    var(txn.txnhost) -m str -i ah.domain5.de
              acl                     aclcrt_ah.domain5.de      var(txn.txnhost) -m reg -i ^ah\.domain5\.de(:([0-9]){1,5})?$
              acl                     acl1    var(txn.txnhost) -m str -i db.unix.domain2.net
              acl                     aclcrt_db.unix.domain2.net        var(txn.txnhost) -m reg -i ^db\.unix\.domain2\.net(:([0-9]){1,5})?$
              acl                     acl1    var(txn.txnhost) -m str -i git.unix.domain2.net
              acl                     aclcrt_git.unix.domain2.net       var(txn.txnhost) -m reg -i ^git\.unix\.domain2\.net(:([0-9]){1,5})?$
              acl                     acl1    var(txn.txnhost) -m str -i gestioip.domain1.net
              acl                     aclcrt_gestioip.domain1.net        var(txn.txnhost) -m reg -i ^gestioip\.domain1.net\.net(:([0-9]){1,5})?$
              acl                     acl1    var(txn.txnhost) -m str -i domain3.de
              acl                     acl2    var(txn.txnhost) -m str -i www.domain3.de
              acl                     aclcrt_kabeljochen.de   var(txn.txnhost) -m reg -i ^domain3\.de(:([0-9]){1,5})?$
              acl                     aclcrt_kabeljochen.de   var(txn.txnhost) -m reg -i ^www\.domain3\.de(:([0-9]){1,5})?$
              acl                     acl1    var(txn.txnhost) -m str -i gosix.domain1.net
              acl                     aclcrt_gosix.domain1.net   var(txn.txnhost) -m reg -i ^gosix\.domain1.net\.net(:([0-9]){1,5})?$
              acl                     acl1    var(txn.txnhost) -m str -i ideas.domain1.net
              acl                     aclcrt_ideas.domain1.net   var(txn.txnhost) -m reg -i ^ideas\.domain1.net\.net(:([0-9]){1,5})?$
              acl                     acl1    var(txn.txnhost) -m str -i wiki.domain1.net
              acl                     aclcrt_wiki.domain1.net    var(txn.txnhost) -m reg -i ^wiki\.domain1.net\.net(:([0-9]){1,5})?$
              acl                     acl1    var(txn.txnhost) -m str -i riot.domain1.net
              acl                     aclcrt_riot.domain1.net    var(txn.txnhost) -m reg -i ^riot\.domain1.net\.net(:([0-9]){1,5})?$
              acl                     acl1    var(txn.txnhost) -m str -i db.domain1.net
              acl                     aclcrt_db.domain1.net      var(txn.txnhost) -m reg -i ^db\.domain1.net\.net(:([0-9]){1,5})?$
              acl                     acl1    var(txn.txnhost) -m str -i ip.domain1.net
              acl                     aclcrt_ip.domain1.net      var(txn.txnhost) -m reg -i ^images\.domain1.net\.net(:([0-9]){1,5})?$
              http-request set-var(txn.txnhost) hdr(host)
              use_backend srv108_map_domain4_ipvANY  if   aclcrt_map.domain4.de
              use_backend emby.unix.domain2.net_ipvANY  if   aclcrt_media.domain1.net
              use_backend domain5.de_ipvANY  if   aclcrt_domain5.de
              use_backend srv123.unix.domain2.net-ah.domain5.de_ipvANY  if   aclcrt_ah.domain5.de
              use_backend db.unix.domain2.net_ipvANY  if   aclcrt_db.unix.domain2.net
              use_backend git.unix.domain2.net_ipvANY  if   aclcrt_git.unix.domain2.net
              use_backend gestioip_srv119_ipvANY  if   aclcrt_gestioip.domain1.net
              use_backend kabeljochen_srv119_ipvANY  if   aclcrt_kabeljochen.de
              use_backend gosix.domain1.net_srv119_ipvANY  if   aclcrt_gosix.domain1.net
              use_backend ideas.domain1.net_srv119_ipvANY  if   aclcrt_ideas.domain1.net
              use_backend wiki.domain1.net_srv119_ipvANY  if   aclcrt_wiki.domain1.net
              use_backend riot.domain1.net_srv119_ipvANY  if   aclcrt_riot.domain1.net
              use_backend db.unix.domain2.net_ipvANY  if   aclcrt_db.domain1.net
              use_backend ip.domain1.net_srv119_ipvANY  if   aclcrt_ip.domain1.net
      
      frontend http_to_https
              bind                    1.23.45.6:80 name 1.23.45.6:80
              bind                    2001:fdd0:1:4f::6:80 name 2001:fdd0:1:4f::6:80
              mode                    http
              log                     global
              option                  http-keep-alive
              timeout client          30000
              http-request redirect scheme https
      
      backend srv108_map_domain4_ipvANY
              mode                    http
              id                      102
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  srv108.domain2.net 2001:fdd0:3f:1::6:8123 id 103 check inter 10000
      
      backend emby.unix.domain2.net_ipvANY
              mode                    http
              id                      100
              log                     global
              balance                 leastconn
              timeout connect         30000
              timeout server          30000
              retries                 3
              option                  httpchk OPTIONS /
              server                  emby.unix.domain2.net_0 10.10.101.59:8096 check inter 10000
              server                  emby.unix.domain2.net_1 2009:4444:28d4:1b:d313:1726:1a3b:b596:8096 check inter 10000
      
      backend domain5.de_ipvANY
              mode                    http
              id                      104
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  srv118.domain2.net 2001:fdd0:3f:6::6:8008 id 105 check inter 10000
      
      backend srv123.unix.domain2.net-ah.domain5.de_ipvANY
              mode                    http
              id                      106
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  srv123.unix.domain2.net 2001:fdd0:3f:7::5:8080 id 105 check inter 10000
              
      backend db.unix.domain2.net_ipvANY
              mode                    http
              id                      107
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  mariadb.domain2.net 2001:fdd0:3f:5::4:80 id 105 check inter 10000
      
      backend git.unix.domain2.net_ipvANY
              mode                    http
              id                      108
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  srv104.domain2.net_gogs_0 5.145.135.92:3000 check inter 10000
              server                  srv104.domain2.net_gogs_1 2001:fdd0:3f::4:3000 check inter 10000
      
      backend gestioip_srv119_ipvANY
              mode                    http
              id                      109
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  srv119_gestioip 2001:fdd0:3f::7:80 id 105 check inter 10000
      
      backend kabeljochen_srv119_ipvANY
              mode                    http
              id                      110
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              option                  httpchk OPTIONS /
              server                  srv119_kabeljochen 2001:fdd0:3f::8:80 id 105 check inter 10000
      
      backend gosix.domain1.net_srv119_ipvANY
              mode                    http
              id                      111
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              option                  httpchk OPTIONS /
              server                  srv119_gosix.domain1.net 2001:fdd0:3f::9:80 id 105 check inter 10000
              
      backend ideas.domain1.net_srv119_ipvANY
              mode                    http
              id                      112
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              option                  httpchk OPTIONS /
              server                  srv119_ideas.domain1.net 2001:fdd0:3f::a:80 id 105 check inter 10000
      
      backend wiki.domain1.net_srv119_ipvANY
              mode                    http
              id                      115
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  srv119_wiki.domain1.net 2001:fdd0:3f::e:80 id 105 check inter 10000
      
      backend riot.domain1.net_srv119_ipvANY
              mode                    http
              id                      116
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              option                  httpchk OPTIONS /
              server                  srv119_riot.domain1.net 2001:fdd0:3f::f:80 id 105 check inter 10000
      
      backend ip.domain1.net_srv119_ipvANY
              mode                    http
              id                      114
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              option                  httpchk OPTIONS /
              server                  srv119_ip.domain1.net 2001:fdd0:3f::d:80 id 105 check inter 10000
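
      A small lint for exactly the kind of anomaly shown in the config above, added here as an example and not code from the poster or from the pfSense haproxy package. The package names each host ACL aclcrt_<hostname> and is expected to generate a regex of the form ^<hostname with dots escaped>(:([0-9]){1,5})?$, so the ACL name itself tells you what the regex should match; whatever the generator derived the regex from, the generated file is what routes traffic, so it is worth checking before the config is loaded. The sample config inside the script is constructed to mirror two of the pairs above (one correct, one with the ip/images mismatch). Note that, run on the posted config as-is, it would also flag the entries whose anonymised hostnames read domain1.net\.net, since those regexes do not match their own ACL names either.

```python
import re

# Constructed sample: two host/ACL pairs copied in shape from the generated pfSense
# config in this thread (not the poster's actual file). The second pair carries the
# defect discussed: the ACL is named for ip.domain1.net but its regex says images.
SAMPLE_CONFIG = r"""
frontend shared_frontend-merged
        acl                     acl1    var(txn.txnhost) -m str -i wiki.domain1.net
        acl                     aclcrt_wiki.domain1.net    var(txn.txnhost) -m reg -i ^wiki\.domain1\.net(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i ip.domain1.net
        acl                     aclcrt_ip.domain1.net      var(txn.txnhost) -m reg -i ^images\.domain1\.net(:([0-9]){1,5})?$
        http-request set-var(txn.txnhost) hdr(host)
        use_backend wiki.domain1.net_srv119_ipvANY  if   aclcrt_wiki.domain1.net
        use_backend ip.domain1.net_srv119_ipvANY  if   aclcrt_ip.domain1.net
"""

# Optional ":port" suffix the package appends to every generated host regex.
PORT_SUFFIX = r"(:([0-9]){1,5})?$"

# Matches the generated "acl aclcrt_<name> var(txn.txnhost) -m reg -i <regex>" lines.
ACLCRT_LINE = re.compile(
    r"^\s*acl\s+aclcrt_(?P<name>\S+)\s+var\(txn\.txnhost\)\s+-m\s+reg\s+-i\s+(?P<regex>\S+)\s*$"
)


def expected_regex(hostname: str) -> str:
    """Regex the generator should emit for a hostname: escape dots, anchor, allow a port."""
    return "^" + hostname.replace(".", r"\.") + PORT_SUFFIX


def check_entry(name: str, regex: str) -> dict:
    """Compare one aclcrt_ entry against what its own name says it should match.

    The ACL is evaluated with -i, so the regex is compiled case-insensitively here too.
    """
    pattern = re.compile(regex, re.IGNORECASE)
    return {
        "acl": name,
        "regex": regex,
        "expected": expected_regex(name),
        "matches_host": pattern.match(name) is not None,
        # A Host header may carry a port; the generated regex must still match then.
        "matches_host_with_port": pattern.match(name + ":8443") is not None,
    }


def lint_aclcrt(config_text: str) -> list:
    """Return one result dict per aclcrt_ line found in the config text."""
    results = []
    for line in config_text.splitlines():
        m = ACLCRT_LINE.match(line)
        if m:
            results.append(check_entry(m.group("name"), m.group("regex")))
    return results


def find_mismatches(config_text: str) -> list:
    """Entries whose regex would never route the hostname the ACL is named for."""
    return [r for r in lint_aclcrt(config_text) if not r["matches_host"]]


if __name__ == "__main__":
    # Point this at /var/etc/haproxy/haproxy.cfg on a real box instead of the sample.
    for r in lint_aclcrt(SAMPLE_CONFIG):
        status = "ok" if r["matches_host"] else "MISMATCH"
        print(f"{status:8} aclcrt_{r['acl']}: {r['regex']}")
        if not r["matches_host"]:
            print(f"         expected {r['expected']}")
```

The check deliberately tests the regex against the hostname (with and without a port) rather than comparing strings, so it stays useful even if a future package version changes how it escapes or anchors the pattern; the "expected" field is only there to make the report readable.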
      
      PiBa @junicast:

        @pmisch
        Can you check the CN of the certificate chosen in that frontend?

        junicast @PiBa (last edited by junicast):

          @PiBa
          Thank you for your reply. That led me to another interesting thing.
          In pfSense's WebGUI the right certificate is chosen. I had a look into /var/etc/haproxy/shared_frontend and did:

          openssl x509 -in ip.domain1.net -text -noout
          

          And baam, the common name is 'images'. The letsencrypt certificate had a wrong CN configured, so that's what this is.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.