Best practise for using HAProxy for internal servers?



  • I'd like to have a bunch of my docker containers having nice, easy-to-access URLs rather than port numbers etc. I have HAProxy working using https for some external servers but I'd like to use it for these internal servers.

    I tried a little experiment by writing the IP into the DNS Resolver and then resolving that IP to pfSense for HAProxy to pick up (on port 80 this time) but got into a lot of strange behaviour with the router suspecting DNS rebinding attacks and almost at one point making the web admin page unavailable / unresponsive (it somehow magically came back...). I'm quite sure I'm not doing that correctly so how do I use HAProxy on pfSense to manage internal servers that I never want to be resolved from the WAN side?



  • @shad0wca7 said in Best practise for using HAProxy for internal servers?:

    I'd like to have a bunch of my docker containers having nice, easy-to-access URLs rather than port numbers etc. I have HAProxy working using https for some external servers but I'd like to use it for these internal servers.

    I have something similar set up. I use a virtual IP, 192.168.1.25, and have my HAProxy Front End listening to this virtual IP.

    The HAProxy "backends" point to the internal server IPs; however, I use the Host override in the DNS to point to the same virtual IP used in the HAProxy Frontend.

    In your example, you would set up and point all your docker servers in the backend, then create DNS host overrides to point each of the docker servers to the same virtual IP used by HAProxy.

    With this setup, people accessing the URL from inside the network reach the correct server. For example, printer.example.com would reach 192.168.1.25.

    Hope this helps.
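
The setup described in the reply above, written out as the equivalent plain HAProxy configuration. This is an added example, not taken from the thread or from the config pfSense generates: the virtual IP and printer.example.com come from the post, while app.example.com, the backend addresses and the section names are constructed for illustration.

```haproxy
# Added example. Backend addresses, app.example.com and all section
# names are constructed; only 192.168.1.25 and printer.example.com
# appear in the thread.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend internal_http
    # Bind only to the internal virtual IP, never to a wildcard (*:80)
    # or the WAN address, so HAProxy does not listen on the WAN side.
    bind 192.168.1.25:80

    # Route on the Host header the browser sends.
    acl host_printer hdr(host) -i printer.example.com
    acl host_app     hdr(host) -i app.example.com
    use_backend be_printer if host_printer
    use_backend be_app     if host_app
    # No default_backend: a request with any other Host header gets a
    # 503 instead of being forwarded to some internal server.

backend be_printer
    server printer 192.168.1.50:80 check

backend be_app
    # A docker container published on a host port.
    server app 192.168.1.60:8080 check

# Matching DNS Resolver (Unbound) host overrides, shown as comments
# because they live in the resolver, not in haproxy.cfg. Every
# internal name resolves to the same virtual IP:
#   local-data: "printer.example.com. A 192.168.1.25"
#   local-data: "app.example.com. A 192.168.1.25"
```

Because the overrides exist only in the internal resolver and the frontend binds only to the virtual IP, the names are not answered for, and the listener is not present on, the WAN side.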



  • @costanzo This is basically exactly what I ended up doing as well after thinking about it further (but forgot to post in here).

    Glad to see I'm not the only one coming to this conclusion of how to set it up. Seems reliable.
