Netgate Discussion Forum
    Haproxy - bind abstract namespaces addresses (abns@)

    Cache/Proxy
      benoithcc

      Hi everyone,

      I'm new here and I hope I can get some help.
      I have several domain names hosted on my network with the same wan ip address. Some need to verify client certificates while others not.
      I found a solution here: https://discourse.haproxy.org/t/how-to-set-ssl-verify-client-for-specific-domain-name/1489/3
      But I need recirculation between frontend and backend using abstract namespace (abns@) addresses, and it seems not to exist in the haproxy package in pfSense? (It doesn't work in the custom address field.)
      Am I wrong? How could I make it without abstract namespaces? Can we use like virtual IPs?

      Thanks!
      Benoit.

        benoithcc

        The error when using abns@ in the external address is: "The external address 'abns@haproxy-clientcert' is not a valid source IP address or alias"

          PiBa @benoithcc

          @benoithcc
          AFAIK, it's not possible to use abns@ on FreeBSD.
          It is however possible to select a frontend for your 'recirculation' in the backend webgui options. It will then use a unix socket (unix@) on the filesystem to make the required round trip 'automatically'.

            benoithcc

            @PiBa
            Thanks for your answer!

            I found and selected the frontends in the backend options, and I have the unix sockets now.
            Tell me if I'm right: in the recirculated frontends I now have to choose localhost as the listen address without any port? I tried it and it seems to be correct in the haproxy.cfg, because if I add port 443 on both frontends it duplicates the bind lines with the local address plus the unix socket.

            I now have this warning but no error when I apply the config: Multiple primary frontends (ssl-clientCert-frontend, ssl-default-frontend) with IP:Port "127.0.0.1:", use Shared-Frontends instead.

            The haproxy.cfg is now as below; does everything look good?

            frontend http-to-https
                    bind                    WAN_IP:80 name WAN_IP:80
                    mode                    http
                    http-request redirect scheme https
            
            frontend https
                    bind                    WAN_IP:443 name WAN_IP:443
                    mode                    tcp
                    acl                     clientcertenabled       req_ssl_sni -i WEBSITE_WITH_CLIENT_CERT
                    tcp-request inspect-delay 5s
                    tcp-request content accept if { req_ssl_hello_type 1 }
                    use_backend redirection_clientCertEnabled_ipvANY  if  clientcertenabled
                    default_backend redirection_default_ipvANY
            
            frontend ssl-clientCert-frontend
                    bind /tmp/haproxy_chroot/ssl-clientCert-frontend.socket name unixsocket uid 80 accept-proxy   ssl crt-list /var/etc/haproxy/ssl-clientCert-frontend.crt_list ca-file /var/etc/haproxy/clientca_ssl-clientCert-frontend.pem verify required
                    mode                    http
                    acl                     name1       var(txn.txnhost) -m str -i WEBSITE_WITH_CLIENT_CERT
                    http-request set-var(txn.txnhost) hdr(host)
                    use_backend WEBSITE_WITH_CLIENT_CERT_ipv4  if  name1
            
            frontend ssl-default-frontend
                    bind /tmp/haproxy_chroot/ssl-default-frontend.socket name unixsocket uid 80 accept-proxy   ssl crt-list /var/etc/haproxy/ssl-default-frontend.crt_list
                    mode                    http
                    acl                     name2       var(txn.txnhost) -m str -i WEBSITE_WITHOUT_CLIENT_CERT
                    http-request set-var(txn.txnhost) hdr(host)
                    use_backend WEBSITE_WITHOUT_CLIENT_CERT_ipv4  if  name2
            
            backend redirection_clientCertEnabled_ipvANY
                    mode                    tcp
                    id                      105
                    server                  loopback-for-tls /ssl-clientCert-frontend.socket send-proxy-v2-ssl-cn id 106
            
            backend redirection_default_ipvANY
                    mode                    tcp
                    id                      104
                    server                  loopback-for-tls /ssl-default-frontend.socket send-proxy-v2-ssl-cn id 107
            
            backend WEBSITE_WITH_CLIENT_CERT_ipv4
                    mode                    http
                    id                      10100
                    server                  server1 LAN_IP_SRV1:443 id 10101 ssl  verify none
            
            backend WEBSITE_WITHOUT_CLIENT_CERT_ipv4
                    mode                    http
                    id                      10102
                    server                  server2 LAN_IP_SRV2:80 id 10101
            

            Thanks again for your help,
            Benoit.

              PiBa @benoithcc

              @benoithcc
              Config seems to look good to me. I usually bind the 'loopback-frontend' to an 'unused' port, which avoids the webgui 'warning'. But that does make haproxy bind to that port while also getting a bind for the unix socket; your solution is a bit cleaner actually.

                benoithcc
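              The round trip above has a few places where a config that passes a visual check can still fail silently: the backend's unix socket path is resolved at run time inside the chroot (hence `/ssl-clientCert-frontend.socket` on the server line versus `/tmp/haproxy_chroot/ssl-clientCert-frontend.socket` on the bind line), `send-proxy-v2*` on the server must be matched by `accept-proxy` on the bind or the PROXY header is fed to the TLS stack, `req_ssl_sni` only sees the SNI if the tcp frontend has an inspect delay, and an `abns@` bind is Linux-only. Note too that `accept-proxy` trusts whatever PROXY header a peer sends, so anything that can connect to those sockets can pick the client address the https frontends see. The lint below checks those points over a config; it is an added example, not pfSense package code or HAProxy code. The two configs it runs on are constructed: the first is the posted haproxy.cfg reduced to the relevant lines, the second carries the mistakes the lint is meant to catch. The `chroot /tmp/haproxy_chroot` line in `global` is assumed (the thread does not show that section; the path is inferred from the bind lines), and the crt/ca-file paths are placeholders.

```python
# Lint the unix-socket recirculation wiring of an HAProxy config. Added example
# for the thread above; it is neither pfSense package code nor HAProxy code.
import re

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

# Constructed sample: the posted config reduced to the lines that matter, plus
# the 'global' chroot line assumed to be generated by the pfSense package.
GOOD_CFG = """
global
    chroot /tmp/haproxy_chroot
frontend https
    bind WAN_IP:443
    mode tcp
    acl clientcertenabled req_ssl_sni -i WEBSITE_WITH_CLIENT_CERT
    tcp-request inspect-delay 5s
    use_backend redirection_clientCertEnabled_ipvANY if clientcertenabled
frontend ssl-clientCert-frontend
    bind /tmp/haproxy_chroot/ssl-clientCert-frontend.socket accept-proxy ssl crt-list /var/etc/haproxy/a.crt_list ca-file /var/etc/haproxy/clientca.pem verify required
frontend ssl-default-frontend
    bind /tmp/haproxy_chroot/ssl-default-frontend.socket accept-proxy ssl crt-list /var/etc/haproxy/b.crt_list
backend redirection_clientCertEnabled_ipvANY
    server loopback-for-tls /ssl-clientCert-frontend.socket send-proxy-v2-ssl-cn
backend redirection_default_ipvANY
    server loopback-for-tls /ssl-default-frontend.socket send-proxy-v2-ssl-cn
"""

# Constructed sample carrying the mistakes the lint is meant to catch.
BAD_CFG = """
global
    chroot /tmp/haproxy_chroot
frontend https
    bind WAN_IP:443
    acl clientcertenabled req_ssl_sni -i WEBSITE_WITH_CLIENT_CERT
    use_backend redirection_clientCertEnabled_ipvANY if clientcertenabled
frontend ssl-clientCert-frontend
    bind /tmp/haproxy_chroot/ssl-clientCert-frontend.socket accept-proxy ssl crt /var/etc/haproxy/a.pem ca-file /var/etc/haproxy/ca.pem verify required
frontend ssl-default-frontend
    bind /tmp/haproxy_chroot/ssl-default-frontend.socket ssl crt /var/etc/haproxy/b.pem
frontend linux-only
    bind abns@haproxy-clientcert accept-proxy
backend redirection_clientCertEnabled_ipvANY
    server loopback-for-tls /tmp/haproxy_chroot/ssl-clientCert-frontend.socket send-proxy-v2
backend redirection_default_ipvANY
    server loopback-for-tls /ssl-default-frontend.socket send-proxy-v2
"""

def parse_sections(text):
    # -> [(kind, name, [stripped lines])] in file order; blank and comment lines dropped
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif line and not line.startswith("#") and sections:
            sections[-1][2].append(line)
    return sections

def _unix_path(addr):
    # socket path for '/path' or 'unix@/path' bind/server addresses, else None
    if addr.startswith("unix@"):
        return addr[5:]
    return addr if addr.startswith("/") else None

def lint_recirculation(text):
    findings, sections = [], parse_sections(text)
    chroot = next((l.split()[1] for k, _, ls in sections if k == "global"
                   for l in ls if l.startswith("chroot ")), "").rstrip("/")
    unix_binds = {}  # bind path as written (bound before chroot()) -> (frontend, tokens)
    for _, name, lines in (s for s in sections if s[0] == "frontend"):
        uses_sni = has_delay = False
        for l in lines:
            t = l.split()
            uses_sni |= "req_ssl_sni" in t or "req.ssl_sni" in t
            has_delay |= l.startswith("tcp-request inspect-delay")
            if t[0] == "bind" and t[1].startswith("abns@"):
                findings.append(f"{name}: {t[1]} is an abstract-namespace bind (Linux only), use a unix socket path on pfSense/FreeBSD")
            if t[0] == "bind" and _unix_path(t[1]):
                unix_binds[_unix_path(t[1])] = (name, t)
        if uses_sni and not has_delay:
            findings.append(f"{name}: req_ssl_sni without 'tcp-request inspect-delay', routing happens before the ClientHello is read")
    for _, name, lines in (s for s in sections if s[0] == "backend"):
        for t in (l.split() for l in lines if l.startswith("server ")):
            path = _unix_path(t[2])
            if path is None:
                continue
            real = chroot + path  # the server connects at run time, i.e. from inside the chroot
            if real not in unix_binds:
                hint = f" (did you mean {path[len(chroot):]}?)" if chroot and path.startswith(chroot + "/") else ""
                findings.append(f"{name}: server {t[1]} connects to {real} but no frontend binds that socket{hint}")
                continue
            fe_name, bind_t = unix_binds[real]
            sends, accepts = any(x.startswith("send-proxy") for x in t), "accept-proxy" in bind_t
            if sends != accepts:
                findings.append(f"{name} -> {fe_name}: PROXY protocol mismatch, server {'sends' if sends else 'does not send'} it and the bind {'accepts' if accepts else 'does not accept'} it")
    return findings

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(label, lint_recirculation(cfg) or "ok")
```

              Run it against a real file with `lint_recirculation(open("/var/etc/haproxy/haproxy.cfg").read())`; the posted config comes back clean, while the second sample reports the missing inspect delay, the abns@ bind, the server path that was not made chroot-relative, and the frontend that lacks `accept-proxy`. It complements `haproxy -c`, which does not flag the chroot path mismatch because the socket simply does not exist at connect time.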

                Thanks for your help @PiBa everything is clear to me now!
                Benoit

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.