Netgate Discussion Forum

Haproxy - bind abstract namespaces addresses (abns@)

Cache/Proxy
    benoithcc
    last edited by Jul 23, 2020, 11:32 PM

    Hi everyone,

    I'm new here and I hope I can get some help.
    I have several domain names hosted on my network with the same WAN IP address. Some need to verify client certificates while others do not.
    I found a solution here: https://discourse.haproxy.org/t/how-to-set-ssl-verify-client-for-specific-domain-name/1489/3
    But I need recirculation between frontend and backend using abstract namespace (abns@) addresses, and it seems not to exist in the haproxy package in pfSense (it doesn't work in the custom address field).
    Am I wrong? How could I make it work without abstract namespaces? Can we use something like virtual IPs?

    Thanks!
    Benoit.

      benoithcc
      last edited by Jul 23, 2020, 11:39 PM

      The error when using abns@ in the external address field is: "The external address 'abns@haproxy-clientcert' is not a valid source IP address or alias"

        PiBa @benoithcc
        last edited by Jul 25, 2020, 2:31 PM

        @benoithcc
        Afaik, it's not possible to use abns@ on FreeBSD.
        It is however possible to select a frontend for your 'recirculation' in the backend webgui options. It will then use a unix socket (unix@) on the filesystem to make the required round-trip 'automatically'.

          benoithcc
          last edited by Jul 26, 2020, 1:48 AM

          @PiBa
          Thanks for your answer!

          I found and selected the frontends in the backend options, and I have the unix sockets now.
          Tell me if I'm right: now in the recirculated frontends, I have to choose localhost in the listen address without any port? I tried it and it seems to be correct in the haproxy.cfg, because if I add port 443 on both frontends it duplicates the bind lines with the local address plus the unix socket.

          I now have this warning, but no error, when I apply the config: Multiple primary frontends (ssl-clientCert-frontend, ssl-default-frontend) with IP:Port "127.0.0.1:", use Shared-Frontends instead.

          The haproxy.cfg is now as below; does everything look good?

          frontend http-to-https
                  bind                    WAN_IP:80 name WAN_IP:80
                  mode                    http
                  http-request redirect scheme https
          
          frontend https
                  bind                    WAN_IP:443 name WAN_IP:443
                  mode                    tcp
                  acl                     clientcertenabled       req_ssl_sni -i WEBSITE_WITH_CLIENT_CERT
                  tcp-request inspect-delay 5s
                  tcp-request content accept if { req_ssl_hello_type 1 }
                  use_backend redirection_clientCertEnabled_ipvANY  if  clientcertenabled
                  default_backend redirection_default_ipvANY
          
          frontend ssl-clientCert-frontend
                  bind /tmp/haproxy_chroot/ssl-clientCert-frontend.socket name unixsocket uid 80 accept-proxy   ssl crt-list /var/etc/haproxy/ssl-clientCert-frontend.crt_list ca-file /var/etc/haproxy/clientca_ssl-clientCert-frontend.pem verify required
                  mode                    http
                  acl                     name1       var(txn.txnhost) -m str -i WEBSITE_WITH_CLIENT_CERT
                  http-request set-var(txn.txnhost) hdr(host)
                  use_backend WEBSITE_WITH_CLIENT_CERT_ipv4  if  name1
          
          frontend ssl-default-frontend
                  bind /tmp/haproxy_chroot/ssl-default-frontend.socket name unixsocket uid 80 accept-proxy   ssl crt-list /var/etc/haproxy/ssl-default-frontend.crt_list
                  mode                    http
                  acl                     name2       var(txn.txnhost) -m str -i WEBSITE_WITHOUT_CLIENT_CERT
                  http-request set-var(txn.txnhost) hdr(host)
                  use_backend WEBSITE_WITHOUT_CLIENT_CERT_ipv4  if  name2
          
          backend redirection_clientCertEnabled_ipvANY
                  mode                    tcp
                  id                      105
                  server                  loopback-for-tls /ssl-clientCert-frontend.socket send-proxy-v2-ssl-cn id 106
          
          backend redirection_default_ipvANY
                  mode                    tcp
                  id                      104
                  server                  loopback-for-tls /ssl-default-frontend.socket send-proxy-v2-ssl-cn id 107
          
          backend WEBSITE_WITH_CLIENT_CERT_ipv4
                  mode                    http
                  id                      10100
                  server                  server1 LAN_IP_SRV1:443 id 10101 ssl  verify none
          
          backend WEBSITE_WITHOUT_CLIENT_CERT_ipv4
                  mode                    http
                  id                      10102
                  server                  server2 LAN_IP_SRV2:80 id 10101
          

          Thanks again for your help,
          Benoit.

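Two properties of the recirculation wiring in the config above are worth checking mechanically rather than by eye: each tcp backend's unix-socket server must land on a frontend that binds that socket with accept-proxy (the backend sends send-proxy-v2, so a mismatch breaks the hop), and the route selected by the SNI ACL must end on a frontend whose bind carries both ca-file and verify required, because that bind is the only place client certificates are actually enforced. The following Python script is an added example, not part of this thread or of the pfSense HAProxy package; it parses a constructed haproxy.cfg modelled on the one posted (WAN_IP, the WEBSITE_* names and the shortened crt-list/ca-file paths are placeholder assumptions) and reports those two properties.

```python
# Added example (not from this thread or the pfSense HAProxy package): follows the
# unix-socket recirculation wiring of an haproxy.cfg and reports PROXY-protocol
# mismatches and which SNI route actually enforces client certificates.
from posixpath import basename

# Constructed sample modelled on the config posted above. WAN_IP, the WEBSITE_*
# names and the shortened crt-list/ca-file paths are placeholders.
SAMPLE_CFG = """frontend https
    bind WAN_IP:443 name WAN_IP:443
    mode tcp
    acl clientcertenabled req_ssl_sni -i WEBSITE_WITH_CLIENT_CERT
    use_backend redirection_clientCertEnabled_ipvANY if clientcertenabled
    default_backend redirection_default_ipvANY

frontend ssl-clientCert-frontend
    bind /tmp/haproxy_chroot/ssl-clientCert-frontend.socket name unixsocket uid 80 accept-proxy ssl crt-list /var/etc/haproxy/a.crt_list ca-file /var/etc/haproxy/clientca.pem verify required

frontend ssl-default-frontend
    bind /tmp/haproxy_chroot/ssl-default-frontend.socket name unixsocket uid 80 accept-proxy ssl crt-list /var/etc/haproxy/b.crt_list

backend redirection_clientCertEnabled_ipvANY
    mode tcp
    server loopback-for-tls /ssl-clientCert-frontend.socket send-proxy-v2-ssl-cn

backend redirection_default_ipvANY
    mode tcp
    server loopback-for-tls /ssl-default-frontend.socket send-proxy-v2-ssl-cn
"""

def parse_sections(text):
    """Return {(kind, name): [token lists]} for each global/defaults/frontend/backend/listen block."""
    sections, current = {}, None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("#"):
            continue
        if toks[0] in ("global", "defaults", "frontend", "backend", "listen"):
            current = (toks[0], toks[1] if len(toks) > 1 else toks[0])
            sections[current] = []
        elif current is not None:
            sections[current].append(toks)
    return sections

def socket_frontends(sections):
    """Map socket basename -> properties of the frontend 'bind' that owns it."""
    owners = {}
    for (kind, name), lines in sections.items():
        if kind != "frontend":
            continue
        for toks in lines:
            if toks[0] == "bind" and toks[1].startswith("/"):
                # bind path is inside the chroot; backends reference the socket by basename
                verify = toks[toks.index("verify") + 1] if "verify" in toks[:-1] else "none"
                owners[basename(toks[1])] = {
                    "frontend": name,
                    "accept_proxy": "accept-proxy" in toks,
                    # certificates are only enforced with a CA *and* verify required
                    "client_cert_required": verify == "required" and "ca-file" in toks,
                }
    return owners

def socket_server(sections, backend):
    """Return the tokens of the first unix-socket 'server' line in a backend, or None."""
    for toks in sections.get(("backend", backend), []):
        if toks[0] == "server" and len(toks) > 2 and toks[2].startswith("/"):
            return toks
    return None

def check_recirculation(text):
    """Return (findings, routes): findings list problems, routes map 'frontend:rule' -> (target frontend, client_cert_required)."""
    sections = parse_sections(text)
    owners = socket_frontends(sections)
    findings, routes = [], {}
    # 1. every socket server must reach a bound frontend with matching PROXY protocol use
    for kind, name in sections:
        toks = socket_server(sections, name) if kind == "backend" else None
        if toks is None:
            continue
        sock = basename(toks[2])
        owner = owners.get(sock)
        if owner is None:
            findings.append(f"{name}: server {toks[1]} targets {sock}, which no frontend binds")
            continue
        sends_proxy = any(t.startswith("send-proxy") for t in toks)
        if sends_proxy != owner["accept_proxy"]:
            findings.append(f"{name} -> {owner['frontend']}: PROXY protocol mismatch (send-proxy={sends_proxy}, accept-proxy={owner['accept_proxy']})")
    # 2. follow each SNI route of the public tcp frontend to the frontend it ends on
    for (kind, name), lines in sections.items():
        if kind != "frontend" or ["mode", "tcp"] not in lines:
            continue
        for toks in lines:
            if toks[0] == "use_backend" and len(toks) >= 4 and toks[2] == "if":
                rule, backend = " ".join(toks[3:]), toks[1]
            elif toks[0] == "default_backend":
                rule, backend = "default", toks[1]
            else:
                continue
            srv = socket_server(sections, backend)
            owner = owners.get(basename(srv[2])) if srv else None
            if owner is not None:
                routes[f"{name}:{rule}"] = (owner["frontend"], owner["client_cert_required"])
    return findings, routes
```

To run it against a live box, read /var/etc/haproxy/haproxy.cfg into a string and pass it to check_recirculation; an empty findings list plus a route map in which only the client-cert route shows True is the expected healthy state. The tokenizer is deliberately minimal (whitespace split, no line continuations), so treat this as a linter for this specific wiring pattern, not a general haproxy.cfg validator.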
            PiBa @benoithcc
            last edited by Jul 27, 2020, 9:41 PM

            @benoithcc
            Config seems to look good to me. I usually bind the 'loopback-frontend' to an 'unused' port, which avoids the webgui 'warning'. But that does make haproxy bind to that port, while also getting a bind for the unix socket, so your solution is a bit cleaner actually.

              benoithcc
              last edited by Jul 27, 2020, 10:31 PM

              Thanks for your help @PiBa, everything is clear to me now!
              Benoit
