Netgate Discussion Forum

HAproxy Settings error

Cache/Proxy
12 Posts 2 Posters 7.1k Views
  • G
    gschmidt @PiBa
    last edited by Mar 7, 2021, 4:54 PM

    @piba

    Understood...thanx!

    • G
      gschmidt
      last edited by Mar 10, 2021, 7:12 AM

      @PiBa

      Hi,

      I have read that it is wise when opening ports 80 and 443 for HAproxy, to change the port or disable the redirect rule of the pfSense webgui.

      If I check the “Disable webConfigurator redirect rule” in advanced settings, am I still able to access the pfSense web app inside my network (LAN)? Just to be sure that I don’t lock myself out of pfSense.

      • P
        PiBa @gschmidt
        last edited by PiBa Mar 10, 2021, 6:26 PM Mar 10, 2021, 6:24 PM

        @gschmidt

        IMHO it's wise to change the port and disable the redirect rule of the pfSense webgui.

        After that the http://pfsense won't work anymore.
        And if the port is changed to, for example, 444, then https://pfsense/ won't work either.. but https://pfsense:444/ should work fine..

        And to avoid losing access completely to the webgui, make sure you have SSH access; that would allow you to undo changes and reboot if for some unknown reason the webgui access stops working..

        • G
          gschmidt @PiBa
          last edited by gschmidt Mar 10, 2021, 6:37 PM Mar 10, 2021, 6:33 PM

          @piba

          I have tested this and I can still access pfSense from the LAN side. SSH was already enabled

          Update: I didn't read your reply well enough "change the port and disable the redirect rule"
          To which port do you refer? The WAN port for anti-lockout?

          • P
            PiBa @gschmidt
            last edited by Mar 10, 2021, 6:52 PM

            @gschmidt said in HAproxy Settings error:

            To which port do you refer?

            In the menu: System/Advanced/Admin Access
            The setting: "TCP port"

            After changing that the anti lockout should automatically change as well..

            • G
              gschmidt @PiBa
              last edited by gschmidt Mar 10, 2021, 7:43 PM Mar 10, 2021, 7:30 PM

              @piba
              Yesterday I have already created the following rules for HAproxy (online tutorial). The below example is for the HTTPS 443 port, but I also have created it for the HTTP 80 port

              5b248600-73a5-4526-a9b7-252a1df3be13-image.png

              So if I set a port number at the System/Advanced/Admin Access/TCP field e.g. 8010....the LAN anti lock-out port will become 8010?
              Or do I need to create a rule first for port 8010 which matches the port in the TCP field?

              I have read about some issues of people locking themselves out...just wanna be cautious.

              • P
                PiBa @gschmidt
                last edited by Mar 10, 2021, 7:57 PM

                @gschmidt
                to be cautious you could:
                - manually create a rule that allows 8010
                - change the webgui tcpport
                - check the antilockout also changed
                - remove manual rule
                I can't imagine it going wrong that way even if the antilockout rule update lags a little..
                and adding rules to allow access to haproxy's frontend ports as desired..

                G 1 Reply Last reply Mar 10, 2021, 8:21 PM Reply Quote 0
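The "check the antilockout also changed" step from the list above, as an added example that is not part of the thread. It assumes the rule shows up in `pfctl -sr` output with the label "anti-lockout rule"; the sample rule text, the interface names and the function names are constructed for illustration, and 10443 is used as the new webGUI port.

```shell
#!/bin/sh
# Both samples are constructed in the style of `pfctl -sr` output; em0 is WAN
# and em1 is LAN here. They are not captured from a real firewall.
RULES_BEFORE='pass in quick on em1 inet proto tcp from any to (em1) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on em1 inet proto tcp from any to (em1) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on em1 inet proto tcp from any to (em1) port = ssh flags S/SA keep state label "anti-lockout rule"
pass in quick on em1 inet proto tcp from any to (em1) port = 10443 flags S/SA keep state label "USER_RULE: temporary webGUI access"'

RULES_AFTER='pass in quick on em1 inet proto tcp from any to (em1) port = 10443 flags S/SA keep state label "anti-lockout rule"
pass in quick on em1 inet proto tcp from any to (em1) port = ssh flags S/SA keep state label "anti-lockout rule"
pass in quick on em1 inet proto tcp from any to (em1) port = 10443 flags S/SA keep state label "USER_RULE: temporary webGUI access"
pass in quick on em0 inet proto tcp from any to (em0) port = https flags S/SA keep state label "USER_RULE: HAProxy HTTPS frontend"'

# pfctl prints well-known ports by service name; map the ones used here back.
port_number() {
    case "$1" in
        http)  echo 80 ;;
        https) echo 443 ;;
        ssh)   echo 22 ;;
        *)     echo "$1" ;;
    esac
}

# Read pf rules on stdin and print the ports the anti-lockout rule covers.
# Assumption: the rule carries the label "anti-lockout rule".
antilockout_ports() {
    grep 'label "anti-lockout rule"' |
        sed -n 's/.* port = \([^ ]*\).*/\1/p' |
        while read -r p; do port_number "$p"; done |
        sort -n -u
}

# Succeed only if the anti-lockout rule itself (not a manual rule) covers port $1.
antilockout_covers() {
    antilockout_ports | grep -qx "$1"
}

for state in BEFORE AFTER; do
    eval "rules=\$RULES_$state"
    if printf '%s\n' "$rules" | antilockout_covers 10443; then
        echo "$state: anti-lockout covers 10443, manual rule can be removed"
    else
        echo "$state: anti-lockout does not cover 10443 yet, keep the manual rule"
    fi
done
```

On the firewall itself, over SSH, the same check would read live rules: `pfctl -sr | antilockout_covers 10443`.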
                • G
                  gschmidt @PiBa
                  last edited by Mar 10, 2021, 8:21 PM

                  @piba

                  I followed the steps and this is the result (after removing the cautious rule)
                  Used port 10443:

                  61f137d6-6074-45fa-8efd-88c80a5b4bd6-image.png

                  The anti lock-out rules on the WAN side are removed

                  But to log in to pfSense, I need to add the port: 192.168.X.X:10433
                  The port number was previously not necessary, is this correct?

                  • P
                    PiBa @gschmidt
                    last edited by Mar 10, 2021, 8:29 PM

                    @gschmidt
                    Yes, when running a webgui/website on a non-standard port it must be specified in the browser..

                    • G
                      gschmidt @PiBa
                      last edited by Mar 10, 2021, 8:38 PM

                      @piba

                      Thanx for the help man!

                      Now, yesterday I have already tested a bit with a backend and frontend, but I ran into problems...I will create a new issue to explain what I want to achieve and what errors I ran into

                      (without the above settings and rules, I guess besides safety this doesn't affect the workability of ACME/HAproxy?)
