Netgate Discussion Forum

HAProxy and meshcentral2 server ..... websockets

harrys6666, last edited Oct 9, 2021, 4:20 PM

    Hi,

    New user to pfSense, my first pfSense setup :)

    Replaced DrayTek router with pfSense, and set up Let's Encrypt/HAProxy, as well as still running a local MeshCentral server (previously with nginxmanager set up in Docker).

    My MeshCentral runs OK and is accessible remotely, but external clients are no longer detected in MeshCentral; I assume it's websocket support missing from my backend in HAProxy. Seems the issue is similar to this thread....

    https://forum.netgate.com/topic/158983/websockets-configuration-in-haproxy ??

    Just wondering what I need to type into "access control list" and "action" in the backend config to get websocket support?

    Way above my head, but the manual for MeshCentral .... https://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2UserGuide.pdf has the following info for HAProxy setup ......

    Thanks, Harry


    This section covers a really simple configuration. HAProxy is capable of a lot more complex configurations. In the following example, HAProxy will perform TLS and forward the un-encrypted traffic to MeshCentral on port 444. HAProxy will add extra “X-Forwarded-Host” headers to the HTTP headers so that MeshCentral will know from the IP address the connection comes from.

    In the following configuration file, we have browser connections on port 80 being redirected to HTTPS port 443. We also have Let’s Encrypt cert bot for getting a real TLS certificate and “mesh.sample.com” being redirected to 127.0.0.1:444.
    ```haproxy
    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option forwardfor
        option http-server-close

    frontend http
        bind *:80
        redirect scheme https code 301 if !{ ssl_fc }

    frontend https
        bind *:443 ssl crt /etc/haproxy/cert.pem
        http-request add-header X-Forwarded-Proto https
        acl acmepath path_beg /.well-known/acme-challenge/
        acl meshcentralhost hdr(host) -i mesh.sample.com
        acl meshcentralhost hdr(host) -i mesh.sample.com:443
        use_backend acme if acmepath
        use_backend meshcentral if meshcentralhost

    backend acme
        server certbot localhost:54321

    backend meshcentral
        http-request add-header X-Forwarded-Host %[req.hdr(Host)]
        server meshcentral 127.0.0.1:444
    ```

    On the MeshCentral side, we are not going to use port 80 and need the main HTTPS port to not perform TLS and listen on port 444.
    ```json
    {
      "settings": {
        "Cert": "myservername.domain.com",
        "Port": 444,
        "AliasPort": 443,
        "RedirPort": 0,
        "TlsOffload": "127.0.0.1"
      },
      "domains": {
        "": {
          "certUrl": "https://127.0.0.1:443/"
        }
      }
    }
    ```

    We also specify “127.0.0.1” in TLS offload since we want MeshCentral to make use of the X-Forwarded-Host header that is set by HAProxy.

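When an agent stops showing up behind a new reverse proxy, the quickest way to tell whether the proxy is passing the WebSocket upgrade through (rather than answering the request itself or stripping the Upgrade header) is to send the RFC 6455 handshake yourself and look at the reply: a correct pass-through returns `101 Switching Protocols` with a `Sec-WebSocket-Accept` derived from the key you sent. The script below is an added example for this thread, not code from MeshCentral, the MeshCentral user guide, or the pfSense HAProxy package. It runs offline against two constructed sample replies; the `probe()` function connects to a host you supply (the host name, port and path are assumptions, and the path should be whatever URL your client uses).

```python
"""Probe whether a reverse proxy (e.g. HAProxy in front of MeshCentral) passes a
WebSocket upgrade through to the backend. Added example, not project code."""
import base64
import hashlib
import os
import socket
import ssl
import sys

# Fixed GUID from RFC 6455 section 1.3; the server appends it to the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_key():
    """Random 16-byte nonce, base64-encoded, as RFC 6455 requires (24 chars)."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def expected_accept(key):
    """Sec-WebSocket-Accept value a compliant server must return for `key`."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host, path, key):
    """Minimal HTTP/1.1 upgrade request. The Host header is what the
    hdr(host) ACL in the quoted HAProxy config routes on."""
    lines = [
        "GET %s HTTP/1.1" % path,
        "Host: %s" % host,
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Key: %s" % key,
        "Sec-WebSocket-Version: 13",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response_head(raw):
    """Split status code and headers off a raw HTTP response (headers lower-cased)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % status_line)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(status, headers, key):
    """Map the proxy's answer to a short verdict for debugging the HAProxy side."""
    if status == 101:
        if headers.get("upgrade", "").lower() != "websocket":
            return "bad-upgrade-header"      # 101 but not a WebSocket upgrade
        if headers.get("sec-websocket-accept") != expected_accept(key):
            return "bad-accept"              # handshake not computed from our key
        return "ok"                          # upgrade passed through to the backend
    if status in (400, 426):
        return "refused"                     # Upgrade/Connection headers likely stripped
    if status in (502, 503, 504):
        return "backend-down"                # proxy reached, backend did not answer
    if 200 <= status < 300:
        return "not-upgraded"                # proxy served plain HTTP instead of upgrading
    return "unexpected"


def classify_raw(raw, key):
    """Convenience wrapper: verdict straight from raw response bytes."""
    status, headers = parse_response_head(raw)
    return classify(status, headers, key)


def probe(host, port=443, path="/", use_tls=True, timeout=5.0):
    """Connect, send the upgrade, read the response head, and classify it."""
    key = make_key()
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(build_upgrade_request(host, path, key))
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    finally:
        sock.close()
    return classify_raw(raw, key)


# Constructed sample replies (not captured from a real server) for the offline demo.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # example client key from RFC 6455
SAMPLE_GOOD = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
               b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
SAMPLE_PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    if len(sys.argv) >= 2:  # usage: python ws_probe.py mesh.sample.com [/path]
        print(probe(sys.argv[1], path=sys.argv[2] if len(sys.argv) > 2 else "/"))
    else:
        for name, raw in (("good", SAMPLE_GOOD), ("plain", SAMPLE_PLAIN)):
            print(name, classify_raw(raw, SAMPLE_KEY))
```

A `not-upgraded` or `refused` verdict from outside while the same probe against `127.0.0.1:444` on the MeshCentral host returns `ok` points at the proxy layer; `ok` from both means the agents' problem lies elsewhere (for example the idle timeout closing long-lived tunnels). The accept-value check also catches a proxy that answers the handshake itself instead of relaying it.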
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.