HAProxy and meshcentral2 server ..... websockets
Hi,
New user to pfSense, my first pfSense setup :)
Replaced my DrayTek router with pfSense, and set up Let's Encrypt/HAProxy, while still running a local MeshCentral server (previously set up with nginxmanager in Docker).
My MeshCentral runs OK and is accessible remotely, but external clients are no longer detected in MeshCentral. I assume it's WebSocket support missing from my backend in HAProxy; the issue seems similar to this thread....
https://forum.netgate.com/topic/158983/websockets-configuration-in-haproxy ??
Just wondering what I need to type into "access control list" and "action" in the backend config to get WebSocket support?
Way above my head, but the manual for MeshCentral .... https://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2UserGuide.pdf has the following info for HAProxy setup ......
Thanks, Harry
This section covers a really simple configuration. HAProxy is capable of a lot more complex
configurations. In the following example, HAProxy will perform TLS and forward the un-encrypted
traffic to MeshCentral on port 444. HAProxy will add extra “X-Forwarded-Host” headers to the
HTTP headers so that MeshCentral will know the IP address the connection comes from.
In the following configuration file, we have browser connections on port 80 being redirected to
HTTPS port 443. We also have Let’s Encrypt cert bot for getting a real TLS certificate and
“mesh.sample.com” being redirected to 127.0.0.1:444.
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close

frontend http
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https
    bind *:443 ssl crt /etc/haproxy/cert.pem
    http-request add-header X-Forwarded-Proto https
    acl acmepath path_beg /.well-known/acme-challenge/
    acl meshcentralhost hdr(host) -i mesh.sample.com
    acl meshcentralhost hdr(host) -i mesh.sample.com:443
    use_backend acme if acmepath
    use_backend meshcentral if meshcentralhost

backend acme
    server certbot localhost:54321

backend meshcentral
    http-request add-header X-Forwarded-Host %[req.hdr(Host)]
    server meshcentral 127.0.0.1:444
On the MeshCentral side, we are not going to use port 80 and need the main HTTPS port to not
perform TLS and listen on port 444.
{
  "settings": {
    "Cert": "myservername.domain.com",
    "Port": 444,
    "AliasPort": 443,
    "RedirPort": 0,
    "TlsOffload": "127.0.0.1"
  },
  "domains": {
    "": {
      "certUrl": "https://127.0.0.1:443/"
    }
  }
}
We also specify “127.0.0.1” in TLS offload since we want MeshCentral to make use of the X-
Forwarded-Host header that is set by HAProxy.
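The guide's configuration above has no setting aimed at long-lived WebSocket sessions, which is what MeshCentral agents and the browser console use. The block below is an added example, not from the MeshCentral guide, the pfSense HAProxy package or the original post: it keeps the guide's TLS-offload layout and adds the two pieces that matter for WebSockets, a `timeout tunnel` so upgraded connections are not cut by the ordinary client/server timeouts, and an ACL matching the RFC 6455 `Upgrade: websocket` handshake so the "access control list" and "action" pair the post asks about is visible in raw haproxy.cfg form. The hostname mesh.example.com, the certificate path, the timeout values and the backend port 444 are assumptions for illustration; the certbot backend from the guide is left out because it is specific to that Let's Encrypt setup.

```haproxy
# Added example (not the MeshCentral guide's or pfSense's own config).
# Assumes HAProxy 2.x, public name mesh.example.com, and MeshCentral
# running with "TlsOffload": "127.0.0.1" in plain HTTP on 127.0.0.1:444.
global
    log /dev/log local0
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    option  forwardfor              # X-Forwarded-For carries the real client IP to MeshCentral
    option  http-server-close       # per-request handling; after a 101 HAProxy tunnels the socket
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    timeout tunnel  1h              # governs an upgraded WebSocket instead of client/server timeouts;
                                    # without it idle agent sessions drop after 'timeout client'

frontend http
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https
    bind *:443 ssl crt /etc/haproxy/cert.pem
    # set-header, not add-header: a client-supplied X-Forwarded-Proto is overwritten, not appended
    http-request set-header X-Forwarded-Proto https

    # "access control list" entries
    acl meshcentralhost hdr(host) -i mesh.example.com
    acl meshcentralhost hdr(host) -i mesh.example.com:443
    acl is_websocket    hdr(Upgrade) -i websocket     # RFC 6455 opening handshake

    # "action" entries: the WebSocket handshake and ordinary requests go to the same
    # backend; the separate rule exists so the handshake is explicit (and logged as such)
    use_backend meshcentral if meshcentralhost is_websocket
    use_backend meshcentral if meshcentralhost

backend meshcentral
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    server meshcentral 127.0.0.1:444 check
```

Two practitioner caveats. First, the client IP reaches MeshCentral in X-Forwarded-For, added by `option forwardfor`; X-Forwarded-Host only carries the original Host header, so both directives are needed, and `set-header` is used so a client cannot inject its own values. Second, "TlsOffload": "127.0.0.1" makes MeshCentral trust those headers from HAProxy's address, so port 444 must stay bound to loopback and never be reachable from the LAN or the internet, otherwise anyone who can reach it can claim any source IP. To check that the upgrade actually passes through, send a request with `Upgrade: websocket`, `Connection: Upgrade`, a `Sec-WebSocket-Key` and `Sec-WebSocket-Version: 13` to the public name and expect HTTP 101; a 200 or 400 means HAProxy or MeshCentral did not treat it as a WebSocket handshake.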