Netgate Discussion Forum
    HAProxy and meshcentral2 server ..... websockets

      harrys6666

      Hi,

      New user to pfsense, my first pfsense setup :)

      replaced draytek router with pfsense, and set up letsencrypt/haproxy as well as still running a local meshcentral server (previously with nginxmanager set up in docker)

      my meshcentral runs ok and is accessible remotely, but external clients are no longer detected in meshcentral; I assume it's websocket support missing from my backend in haproxy, seems the issue is similar to this thread....

      https://forum.netgate.com/topic/158983/websockets-configuration-in-haproxy ??

      just wondering what I need to type into "access control list" and "action" in backend config to get websocket support?

      Way above my head, but the manual for meshcentral .... https://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2UserGuide.pdf has the following info for haproxy setup ......

      Thanks, Harry


      This section covers a really simple configuration. HAProxy is capable of a lot more complex
      configurations. In the following example, HAProxy will perform TLS and forward the un-encrypted
      traffic to MeshCentral on port 444. HAProxy will add extra “X-Forwarded-Host” headers to the
      HTTP headers so that MeshCentral will know from the IP address the connection comes from.
      In the following configuration file, we have browser connections on port 80 being redirected to
      HTTPS port 443. We also have Let’s Encrypt cert bot for getting a real TLS certificate and
      “mesh.sample.com” being redirected to 127.0.0.1:444.
      global
          log /dev/log local0
          log /dev/log local1 notice
          chroot /var/lib/haproxy
          stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
          stats timeout 30s
          user haproxy
          group haproxy
          daemon

      defaults
          log global
          mode http
          option httplog
          option dontlognull
          option forwardfor
          option http-server-close

      frontend http
          bind *:80
          redirect scheme https code 301 if !{ ssl_fc }

      frontend https
          bind *:443 ssl crt /etc/haproxy/cert.pem
          http-request add-header X-Forwarded-Proto https
          acl acmepath path_beg /.well-known/acme-challenge/
          acl meshcentralhost hdr(host) -i mesh.sample.com
          acl meshcentralhost hdr(host) -i mesh.sample.com:443
          use_backend acme if acmepath
          use_backend meshcentral if meshcentralhost

      backend acme
          server certbot localhost:54321

      backend meshcentral
          http-request add-header X-Forwarded-Host %[req.hdr(Host)]
          server meshcentral 127.0.0.1:444
      On the MeshCentral side, we are not going to use port 80 and need the main HTTPS port to not
      perform TLS and listen on port 444.
      {
        "settings": {
          "Cert": "myservername.domain.com",
          "Port": 444,
          "AliasPort": 443,
          "RedirPort": 0,
          "TlsOffload": "127.0.0.1"
        },
        "domains": {
          "": {
            "certUrl": "https://127.0.0.1:443/"
          }
        }
      }
      We also specify “127.0.0.1” in TLS offload since we want MeshCentral to make use of the X-Forwarded-Host header that is set by HAProxy.

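An added example, not part of the post above, the MeshCentral guide, or HAProxy itself: a small Python check that sends a WebSocket upgrade request through the proxy and reports whether the backend's 101 handshake came back intact. It assumes the agent endpoint path "/agent.ashx" and the host name "mesh.sample.com" from the manual excerpt (both are assumptions; substitute your own), and the two sample replies at the bottom are constructed so the parser can be exercised offline. A plain 200 or 400 where a 101 was expected means the Upgrade/Connection headers never reached MeshCentral; a 502/503/504 means HAProxy could not reach the backend at all.

```python
"""Verify that a reverse proxy (HAProxy in front of MeshCentral) passes the
WebSocket upgrade handshake through to the backend (RFC 6455, section 4).
Added example; "/agent.ashx" and "mesh.sample.com" are assumed values."""
import base64
import hashlib
import os
import socket
import ssl
import sys

# Fixed GUID from RFC 6455 section 1.3, used by every WebSocket server.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_key() -> str:
    """Sec-WebSocket-Key: 16 random bytes, base64-encoded (24 characters)."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept the server must return for a given key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_handshake(host: str, path: str, key: str) -> bytes:
    """Minimal HTTP/1.1 upgrade request, as a browser or agent would send it."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Upgrade: websocket",
             "Connection: Upgrade", f"Sec-WebSocket-Key: {key}",
             "Sec-WebSocket-Version: 13", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_handshake_response(raw: bytes, key: str) -> dict:
    """Evaluate the head of an HTTP response against the handshake rules."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    try:
        status = int(parts[1])
    except (IndexError, ValueError):
        status = 0
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    upgrade_ok = headers.get("upgrade", "").lower() == "websocket"
    # Connection may carry several tokens, e.g. "keep-alive, Upgrade".
    conn_tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    connection_ok = "upgrade" in conn_tokens
    accept_ok = headers.get("sec-websocket-accept", "") == expected_accept(key)
    ok = status == 101 and upgrade_ok and connection_ok and accept_ok
    if ok:
        verdict = "websocket upgrade succeeded end to end"
    elif status == 101:
        verdict = "101 received but upgrade headers or accept key are wrong"
    elif status in (200, 400, 426):
        verdict = "backend answered as plain HTTP: Upgrade/Connection headers probably not forwarded"
    elif status in (502, 503, 504):
        verdict = "proxy could not reach the backend (check server address/port and timeouts)"
    else:
        verdict = f"unexpected status {status}"
    return {"status": status, "upgrade": upgrade_ok, "connection": connection_ok,
            "accept": accept_ok, "ok": ok, "verdict": verdict}


def check_websocket(host: str, port: int = 443, path: str = "/agent.ashx",
                    use_tls: bool = True, timeout: float = 5.0) -> dict:
    """Connect to the proxy, send the upgrade and evaluate the reply (live check)."""
    key = make_key()
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_handshake(host, path, key))
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_handshake_response(raw, key)


# Constructed sample replies for offline use. The key/accept pair is the
# worked example from RFC 6455 section 1.3.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GOOD_REPLY = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
              b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
PLAIN_HTTP_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:      # python check_ws.py mesh.sample.com
        print(check_websocket(sys.argv[1]))
    else:                      # no target given: show the two offline cases
        print(parse_handshake_response(GOOD_REPLY, SAMPLE_KEY))
        print(parse_handshake_response(PLAIN_HTTP_REPLY, SAMPLE_KEY))
```

Run it with the public host name as the argument after changing the HAProxy config, and again from inside the LAN against 127.0.0.1:444 with use_tls=False to separate proxy problems from MeshCentral problems. HAProxy in `mode http` recognises the Upgrade header on its own and switches that connection to tunnel mode, so the handshake itself needs no dedicated ACL; once upgraded, the connection lives under `timeout tunnel` (falling back to the client/server timeouts), and the `defaults` section quoted from the manual sets no timeouts at all, which is worth checking before looking at ACLs.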
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.