HA-proxy: IPV6, logging, mailserver etc
-
I am trying to set up an HA-proxy config and am facing a couple of issues. Here I would like to address four of them. As always, some help is appreciated.
- There is no logging ..... how to fix that?
- When processing IPV4, I create a front-end using 'WAN (IPv4) address' + one or more port numbers. However, how to select IPV6 ..... which is not one address, but a couple of them.
  - I could use 'WAN (IPV6) address' + port number, or
  - I could forward a certain IPV6-address to a VIP and use 'VIP-address', port number, or
  - ???
  How to do this!?
- I would like to use HA-proxy not only for http and https, but also for e.g. an (sftp) server and a mail server.
  - Can I do that by simply forwarding all involved ports to 'This Firewall' (like I do for a web-server in the example below)?
  - And creating a front-end listening to the same ports?
- There is an IPV6 related bug. When creating a front-end using <IPV6-address-123>, port 456, the HA-proxy application seems to receive [IPV6-address-123:456], which is not a valid address of course. I did create a bug report for that. If you put a space before the port number, the definition is accepted .... however, no guarantee that it is behaving correctly ....
-
Short update:
Related to my previous mail
ad 1) In the HA-proxy settings page you have to set the logging file. After doing so, the logging is 'mainly' going to 'packages HA-proxy', however .... also to the system general log.
ad 2) A few remarks:
a) Wrong perception. If you select WAN ipv6 as source, you fetch everything which is passing the WAN interface.
b) I did define a VIP per domain. Packages from the internal network with destination the public servers belonging to the domain are forwarded to that VIP (using internal split DNS). By having the HA-proxy front-end listen to that VIP and to the WAN, I can reach my public sites from both the internet and the local network.
ad 3) That seems to work, at least for my SFTP-server. (I have to set up the mail server)
ad 4) That is simply a bug NetGate has to fix.
Strange finding
HA-proxy is even fetching the WAN data without any related firewall rule!!! (like e.g. the ones shown in the previous post)
New problem
The packages forwarded to e.g. my sftp-server do not have their original address.
They have the address of one of my interfaces! I would really like to see the original addresses!!!
I am not ready yet. Still things to add, test and tune.
-
I have been trying 'to fix' the issue 'that the sftp-server sees the proxy address' and not the 'client address'.
Since a proxy is forwarding a package, it is not strange that the server at the destination side normally sees the address of the proxy and not that of the client.
Luckily there are protocols which allow the proxy to forward the client address.
So the big question is how:
- to enforce HA-proxy to forward the client IP, and
- to enforce the SSH-server to use the (added) client address
The config is as follows:
- pfsense 2.7 actual build
- ha-proxy haproxy-develop
- in ssl/https (TCP-mode)
- frontend listening to WAN-address (4/6) port 22
- IPV4-frontend and an IPV6-frontend
- IPV4 and an IPV6 back-end
- bitvise (advanced) ssh-server (on windows)
That works, no problem apart from the 'lack of client address' issue.
I did a lot of searching on the internet and found options like:
- 'option forwardfor' (usable for the front-end and/or the back-end)
- options like 'send-proxy' and 'send-proxy-v2', and for bitvise:
- 'proxy protocol' (disabled or required (default disabled)) and
- 'Enable UPnP gateway forwarding' (on/off (default off))
After reading the links below I decided to try almost all possible options ...... nothing worked.
So if someone has a working config, I would love to know how.
I did google a lot. Here are some links, which might or might not help (enough):
https://www.haproxy.com/documentation/hapee/latest/load-balancing/client-ip-preservation/add-x-forward-for-header/
https://www.reddit.com/r/PFSENSE/comments/108siet/forwarding_source_ip_from_haproxy/
https://forum.netgate.com/topic/159562/solved-haproxy-forward-client-ip
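For reference, an added example (not from this thread or from the pfSense HAProxy package; the addresses are RFC 5737/3849 documentation placeholders) of what the hand-written haproxy.cfg for the SFTP setup above looks like: TCP-mode frontends bound to the IPv4 and IPv6 WAN addresses, logging to syslog, and a backend that prepends the PROXY protocol v2 header so the SSH server can learn the real client address. The comments carry the two points the option list above leaves implicit: `option forwardfor` is an HTTP-only header and does nothing in TCP mode, and the server side must be set to require the PROXY header at the same time, otherwise the header arrives as garbage before the SSH banner.

```haproxy
# Added example: hand-written haproxy.cfg for the SFTP-through-HAProxy setup.
# 203.0.113.10 / 192.0.2.20 / 2001:db8::... are documentation placeholders.
global
    # Ship logs to the local syslog daemon; on pfSense this is what the
    # package's logging setting configures (facility local0 here).
    log 127.0.0.1:514 local0 info

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  10m
    timeout server  10m

# SSH/SFTP is relayed as raw TCP: there is no HTTP header to carry the
# client IP, so 'option forwardfor' has no effect in this mode.
frontend sftp_v4
    bind 203.0.113.10:22
    default_backend sftp_v4_be

# IPv6 bind syntax is [address]:port. The GUI bug reported above produced
# [address:port], which HAProxy rejects as an invalid address.
frontend sftp_v6
    bind [2001:db8:0:1::10]:22
    default_backend sftp_v6_be

backend sftp_v4_be
    # send-proxy-v2 prepends a PROXY protocol v2 header with the original
    # client address/port before any SSH bytes are exchanged. The SSH server
    # must be configured to require that header (Bitvise: 'proxy protocol'
    # = required); a server not expecting it sees a broken SSH handshake
    # and drops the connection. check-send-proxy makes health checks send
    # the same header so they are not rejected either.
    server sftp1 192.0.2.20:22 check check-send-proxy send-proxy-v2

backend sftp_v6_be
    server sftp1 [2001:db8:0:2::20]:22 check check-send-proxy send-proxy-v2
```

Either both sides speak the PROXY protocol or neither does; enabling send-proxy-v2 on the backend while the SSH server still has it disabled is the combination that makes every connection fail.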