Proper way to set up proxy forward for backend HAProxy server.

SkippyTheMagnificent · Jun 4, 2023, 11:33 PM

ok, so I understand the subject line might be a bit confusing, so I'll try to explain my scenario: I have pfSense+ 23.05 as my edge ingress point to a homelab. In the LAN side, I have a small kubernetes cluster with haproxy ingress. The kube haproxy uses host-headers to identify which pod to connect to inside the k8s cluster. Now, I want to expose a service running inside the cluster from outside of my local network. I can't seem to find the right backend configuration for the pfSense HAProxy service that will allow traffic through the pfSense haproxy to the k8s haproxy.

More details: The K8S haproxy host uses letsencrypt certs for services running inside the cluster, AND similar certs to allow https ingress through the pfSense HAProxy as well, so, for example: https://ombi.mydomain.com redirects inside the cluster to ombi-service.media.svc.cluster.local:3456 (inside the cluster), and works successfully from any host on the LAN. So, I'm pretty sure that part is correct.
However, when trying to access https://ombi.mydomain.com from outside my LAN, I get a 503 from the pfSense haproxy; most likely because all httpchecks are failing from the pfsense backend (Status page always shows the host offline).

So, I think I've got something messed up in my "backend" HTTP check, somehow, but I'm struggling with how to configure it. I have this setup in my pfsense/haproxy backend config for this backend:

in my backend rule, but no matter what I try, I keep getting an offline state for the HAProxy Ingress controller.

I'm entirely sure I'm most likely doing something wrong, or missing a huge concept somewhere, so any tips/pointers/links to RTFM content, please feel free to let me know. Any suggestions? As mentioned, I CAN successfully get to other hosted devices/services OUTSIDE the k8s cluster from outside my LAN, so I know it works; I'm just having trouble routing to this one site/service inside my k8s cluster.

Thanks in advance!
Skippy

SkippyTheMagnificent · Jun 13, 2023, 5:37 AM

I've been banging my head against a wall for a week... nothing seems to work. Internally (on my network), I CAN successfully navigate to https://ombi.mydomain.com and get a secure connection. As mentioned, I am doing host routing within the K8S cluster's HAProxy ingress, namely, if the host header is detected as "ombi.mydomain.com", it knows what pod/service to access inside the cluster. However, when going through pfSense haproxy, it 503's due to the detected host (k8s haproxy) not being able to verify the SSL cert: "Layer6 Invalid Response: SSL Handshake Error"

viragomann · Jun 13, 2023, 10:58 AM

@SkippyTheMagnificent
First of all the backend state has to be online to get it work. If this isn't the case, the health checks might fail.

You have enabled HTTP health check + SSL checks + "/" as URL to check.
This means, HAproxy might try to access "https://10.0.1.160:443/" for checking the backends state. So the backend has to provide a valid SSL certificate for the CN "10.0.1.160". I'm in doubt...

I'd switch the health check method to basic instead.