SSL certs handling and HAproxy

stephenw10

HAProxy will work fine using https to the backends if you need it to. I have no idea if you can add Varnish to that though.

lewis

Well, I showed all of my configuration and I can see haproxy sending to http.
Even after changing all of the urls to http, the page is still showing up broken to public clients but perfectly to internal.

lewis

@stephenw10 said in SSL certs handling and HAproxy:

HAProxy will work fine using https to the backends if you need it to. I have no idea if you can add Varnish to that though.

Right, that was the entire goal so if I can't do that, then this is all moot.

stephenw10

Well if the backend servers can only respond correctly to https connections then Varnish needs to use https to connect to them.

You might try using a very simple site that you know works fine with http as a test until you have the other parts working.

lewis

You might try using a very simple site that you know works fine with http as a test until you have the other parts working.

That's what this site was, for testing.
Other than this post, I can't find much more information so I guess I don't get to set this up the way I need it.

stephenw10

By very simple I mean just an index page. Nothing with anything linking to https.

lewis

@stephenw10 said in SSL certs handling and HAproxy:

By very simple I mean just an index page. Nothing with anything linking to https.

Yes, I already proved to myself that haproxy is sending http now but the site is built in https.
I dumped the db, renamed all of the https urls to http and it worked fine other than some small things I'd have to fix.

The problem is, I cannot do that to all of the apps that would be in play here, it's simply too much work.
The only other option I have is to not use haproxy on pfsense, but use acme only to have that centralized part I wanted.

Setups could be a proxy/varnish on a server. Not sure if pfsense can send pure http after acme to the LAN.

stephenw10

I'd be surprised if Varnish can't also use https. As long as the front and backend sessions are terminated there it can still see and cache all the content.

But, yes, if you're running Varnish on some separate server then it might be easier to do it all there.

lewis

These are some headers I have set in the Apache configuration.
I'm reading that haproxy also needs to have custom headers for some of these to work.

        # Add X-Forwarded-For header to log the original client IP
        RequestHeader set X-Forwarded-For %{REMOTE_ADDR}e

        # Add X-Real-IP header
        RequestHeader set X-Real-IP %{REMOTE_ADDR}e

        # Add X-Forwarded-Proto header to identify the protocol used by the client
        RequestHeader set X-Forwarded-Proto https

        # Use Vary header for content negotiation
        <Location />
            Header append Vary Accept-Encoding
        </Location>

I would need to add custom configs in haproxy, like under the frontend or backend sections, depending on specific requirements.
The actual syntax for these directives will typically look like http-request set-header X-Forwarded-For %[src] for X-Forwarded-For, as an example.
But that's the problem, I can't find enough information to even understand what I would need to add to haproxy.

Maybe I'm closer than I think but lack of knowledge and examples is making it impossible.

lewis

What's the chances?

stephenw10

You are accessing that via the proxy?

lewis

@stephenw10 said in SSL certs handling and HAproxy:

You are accessing that via the proxy?

I was searching Google which gave a link to these forums and this is what I got, repeatedly.
When we forward a domain, we typically maintain the old domain's cert also, just for this reason.

kiokoman

@lewis
must be an old entry because the forum is forum.netgate.com and not forum.pfsense.com
or they forgot to add the DNS

stephenw10

Oh well spotted! Yeah that's just an old link.

lewis

I wish I could figure this thing out. I very badly need a cache server for all of the web sites on the back end.
I appreciate the help you've all provided.

lewis

And today, another random thing happens on pfsense which I'm sure no dev will say 'oh ya, we're working on that one' to.

When I created my first acme cert and generated it, it should the dates of the cert start/end in Last renewed.
Today, I create a new cert, generate it and see nothing, just 'Issued Certificate Dates;' and nothing.

stephenw10

You have a screenshot?

lewis

lewis

In the end, the point is to have two new things;

1: varnish server to handle caching

2: fixing the haproxy configuration so that it's actually load balancing those web servers.
That was an interesting find. I don't know how pfsense was sending traffic to the web servers without haproxy actually working.
Maybe it automatically round robins since the servers are listed in an alias?