Netgate Discussion Forum

SSL certs handling and HAproxy

General pfSense Questions
  • L Offline
    lewis
    last edited by Jan 3, 2024, 2:46 PM

    These are some headers I have set in the Apache configuration.
    I'm reading that haproxy also needs to have custom headers for some of these to work.

    
            # Add X-Forwarded-For header to log the original client IP
            RequestHeader set X-Forwarded-For %{REMOTE_ADDR}e
    
            # Add X-Real-IP header
            RequestHeader set X-Real-IP %{REMOTE_ADDR}e
    
            # Add X-Forwarded-Proto header to identify the protocol used by the client
            RequestHeader set X-Forwarded-Proto https
    
            # Use Vary header for content negotiation
            <Location />
                Header append Vary Accept-Encoding
            </Location>
    
    

    I would need to add custom configs in haproxy, like under the frontend or backend sections, depending on specific requirements.
    The actual syntax for these directives will typically look like http-request set-header X-Forwarded-For %[src] for X-Forwarded-For, as an example.
    But that's the problem, I can't find enough information to even understand what I would need to add to haproxy.

    Maybe I'm closer than I think but lack of knowledge and examples is making it impossible.

    1 Reply Last reply Reply Quote 0
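An added example (not part of the post above, and not the configuration the pfSense HAProxy package generates) showing HAProxy directives that correspond to the Apache request headers listed in the post. The section names, certificate path and server addresses are placeholders.

```haproxy
# Added example; names, certificate path and addresses are placeholders.
frontend www_in
    mode http
    bind :80
    bind :443 ssl crt /path/to/site.pem

    # set-header removes any copy of the header the client sent before
    # writing the new value, so the backend only sees the source address
    # that HAProxy itself observed on the connection.
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Real-IP       %[src]

    # Report the scheme the client actually used on this connection.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http  unless { ssl_fc }

    default_backend web_servers

backend web_servers
    mode http
    balance roundrobin
    # Response headers such as the Vary header set by Apache pass through
    # unchanged, so no directive is needed here for it.
    server web1 192.0.2.10:80 check
    server web2 192.0.2.11:80 check
```

Behind the proxy, Apache sees every connection as coming from HAProxy, so `RequestHeader set` lines on the backend would replace the values HAProxy supplied. The backend should accept these headers only when the request arrives from the proxy's address.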
    • L Offline
      lewis
      last edited by Jan 3, 2024, 4:59 PM

      What's the chances?

      8dd2000d-05d6-4868-b944-e706da125448-image.png

      • S Online
        stephenw10 Netgate Administrator
        last edited by Jan 3, 2024, 5:01 PM

        You are accessing that via the proxy?

        • L Offline
          lewis @stephenw10
          last edited by Jan 3, 2024, 5:02 PM

          @stephenw10 said in SSL certs handling and HAproxy:

          You are accessing that via the proxy?

          I was searching Google which gave a link to these forums and this is what I got, repeatedly.
          When we forward a domain, we typically maintain the old domain's cert also, just for this reason.

          • K Offline
            kiokoman LAYER 8 @lewis
            last edited by kiokoman Jan 4, 2024, 8:38 AM Jan 4, 2024, 8:36 AM

            @lewis
            must be an old entry because the forum is forum.netgate.com and not forum.pfsense.com
            or they forgot to add the DNS 😁
            d12da92d-097e-4fb2-b91d-7d61dcb1ef06-image.png
            • S Online
              stephenw10 Netgate Administrator
              last edited by Jan 4, 2024, 10:38 AM

              Oh well spotted! Yeah that's just an old link.

              • L Offline
                lewis
                last edited by Jan 4, 2024, 5:01 PM

                I wish I could figure this thing out. I very badly need a cache server for all of the web sites on the back end.
                I appreciate the help you've all provided.

                • L Offline
                  lewis
                  last edited by Jan 4, 2024, 11:48 PM

                  And today, another random thing happens on pfsense which I'm sure no dev will say 'oh ya, we're working on that one' to.

                  When I created my first acme cert and generated it, it showed the dates of the cert start/end in Last renewed.
                  Today, I create a new cert, generate it and see nothing, just 'Issued Certificate Dates;' and nothing.

                  • S Online
                    stephenw10 Netgate Administrator
                    last edited by Jan 5, 2024, 12:50 AM

                    You have a screenshot?

                    • L Offline
                      lewis
                      last edited by Jan 5, 2024, 2:39 AM

                      fb0405b3-28fd-40f0-ad1e-dd47018e19a7-image.png

                      • L Offline
                        lewis
                        last edited by Jan 6, 2024, 8:22 PM

                        In the end, the point is to have two new things;

                        1: varnish server to handle caching

                        2: fixing the haproxy configuration so that it's actually load balancing those web servers.
                        That was an interesting find. I don't know how pfsense was sending traffic to the web servers without haproxy actually working.
                        Maybe it automatically round robins since the servers are listed in an alias?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.