Can pfsense detect requests and routing to set hostname

stephenw10

So do you see states created?

sysbitnet

Yes, I set.

When i do this just for testing

How can i see if i correctly configured and tried to access it, this is working perfectly.

IP_ProxMox is set localhost IP set inside Firewall / Aliases / IP

When i disable this Port Forward and now testing to login again like https://pm.domain.com:8006 i get this result

503 Service Unavailable
No server is available to handle this request.

If i have a set like this inside HAProxy

@sysbitnet said in Can pfsense detect requests and routing to set hostname:

Inside Services / HAProxy / Backend

Name: PM_8006
Mode: active
Name: pm
Forward to: Address+Port
Address: 192.168.100.3
Port: 8006
Encrypt(SSL): yes
SSL checks: yes
And in the Health check method set: basic

How i configure On the Frontend part.

Services / HAProxy / Frontend
Name: PM_Front
External address
Listen address: WAN address (IPv4)
Port: 8006
SSL Offloading: yes

In Access Control lists inside the same
Name: pm
Expression: Host matches
CS: empty
Note: empty
Value: pm.domain.com

In part Actions inside the same

Action Use Backend the name that i set on PM_8006
Condition acl names: the same name that i set in Access Control lists pm

And inside the same Additional certificates select SSL Offloading what i on System / Certificates / Certificates

The same certificate and added inside proxmox, because is letsencrypt wildcard certificate

And when i try to visit https://pm.domain.com:8006/ the result is like this below message.

503 Service Unavailable
No server is available to handle this request.

stephenw10

But do you see states on port 8006 in Diag > States?

sysbitnet

@stephenw10 said in Can pfsense detect requests and routing to set hostname:

But do you see states on port 8006 in Diag > States?

If you mean on Diagnostics / States / States yes this is what i get as a result.

stephenw10

Ok. So what is the LAB interface? What are the IPs there?

I expect to see a port 8006 state on WAN whilst you're testing.

sysbitnet

@stephenw10 said in Can pfsense detect requests and routing to set hostname:

Ok. So what is the LAB interface? What are the IPs there?

I expect to see a port 8006 state on WAN whilst you're testing.

LAB interface is a local private network, 192.168.100.0./24

stephenw10

Ok so I assume 192.168.100.254 is the LAN interface address.

That state could be the backend on-line check.

If you are trying to connect to it you should also see states on the WAN.

sysbitnet

I just tested with mobile internet and have this result

sysbitnet

@stephenw10 said in Can pfsense detect requests and routing to set hostname:

Ok so I assume 192.168.100.254 is the LAN interface address.

That state could be the backend on-line check.

If you are trying to connect to it you should also see states on the WAN.

I get this result with a local private network because i use the same IP and for that reason, i get a local IP

stephenw10

Ok so you do see a state open on the WAN. Do you also see a new state open on LAB when that happens? That's what you would expect to see if HAProxy is opening the backend.

If it isn't then it's probably not trying because it thinks the backend is down.

sysbitnet

@stephenw10 said in Can pfsense detect requests and routing to set hostname:

Ok so you do see a state open on the WAN. Do you also see a new state open on LAB when that happens? That's what you would expect to see if HAProxy is opening the backend.

If it isn't then it's probably not trying because it thinks the backend is down.

This is how it configures Backend and Frontend
@sysbitnet said in Can pfsense detect requests and routing to set hostname:

@stephenw10
I agree with you.

How can testing what is the problem only leave this service, for example, i used to test proxmox.

Inside Services / HAProxy / Backend

Name: PM_8006
Mode: active
Name: pm
Forward to: Address+Port
Address: 192.168.100.3
Port: 8006
Encrypt(SSL): yes
SSL checks: yes
And in the Health check method set: basic

How i configure On the Frontend part.

Services / HAProxy / Frontend
Name: PM_Front
External address
Listen address: WAN address (IPv4)
Port: 8006
SSL Offloading: yes

In Access Control lists inside the same
Name: pm
Expression: Host matches
CS: empty
Note: empty
Value: pm.domain.com

In part Actions inside the same

Action Use Backend the name that i set on PM_8006
Condition acl names: the same name that i set in Access Control lists pm

And inside the same Additional certificates select SSL Offloading what i on System / Certificates / Certificates

The same certificate and added inside proxmox, because is letsencrypt wildcard certificate

And when i try to visit https://pm.domain.com:8006/ the result is like this below message.

503 Service Unavailable
No server is available to handle this request.

The web interface can be reached via https://youripaddress:8006 or https://pm.domain.com:8006

When i open Stats FS i see Green for this profile

stephenw10

Oh this is simply the Proxmox webgui. That should work Did you add the Proxmox CA cert to pfSense so it will allow connections?

You should change the backend health-check to https. When that shows as available then proxied requests should do also.

sysbitnet

@stephenw10 said in Can pfsense detect requests and routing to set hostname:

Oh this is simply the Proxmox webgui. That should work Did you add the Proxmox CA cert to pfSense so it will allow connections?

You should change the backend health check to https. When that shows as available then proxied requests should do also.

I have a Let's Encrypt wildcard certificate, which i add inside ProxMox

Or you mean to add this from ProxMox to pfSenese

When i change on Services / HAProxy / Backend
In the Health check method set: from Basic to HTTP when i have status Down

For now, only add my Let's Encrypt wildcard certificate on Services / HAProxy / Frontend

stephenw10

I'm just speculating that HAProxy cannot open a connection to Proxmox because it refuses the cert. However it should be OK if Proxmox is using a LE cert.

Try to open it from pfSense directly. It fails for me here because I'm using the self signed cert in Proxmox:

[24.03-RELEASE][root@m270-2.stevew.lan]/root: curl https://172.21.16.250:8006
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

sysbitnet

I back with this case, when i use like this

Is not meather did i enter Public IP https://xxx.xxx.xxx.xxx:8006 or https://pm.domain.com:8006

I get similar results on the ProxMox login screen

In this case, the only SSL that it uses is the SSL that is installed inside ProxMox.

When i disable rule inside Firewall / NAT / Port Forward

And back inside HAProxy where in Frontend
PM_Front rule

Just inside SSL Offloading => Certificate use, for example, pfSense certificate and open in the same way first what i get is

Your connection is not private
Attackers might be trying to steal your information from pm.domain.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID

And when i agree with that and want to continue again like the final point get

503 Service Unavailable
No server is available to handle this request.

And inside Diagnostics / States / States get this like result

stephenw10

Did you try to open it with curl like I showed above?