Configure HAProxy for PC folder access
-
I installed Apache Guacamole on a PC on a network to use with http://IP-Address:8080/guacamole
I would like to call hit back remotely with
http://ServerName.domain.tld/10101
but I get "unreachable" error.I created a HA-Proxy setup with:
Backend- Server List Address = PC-IP-Address
- Port = 8080
Frontend
- Listen Address = WanAddress(IP4)
- Port = 10101
- Type = http / https (offloading)
- Access Control List value = ServerName.domain.tld:10101
All other options are standard.
I have also a WAN rule from Any to WAN Address port 10101I don't understand where I should define the "/guacamole" folder.
-
@WhiteTiger-IT said in Configure HAProxy for PC folder access:
I would like to call hit back remotely with
http://ServerName.domain.tld/10101
but I get "unreachable" error.That's incorrect. You should use: http://ServerName.domain.tld:10101/guacamole
Though I would want to use https.
Does the FQDN resolve correctly?
-
@stephenw10 said in Configure HAProxy for PC folder access:
@WhiteTiger-IT said in Configure HAProxy for PC folder access:
http://ServerName.domain.tld/10101
That's incorrect. You should use: http://ServerName.domain.tld:10101/guacamole
Though I would want to use https.
Does the FQDN resolve correctly?
Sorry, I spelled it wrong, but I used the correct URL.
There is currently no domain for this IP, and I am using DuckDNS with a Static IP which resolves correctly.
-
I made some changes, but it's still not reachable
https://domain.duckdns.org:10101/guacamoleI created a Let'sEncrypt certificate.
I then modified the Frontend-
External Address
Listen Address = WanAddress(IP4)
Port = 10101
SSL offloading = Yes
Type = http / https (offloading) -
Access Control List
Name = ACLName
Expression = Host starts with:
Value = domain.duckdns.org:10101 -
Action
Use Backend = Backend selected
Condition and names = ACLName -
Certificate = LES created
-
-
@WhiteTiger-IT
You have to let HAproxy insert "/guacamole" into the path:
You can do this with an "http-request set-path" action and enter "/guacamole%[path]" below.Basically, you can set this rule either in the frontend or in the backend. I'd prefer the backend for this, however.
-
@viragomann
Even with this change in the backend it doesn't work.
The service is active, but I don't see anything in stats and system logs.
In my opinion the request doesn't even arrive.
Don't I have to set up a NAT? -
@WhiteTiger-IT
No, NAT isn't needed with HAproxy.Does your backend server log the access?
Can you see something there?@WhiteTiger-IT said in Configure HAProxy for PC folder access:
Access Control List
Name = ACLName
Expression = Host starts with:
Value = domain.duckdns.org:10101The port '10101' is not part of the host name.
This ACL will never match any traffic. -
@viragomann
I do not understand.
How is the URL composed? I use:
https://domain.duckdns.org:10101/guacamole
I configured the router to port forward 10101 on its LAN which coincides with the pfSense WAN.
I don't see anything, neither in Stats nor in System Logs/HA-ProxyHere some snapshots
-
@WhiteTiger-IT said in Configure HAProxy for PC folder access:
How is the URL composed? I use:
https://domain.duckdns.org:10101/guacamole"/guacamole" is the part, which the backend rule is adding to the requested path. So you should only request "https://domain.duckdns.org:10101" from outside.
Did you also add a firewall rule to allow access to port 10101 on WAN?
If so, is there even any packet arriving? Sniff the WAN traffic to get sure.
Is the backend shown as 'online' in the stats?
-
@viragomann
With the setup I posted yesterday, the URL https://domain.duckdns.org:10101 doesn't work .
This is the rule in WAN.
In LAN and DMZ the first rule is everything open.
Nothing is reported in Stats, nor in System Logs-HAProxy, nor in System Logs-Firewall by applying the Pass = 10101 filter.
It's all empty. -
@WhiteTiger-IT
Sniff the traffic on WAN as suggested, to ensure if the packets even arrive there.
Possibly your ISP blocks the used port. -
@WhiteTiger-IT said in Configure HAProxy for PC folder access:
Nothing is reported in Stats, nor in System Logs-HAProxy, nor in System Logs-Firewall by applying the Pass = 10101 filter.
It's all empty.Where are you testing from?
-
Sorry, but I don't understand you.
I have enabled WAN rule logging.
I'm trying the URL from my PC at home, while with Anydesk I control pfSense remotely.
In System Logs / Firewall / Dynamic View I don't see any traffic related to port 10101 or my home IP.
How do I sniff it? With what package?The Stats page is completely empty.
Can you explain to me in action the /guacamole%[path] format which I don't understand, what's in [path]?
-
You should see hits on that WAN firewall rule even if HAProxy isn't working at all. If you don't see incoming connections being passed by it then nothing else can work.
-
@WhiteTiger-IT said in Configure HAProxy for PC folder access:
I'm trying to access from my PC at home, while with Anydesk I control pfSense remotely.
Anydesk to a PC inside the remote network?
So you're accessing the remote WAN IP, port 10101 from home, I guess.
How do I sniff it? With what package?
Diagnostic > Packet Capture menu.
Select WAN at interface and enter 10101 into the port filter box.
Start the capture and try to access port 10101 from home.Can you explain to me in action the /guacamole%[path] format which I don't understand, what's in [path]?
"path" is a virable used in HAproxy for the origin requested path (the URL part behind the host name).
So you need to exactly enter, what I stated above. -
I removed all configurations, both in pfSense (about HA-Proxy and WAN rules) and the router (about port forwarding), redid them from scratch and restarted both.
Now works. Evidently there was a blockage somewhere.Before closing the thread, where can I find documentation for the format to use in Actions?
-
@WhiteTiger-IT
Generally you can comply with the official HAproxy documentation.
You just need to translate it to the setting possibilities, which you can find in the pfSense web GUI.