Netgate Discussion Forum

    HA-Proxy, how to set correctly a shared frontend with Offloading and TCP

    Category: Cache/Proxy
    4 Posts 3 Posters 777 Views
    • BelluX

      Hi,

      I'm new to HAProxy.

      I have two local servers: one has an internal certificate, and the other one will be signed/renewed with pfSense. I need to create a shared frontend on 443 to work with these two servers. I followed and searched some guides to set up HAProxy correctly, but I found nothing about a shared frontend.

      [Attachment: Screenshot 2025-03-20 110428.png]

      I ended up setting it all up like you see in the attachment, and it works: I can reach the endpoints without problems, and all of them show the certificate correctly when I try to connect from outside.

      The problem is the warning you see; I don't know how to set up a shared frontend properly, and if I shut down the two frontends that are working for offloading and TCP, everything stops working.

      Which guide can I follow, or what do you suggest I adjust for the shared frontend to work properly?

      Thank you.

      • Sebastian74

        It looks like your setup is mostly working, but the warning could indicate a misconfiguration in HAProxy's frontend/backend handling. Since you're using a shared frontend on port 443, you might need to adjust your ACLs and SNI rules properly.

        A few things to check:

        Ensure that HAProxy is correctly routing traffic based on SNI (Server Name Indication).

        If you're using TCP mode, make sure that SSL passthrough is configured correctly for both backends.

        If you're offloading SSL at HAProxy, ensure that the certificates are properly assigned and that backend communication is happening over HTTP or correctly re-encrypted HTTPS.

        If your setup involves a shared proxy, check that HAProxy is correctly handling multiple backend servers and not conflicting with SSL termination.

        For guides, you might find these helpful:

        HAProxy SNI Routing

        HAProxy with pfSense

        If you can share the exact warning message, it’ll be easier to troubleshoot further!

        Let me know if you need any more refinements!

        • BelluX @Sebastian74

          @Sebastian74

          If you're using TCP mode, make sure that SSL passthrough is configured correctly for both backends.

          If you're offloading SSL at HAProxy, ensure that the certificates are properly assigned and that backend communication is happening over HTTP or correctly re-encrypted HTTPS.

          I'm using both of these options, because one server has the certificate inside it, and the other one is certified by HAProxy with the cert on pfSense.

          I need to mix these two modes, or tell me another way to do this correctly; I can't find anything for this scenario.

          Thank you

          • andrew_cb @BelluX

            @BelluX

            The Shared-Frontends message is because you have two different frontends configured that are listening on the same IP address and port. To resolve this error, you must choose the option Shared Frontend on the second frontend. However, if you do this, HAProxy will give an error that all shared frontends must be of the same type (you cannot mix http/https (offloading) with ssl/https (TCP mode)).

            This is how I set up HAProxy to support mixed offloading and passthrough:

            1. Create a Backend called tcp_to_https which goes to server 127.0.0.1:4443 and Encrypt(SSL) is set to No.

            2. Create a Frontend called SSL_Termination that listens on port 4443. Enable SSL Offloading. Add all your ACLs and Actions like normal.

            3. Create a Frontend called SSL_Passthrough that listens on port 443 but do not enable SSL Offloading. Set it to ssl / https (TCP mode).
              Add ACLs using Server Name Indication TLS extension ends with for the hostnames that you want to pass through directly to the backends. Set the Default Backend to tcp_to_https.

            The way this works is HAProxy receives the request, it checks if the SNI matches the ACLs, and passes it through directly to the backends without performing SSL offloading. Otherwise, it passes the request to the default backend tcp_to_https, which connects to the frontend SSL_Termination, where the connections are processed a second time, this time performing SSL offloading.

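For readers who want to see what the three GUI objects in andrew_cb's answer look like in raw haproxy.cfg terms, here is an added example. It is not andrew_cb's configuration and not what the pfSense package generates verbatim; the hostnames (internal.example.lan, app.example.com), backend addresses (192.0.2.10, 192.0.2.20), the certificate path placeholder and the timeouts are all assumptions. Only ports 443 and 4443 and the object names come from the answer above.

```haproxy
# Added illustration of the mixed passthrough/offloading layout described above.
# Hostnames, IPs, the cert path and timeouts are assumptions, not values from the thread.

global
    log stdout format raw local0
    # Refuse legacy protocol versions on every terminating bind
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Step 3: TCP-mode frontend on 443, no SSL offloading. It only reads the SNI
# from the ClientHello and never sees the plaintext.
frontend SSL_Passthrough
    mode tcp
    bind :443
    # Hold the connection until the ClientHello has arrived so req.ssl_sni is populated;
    # without this the SNI ACL below evaluates against an empty buffer.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Equivalent of the GUI ACL "Server Name Indication TLS extension ends with"
    acl sni_internal req.ssl_sni -m end internal.example.lan   # assumed hostname
    use_backend internal_passthrough if sni_internal
    # Everything else takes the loopback hop to the terminating frontend
    default_backend tcp_to_https

# Server that holds its own certificate: bytes are relayed untouched, so this
# server is responsible for its own TLS settings and certificate renewal.
backend internal_passthrough
    mode tcp
    server srv_internal 192.0.2.10:443   # assumed address

# Step 1: backend tcp_to_https, "Encrypt(SSL) = No". The client's TLS session
# is still encrypted end to end; HAProxy just does not add a second layer.
backend tcp_to_https
    mode tcp
    # send-proxy-v2 carries the real client address across the loopback hop
    # (optional; must be paired with accept-proxy on the 4443 bind below).
    server loop 127.0.0.1:4443 send-proxy-v2

# Step 2: HTTP-mode frontend on 4443 with SSL offloading. The certificate is
# the one pfSense manages (ACME or internal CA); the path is a placeholder.
frontend SSL_Termination
    mode http
    bind 127.0.0.1:4443 ssl crt /path/to/pfsense-managed-cert.pem accept-proxy
    http-request set-header X-Forwarded-Proto https
    acl host_app hdr(host) -i app.example.com   # assumed hostname
    use_backend app_http if host_app
    default_backend app_http

backend app_http
    mode http
    server srv_app 192.0.2.20:80   # assumed address, plain HTTP behind the proxy
```

Two things worth knowing when you run this shape. First, without send-proxy-v2/accept-proxy the 4443 frontend sees every client as 127.0.0.1, so access logs and any IP-based rules there become useless; enabling the PROXY protocol on both ends of the loopback hop restores the original source address. Second, the passthrough backend is outside HAProxy's TLS handling entirely, so the certificate on that host is not covered by the pfSense renewal and has to be monitored on the host itself.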
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.