Netgate Discussion Forum

    HAProxy issue with FireFox

      gommox

      Hello all.

      I'm experiencing a very strange problem with Firefox browsers and my pfSense 2.0.1 box.

      Network is configured as follows:

      NIC_1=LAN
      NIC_2=WAN
      NIC_3=DMZ
      NIC_4=Internet Gateway 1 (with dedicated line and static public IP)
      NIC_5=ADSL backup line

      Servers are of course on DMZ. Web Servers are 2 machines that run Apache 2.2.

      On server_1 there are 5 websites, on server_2 there are 3 websites.

      I configured HAProxy with 1 frontend and 2 servers. Connecting from the internal LAN to the DMZ, everything works because nothing passes through the proxy; when I connect from the Internet to the DMZ, I experience the issue with Firefox:

      Scenario of the sites is:

      http://www.site_1.com -> on server_1
      http://www.site_2.com -> on server_1
      http://www.site_3.com -> on server_1
      http://www.site_4.com -> on server_2
      http://www.site_5.com -> on server_2

      With IE and Chrome, except site_3, all sites reach the correct destination, and all seems to work fine; with Firefox, instead, the following happens:

      http://www.site_1.com -> it goes to server_2, showing the default Apache webpage "it works"
      http://www.site_4.com -> it goes to server_1, showing the default Apache webpage "it works"
      The same happens with the other websites.

      I don't understand how this can happen. HAProxy is assigned a Virtual IP created as CARP type (as recommended in another post here in the forum). I attach here the configuration generated by the pfSense GUI:

      
      global
      	maxconn			9999999
      	uid			80
      	gid			80
      	nbproc			4
      	chroot			/var/empty
      	daemon
      
      listen Server1
      	bind			192.168.2.5:80
      	cookie SERVERID insert indirect
              httpchk HEAD /index.html HTTP/1.0
      	mode			http
      	log			global
      	option			dontlognull
      	option			httpclose
      	option			forwardfor
      	maxconn			10000
      	clitimeout		30000
      	balance			roundrobin
      	contimeout		60000
      	srvtimeout		60000
      	retries			3
      	option			httpchk HEAD / HTTP/1.0
      	stats			enable
      	stats			uri /haproxy?stats 
      	stats			realm Haproxy\ Statistics
      	stats			auth
      	stats			refresh 5
      	server			Server_1 192.168.2.31:80  cookie server1   check inter 1000 weight 1
      	server			Server_2 192.168.2.40:80  cookie DEV_Server   check inter 1000 weight 1
      
      

      There is also one thing I don't understand: how does HAProxy know which server to route the request to if there is no map between the hostname and the IP? When the request comes from the Internet for "www.server_1.com", how does HAProxy know which server to route the request to? I thought that it checks the DNS Forward configuration in the pfSense box (all domains are configured there, domains existing in my DMZ). Is that correct or am I wrong?

      Where can I check for this strange issue with Firefox? I'm going crazy trying to find the cause, but I haven't found anything yet. I hope that someone can help me.

      Thanks in advance.

        marcelloc

        @gommox:

        There is also one thing I don't understand: how does HAProxy know which server to route the request to if there is no map between the hostname and the IP? When the request comes from the Internet for "www.server_1.com", how does HAProxy know which server to route the request to? I thought that it checks the DNS Forward configuration in the pfSense box (all domains are configured there, domains existing in my DMZ). Is that correct or am I wrong?

        That's the point: HAProxy balances based on IP addresses, not on host names.

        If you need hostname-based balancing, then you need to use varnish or apache2+mod_security.

        Take a look at the package descriptions to choose between the two.

        I prefer varnish  ;)

        Elite Training: http://sys-squad.com

        Help a community developer! ;D
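
The routing behaviour discussed in this thread can be traced with a small model. This is an added Python example, not code from either poster or from the pfSense package. It takes the server names, cookie values and site placement from the first post and assumes a single proxy process, equal weights, both servers up, and a browser that keeps cookies per site.

```python
from itertools import cycle

# Taken from the posted config: server name -> persistence cookie value.
SERVERS = {"Server_1": "server1", "Server_2": "DEV_Server"}
# Taken from the post: which Apache box hosts which site.
VHOSTS = {
    "Server_1": {"www.site_1.com", "www.site_2.com", "www.site_3.com"},
    "Server_2": {"www.site_4.com", "www.site_5.com"},
}


class ListenSection:
    """Simplified model of 'balance roundrobin' + 'cookie SERVERID insert indirect'."""

    def __init__(self, servers):
        self._by_cookie = {cookie: name for name, cookie in servers.items()}
        self._rr = cycle(servers)  # equal weights, as in the posted config

    def route(self, host, cookies):
        """Return (server, set_cookie). 'host' is accepted but never consulted."""
        sticky = self._by_cookie.get(cookies.get("SERVERID"))
        if sticky:
            return sticky, None          # persistence cookie wins
        server = next(self._rr)          # otherwise plain rotation
        return server, SERVERS[server]   # proxy inserts SERVERID for next time


def apache_response(server, host):
    """Name-based vhost lookup on the chosen Apache box (simplified)."""
    return host if host in VHOSTS[server] else "default page"


def browse(proxy, hosts):
    """One browser session; assumes cookies are stored per site."""
    jar, seen = {}, []
    for host in hosts:
        cookies = jar.setdefault(host, {})
        server, set_cookie = proxy.route(host, cookies)
        if set_cookie:
            cookies["SERVERID"] = set_cookie
        seen.append((host, server, apache_response(server, host)))
    return seen


if __name__ == "__main__":
    order = ["www.site_4.com", "www.site_1.com", "www.site_4.com"]  # constructed visit order
    for row in browse(ListenSection(SERVERS), order):
        print(row)
```

In this model the server a site lands on depends only on arrival order and on the SERVERID cookie the proxy set earlier, so the same two sites can come out right in one session and wrong in another.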

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.