200$ - Update haproxy to 1.5-dev17



  • Hey all,

    we're interested in the lates haproxy package that enables ssl offloading. As far as i can overview this haproxy needs to be compiled with other options and 2 new settings for ssl key and cert have to be added…

    The bigger problem is i don't know if this really works with freebsd...

    Here are some helpful links:
    http://blog.exceliance.fr/2012/09/04/howto-ssl-native-in-haproxy/
    http://haproxy.1wt.eu/download/1.5/src/CHANGELOG

    Is it possible to get a receipt from whoever takes this bounty? :) German laws... ^^

    Max



  • I can help on it but I'm from Brazil, and receive donations as service via paypal.

    I'll take a look on haproxy 1.5-dev17 and feedback.



  • @dexcs

    If you find some way to do a donation and get a receipt (or something else) please let me know.
    I am not interested in haproxy but in squid with SSL filtering.

    I am working in the public sector and they do not do anything without having a receipt or something else.



  • Apparently there is a FreeBSD port of -dev17:

    https://www.freshports.org/net/haproxy-devel/



  • @dhatz:

    Apparently there is a FreeBSD port of -dev17:

    Yes, I've compiled it and I'm testing it and it's new options on pfsense.




  • service is up and running…

    Next step: test if it really works...

    [2.0.1-RELEASE]: haproxy -v
    HA-Proxy version 1.5-dev17 2012/12/28
    Copyright 2000-2012 Willy Tarreau w@1wt.eu[2.0.1-RELEASE]: ps ax | grep -i haproxy
    28894  ??  Ss     0:00.00 /usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D
    29008  ??  Ss     0:00.00 /usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D
    29045  ??  Ss     0:00.00 /usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D
    29138  ??  Ss     0:00.00 /usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D
    45745   0  S+     0:00.00 grep -i haproxy/w@1wt.eu



  • Wow, that was fast!

    Please ping me on (mynick)@jabber.ccc.de any we will do the payment….

    One question: How can i install the package? Via package manager?

    Max



  • @dexcs:

    One question: How can i install the package? Via package manager?

    yes, just wainting package compilation by core team, the gui is already pushed



  • This on is done. Thanks for the great work!



  • Hi, I am also interested in running this version of ha proxy - are you going to share the instructions? i'm happy to donate :)



  • I'll send instructions for pfSense 2.0 via personal message.



  • I'm curious.. can you enter multiple one SSL cert for each listener?

    This looks like it might solve our SNI issues.

    Do you know if this will get pushed as an official package any time soon, or do I need to ask you very nicely and buy you a beer for the instructions ;)

    Many thanks,

    Harv



  • @HarvUK:

    Do you know if this will get pushed as an official package any time soon, or do I need to ask you very nicely and buy you a beer for the instructions ;)

    It will not be on 2.0 but in 2.1.

    I can push here instructions and then you decide about donating.



  • Hey guys,

    I am and have been for little more then a month been improving the haproxy-devel package for pfSense.

    @ HarvUK
    It is possible to create multiple frontends and configure them to be 'shared', and assign a certificate to each one of them. This will allow to have multiple https sites behind 1 IP. (You can either go for SNI, or SSLoffloading for that).

    @ a n y o n e
    Currently also 1.5-dev18 is online, and in progress to compile against OpenSSL 1.0.1 which is possible (but still trying to figure out how to put in the package.xml for the automatic builds..) to allow for using 'SPDY' though i wont add that to the GUI, it could then be configured in the 'advanced' option text fields..

    For questions, other usefull improvements, or bugs, or just things that are 'illogical' send me a PM, or contact me PiBa-NL on IRC ##pfsense.

    Also for pfSense2.0,
    Its actually possible to install the package there if you 'must'.. But its unsupported in every way, and not available in the package manager.. And not 'allowed' into the main pfSense package tree. https://raw.github.com/PiBa-NL/pfsense-packages/3c1278fbdecdc07108124b17de943c55589075a6/config/haproxy-devel/haproxy-devel_install_on_pfs_2_0.php and requires you to place and call the php file 'manually'.. Also for latest release OpenSSL needs to be installed from the console. "pkg_add -r openssl"..  This because 2.0 is a 'release' version, and it is illogical to run a 'development' software/package on it while version 2.1 of pfSense is also nearing 'release' status and as such is also stable enough for people who wish to experiment..

    greets PiBa-NL



  • This is awesome, I'm currenly using HAProxy 1.5 in a jail on my PfSense box for SSL Termination, it works great!  But, I'll be even happier to get this in an easy to install pfsense package!

    Here's some stuff I learned that might help others..

    HAProxy

    
            option forwardfor
            option http-server-close
            reqadd X-Forwarded-Proto:\ https
    

    The 'forwardfor' is because most backends don't yet support HAProxy's proxy protocol.
    I use the 'X-Forwarded-Proto' header to see if requests are ssl in varnish / nginx.
    The 'http-server-close' tells haproxy it needs to close the connection to the backend. this is so it resends the ip+protocol header for each request. This is better then closing the entire connection with 'httpclose' as the client may quickly request more stuff before the timeout and you won't have the overhead of stating a new connection.

    Varnish

    if ( !client.ip ~ haproxy )
                    {set req.http.X-Forwarded-For = client.ip; set req.http.X-Forwarded-Proto = http;}
    

    This way clients can't spoof their IP, or that they are using https

    NGINX

    set_real_ip_from 192.168.1.1;
    real_ip_header X-Forwarded-For;
    http {
            map $http_x_forwarded_proto $server_https {
                    default off;
                    https on;
    }
    
    ##fastcgi_params##
    fastcgi_param HTTPS $server_https;
    ####
    

Locked