200$ - Update haproxy to 1.5-dev17

dhatz

Apparently there is a FreeBSD port of -dev17:

https://www.freshports.org/net/haproxy-devel/

marcelloc

@dhatz:

Apparently there is a FreeBSD port of -dev17:

Yes, I've compiled it and I'm testing it and it's new options on pfsense.

haproxy_15.png_thumb

marcelloc

service is up and running…

Next step: test if it really works...

[2.0.1-RELEASE]: haproxy -v
HA-Proxy version 1.5-dev17 2012/12/28
Copyright 2000-2012 Willy Tarreau w@1wt.eu[2.0.1-RELEASE]: ps ax | grep -i haproxy
28894 ?? Ss 0:00.00 /usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D
29008 ?? Ss 0:00.00 /usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D
29045 ?? Ss 0:00.00 /usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D
29138 ?? Ss 0:00.00 /usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D
45745 0 S+ 0:00.00 grep -i haproxy/w@1wt.eu

dexcs

Wow, that was fast!

Please ping me on (mynick)@jabber.ccc.de any we will do the payment….

One question: How can i install the package? Via package manager?

Max

marcelloc

@dexcs:

One question: How can i install the package? Via package manager?

yes, just wainting package compilation by core team, the gui is already pushed

dexcs

This on is done. Thanks for the great work!

macdabby

Hi, I am also interested in running this version of ha proxy - are you going to share the instructions? i'm happy to donate :)

marcelloc

I'll send instructions for pfSense 2.0 via personal message.

HarvUK

I'm curious.. can you enter multiple one SSL cert for each listener?

This looks like it might solve our SNI issues.

Do you know if this will get pushed as an official package any time soon, or do I need to ask you very nicely and buy you a beer for the instructions ;)

Many thanks,

Harv

marcelloc

@HarvUK:

Do you know if this will get pushed as an official package any time soon, or do I need to ask you very nicely and buy you a beer for the instructions ;)

It will not be on 2.0 but in 2.1.

I can push here instructions and then you decide about donating.

PiBa

Hey guys,

I am and have been for little more then a month been improving the haproxy-devel package for pfSense.

@ HarvUK
It is possible to create multiple frontends and configure them to be 'shared', and assign a certificate to each one of them. This will allow to have multiple https sites behind 1 IP. (You can either go for SNI, or SSLoffloading for that).

@ a n y o n e
Currently also 1.5-dev18 is online, and in progress to compile against OpenSSL 1.0.1 which is possible (but still trying to figure out how to put in the package.xml for the automatic builds..) to allow for using 'SPDY' though i wont add that to the GUI, it could then be configured in the 'advanced' option text fields..

For questions, other usefull improvements, or bugs, or just things that are 'illogical' send me a PM, or contact me PiBa-NL on IRC ##pfsense.

Also for pfSense2.0,
Its actually possible to install the package there if you 'must'.. But its unsupported in every way, and not available in the package manager.. And not 'allowed' into the main pfSense package tree. https://raw.github.com/PiBa-NL/pfsense-packages/3c1278fbdecdc07108124b17de943c55589075a6/config/haproxy-devel/haproxy-devel_install_on_pfs_2_0.php and requires you to place and call the php file 'manually'.. Also for latest release OpenSSL needs to be installed from the console. "pkg_add -r openssl".. This because 2.0 is a 'release' version, and it is illogical to run a 'development' software/package on it while version 2.1 of pfSense is also nearing 'release' status and as such is also stable enough for people who wish to experiment..

greets PiBa-NL

josh4trunks

This is awesome, I'm currenly using HAProxy 1.5 in a jail on my PfSense box for SSL Termination, it works great! But, I'll be even happier to get this in an easy to install pfsense package!

Here's some stuff I learned that might help others..

HAProxy


        option forwardfor
        option http-server-close
        reqadd X-Forwarded-Proto:\ https

The 'forwardfor' is because most backends don't yet support HAProxy's proxy protocol.
I use the 'X-Forwarded-Proto' header to see if requests are ssl in varnish / nginx.
The 'http-server-close' tells haproxy it needs to close the connection to the backend. this is so it resends the ip+protocol header for each request. This is better then closing the entire connection with 'httpclose' as the client may quickly request more stuff before the timeout and you won't have the overhead of stating a new connection.

Varnish

if ( !client.ip ~ haproxy )
                {set req.http.X-Forwarded-For = client.ip; set req.http.X-Forwarded-Proto = http;}

This way clients can't spoof their IP, or that they are using https

NGINX

set_real_ip_from 192.168.1.1;
real_ip_header X-Forwarded-For;
http {
        map $http_x_forwarded_proto $server_https {
                default off;
                https on;
}

##fastcgi_params##
fastcgi_param HTTPS $server_https;
####