HAProxy config help!



  • Hello everyone,

    I am trying to implement an HAProxy solution (following this tutorial: http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate) and I am pulling my hair out because nothing works :-)

    If anyone can look at my config file and help me … I would be very grateful.

    I wonder if there isn't an error with the dummy backend set to disabled?

    If I do not go through the HTTPS reverse proxy, it works (removing the per-server pass-thru setting: send-proxy).

    Thank you in advance for your help.

    global
    	stats socket /tmp/haproxy.socket level admin
    	uid			80
    	gid			80
    	nbproc			1
    	chroot			/tmp/haproxy_chroot
    	daemon
    	ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    	tune.ssl.default-dh-param 2048
    	tune.ssl.maxrecord 1370
    
    frontend WAN_HTTPS
    	bind			127.0.0.1:2043 name 127.0.0.1:2043 ssl no-sslv3 crt /var/etc/haproxy/WAN_HTTPS.pem  accept-proxy npn http/1.1
    	mode			http
    	log			global
    	option			http-keep-alive
    	option			forwardfor
    	acl https ssl_fc
    	reqadd X-Forwarded-Proto:\ http if !https
    	reqadd X-Forwarded-Proto:\ https if https
    	timeout client		7200000
    	rspidel ^Server:.*$
    	rspidel ^X-Powered-By:.*$
    	rspidel ^X-AspNet-Version:.*$
    	# No use_backend rule precedes this, so every request decrypted here goes to a backend
    	# whose only server is "disabled" (none_http_ipvANY below): HAProxy answers 503 for all of them.
    	default_backend		none_http_ipvANY
    
    frontend WAN_443-merged
    	bind			192.168.1.112:443 name 192.168.1.112:443   
    	mode			tcp
    	log			global
    	timeout client		7200000
    	tcp-request inspect-delay 5s
    	tcp-request content accept if { req.ssl_hello_type 1 } or !{ req.ssl_hello_type 1 }
    	acl			aclusr_custom_req.ssl_hello_type_201	req.ssl_hello_type 1
    	acl			aclusr_custom_req.ssl_sni_20-m_20end_20-i_20syno.mydomain.com	req.ssl_sni -m end -i syno.mydomain.com
    	acl			aclusr_custom_req.ssl_sni_20-m_20end_20-i_20vcenter.mydomain.com	req.ssl_sni -m end -i vcenter.mydomain.com
    	acl			aclusr_custom_req.ssl_sni_20-m_20end_20-i_20swiss.mydomain.com	req.ssl_sni -m end -i swiss.mydomain.com
    	# use_backend rules are first-match. This first rule matches every TLS ClientHello
    	# (req.ssl_hello_type 1), so the three SNI-specific rules after it can never be reached.
    	use_backend		WAN_HTTPS_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201
    	use_backend		syno_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20syno.mydomain.com
    	use_backend		vcenter_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20vcenter.mydomain.com
    	use_backend		swiss_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20swiss.mydomain.com
    	default_backend		none_tcp_ipvANY
    
    frontend WAN_HTTP
    	bind			192.168.1.112:80 name 192.168.1.112:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	default_backend		ssl-redirect_http_ipvANY
    
    backend none_http_ipvANY
    	mode			http
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk
    	server			none 127.0.0.1:80 disabled 
    
    backend none_tcp_ipvANY
    	mode			tcp
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk
    	server			none 127.0.0.1:80 disabled 
    
    backend WAN_HTTPS_tcp_ipvANY
    	mode			tcp
    	timeout connect		30000
    	timeout server		7200000
    	retries			3
    	option			httpchk
    	# send-proxy is correct on this hop: the peer is the WAN_HTTPS frontend above, bound with accept-proxy
    	server			WAN_HTTPS 127.0.0.1:2043 check-ssl  verify none send-proxy
    
    backend syno_tcp_ipvANY
    	mode			tcp
    	timeout connect		30000
    	timeout server		7200000
    	retries			3
    	option			httpchk
    	# send-proxy prepends a PROXY protocol line to every connection, and by default to the
    	# health check as well (check-send-proxy is implied when no check port/addr is given).
    	# DSM on port 5001 does not understand it; the same applies to vcenter and swiss below.
    	server			syno 192.168.200.50:5001 check-ssl  verify none send-proxy
    
    backend vcenter_tcp_ipvANY
    	mode			tcp
    	timeout connect		30000
    	timeout server		720000
    	retries			3
    	option			httpchk
    	server			vcenter.mydomain.com 192.168.200.20:9443 check-ssl  verify none send-proxy 
    
    backend swiss_tcp_ipvANY
    	mode			tcp
    	timeout connect		30000
    	timeout server		720000
    	retries			3
    	option			httpchk
    	server			swiss 192.168.200.254:80  send-proxy 
    
    backend ssl-redirect_http_ipvANY
    	mode			http
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk
    	redirect scheme https code 301
    


  • Hi lololo,

    If I understand correctly, everything 'works' alright when you do not have the "send-proxy" server setting?

    So if you do want the backend to know the actual IP of the client, then you must make sure it is expecting the proxy protocol to be used around the TCP connection. So the webserver/mailserver/yourserver must be configured to accept the proxy-protocol header.

    For nginx, for example, you would put something like this in the configuration: "listen 80 proxy_protocol;"; for Apache it seems to need "ProxyProtocol On". Other pieces of software have implemented support for this protocol as well, but it always needs support and some configuration on the server side too; it won't work by only changing the HAProxy configuration.

    Hope this helps you somewhat.

    Another thing I would do is enable the stats page (fill in a local port in the settings tab), and enable health checking on the backends. It helps diagnose whether HAProxy sees the servers properly.

    Greets,
    PiBa-NL
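
The thread never spells out why the posted config fails even before the send-proxy question, so the following is an added example (editor's config, not the original poster's file and not what the pfSense package generates) that rebuilds the same layout with the fixes a reviewer would ask for: the catch-all use_backend is moved after the SNI rules, because use_backend is first-match and the posted order makes the three SNI rules unreachable; send-proxy is kept only on the hop to the local accept-proxy frontend and dropped for the appliances that cannot parse it; exact SNI matches replace "-m end", which would also accept a name such as notsyno.mydomain.com; and the swiss host is routed by Host header after TLS termination, on the assumption that it is a plain-HTTP service (the posted config forwards its TLS stream to port 80). Addresses, ports, hostnames and the certificate path are taken from the posted config; the backend names and everything else are assumptions.

```haproxy
global
	stats socket /tmp/haproxy.socket level admin
	daemon
	tune.ssl.default-dh-param 2048
	ssl-default-bind-options no-sslv3
	ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

defaults
	timeout connect	30s
	timeout client	2h
	timeout server	2h
	retries		3

# 1. Public TCP front door. Only the ClientHello is inspected; nothing is decrypted here.
frontend WAN_443
	bind	192.168.1.112:443
	mode	tcp
	tcp-request inspect-delay 5s
	tcp-request content accept if { req.ssl_hello_type 1 }

	# use_backend is first-match, so the pass-through rules go before the catch-all:
	# a rule that only tests req.ssl_hello_type 1 matches every TLS connection, and
	# placing it first (as in the posted config) turns every SNI rule after it into dead code.
	# Exact (-i) matches instead of "-m end": a suffix match on syno.mydomain.com would
	# also accept notsyno.mydomain.com.
	use_backend	syno_tcp      if { req.ssl_sni -i syno.mydomain.com }
	use_backend	vcenter_tcp   if { req.ssl_sni -i vcenter.mydomain.com }
	# Catch-all: every other TLS connection goes to the local terminating frontend.
	use_backend	WAN_HTTPS_tcp if { req.ssl_hello_type 1 }
	default_backend	none_tcp

# 2. Hop to our own terminating frontend. send-proxy is correct on this hop only,
#    because the peer (the WAN_HTTPS bind in step 4) is configured with accept-proxy.
backend WAN_HTTPS_tcp
	mode	tcp
	server	WAN_HTTPS 127.0.0.1:2043 send-proxy check check-ssl verify none

# 3. Appliances that cannot speak PROXY protocol get the raw TLS stream: no send-proxy.
#    With send-proxy the health check would carry the PROXY line too (HAProxy implies
#    check-send-proxy when send-proxy is set and no explicit check port/addr is given),
#    the appliance would reject it, and the server would sit DOWN on the stats page.
backend syno_tcp
	mode	tcp
	server	syno 192.168.200.50:5001 check check-ssl verify none

backend vcenter_tcp
	mode	tcp
	server	vcenter 192.168.200.20:9443 check check-ssl verify none

# 4. TLS termination on loopback. accept-proxy reads the PROXY line sent in step 2, so the
#    client address HAProxy logs and forwards is the real one, not 127.0.0.1.
frontend WAN_HTTPS
	bind	127.0.0.1:2043 accept-proxy ssl crt /var/etc/haproxy/WAN_HTTPS.pem
	mode	http
	option	forwardfor
	http-request set-header X-Forwarded-Proto https
	http-response del-header Server
	http-response del-header X-Powered-By
	# Host-based routing for services terminated here. Without at least one use_backend
	# rule every decrypted request lands on the "none" backend and is answered with 503.
	use_backend	swiss_http if { req.hdr(host) -i swiss.mydomain.com }
	default_backend	none_http

backend swiss_http
	mode	http
	server	swiss 192.168.200.254:80 check

# Dummy backends: a single disabled server, so unmatched HTTP requests get a 503 and
# unmatched TCP connections are closed, instead of being forwarded somewhere unintended.
backend none_tcp
	mode	tcp
	server	none 127.0.0.1:80 disabled

backend none_http
	mode	http
	server	none 127.0.0.1:80 disabled
```

Check it with `haproxy -c -f <file>` before loading it, and then confirm on the stats page that syno and vcenter show UP: that is the quickest way to see that the health checks no longer carry a PROXY line the appliances cannot parse.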



  • OK, I understand, I will try.

    Thank you for your help.



  • Yes, that's right: in the stats page, if I put "send-proxy" the backend server is down … if I don't, the server is up!

    It is the Synology (DSM) login page, so I cannot change anything to accept the proxy_protocol :-(



  • Hi lololo,

    Yep, in the case of such a custom appliance there isn't much to configure for proxy protocol.

    The other question is: do you 'need' the client IP on the Synology device?

    If so, perhaps using the transparent-client-ip option in the backend configuration can help you with that? It will mess up direct access to the device when trying to connect directly from LAN to OPT1 networks, for example, and connections from the same local network that are routed through HAProxy. So be sure to test all your required scenarios if you're going that route…

    Greets
    PiBa-NL
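
As an added example of the transparent-client-ip alternative mentioned above (editor's config, not from the thread and not the pfSense package's output), this is the HAProxy directive that option turns on, applied to the Synology backend from the posted config. Address and port come from the posted config; the example client address 203.0.113.7 in the comments is made up, and the requirement that the appliance's default route lead back through the proxy host is the general condition for transparent proxying, which is what the "mess up direct access" warning refers to.

```haproxy
# Reach an appliance that cannot speak PROXY protocol while still showing it the
# real client address: instead of prepending a header, HAProxy opens the server-side
# connection *from* the client's own IP, so the appliance's logs and ACLs see the
# true source.
backend syno_tcp
	mode	tcp
	timeout connect	30s
	timeout server	2h
	# "usesrc clientip" binds the outgoing socket to the client's IP (the port is chosen
	# by the OS). The kernel must allow binding a non-local address: on pfSense that is
	# what the package's transparent-client-ip setting sets up; on Linux it needs HAProxy
	# built with TPROXY support plus the usual IP_TRANSPARENT policy-routing rules.
	source	0.0.0.0 usesrc clientip
	server	syno 192.168.200.50:5001 check check-ssl verify none

# Return-path caveat: the appliance now sees packets "from", say, 203.0.113.7 and replies
# to that address. Those replies must be routed back through the HAProxy host (make the
# pfSense box the appliance's default gateway); otherwise they bypass the proxy, the real
# client receives a SYN-ACK for a connection it never opened to the appliance, and the
# handshake never completes. LAN clients that reach the appliance through the proxy are
# the case that breaks first, because their direct route to the appliance is the short one.
```

Test it from every network you care about: a client on the same LAN segment as the appliance, one on another pfSense interface, and one from the Internet, since transparent mode behaves differently for each depending on which path its replies take.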



  • Hi,

    I cannot find the problem (in the end I wonder if this is an SNI problem; I changed the configuration and no longer use tcp).

    Everything works perfectly now!

    Thank you for your help,
    have a good day.

    Laurent

