HAProxy as SSL Reverse Proxy Behind Single IP



  • Okay,

    I finally got a few backend servers running via one front end from the outside :)

    1. Most of my servers have their own SSL settings… Would this explain the HSTS error from some browsers? I don't mind removing LAN SSL from them, it just takes a bit of time... I hate to see efforts wasted if I know they wouldn't help.

    2.1) Is it normal for servers to be bound to their specific backend from the WAN? Once I create the "dsm" subdomain for my synology, I can no longer access it via its old port (5001). Is this normal?

    2.2) If you use synology products at all... I will also include that I am having trouble getting mobile applications to work through the rProxy on 443 from outside my LAN or "on-the-road". This doesn't surprise me, but I am also positive it did work for me in the early stages... Maybe it is just a cert based issue that will be solved by proceeding with (1).



  • That you got a few running is great :)

    1. HSTS is a header send by the server, and is cached for X amount of time (1 year is the usual setting..) , and can even be persisted if submitted to a online list, then you might never get rid of it…

    Its actually good to have, as it 'forces' all future connections from clients to be over https with a VALID certificate for the url they request in the address bar. (You will need to get a valid certificate, this means installing the CA you used to sign the certificate on all client computers, or get a certificate from a real CA like LetsEncrypt or buy one..)

    If you already have a valid certificate then perhaps you forgot to load the intermediate certificate into pfSense that could cause issues.. Check with for example https://www.ssllabs.com/ssltest/ if indeed the chain not complete.?.

    2.1) This is due to the setting "transparent client ip", sadly the implementation is not 'perfect' all reply traffic is 'captured' from the server and send to haproxy.. Even if the inital request did not go through haproxy.. (The webgui does warn for this effect, sorry..)

    Workaround is possible by making the server listen on a second port or a second ip, but depending on the machine running the website that might be difficult to configure on that side..

    2.2) not using synology myself.. But yes if the certificates are not 'valid' that could cause issues..



  • Before I let you go for now,

    Is there any way to do HTTPS redirects using HAProxy?



  • Depending what you intend to do exactly my first thought is, yes it can.

    Use either a 'action' or put this into advanced passthrough:

    redirect scheme https if !{ ssl_fc }
    

    And make the frontend listen on :80 as well as the current :443 with offloading.



    1. I believe that works! (Edit: jk, tried IE and no luck…) I used the advanced option and am listening on :80, not sure how to do the 'action' one... I know the advanced statement includes "if", but does this allow HTTP traffic through when I have some eventually, or does it force redirect any urls to HTTPS?

    2. Is there any way to have a single frontend do SSL offloading as well as HTTPS where the SSL Handshake is done by the specific servers (SNI I believe)?

    I setup two front ends on :443 and it shut everything down...



    1. The "!{ ssl_fc }"matches all traffic that was not offloaded by haproxy. So effectively makes it impossible to perform a plain http request without redirecting to https..

    It is of course possible to make the criteria more selective..

    acl MyPlainHttpHost hdr(Host) www.plain.http.example.com
    acl issecure ssl_fc
    
    redirect scheme https if !issecure !MyPlainHttpHost
    
    1. Its not possible to have two frontends listen on the same port and get consistent results..
      It is possible to first use sni for a few domains, and then forward some other traffic to a second frontend.

    Frontend1 wanip:443 (using SNI)

    • backend1: webserver 192.168.10.10:443
    • backend2: (forward to frontend2 over unix socket)

    Frontend2 localhost:10443 with certificate offloading

    • backend3 : webserver 192.168.10.30:80
    • backend4 : webserver 192.168.10.40:80


  • "(forward to frontend2 over unix socket)" would that just be 127.0.0.1:10443 or localhost:10443? Do I have to config anything else to use this port?



  • That would work to.
    But i prefer the for the field "Forwardto" of the server definition to not set it to "adress+port" but to "Frontend2"



  • Okay, now this is starting to get out of hand… :o

    1. Is the new frontend1 shared with frontend2-- with frontend1 being the primary?
      1.1) If so, the backend2 "forwarder" only sees frontend1, rather than frontend2...so I'm stuck with that case. OR,
      1.2) If not, do I set frontend2 to listen on 10443 only and frontend1 to be the main :443 :80 listener? When I tried this, at it allows SNI to work, but the forwarding to SSLfrontend2 does not work.
      1.25) In the backend that forwards to the frontend2, does the SSL box have to be checked to the right of the "Forwardto" box? It seems to make everything not work when it is checked.

    1.3) It's just a chain in my small mind...      outside-https-request -> SNIfrontend1 -> backend "forwarder"  -> SSLfrontend2 -> server (not working after 1.2, or 1.25)
    or the non-offloading scenario, still HTTPS... outside-https-request -> SNIfrontend1 -> server (working after 1.2, not after 1.25)

    Is that the correct way of looking at it?

    Second issue
    2.1) When attempting to make an HTTP request, it says "Server Hangup" which leads me to believe that my Frontend2 is sort of working and your advanced config code is doing something.

    2.2) This may resolve itself once the first mess is fixed up. We can work on issue one first… cause it seems like a doozie :)

    2.3) Again, I really appreciate all the help with my complex desires ;D This is probably the most ridiculious thing that it's been used for ;)

    My config after 1.2)

    Worked before changes to allow SNI and SSL offloading
    https://my-domain.ca:443 -> 10.0.0.6:443 (TransparentIP)
    https://dsm.my-domain.ca:443 -> 10.0.0.6:5001 (TransparentIP)
    https://pfsense.my-domain.ca:443 -> 127.0.0.1:443
    these are in frontend2 (called rProxy)

    Worked after changes to allow SNI and SSL offloading
    https://ubnt.my-domain.ca:443 -> 10.1.1.40:443
    http://photo.my-domain.ca:80 -> 10.0.0.3:8080  (non-ssl)
    These are in frontend1.
    No requests appear to make it to frontend2, all http requests show server hangup.

    
    /var/etc/haproxy/haproxy.cfg file contents:
    global
    	stats socket /tmp/haproxy.socket level admin
    	gid			80
    	nbproc			1
    	chroot			/tmp/haproxy_chroot
    	daemon
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:444 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats uri /haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend rProxy
    	bind			192.168.1.100:10443 name 192.168.1.100:10443 ssl  crt /var/etc/haproxy/rProxy.pem  
    	bind /tmp/haproxy_chroot/rProxy.socket name unixsocket accept-proxy ssl  crt /var/etc/haproxy/rProxy.pem 
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	acl photo hdr(Host) ubnt.my-domain.ca
    	acl issecure ssl_fc
    
    	redirect scheme https if !issecure !photo
    	acl			dsm	hdr(host) -i dsm.my-domain.ca
    	acl			webroot	hdr(host) -i my-domain.ca
    	acl			pfsense	hdr(host) -i pfsense.my-domain.ca
    	acl			photo	hdr(host) -i photo.my-domain.ca
    	use_backend dsm_http_ipv4  if  dsm 
    	use_backend webroot_http_ipv4  if  webroot 
    	use_backend pfsense_http_ipv4  if  pfsense 
    	use_backend photo_http_ipv4  if  photo 
    
    frontend Frontend1
    	bind			192.168.1.100:443 name 192.168.1.100:443   
    	bind			192.168.1.100:80 name 192.168.1.100:80   
    	mode			tcp
    	log			global
    	maxconn			10
    	timeout client		30000
    	tcp-request inspect-delay	5s
    	acl			ubnt	req.ssl_sni -i ubnt.my-domain.ca
    	tcp-request content accept if { req.ssl_hello_type 1 }
    
    	use_backend ubnt_https_ipvANY  if  ubnt 
    	default_backend forward2rProxy_https_ipvANY
    
    backend dsm_http_ipv4
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / 
    	server			dsm 10.0.0.6:5001 ssl check inter 1000  weight 1 verify none 
    
    backend webroot_http_ipv4
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / 
    	server			webroot 10.0.0.6:443 ssl check inter 1000  weight 1 verify none 
    
    backend pfsense_http_ipv4
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			pfsense 127.0.0.1:443 ssl check inter 1000  weight 1 verify none 
    
    backend photo_http_ipv4
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			photo 10.0.0.3:8080 check inter 1000  weight 1 
    
    backend ubnt_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			ubnt 10.1.1.40:443 check-ssl check inter 1000  weight 1 verify none 
    
    backend forward2rProxy_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			forward-to-rProxy /rProxy.socket send-proxy-v2-ssl-cn check inter 1000
    
    


    1. All 3 frontends should be 'primary'.
      Using 1 frontend for both 80 and 443, while using them both in TCP mode, means the backend will receive mixed connections.. Some with plain http other with ssl traffic.. That wont work..
      1.1/1.2 checkout my new wiki page :)
      1.3) its indeed a chain.

    2.1) When requesting a HTTP page, it will first wait 5 seconds in the first fronted for the SSL 'hello'.. Then its forwarded to the second frontend, which also waits for the client to send the 'SSL-HELLO'.. The client never sends this, and the haproxy cannot 'decrypt' the traffic.. caused by 1)

    2.3) you are not the first to attempt this ;)
    Because it is kinda complicated ive added a page to my 'wiki', based on 2.3 but same principles.. maybe it helps a bit:
    https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends



  • I greatly appreciate that wiki page :) Hopefully others discover it soon!

    It does exactly what I want it to, but I couldn't quite make mine do it. Very close though!

    SSL and SNI works. HTTP does not.

    1. If I make a request on a fresh browser (say pfsense.my-domain.com) it does not forward to https, but rather the 503 service not available page.

    2. I cannot get one of my servers to UP. photo.my-domain.com. That is my http test server. I think it has to do with what frontends it is in.
      You kept your www (http) page as the default in the  http-frontend1 and for the SSL-offloading-Frontend3… My default www page (called webroot) is HTTPS, so I wasn't quite sure how to implement the HTTP page into the frontends without making it default... regardless it needs to be UP first.

    3. I am okay with abandoning HTTP if it is easier...  8)

    4. Where did you get the theme from in your wiki??

    My config:

    
    /var/etc/haproxy/haproxy.cfg file contents:
    global
    	stats socket /tmp/haproxy.socket level admin
    	gid			80
    	nbproc			1
    	chroot			/tmp/haproxy_chroot
    	daemon
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:444 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats uri /haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend Frontend3-offload
    	bind			127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/Frontend3-offload.pem  
    	bind /tmp/haproxy_chroot/Frontend3-offload.socket name unixsocket accept-proxy ssl  crt /var/etc/haproxy/Frontend3-offload.pem 
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	acl			dsm-ssl	        hdr(host) -i dsm.my-domain.ca
    	acl			webroot-ssl	hdr(host) -i my-domain.ca
    	acl			pfsense-ssl	hdr(host) -i pfsense.my-domain.ca
    	acl			photo-nonssl	hdr(host) -i photo.my-domain.ca
    	use_backend dsm_http_ipv4  if  dsm-ssl 
    	use_backend webroot_http_ipv4  if  webroot-ssl 
    	use_backend pfsense_http_ipv4  if  pfsense-ssl 
    	use_backend photo-http_http_ipv4  if  photo-nonssl 
    	default_backend webroot_http_ipv4
    
    frontend Frontend2-SNI
    	bind			192.168.1.100:443 name 192.168.1.100:443   
    	mode			tcp
    	log			global
    	maxconn			10
    	timeout client		30000
    	tcp-request inspect-delay	5s
    	acl			ubntsni1	req.ssl_sni -i ubnt.my-domain.ca
    	tcp-request content accept if { req.ssl_hello_type 1 }
    
    	use_backend ubnt_https_ipvANY  if  ubntsni1 
    	default_backend Frontend3offload_https_ipvANY
    
    frontend Frontend1-http
    	bind			192.168.1.100:80 name 192.168.1.100:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	maxconn			10
    	timeout client		30000
    	acl			httpRedirectACL	hdr(host) -i photo.my-domain.ca
    	http-request redirect scheme https  if  httpRedirectACL 
    	default_backend photo-http_http_ipvANY
    
    backend dsm_http_ipv4
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / 
    	server			dsm 10.0.0.6:5001 ssl check inter 1000  weight 1 verify none 
    
    backend webroot_http_ipv4
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / 
    	server			webroot 10.0.0.6:443 ssl check inter 1000  weight 1 verify none 
    
    backend pfsense_http_ipv4
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			pfsense 127.0.0.1:443 ssl check inter 1000  weight 1 verify none 
    
    backend photo-http_http_ipv4
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			photo-http 10.0.0.3:8080 check inter 1000  weight 1 
    
    backend ubnt_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			ubnt 10.1.1.40:443 check-ssl check inter 1000  weight 1 verify none 
    
    backend Frontend3offload_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			Frontend3-srv /Frontend3-offload.socket send-proxy-v2-ssl-cn check inter 5  
    
    backend photo-http_http_ipvANY
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			photo-http 10.0.0.3:8080 check inter 1000  weight 1
    
    


    1. only photo.my-domain.ca is redirected to https, all other requests go to backend photo-http_http_ipvANY
      which doesnt seem logical to me.

    Perhaps you should add a ! before the aclname?
    http-request redirect scheme https  if  !httpRedirectACL
    So that 'photo' can be retrieved over http and everything else like pfsense.my-domain.com causes the redirect.?

    1. The frontend should not matter for getting a backend 'up'.
      What you could try is changing the check method to "GET" and send a version+host header. Or if that fails try the "basic" check..
      https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki#troubleshooting

    2. http should be the easier part :)

    3. It seems to be the default layout for a github based wiki.. I didnt choose anything special.



    1. I put a "!" before "httpRedirectACL" under Condition acl names (in Frontend1-http) and now they all seem to be redirecting to https… which is better than before as the majority of my servers are https only.

    2. Changing to GET didn't help, although I didn't understand what you mean by "send a version+host header"... so I changed to "basic" check and that makes the server turn green. To get to it I had to remove the recently added "!" in 1). But now it seems to be stuck as HTTPS again.

    ....hold on... after getting the server UP (with basic health check) and keeping the "!" everything seems to be working!!!!  ;D though I haven't tested fully yet.

    1. It was about the same amount of difficulty as I started with HTTPS.

    2. The PfSense theme, not the Git theme. Oops... I want that theme.

    3. You've been too much help! Is there anything I can help you with?

    My config "as-is" working FYI.

    
    /var/etc/haproxy/haproxy.cfg file contents:
    global
    	stats socket /tmp/haproxy.socket level admin
    	gid			80
    	nbproc			1
    	chroot			/tmp/haproxy_chroot
    	daemon
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:444 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats uri /haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend Frontend3-offload
    	bind			127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/Frontend3-offload.pem  
    	bind /tmp/haproxy_chroot/Frontend3-offload.socket name unixsocket accept-proxy ssl  crt /var/etc/haproxy/Frontend3-offload.pem 
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	acl			dsm-ssl	hdr(host) -i dsm.my-domain.ca
    	acl			webroot-ssl	hdr(host) -i my-domain.ca
    	acl			pfsense-ssl	hdr(host) -i pfsense.my-domain.ca
    	acl			photo-nonssl	hdr(host) -i photo.my-domain.ca
    	use_backend dsm_http_ipv4  if  dsm-ssl 
    	use_backend webroot_http_ipv4  if  webroot-ssl 
    	use_backend pfsense_http_ipv4  if  pfsense-ssl 
    	use_backend photo-http_http_ipv4  if  photo-nonssl 
    	default_backend webroot_http_ipv4
    
    frontend Frontend2-SNI
    	bind			192.168.1.100:443 name 192.168.1.100:443   
    	mode			tcp
    	log			global
    	maxconn			10
    	timeout client		30000
    	tcp-request inspect-delay	5s
    	acl			ubntsni1	req.ssl_sni -i ubnt.my-domain.ca
    	tcp-request content accept if { req.ssl_hello_type 1 }
    
    	use_backend ubnt_https_ipvANY  if  ubntsni1 
    	default_backend Frontend3offload_https_ipvANY
    
    frontend Frontend1-http
    	bind			192.168.1.100:80 name 192.168.1.100:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	maxconn			10
    	timeout client		30000
    	acl			httpRedirectACL	hdr(host) -i photo.my-domain.ca
    	http-request redirect scheme https  if  !httpRedirectACL 
    	default_backend photo-http_http_ipvANY
    
    backend dsm_http_ipv4
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / 
    	server			dsm 10.0.0.6:5001 ssl check inter 1000  weight 1 verify none 
    
    backend webroot_http_ipv4
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / 
    	server			webroot 10.0.0.6:443 ssl check inter 1000  weight 1 verify none 
    
    backend pfsense_http_ipv4
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			pfsense 127.0.0.1:443 ssl check inter 1000  weight 1 verify none 
    
    backend photo-http_http_ipv4
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			photo-http 10.0.0.3:8080 check inter 1000  weight 1 
    
    backend ubnt_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			ubnt 10.1.1.40:443 check-ssl check inter 1000  weight 1 verify none 
    
    backend Frontend3offload_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			Frontend3-srv /Frontend3-offload.socket send-proxy-v2-ssl-cn check inter 5  
    
    backend photo-http_http_ipvANY
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			photo-http 10.0.0.3:8080 check inter 1000  weight 1
    
    


    1. with current config photo.my-domain.ca should be reachable over http:// without being redirected by haproxy. Maybe the backend itself also sends a https redirect?

    2. in the healthcheck field "Http check version" try it with the following value

    HTTP/1.1\r\nHost:\ www.yourdomain.com\r\nAccept:\ */*
    

    Also do check what the chkresult in the stats is. It should tell if a unexpected response is retrieved or maybe it just takes more than 2 seconds to check the server response?

    Perhaps its a 'permission denied' response? Workaround for that could be checking a different url or accepting 404 as a 'valid' response.. http-check expect status 404 http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#4.2-http-check%20expect

    1. ok

    2. its the default theme of pfSense 2.3 beta snapshots. Ive converted haproxy to bootstrap for usage on 2.3 only recently..

    3. if you have some time install pfSense 2.3 on a virtual machine, add haproxy package and report any issues that might still exist in the package :).

    p.s. The the 5 millisecond on the offloading backend i intended to be a 5000 millisecond timeout.. It might currently be eating some more cpu than needed.. (going to change my wiki screenshot as well..)



    1. It's just a web service running on a rPi2. I turned off https to test http with the rProxy, so it shouldn't be redirecting to https itself.
      It appears that the issue is resolved (now that I've moved to Firefox… Chrome loves remembering broken things)... I can access photo (when it's UP) via http without it redirecting. It appears to use my SSL offloading when I type "https://" into the url though... I'm not sure that I want it to do that. All of my other servers are redirecting to https fine, even if I try http:)

    2. With the "Http check version" set to:

    
    HTTP/1.1\r\nHost:\ photo.my-domain.ca\r\nAccept:\ */*
    
    

    the server goes to "down".

    I cannot find chkresult, but here are a few stats that stuck out on the down server:

    under photo-http_http_ipv4 and photo-http_http_ipvANY (they are red)
    Server Lastchk=L7STS/401 in 10ms
    Server chk=1

    Is there any issues in running the check method as basic?

    "Perhaps its a 'permission denied' response? Workaround for that could be checking a different url or accepting 404 as a 'valid' response.. http-check expect status 404"

    I'm not sure If I need to worry about this anymore as the http request does through the frontend and looks for a backend.

    1. Bootstrap FTW!

    2. I'll deploy another VM and give it a go. I'm not to certain how I'll test it all without interrupting others in my house… I need to get better at running a "network lab"

    Q1) Can I make https requests to http servers deadend to nothing or an error page?
    Q2) Can I have no defaults so that incorrect domain names also go nowhere, or is this poor practice?



    1. if you dont want photo to be reachable over https then remove it from 'Frontend3'

    2. ok so the issue indicated by LastChk is that haproxy gets a 401 response, this is by default considered invalid. But you could configure it to expect that status. Put "http-check expect status 401" into advanced setting of the backend. 'Chkresult' indeed does not exist, i ment the one you found.. Even though basic health check works, doesnt check if the webserver is 'properly working' it only checks if the connection can be made. If a cgi or database backend is not working that might go unnoticed.. And haproxy would declare the backend healthy while it is unable to respond to requests.. Even so the impact is probably small it can mean the diffence between no response, a error response from the backend depending on how functional it is.. And a page from haproxy 'no server available' which could trigger a email alert, and is easy to diagnose. In environments where load-balancing the same domain to multiple servers it is more important to properly detect if 1 server is in a bad state so it can be taken offline and requests will be balanced across the remaining servers.

    Q1) It is possible to deny requests using acls+actions. The error returned by haproxy can be changed using the errorfiles. (example on template tab)
    Q2) Its possible to have no default. Whether or not that is good practice, i don't really know, it might confuse search-engine crawlers if it finds 10 (mis spelled) url's leading to the same website, but i don't have much experience with that. I personally kinda like to always return 'some' response. Perhaps put redirect location action at the bottom towards the main webroot url..



  • Alright,

    Great info yet again, thanks PiBa.

    I can see how the health check can be very important, but at this point I do not desire notifications or for the health do even show up correctly for that matter.

    This may be just my last post Q1, but is there a reasonably easy way to disable servers to resolve in an error page? I honesty haven't checked the docs, but I've got a bunch of rProxy config, and I want to simply disable a few backends without affecting others running… Is there an error page for "temporarily unavailable" I can quick deploy? You can point me to docs if it's a lot to explain here, and we may be getting a bit off topic 8)



  • Q1) 'Disabling' a server can easily be done from the haproxy widged, or the stats page.
    By default haproxy will then send a 503 error, but you can change that page using the error files.
    On the 'files' tab add a new errorfile (or use the example from the 'Templates' tab as a starting point)
    Then assign the errorfile to the backend by adding a line with code 503 and select file available.

    There are other more 'advanced' solutions involving sticktables and acls, but those are probably not easy to recreate through the current webgui options.

    This is an example of such a 'maintenance' page: https://gist.github.com/sts/62d8dd59221ab68661aa
    As-is it requires to run some commands to the /tmp/haproxy.socket to put it into / out of maintenance mode..



  • Cool, it looks like there is a lot of functionality that I will be able to enjoy once I get rolling with this.

    I am beginning to wonder about firewall now… Is there an easy way to allow/deny certain IP ranges from accessing certain backends?



  • As haproxy is only listening on one port firewall rules cannot make a much of a difference depending on the domain used.. (maybe thats not truly correct ;) , if using transparent-client-ip you could technically block haproxy from reaching the backend with some floating rules..)

    Other way would be to use a acl in haproxy 'source matches ip or alias' and then perform a 'http-requests block' action on that acl.



  • I'll fiddle with the firewall later. I shouldn't need much there, but I'll put thought into it another day.

    The widget thing you embedded into the package works very well! :)



  • Hello again,

    In time if come up with a few more questions.

    1. Can the document root be specified in the backends? I have a website that is accessed via my-domain.ca/file1/here.

    2. Is my rProxy config mirrored to within my network at all? As in I have 4 web addresses running on one server via different ports (not vhosts), and I'd like their public domain names, from within my LAN, to resolve to LANIP:WANPUBLICPORT… Is this crazy talk? I do not need this feature, it's just something that would make HAProxy very seamless for me.



  • Hi Brialyn,

    1. If required it is possible to rewrite the request url.. But depending on the web-application and the urls it generates/uses that might be tricky. Checkout reqirep and its syntax, it might help..  http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#4.2-reqirep

    Perhaps these 'examples' will help a little?: https://gist.github.com/PiBa-NL/8ad6c222354cbd7a5af5

    1. HAProxy can be used from the LAN network, but do make sure you keep routing both request and response traffic through pfSense.. This is especially required when using 'transparent client ip'. When doing so the client and server may not be on the same subnet.

    Regards,
    PiBa-NL



  • PiBa,

    1. Was having a bunch of issues with accessing my Synology NAS as it was using vhosts to redirect standard websites… After much grief, it appears that disabling vhosts and applying your first example to the "Backend pass thru" works!
    reqirep  ^([^\ :]*)\ /(.*) \1\ /folder-name/\2
    

    From the WAN side:

    • now by accessing photo.root-domain.ca I get redirected by the index.html in the root folder. Which is how I get redirected to PhotoStation for all you Synology fan boys out there.

    • by accessing root-domain.ca I get direct access the the index.html file found in the /app1 folder without having to specify it in the original URL. It is sort of hidden if you will. Not sure if navigation to other folders is possible now, but I would like to explore for any introduced security/functionality issues.

    1. In a business situation, if I were running a reverse proxy like this, I would most definitely run it on a VM in a completely different subnet with all of my backend clients in that subnet. I would use routing to make my production LAN talk with the rProxy server in the other LAN. I would imagine VLANs could be configured to do this as well, but I do not know much about configuring them. Maybe someday.

    Thanks for all of your help!



  • Hello again,

    Just got most of the web services working on the synology (DSM 5.2 latest as of this post). Then I upgraded it to the newest software (DSM 6.0 Beta2) and most of my web services on that box behind HAProxy broke.  :o

    I sort of assumed it was due to settings not porting over after upgrading… Now, I've been fiddling with it for 2 days and still have had no luck getting things back online. I'm sort of glad I did have it working a couple of days ago, cause that made me understand that my crazy setup did indeed work as it was intended.

    To my point,

    I can access my websites by going to LAN-IP:443 and LAN:443/sub-root-dir and it takes me to the document roots on the NAS, and executes the appropriate index.html files in the specified directory. That's good.

    The stats show the websites as DOWN and when attempting to access them from the WAN, it shows "503 Service Unavailable". I have two LAN IP's on the NAS. Both of them work identically from the LAN, but only one is being used behind this rProxy to prevent the weird DNS issues I was getting at the top of this thread. Really just brute force and ignorance there.

    1. Is there any way to see the logging on such issues? Note, the main NAS landing page is on :5001 and it continues to work fine behind the HAproxy:443 from the outside.

    2. Any other advice to get these pages to roll again? There isn't really anything special about the two troublesome websites, other than the box they are on. vhosts are disabled (as far as I know...) but maybe there are some issues there on this beta version.



  • The "503 Service Unavailable" is normal when the server is down.
    Check what LastChk says in the stats.



  • photo reads Layer6 timeout. L6TOUT in 1004ms

    webroot reads Layer7 wrong status: Bad request. L7STS/400 in 4ms



  • L6 is a problem with SSL, sure the ip:port properly serves a certificate?
    A HTTP 400 status is probably due to the requested page or method used for the checks, try a different one.



  • The SSL issue was just cause I had the Backend pointing to the incorrect port.

    Then it was simply an issue of switching the Health Checks to Basic….

    Not sure why I didn't try that before before. Sorry for all the background... that's what I do when I flustered.

    Thanks again:)



  • Having troubles with reqirep understanding and implementation.

    For my webroot (my-domain.com) index.html is on a server within a folder named my-domain.com with index.html inside.

    
    reqirep  ^([^\ :]*)\ /(.*) \1\ /my-domain.com/\2
    
    

    This works fine for a simple website, but I have one strange creature that only works by landing in the root folder. I'll try to give brief background. I have a photo website that can be accessed by photo.my-domain.com which redirects to photo.my-domain.com/~user1/photo. Currently, the index.html redirects to only the 1 username, and simply changing it out allows it to work with other users.

    1. Is there an easy way to specify an index.html by a URL in the same root, such as user1.photo.my-domain.com will look at root/index1.html and user2.photo.my-domain.com will look at root/index2.html? I tried this yesterday with the above code and placing the index.html inside root/user1/ (redirecting to */~username/photo), but for some reason the server responds with it's own unavailable page, thus making HAProxy keep the 'Online' status for that server… not exactly what I am going for.

    2. If these redirects remain, that is fine, but a URL rewrite would be awesome. user2.photo.my-domain.com is actually photo.my-domain.com/~User2/photo



  • I was wondering if you can comment on any updates using this.  I have a DSM, photo station, a web server, etc…  Things are working OK but I'd like to do certificate authentication, which led me to looking at getting a wildcard ssl cert, which then made me start wondering about my setup.

    Are things still working for you OK?  If possible, can you post your latest configs so I can use them as an example?

    Thanks!



  • Perhaps YOU can post your latest configs.? Then maybe we can tell what might be wrong.?

    *And anyhow starting a new topic would probably be better than resurrecting a 2 year old topic.



  • @wiz561– I've moved away from Synology due to lack of integration between applications. Nothing against them, I do really like their products out of the box. I've moved to NextCloud, Google Photos, & dedicated web servers for hosting. I still do use HAProxy as discussed in this thread.

    I do believe Synology has since integrated a reverse proxy server right into DSM. You might want to check it out--I have never used it, so I can't officially vouch for it.

    For what it is worth, my latest HAProxy config is shown here: https://forum.pfsense.org/index.php?topic=146701.msg796970#msg796970.


Log in to reply