HAProxy as SSL Reverse Proxy Behind Single IP
-
Hello again,
In time I've come up with a few more questions.
-
Can the document root be specified in the backends? I have a website that is accessed via my-domain.ca/file1/here.
-
Is my rProxy config mirrored to within my network at all? As in I have 4 web addresses running on one server via different ports (not vhosts), and I'd like their public domain names, from within my LAN, to resolve to LANIP:WANPUBLICPORT… Is this crazy talk? I do not need this feature, it's just something that would make HAProxy very seamless for me.
-
-
Hi Brialyn,
- If required, it is possible to rewrite the request URL. But depending on the web application and the URLs it generates/uses, that might be tricky. Check out reqirep and its syntax, it might help: http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#4.2-reqirep
Perhaps these 'examples' will help a little?: https://gist.github.com/PiBa-NL/8ad6c222354cbd7a5af5
- HAProxy can be used from the LAN network, but do make sure you keep routing both request and response traffic through pfSense. This is especially required when using 'transparent client ip'. When doing so the client and server may not be on the same subnet.
Regards,
PiBa-NL
-
PiBa,
- Was having a bunch of issues with accessing my Synology NAS as it was using vhosts to redirect standard websites… After much grief, it appears that disabling vhosts and applying your first example to the "Backend pass thru" works!
reqirep ^([^\ :]*)\ /(.*) \1\ /folder-name/\2
From the WAN side:
-
Now, by accessing photo.root-domain.ca I get redirected by the index.html in the root folder. Which is how I get redirected to PhotoStation for all you Synology fan boys out there.
-
By accessing root-domain.ca I get direct access to the index.html file found in the /app1 folder without having to specify it in the original URL. It is sort of hidden if you will. Not sure if navigation to other folders is possible now, but I would like to explore for any introduced security/functionality issues.
- In a business situation, if I were running a reverse proxy like this, I would most definitely run it on a VM in a completely different subnet with all of my backend clients in that subnet. I would use routing to make my production LAN talk with the rProxy server in the other LAN. I would imagine VLANs could be configured to do this as well, but I do not know much about configuring them. Maybe someday.
Thanks for all of your help!
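
The rewrite rule quoted in the post above, as an added example that is not part of the original thread: a Python stand-in for the reqirep rule that shows what the backend receives and checks whether the resolved path stays inside the folder. The sample request lines are constructed, and `posixpath.normpath` is an assumed stand-in for the backend's own dot-segment handling.

```python
import posixpath
import re

# Python equivalent of the thread's rule:
#   reqirep ^([^\ :]*)\ /(.*) \1\ /folder-name/\2
# ("\ " in HAProxy config is an escaped space; reqirep matches case-insensitively).
RULE = re.compile(r"^([^ :]*) /(.*)", re.IGNORECASE)
PREFIX = "/folder-name/"  # placeholder folder name, as in the thread


def reqirep(line):
    """Apply the rule to one line of the request (request line or header)."""
    return RULE.sub(lambda m: f"{m.group(1)} {PREFIX}{m.group(2)}", line, count=1)


def backend_path(request_line):
    """Path the backend receives after the rewrite (query string dropped)."""
    target = reqirep(request_line).split(" ")[1]
    return target.split("?", 1)[0]


def resolved_path(request_line):
    """Backend path after '.' and '..' segments are resolved (assumed behaviour)."""
    return posixpath.normpath(backend_path(request_line))


def confined(request_line):
    """True if the resolved path is still inside PREFIX."""
    path = resolved_path(request_line)
    return path == PREFIX.rstrip("/") or path.startswith(PREFIX)


if __name__ == "__main__":
    # Constructed sample lines: three request lines and one header line.
    samples = [
        "GET / HTTP/1.1",
        "GET /css/site.css?v=2 HTTP/1.1",
        "GET /../app2/ HTTP/1.1",
    ]
    for line in samples:
        print(f"{line!r} -> {reqirep(line)!r} "
              f"resolved={resolved_path(line)} confined={confined(line)}")
    # Header lines contain ':' before the first space, so the rule skips them.
    print(reqirep("Host: root-domain.ca"))
```

The last request line shows that the prefix only relocates the default path; it is not an access control, so folders that must stay private need their own deny rule on the proxy or the backend.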
-
Hello again,
Just got most of the web services working on the Synology (DSM 5.2 latest as of this post). Then I upgraded it to the newest software (DSM 6.0 Beta2) and most of my web services on that box behind HAProxy broke. :o
I sort of assumed it was due to settings not porting over after upgrading… Now, I've been fiddling with it for 2 days and still have had no luck getting things back online. I'm sort of glad I did have it working a couple of days ago, cause that made me understand that my crazy setup did indeed work as it was intended.
To my point,
I can access my websites by going to LAN-IP:443 and LAN:443/sub-root-dir and it takes me to the document roots on the NAS, and executes the appropriate index.html files in the specified directory. That's good.
The stats show the websites as DOWN and when attempting to access them from the WAN, it shows "503 Service Unavailable". I have two LAN IPs on the NAS. Both of them work identically from the LAN, but only one is being used behind this rProxy to prevent the weird DNS issues I was getting at the top of this thread. Really just brute force and ignorance there.
-
Is there any way to see the logging on such issues? Note, the main NAS landing page is on :5001 and it continues to work fine behind the HAProxy:443 from the outside.
-
Any other advice to get these pages to roll again? There isn't really anything special about the two troublesome websites, other than the box they are on. vhosts are disabled (as far as I know...) but maybe there are some issues there on this beta version.
-
-
The "503 Service Unavailable" is normal when the server is down.
Check what LastChk says in the stats.
-
photo reads Layer6 timeout. L6TOUT in 1004ms
webroot reads Layer7 wrong status: Bad request. L7STS/400 in 4ms
-
L6 is a problem with SSL, sure the ip:port properly serves a certificate?
An HTTP 400 status is probably due to the requested page or method used for the checks, try a different one.
-
The SSL issue was just cause I had the Backend pointing to the incorrect port.
Then it was simply an issue of switching the Health Checks to Basic….
Not sure why I didn't try that before. Sorry for all the background... that's what I do when I'm flustered.
Thanks again :)
-
Having troubles with reqirep understanding and implementation.
For my webroot (my-domain.com) index.html is on a server within a folder named my-domain.com with index.html inside.
reqirep ^([^\ :]*)\ /(.*) \1\ /my-domain.com/\2
This works fine for a simple website, but I have one strange creature that only works by landing in the root folder. I'll try to give brief background. I have a photo website that can be accessed by photo.my-domain.com which redirects to photo.my-domain.com/~user1/photo. Currently, the index.html redirects to only the 1 username, and simply changing it out allows it to work with other users.
-
Is there an easy way to specify an index.html by a URL in the same root, such as user1.photo.my-domain.com will look at root/index1.html and user2.photo.my-domain.com will look at root/index2.html? I tried this yesterday with the above code and placing the index.html inside root/user1/ (redirecting to */~username/photo), but for some reason the server responds with its own unavailable page, thus making HAProxy keep the 'Online' status for that server… not exactly what I am going for.
-
If these redirects remain, that is fine, but a URL rewrite would be awesome. user2.photo.my-domain.com is actually photo.my-domain.com/~User2/photo
-
-
I was wondering if you can comment on any updates using this. I have a DSM, photo station, a web server, etc… Things are working OK but I'd like to do certificate authentication, which led me to looking at getting a wildcard ssl cert, which then made me start wondering about my setup.
Are things still working for you OK? If possible, can you post your latest configs so I can use them as an example?
Thanks!
-
Perhaps YOU can post your latest configs? Then maybe we can tell what might be wrong?
*And anyhow starting a new topic would probably be better than resurrecting a 2-year-old topic.
-
@wiz561– I've moved away from Synology due to lack of integration between applications. Nothing against them, I do really like their products out of the box. I've moved to NextCloud, Google Photos, & dedicated web servers for hosting. I still do use HAProxy as discussed in this thread.
I do believe Synology has since integrated a reverse proxy server right into DSM. You might want to check it out--I have never used it, so I can't officially vouch for it.
For what it is worth, my latest HAProxy config is shown here: https://forum.pfsense.org/index.php?topic=146701.msg796970#msg796970.