OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: brynjolm on February 09, 2023, 08:54:11 am

Title: Traefik behind HAProxy
Post by: brynjolm on February 09, 2023, 08:54:11 am
Hello! I wanted to post here since I could not manage to solve this on my own. I feel like I'm almost there but I can't get it to work. Everything else works, just that I cannot seem to pass to Traefik. It gives me either a 503 no service or 400 bad request.
I have followed the tutorial: https://forum.opnsense.org/index.php?topic=23339.0 for the base SNI install,
then I added rules to the SNI frontend using the reply from alh: https://forum.opnsense.org/index.php?topic=18538.msg84958#msg84958

My config looks like this:
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: sni_frontend (Listening on 80 and 443)
frontend sni_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind ::1:80 name ::1:80
    bind ::1:443 name ::1:443
    mode tcp
    default_backend ssl_backend

    # logging options
    # ACL: traffic_ssl
    acl acl_63e3d7d7d34b32.18126829 req_ssl_hello_type 1
    # ACL: myservice_sni
    acl acl_63e3d8dd452718.96347718 req.ssl_sni -i traefik.homelabbity.uk

    # ACTION: request_inspect_delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5
    # ACTION: request_content_accept_ssl
    tcp-request connection accept if acl_63e3d7d7d34b32.18126829
    # ACTION: myservice_sni
    use_backend traefik_backend if acl_63e3d8dd452718.96347718

# Frontend: HTTP_frontend (Listening on Virtual IP)
frontend HTTP_frontend
    bind 127.10.20.5:80 name 127.10.20.5:80 accept-proxy
    bind ::1:80 name ::1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: nossl_condition
    acl acl_63d848da104d83.11157892 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_63d848da104d83.11157892

# Frontend: HTTPS_frontend (Listen on virtual ip 443)
frontend HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.10.20.5:443 name 127.10.20.5:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63d84eb22bdba2.49299791.certlist
    bind ::1:443 name ::1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63d84eb22bdba2.49299791.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: local_subdomains_condition
    acl acl_63d8643cc31f29.38373794 src 192.168.50.0/24 192.168.200.0/24

    # ACTION: local_subdomains_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63d863c71a8079.31054171.txt)] if acl_63d8643cc31f29.38373794
    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63d84917101ea0.76258733.txt)]

# Backend: ssl_backend (ssl_backend)
backend ssl_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server ssl_server 127.10.20.5 send-proxy-v2 check-send-proxy

# Backend: traefik_backend (traefik)
backend traefik_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server traefik_server 192.168.200.5:8443 send-proxy-v2 check-send-proxy

# statistics are DISABLED

Any help would be greatly appreciated.
Title: Re: Traefik behind HAProxy
Post by: Bunch on February 13, 2023, 07:02:00 am
You have set traefik_backend to use Proxy Protocol.
Have you set Traefik to accept Proxy Protocol?
If not, either you find a way of setting Traefik to accept Proxy Protocol,
or you remove the Proxy Protocol config in traefik_backend. (But Traefik and all its backends won't get correct IP info.)
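To make the point concrete, here is an added example (not code from this thread, from HAProxy or from Traefik) of what `send-proxy-v2` in traefik_backend puts on the wire in front of the TLS ClientHello, and of the trusted-sender check a receiver such as Traefik's `proxyProtocol.trustedIPs` entrypoint setting applies before believing the addresses in that header. The HAProxy address 192.168.200.1 and the client addresses are assumed values.

```python
"""PROXY protocol v2 on the wire, and a trusted-sender check on the receiving side.

Added example for this thread, not code from HAProxy or Traefik. It encodes the
header that `send-proxy-v2` in traefik_backend sends before the TLS ClientHello,
and honours it only when the connection comes from the load balancer's address
(assumed here to be 192.168.200.1).
"""
import ipaddress
import socket
import struct

SIG = b"\r\n\r\n\x00\r\nQUIT\n"                           # 12-byte v2 signature
TRUSTED = [ipaddress.ip_network("192.168.200.1/32")]    # assumed HAProxy source address

def build_v2(src, dst, sport, dport):
    """Encode a v2 header: signature, ver/cmd 0x21 (PROXY), family 0x11 (TCP over IPv4)."""
    addrs = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HH", sport, dport)
    return SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs

def parse_v2(buf):
    """Return (src, dst, sport, dport, rest_of_stream) or None if no v2 TCP/IPv4 header."""
    if len(buf) < 16 or buf[:12] != SIG:
        return None
    ver_cmd, family, alen = buf[12], buf[13], struct.unpack("!H", buf[14:16])[0]
    if ver_cmd >> 4 != 2 or family != 0x11 or len(buf) < 16 + alen:
        return None
    body = buf[16:16 + alen]
    src, dst = socket.inet_ntoa(body[0:4]), socket.inet_ntoa(body[4:8])
    sport, dport = struct.unpack("!HH", body[8:12])
    return src, dst, sport, dport, buf[16 + alen:]

def client_address(peer_ip, buf):
    """Pick the address the service should log and authorise on.

    Same idea as Traefik's entryPoints.<name>.proxyProtocol.trustedIPs: a PROXY
    header is only believed when the peer is a trusted load balancer. From anyone
    else it is consumed but its addresses are not honoured, so an ordinary client
    cannot spoof its source IP by sending its own header.
    """
    hdr = parse_v2(buf)
    if hdr is None:
        return peer_ip, buf                 # plain connection, no header to trust
    src, _, _, _, rest = hdr
    if any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED):
        return src, rest                    # real client address as seen by HAProxy
    return peer_ip, rest                    # untrusted sender: ignore the claimed address
```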
Title: Re: Traefik behind HAProxy
Post by: brynjolm on February 13, 2023, 03:08:46 pm
Thank you for taking the time to reply to my thread. Will try this on the weekend and reply back.
I have another question in the meantime. In the reply by alh he states on number 4:

Quote
4. HAProxy plugin: Create "condition" (enter name ["myservice_sni"], condition type is "SNI TLS extension matches (TCP request content inspection)" with value "myservice.example.com" or whatever your FQDN is)

I don't really understand how this one works. Is myservice.example.com supposed to be the Traefik dashboard domain? Or can I put a wildcard certificate for it, something like *.mydomain.example?

Thank you once again.
Title: Re: Traefik behind HAProxy
Post by: Bunch on February 13, 2023, 05:48:17 pm
No. There isn't any condition that accepts a partial regex in HAProxy. If you want to pass the whole wildcard domain to Traefik,
change the condition to "SNI TLS extension contains (TCP request content inspection)" or "SNI TLS extension ends with (TCP request content inspection)".
For example:
SNI TLS extension contains (TCP request content inspection)
.example.com

The whole thing is the usual practice to get HAProxy working with SNI in the TCP layer.
Check "Restrict clients to SSH only" here (https://www.haproxy.com/blog/route-ssh-connections-with-haproxy/).
And the guide is how he managed to put those commands in a specific order.
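As an added example (not from the thread and not HAProxy code), the following builds a constructed TLS ClientHello, extracts the SNI the way `req_ssl_hello_type 1` and `req.ssl_sni` see it, and routes with the three condition types named above; the rules use the backend names from the config posted earlier and `.example.com` as the "ends with" value. The truncated-hello case shows why routing falls back to default_backend when the ClientHello has not fully arrived within `tcp-request inspect-delay` (HAProxy reads a bare number there as milliseconds).

```python
"""SNI routing as HAProxy's req.ssl_sni conditions evaluate it (added example, not HAProxy code).
Builds a constructed ClientHello with an SNI, extracts the name the way req_ssl_hello_type and
req.ssl_sni do, and applies the plugin's "matches" (str), "contains" (sub) and "ends with" (end)."""
import struct

def build_client_hello(sni):                # constructed minimal record: one suite, null compression, SNI
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name              # host_name(0), len, name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry    # type 0, ext len, list len
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01"  # version, random, sid, suites
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)         # compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                 # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs           # TLS record header

def req_ssl_sni(buf):
    """SNI host name, or '' when buf is not (yet) a complete ClientHello record."""
    if len(buf) < 5 or buf[0] != 0x16:
        return ""
    rec_len = struct.unpack("!H", buf[3:5])[0]
    if len(buf) < 5 + rec_len or rec_len < 42 or buf[5] != 0x01:    # incomplete, or not hello type 1
        return ""
    hs = buf[5:5 + rec_len]
    try:
        p = 4 + 2 + 32                                    # handshake header, version, random
        p += 1 + hs[p]                                    # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher suites
        p += 1 + hs[p]                                    # compression methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0 and hs[p + 2] == 0:             # server_name list, host_name entry
                nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass                                              # malformed hello: treat as no SNI
    return ""

# (pattern, mode, backend): first is the thread's myservice_sni ACL, second is the "ends with" form
RULES = [("traefik.homelabbity.uk", "str", "traefik_backend"), (".example.com", "end", "traefik_backend")]

def pick_backend(buf, rules=RULES, default="ssl_backend"):
    """First matching use_backend rule wins; default_backend when nothing (or no SNI yet) matches."""
    sni = req_ssl_sni(buf).lower()           # -i / lowercase patterns: case-insensitive compare
    for pattern, mode, backend in rules:
        if sni and ((mode == "str" and sni == pattern) or (mode == "sub" and pattern in sni)
                    or (mode == "end" and sni.endswith(pattern))):
            return backend
    return default
```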