I've been finding the UI for haproxy in OPNSense more difficult to configure than it was in pfsense.
This tells me I really don't understand haproxy well enough, so if my question is something that should be understood I do apologize.
I have a domain mydomain.com
At this time I have 2 servers I'm trying to send through haproxy(plex and ombi).
I believe I have all the firewall rules doing what they need to for forwarding.
I'd like any traffic for plex.mydomain.com to always go to the plex server
Anything else, including someone just typing https://mydomain.com go to ombi
With the config I'm including I seem to get ombi working one restart, then plex working on the next restart. Almost like the rules are in some sort of priority order that switches each time I restart haproxy.
Once I have these 2 working I will eventually add other services.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
nbproc 1
nbthread 20
maxconn 10
tune.ssl.default-dh-param 1024
spread-checks 0
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
defaults
log global
option redispatch -1
maxconn 100
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: ombi (HTTPS Ombi)
frontend ombi
bind 0.0.0.0:443 name 0.0.0.0:443 ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 crt-list /tmp/haproxy/ssl/6029c02e5cc836.63584345.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: Ombi
acl acl_6029bf280a2d50.77237914 hdr(host) -i plex.mydomain.com
# ACTION: OmbiRules
use_backend OmbiPool if !acl_6029bf280a2d50.77237914
# Frontend: 80_redirect (HTTP Redirect)
frontend 80_redirect
bind 0.0.0.0:80 name 0.0.0.0:80
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
option httplog
# ACL: HTTP
acl acl_603205c7df9a30.32769784 req.proto_http
# ACTION: http-redirect
http-request redirect scheme https if acl_603205c7df9a30.32769784
# Frontend: Plex (HTTPS Plex)
frontend Plex
bind 0.0.0.0:443 name 0.0.0.0:443 ssl ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 crt-list /tmp/haproxy/ssl/60de5b0e9afdd3.95063140.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: plex
acl acl_6032c230647965.95880753 hdr(host) -i plex.mydomain.com
# ACTION: PlexRules
use_backend PlexPool if acl_6032c230647965.95880753
# Backend: OmbiPool ()
backend OmbiPool
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Ombi 192.168.1.42:3000
# Backend: PlexPool ()
backend PlexPool
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Plex 192.168.1.42:32400
listen local_statistics
bind 127.0.0.1:8822
mode http
stats uri /haproxy?stats
stats realm HAProxy\ statistics
stats admin if TRUE
# statistics are DISABLED
I adjusted things quite a bit. I'm now consistently able to load plex.mydomain.com
but going to mydomain.com gives a 503 error
I got to this point using the amazing directions at:
https://forum.opnsense.org/index.php?topic=23339.0
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 2
maxconn 1000
tune.ssl.default-dh-param 4096
spread-checks 0
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 80_redirect (HTTP Redirect)
frontend 80_redirect
bind 0.0.0.0:80 name 0.0.0.0:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: HTTP
acl acl_603205c7df9a30.32769784 req.ssl_ver gt 0
# ACTION: http-redirect
http-request redirect scheme https code 301 if !acl_603205c7df9a30.32769784
# Frontend: SNI_frontend ()
frontend SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: HTTPS_frontend ()
frontend HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/60e263758b8c80.28077203.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: Ombi
acl acl_6029bf280a2d50.77237914 hdr_beg(host) -i ombi
# ACL: plex
acl acl_6032c230647965.95880753 hdr_beg(host) -i plex
# ACTION: OmbiRules
use_backend OmbiPool if acl_6029bf280a2d50.77237914
# ACTION: PlexRules
use_backend PlexPool if acl_6032c230647965.95880753
# Backend: OmbiPool ()
backend OmbiPool
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Ombi 192.168.1.42:3000 ssl verify none
# Backend: PlexPool ()
backend PlexPool
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Plex 192.168.1.42:32400 ssl verify none
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_SERVER 127.0.0.1 send-proxy-v2 check-send-proxy
listen local_statistics
bind 127.0.0.1:8822
mode http
stats uri /haproxy?stats
stats realm HAProxy\ statistics
stats admin if TRUE
# statistics are DISABLED