Dear all,
I'm trying to configure HAProxy with a multidomain setup. I have set up a frontend on the localhost device and added firewall rules to NAT traffic and a default backend. This setup works great.
But in a multidomain setup, an action and an ACL are required to probe the correct host. I have set up an ACL with "host matches" and the value www.xyz.com (without the optional fields in the mask). With the action I have set backend and server, but for the conditional parameters I don't understand what to set.
Is there any example?
Best Dani
Basically this setup would be needed; in this example two ACLs are defined in the frontend.
https://seanmcgary.com/posts/haproxy---route-by-domain-name
However, when I add the ACL, I get the following error: 'use-server' ignored because frontend 'http_in' has no backend capability.
Found a solution in the frontend with optional pass-through, adding these lines and removing the ACL from the backends:
acl host_domain1 hdr(host) -i domain1.com
acl host_domain2 hdr(host) -i domain2.com
use_backend backend1 if host_domain1
use_backend backend2 if host_domain2
Next problem I'm facing is that I would like to run the frontend in transparent mode.
Thanks to Deciso support we got it working. I can only recommend getting commercial support from them. It is worth every cent.
Config, here we go:
Port forward from port 80 to 127.0.0.1:8080 as a NAT firewall rule:
<rule>
<protocol>tcp</protocol>
<interface>wan</interface>
<ipprotocol>inet</ipprotocol>
<descr/>
<tag/>
<tagged/>
<poolopts/>
<target>127.0.0.1</target>
<local-port>8080</local-port>
<source>
<any>1</any>
</source>
<destination>
<network>wanip</network>
<port>80</port>
</destination>
</rule>
Corresponding firewall rule on WAN for it:
<rule>
<source>
<any>1</any>
</source>
<interface>wan</interface>
<protocol>tcp</protocol>
<ipprotocol>inet</ipprotocol>
<destination>
<address>127.0.0.1</address>
<port>8080</port>
</destination>
<descr>NAT </descr>
</rule>
HAProxy config: basically one frontend, one backend, multiple servers, and one ACL/action rule per domain/server:
<OPNsense>
<HAProxy version="0.0.0">
<frontends>
<frontend uuid="51ea7847-d9d7-4bfc-a2c0-81a6521e76ce">
<id>597244499fc4e2.41670272</id>
<enabled>1</enabled>
<name>http_in_new</name>
<description>http_in_new</description>
<bind>127.0.0.1:8080</bind>
<bindOptions/>
<mode>http</mode>
<defaultBackend>979ae8bd-b258-433e-9d9c-6b27958cde85</defaultBackend>
<ssl_enabled>0</ssl_enabled>
<ssl_certificates/>
<ssl_default_certificate/>
<ssl_customOptions/>
<tuning_maxConnections>50</tuning_maxConnections>
<tuning_timeoutClient/>
<logging_dontLogNull>0</logging_dontLogNull>
<logging_dontLogNormal>0</logging_dontLogNormal>
<logging_logSeparateErrors>0</logging_logSeparateErrors>
<logging_detailedLog>1</logging_detailedLog>
<logging_socketStats>0</logging_socketStats>
<forwardFor>0</forwardFor>
<connectionBehaviour>http-keep-alive</connectionBehaviour>
<customOptions/>
<linkedActions/>
<linkedErrorfiles/>
</frontend>
</frontends>
<backends>
<backend uuid="979ae8bd-b258-433e-9d9c-6b27958cde85">
<id>597244a2ddedd0.95485458</id>
<enabled>1</enabled>
<name>http_traffic</name>
<description>http</description>
<mode>http</mode>
<algorithm>source</algorithm>
<linkedServers>6b7aa04a-e7a7-4ab7-a575-f998d9f2685c,4820f14b-f9c4-4b61-9625-946857ec47e5</linkedServers>
<source/>
<healthCheckEnabled>0</healthCheckEnabled>
<healthCheck/>
<healthCheckLogStatus>0</healthCheckLogStatus>
<stickiness_pattern>sourceipv4</stickiness_pattern>
<stickiness_expire>30m</stickiness_expire>
<stickiness_size>50k</stickiness_size>
<stickiness_cookiename/>
<stickiness_cookielength/>
<tuning_timeoutConnect/>
<tuning_timeoutCheck/>
<tuning_timeoutServer/>
<tuning_retries/>
<customOptions/>
<tuning_defaultserver/>
<tuning_noport>0</tuning_noport>
<linkedActions>8a1f1cc9-0302-4d85-8c35-2bd38b910054,73098205-0ee9-4a89-b289-8d741986ab45</linkedActions>
<linkedErrorfiles/>
</backend>
</backends>
<servers>
<server uuid="6b7aa04a-e7a7-4ab7-a575-f998d9f2685c">
<name>se_domain1_com</name>
<description>se_domain1_com</description>
<address>192.168.4.111</address>
<port>80</port>
<checkport/>
<mode>active</mode>
<ssl>0</ssl>
<sslVerify>1</sslVerify>
<sslCA/>
<sslCRL/>
<sslClientCertificate/>
<weight/>
<checkInterval>2s</checkInterval>
<checkDownInterval/>
<source/>
<advanced/>
</server>
<server uuid="4820f14b-f9c4-4b61-9625-946857ec47e5">
<name>se_domain2_com</name>
<description>se_domain2_com</description>
<address>192.168.4.170</address>
<port>80</port>
<checkport/>
<mode>active</mode>
<ssl>0</ssl>
<sslVerify>0</sslVerify>
<sslCA/>
<sslCRL/>
<sslClientCertificate/>
<weight/>
<checkInterval>2s</checkInterval>
<checkDownInterval/>
<source/>
<advanced/>
</server>
</servers>
<healthchecks/>
<acls>
<acl uuid="612e6680-5173-417d-9249-9819f81e23b3">
<id>5961c1176bebe9.97403330</id>
<name>al_domain1_com</name>
<description>al_domain1_com</description>
<expression>host_matches</expression>
<negate>0</negate>
<value>domain1.com</value>
<urlparam/>
<queryBackend/>
</acl>
<acl uuid="8f4f87f9-190e-497f-ab2e-8a69926db96f">
<id>596c4cc128a6d9.48525721</id>
<name>al_domain2_com</name>
<description>al_domain2_com</description>
<expression>host_matches</expression>
<negate>0</negate>
<value>domain2.com</value>
<urlparam/>
<queryBackend/>
</acl>
</acls>
<actions>
<action uuid="8a1f1cc9-0302-4d85-8c35-2bd38b910054">
<name>an_domain1_com</name>
<description>an_domain1_com</description>
<testType>if</testType>
<linkedAcls>612e6680-5173-417d-9249-9819f81e23b3</linkedAcls>
<operator>and</operator>
<type>use_server</type>
<useBackend/>
<useServer>6b7aa04a-e7a7-4ab7-a575-f998d9f2685c</useServer>
<actionName/>
<actionFind/>
<actionValue/>
</action>
<action uuid="73098205-0ee9-4a89-b289-8d741986ab45">
<name>an_domain2_com</name>
<description>an_domain2_com</description>
<testType>if</testType>
<linkedAcls>8f4f87f9-190e-497f-ab2e-8a69926db96f</linkedAcls>
<operator>and</operator>
<type>use_server</type>
<useBackend/>
<useServer>4820f14b-f9c4-4b61-9625-946857ec47e5</useServer>
<actionName/>
<actionFind/>
<actionValue/>
</action>
</actions>
<luas/>
<errorfiles/>
</HAProxy>
</OPNsense>
Next would be to get it working in transparent mode, not sure if possible 8)
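The two pitfalls in this thread (a use_server action linked from a frontend, which HAProxy rejects with the "'use-server' ignored because frontend ... has no backend capability" message, and a host_matches ACL whose value is an ACL name rather than a hostname) are both visible in the plugin's XML before HAProxy ever loads it. The following checker is an added example and not part of the forum posts or of the OPNsense plugin; the embedded XML is constructed to mirror the posted structure with made-up placeholder UUIDs, and the check names and hostname rule are my own assumptions. It resolves the UUID links (frontend to backend, backend to servers and actions, action to ACLs and server) and reports inconsistencies.

```python
"""Consistency checker for an OPNsense HAProxy plugin config fragment.

Added example, not code from the forum thread or the plugin. The sample XML
is constructed with placeholder UUIDs. Checks performed:
  * use_server actions must be linked from a backend, never from a frontend;
  * host_matches ACL values must look like hostnames, not ACL names;
  * a use_server target must be one of the backend's linkedServers;
  * every linked UUID (backend, server, action, acl) must resolve.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: two deliberate mistakes (frontend links a use_server
# action; acl-1 carries its own name as the host value).
SAMPLE_XML = """<OPNsense>
<HAProxy version="0.0.0">
  <frontends>
    <frontend uuid="fe-1">
      <name>http_in_new</name>
      <defaultBackend>be-1</defaultBackend>
      <linkedActions>act-1</linkedActions>
    </frontend>
  </frontends>
  <backends>
    <backend uuid="be-1">
      <name>http_traffic</name>
      <linkedServers>srv-1,srv-2</linkedServers>
      <linkedActions>act-1,act-2</linkedActions>
    </backend>
  </backends>
  <servers>
    <server uuid="srv-1"><name>se_domain1_com</name></server>
    <server uuid="srv-2"><name>se_domain2_com</name></server>
  </servers>
  <acls>
    <acl uuid="acl-1"><name>al_domain1_com</name>
      <expression>host_matches</expression><value>al_domain1_com</value></acl>
    <acl uuid="acl-2"><name>al_domain2_com</name>
      <expression>host_matches</expression><value>domain2.com</value></acl>
  </acls>
  <actions>
    <action uuid="act-1"><name>an_domain1_com</name><linkedAcls>acl-1</linkedAcls>
      <type>use_server</type><useServer>srv-1</useServer></action>
    <action uuid="act-2"><name>an_domain2_com</name><linkedAcls>acl-2</linkedAcls>
      <type>use_server</type><useServer>srv-2</useServer></action>
  </actions>
</HAProxy>
</OPNsense>
"""

# Assumed hostname rule: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$", re.I)


def _text(el, tag):
    child = el.find(tag)
    return (child.text or "").strip() if child is not None else ""


def _links(el, tag):
    # Comma-separated UUID lists as the plugin stores them.
    return [u for u in _text(el, tag).split(",") if u]


def _index(hap, container, item):
    return {e.get("uuid"): e for e in hap.findall(f"./{container}/{item}")}


def check_haproxy_config(xml_text):
    """Return a list of finding strings; an empty list means no problems found."""
    root = ET.fromstring(xml_text)
    hap = root if root.tag == "HAProxy" else root.find("HAProxy")
    frontends = _index(hap, "frontends", "frontend")
    backends = _index(hap, "backends", "backend")
    servers = _index(hap, "servers", "server")
    acls = _index(hap, "acls", "acl")
    actions = _index(hap, "actions", "action")
    findings = []

    for acl in acls.values():  # host_matches values must be hostnames
        value = _text(acl, "value")
        if _text(acl, "expression") == "host_matches" and not HOSTNAME_RE.match(value):
            findings.append(f"acl {_text(acl, 'name')}: host_matches value "
                            f"{value!r} is not a hostname")

    for fe in frontends.values():  # frontend links
        name = _text(fe, "name")
        db = _text(fe, "defaultBackend")
        if db and db not in backends:
            findings.append(f"frontend {name}: defaultBackend {db} does not exist")
        for aid in _links(fe, "linkedActions"):
            act = actions.get(aid)
            if act is None:
                findings.append(f"frontend {name}: action {aid} does not exist")
            elif _text(act, "type") == "use_server":
                findings.append(f"frontend {name}: action {_text(act, 'name')} is "
                                "use_server, which HAProxy only accepts in a backend")

    for be in backends.values():  # backend links and use_server targets
        name = _text(be, "name")
        members = _links(be, "linkedServers")
        findings += [f"backend {name}: server {s} does not exist"
                     for s in members if s not in servers]
        for aid in _links(be, "linkedActions"):
            act = actions.get(aid)
            if act is None:
                findings.append(f"backend {name}: action {aid} does not exist")
                continue
            findings += [f"action {_text(act, 'name')}: acl {a} does not exist"
                         for a in _links(act, "linkedAcls") if a not in acls]
            target = _text(act, "useServer")
            if _text(act, "type") == "use_server" and target not in members:
                findings.append(f"backend {name}: action {_text(act, 'name')} "
                                f"targets server {target}, not a member of this backend")
    return findings


if __name__ == "__main__":
    for line in check_haproxy_config(SAMPLE_XML) or ["no findings"]:
        print(line)
```

Run against the sample it reports exactly the two mistakes above; fix the ACL value to domain1.com and remove the frontend's linkedActions entry and the report is empty. Pointing it at the HAProxy section of a real config.xml export is the intended use.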