OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: tapnl on December 01, 2019, 09:31:55 pm

Title: [Solved] HAProxy - Firewall rules
Post by: tapnl on December 01, 2019, 09:31:55 pm
Small question - no background

In the documentation the following statement is made:

Code:
Now you need to configure firewall rules for accessing your HAProxy instance.
https://docs.opnsense.org/manual/how-tos/haproxy.html

I am struggling with the firewall rule. When trying to set up a FW rule, I see no options to point to HAProxy.

Can somebody explain the last step, setting up the FW rule?

Same question - more background
I am trying to set up the following situation in my home network.

www.example.com --> server1
test1.example.com --> server1
test2.example.com --> server1
test3.example.com --> server2
test4.example.com --> server2

Both server1 and server2 are running multiple Docker containers, with Traefik as a reverse proxy.
Currently I only have a setup with server1, and this is handled by port forwarding and, on the server, Traefik as reverse proxy. So far so good. Now I want to add another server, with subdomains within the same domain. This can't be handled by port forwarding. I need a reverse proxy on OPNsense.

I followed this from the documentation:
https://docs.opnsense.org/manual/how-tos/haproxy.html

But I am struggling with this statement at the end of the page.
Code:
Now you need to configure firewall rules for accessing your HAProxy instance.
Can somebody explain the last step, setting up the FW rule?
Is there another, or better way to achieve this, or is this the "correct" way?

Title: Re: HAProxy - Firewall rules
Post by: ruggerio on December 02, 2019, 12:20:54 pm
You have to make rules with source WAN and destination localhost for the ports you offer to the internet. E.g. your HAProxy listens on port 80 publicly for your webserver:

Port 80, Source WAN, Target Localhost. The port is whatever you defined in HAProxy as the port for your public server.
Title: Re: HAProxy - Firewall rules
Post by: tapnl on December 07, 2019, 10:52:34 pm
@ruggerio: Thx for the reply.

During the last week, I tried several setups, but I am not able to get this working, and it is totally unclear to me whether the issue is in the FW rule or in the HAProxy setup.

Does anybody have an easy-to-share configuration or a link to a good tutorial? The information in the documentation on HAProxy is okay-ish, but brought me to this point.
Title: Re: HAProxy - Firewall rules
Post by: cmdr.adama on December 13, 2019, 03:13:01 pm
With some trial and error I was able to get HAProxy to work, and work fairly well at that... This will differ from what you are after obviously, but hopefully you can pick up on something you may have missed...

I've removed any addresses and Cert/CA details for obvious reasons...

Real server settings: (https://i.imgur.com/xv3MHRV.png)
Public Service: (https://i.imgur.com/KI1g6rw.png)
(https://i.imgur.com/cTn4Xpq.png)
(https://i.imgur.com/E3tI5N1.png)
Backend Pool: (https://i.imgur.com/c6TFBlB.png)
(https://i.imgur.com/5mSmIo8.png)

Regarding the FW... All you will need to do is allow web traffic, in my case just HTTPS to hit the FW...
(https://i.imgur.com/ZYxjojW.png)
Title: Re: HAProxy - Firewall rules
Post by: hbc on December 19, 2019, 04:07:31 pm
One little hint for HTTP/2.0. If you enable it in HAProxy, then make sure that your web server supports/serves it. Otherwise you will run into problems, at least when using Firefox.
Title: Re: HAProxy - Firewall rules
Post by: tapnl on December 27, 2019, 04:16:47 pm
Hi,

For those who have responded, thanks for looking into this, but unfortunately I was not able to fix this yet.
It is driving me nuts, because I have the feeling I am overlooking something small, but obviously with a great impact.

Based on my current setup, I configured HAProxy several times, but no solution.

I made two VMs with a webpage to point to.

My base setup is that I have several port forwarding configs. I disable all those port forwards and associated rules. I then set up HAProxy as the tutorial suggests and make a rule in the firewall.

Situation I end up in:

On wifi:

If I go to http://test1.domain.nl it goes to https://test1.domain.nl and shows the login page of OPNsense.

On 4G

If I go to http://test1.domain.nl I get no resolution and eventually it informs me that the request timed out.

The "make a FW rule" step is quite cryptic to me. Does anyone have screenshots of what is actually in there? And do you establish it as a rule or as a port forward under NAT?

Title: Re: HAProxy - Firewall rules
Post by: cmdr.adama on January 01, 2020, 06:58:55 am
As far as the FW is concerned, all you need is https://i.imgur.com/ZYxjojW.png.

You don't need to do anything with NAT as you are only meant to be hitting the FW... then the FW serves the page through HAProxy.

I'm assuming you have set up a record on your domain pointing to the FW for your site?
Title: Re: HAProxy - Firewall rules
Post by: tapnl on January 04, 2020, 10:43:47 pm
This took me quite some time, but I have figured it out.
I simply overlooked several times the significance of the following statement in the docs:

Quote
If you configure a port that is already in use, the configuration test will be successful but the start of HAProxy will fail silently. Please ensure that the used port is free - especially if the number conflicts with the web configuration of OPNsense.

By setting the port for the OPNsense web interface to something other than 443, the issue was resolved.
Thanks for those who helped out.
Title: Re: HAProxy - Firewall rules
Post by: peli on July 05, 2020, 02:00:09 pm
Quote from: tapnl on January 04, 2020, 10:43:47 pm
By setting the port for the OPNsense web interface to something other than 443, the issue was resolved.
Thanks for those who helped out.
Another solution is to bind the HA Proxy listener to the external interface's IP address (Virtual Services - Public Services - listener - Listen address: external_IP_Address:443)
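The port clash tapnl diagnosed (HAProxy on 443 colliding with the OPNsense web GUI, with a config test that passes and a start that fails silently) and peli's alternative of binding the listener to the external address, as an added example that is not part of the thread and not OPNsense or HAProxy project code: a POSIX shell pre-flight check that parses `sockstat -4l` style output and reports whether the "Listen address" chosen for the HAProxy public service can actually be bound. The sockstat sample is constructed, the PIDs are made up, 203.0.113.10 is a placeholder WAN address, and the function names `tcp_listeners_on` and `haproxy_bind_check` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the OPNsense project): pre-flight check
# for the port clash behind this thread. HAProxy's config test passes when its
# listener port is already taken, but the start then fails silently, so check
# the port before enabling the service.
#
# SAMPLE_SOCKSTAT is a constructed imitation of `sockstat -4l` on OPNsense
# with the web GUI (lighttpd) still on 443; PIDs are made up.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   1234  4  tcp4   *:443                 *:*
root     lighttpd   1234  5  tcp4   *:80                  *:*
root     sshd       1001  3  tcp4   *:22                  *:*
unbound  unbound    1100  6  udp4   *:53                  *:*'

# tcp_listeners_on PORT [SOCKSTAT_TEXT]
# Prints "COMMAND PID ADDRESS" for every TCP socket already bound to PORT.
tcp_listeners_on() {
    printf '%s\n' "${2:-$SAMPLE_SOCKSTAT}" | awk -v p="$1" '
        NR > 1 && $5 ~ /^tcp/ {
            n = split($6, a, ":")                      # last piece is the port
            if (a[n] == p) {
                addr = substr($6, 1, length($6) - length(a[n]) - 1)
                print $2, $3, addr
            }
        }'
}

# haproxy_bind_check LISTEN_ADDR [SOCKSTAT_TEXT]
# LISTEN_ADDR is the "Listen address" of the HAProxy public service, e.g.
# 0.0.0.0:443 or 203.0.113.10:443 (203.0.113.10 is a placeholder WAN address).
# Returns 0 when HAProxy can bind it, 1 when an existing listener clashes.
# Clash rule (BSD bind semantics with SO_REUSEADDR, which HAProxy sets):
#   * a wildcard bind clashes with ANY existing listener on that port;
#   * a specific-address bind clashes only with the same address, and may sit
#     beside an existing wildcard listener, which is why binding the service to
#     the external IP (peli's workaround) also starts cleanly.
haproxy_bind_check() {
    listen="$1"
    port="${listen##*:}"
    addr="${listen%:*}"
    case "$addr" in
        "$listen"|""|"*"|0.0.0.0) addr="*" ;;
    esac
    clashes=$(tcp_listeners_on "$port" "${2:-$SAMPLE_SOCKSTAT}" |
        awk -v want="$addr" -v port="$port" '
            want == "*" || $3 == want {
                printf "%s (pid %s) already bound to %s:%s\n", $1, $2, $3, port
            }')
    if [ -n "$clashes" ]; then
        printf 'HAProxy cannot bind %s:\n%s\n' "$listen" "$clashes" >&2
        return 1
    fi
    printf 'OK: %s is free for HAProxy\n' "$listen"
}

# Stand-alone demonstration against the constructed sample.
haproxy_bind_check "0.0.0.0:443" || :        # clashes with the web GUI
haproxy_bind_check "203.0.113.10:443" || :   # peli's workaround: starts
haproxy_bind_check "0.0.0.0:8443" || :       # free port, also fine
```

On a real OPNsense box, feed it live output instead of the sample: `haproxy_bind_check "0.0.0.0:443" "$(sockstat -4l)"` (use `sockstat -46l` if the listener is also bound on IPv6). One caveat with the specific-address workaround: the web GUI keeps its wildcard listener on 443, so it still answers on every other address of the firewall, and the GUI-facing firewall rules on LAN remain as important as before; moving the GUI port, as tapnl did, removes the overlap entirely.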