OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: dustymiller259 on July 04, 2020, 01:58:31 pm

Title: After some help with HAProxy
Post by: dustymiller259 on July 04, 2020, 01:58:31 pm
Now I've posted this in the correct forum, here's hoping for some assistance - Gotta love being a newbie at this.

I'm trying to understand how HAProxy works, and get it set up, but despite my limited understanding, I think I have the config correct, but it does not seem to work as expected at all. Does anyone know of any good resources out there?

I'm only trying to get it to work for a couple of webservers behind my firewall (Home Setup)

I have one rule working, but can't get the second to play without killing the first rule.

I basically have 1 rule working that says if "path contains string" = VirtualRadar then use one backend pool. That works.

When I add an anti rule so if the "path Contains string" - VirtualRadar + then negate that condition, in the second rule, it all falls apart.

What am I missing?
Title: Re: After some help with HAProxy
Post by: cmdr.adama on July 04, 2020, 06:55:23 pm
Could you please post the whole config so we can get a better idea of the whole set up?
Title: Re: After some help with HAProxy
Post by: dustymiller259 on July 04, 2020, 07:36:45 pm
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 debug

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: VirtualRadar_Real (VRS Server)
frontend VirtualRadar_Real
    bind www.millersmail.net:80 name www.millersmail.net:80
    mode http
    option http-keep-alive
    default_backend VirtualRadar_Backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: Web_Traffic_Real (Normal_HTTP)
frontend Web_Traffic_Real
    bind www.millersmail.net:80 name www.millersmail.net:80
    mode http
    option http-keep-alive
    default_backend Web_Traffic_Backend
    # tuning options
    timeout client 30s

    # logging options
    option httplog

# Backend: VirtualRadar_Backend (VRS Server)
backend VirtualRadar_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server VirtualRadar_80 192.168.0.41:80

# Backend: Web_Traffic_Backend (Synology_NAS)
backend Web_Traffic_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Synology 192.168.0.11:80 ssl verify required ca-file /etc/ssl/cert.pem

Title: Re: After some help with HAProxy
Post by: dustymiller259 on July 04, 2020, 07:38:36 pm
Can't seem to find the rules in the proxy config, where are they stored?
Title: Re: After some help with HAProxy
Post by: cmdr.adama on July 05, 2020, 02:33:09 am
Ok... First things first...

How the config is set up currently the second front end will never be hit... You have two front ends on the same port doing the exact same thing.. Ideally only have one front end per service so one for http and one for https...

Secondly I don't see in that config any ACLs for the front end or backend.

The back ends look ok just change the frontends and add ACLs to direct to each server.
Title: Re: After some help with HAProxy
Post by: dustymiller259 on July 05, 2020, 05:33:05 pm
So I have two conditions, and two rules, the first is the one below, and the second condition is with the negate option ticked, so that anything that does not contain "VirtualRadar" is picked up by the second rule, and pushed to the second backend. But the rules don't appear in my config; however this rule and condition works, it's the anti rule to push non-VirtualRadar traffic that doesn't.

Sorry for the long post with all the images.

(http://www.millersmail.net/co1.jpg)

(http://www.millersmail.net/r1.jpg)

(http://www.millersmail.net/co2.jpg)

(http://www.millersmail.net/r2.jpg)

(http://www.millersmail.net/be.jpg)

(http://www.millersmail.net/fe.jpg)

www.millersmail.net/haproxy.conf (http://www.millersmail.net/haproxy.conf)
Title: Re: After some help with HAProxy
Post by: cmdr.adama on July 06, 2020, 01:41:53 pm
So basically... If you match the first condition then go to the VirtualRadar... Any other traffic go to the webserver?

You only need one condition and then have the default pool as Web_Traffic... You seem to be over complicating it.
Title: Re: After some help with HAProxy
Post by: dustymiller259 on July 06, 2020, 05:54:39 pm
OK, cheers for that, it seems that I also need a firewall rule to allow the traffic to traverse, but I'm not sure where to put the firewall rule to allow the traffic to traverse the firewall as there is already a rule for port 80 on the WAN side.

If the port forward rules are enabled then the routing works, but I can't have two port forwards for port 80, so not sure where to put the rules to allow the traffic to flow. I've added a rule in the WAN Rules area, and that makes no difference.
Title: Re: After some help with HAProxy
Post by: cmdr.adama on July 07, 2020, 03:31:47 pm
Don't forward at all... Terminate incoming traffic on the firewall... HAProxy will then pick it up and do what it needs.
If you port forward you'll bypass HAProxy entirely.
Title: Re: After some help with HAProxy
Post by: dustymiller259 on July 07, 2020, 05:54:28 pm
I've tried without the port forward and HAProxy doesn't forward the default web traffic, only the traffic for which there is a proxy rule, which is why I'm stumped.
Title: Re: After some help with HAProxy
Post by: cmdr.adama on July 08, 2020, 12:56:54 pm
Ok so haproxy is listening on port 80 and you're saying it's not handling general http traffic hitting the FW? It won't be doing https traffic unless you have a Front end for 443.
Title: Re: After some help with HAProxy
Post by: dustymiller259 on July 08, 2020, 05:11:00 pm
HAProxy is listening, and passing traffic on port 80 to the one server that has the rule created, but the default traffic is not being passed off to the relevant backend; I get a 404 error from HAProxy. I just wish there was some decent logging available from HAProxy to work out why. I'm just trying to get a JPEG served at the moment.
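On the logging point raised above: with "option httplog" set in the frontend (the "logging options" block of the posted configs), HAProxy writes one line per request that names the frontend, the backend and server the request was routed to, the status code and the request line, which is exactly what is needed to see where default traffic ends up. The parser below is an added example, not code from this thread or from OPNsense; the log lines are constructed samples that reuse the thread's frontend and backend names.

```python
import re
from collections import Counter

# Field layout of an "option httplog" line once the syslog prefix is past:
#   client:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes
#   req_cookie resp_cookie term_state actconn/feconn/beconn/srv_conn/retries
#   srv_queue/backend_queue "METHOD /path HTTP/x.y"
HTTPLOG = re.compile(
    r'(?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<timers>\S+) (?P<status>-?\d+) '
    r'(?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) \S+ \S+ "(?P<request>[^"]*)"'
)

# Constructed sample lines (not real traffic) using the thread's frontend/backend names.
SAMPLE_LOG = [
    'Jul  8 17:11:00 fw haproxy[1234]: 203.0.113.5:51234 [08/Jul/2020:17:10:59.123] '
    'Default_HTTP_Frontend VirtualRadar_Backend/VirtualRadar_80 0/0/1/12/13 200 4821 '
    '- - ---- 2/2/1/1/0 0/0 "GET /VirtualRadar/desktop.html HTTP/1.1"',
    'Jul  8 17:11:02 fw haproxy[1234]: 203.0.113.5:51236 [08/Jul/2020:17:11:01.456] '
    'Default_HTTP_Frontend Web_Traffic_Backend/Synology 0/0/1/3/4 404 512 '
    '- - ---- 2/2/0/0/0 0/0 "GET /test.jpg HTTP/1.1"',
    'Jul  8 17:11:05 fw haproxy[1234]: 203.0.113.9:40000 [08/Jul/2020:17:11:04.789] '
    'Default_HTTP_Frontend Web_Traffic_Backend/<NOSRV> 0/-1/-1/-1/0 503 212 '
    '- - SC-- 1/1/0/0/0 0/0 "GET /test.jpg HTTP/1.1"',
]

def parse_httplog(line):
    """Return the routing-relevant fields of one httplog line, or None if it is not one."""
    m = HTTPLOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["timers"] = [int(t) for t in rec["timers"].split("/")]
    parts = rec["request"].split(" ")
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    return rec

def routing_report(lines):
    """Count (frontend, backend, server, status) per request and collect requests
    that never reached a server: HAProxy logs those with the server name <NOSRV>."""
    counts = Counter()
    no_server = []
    for rec in filter(None, map(parse_httplog, lines)):
        counts[(rec["frontend"], rec["backend"], rec["server"], rec["status"])] += 1
        if rec["server"] == "<NOSRV>":
            no_server.append((rec["path"], rec["status"], rec["term"]))
    return counts, no_server

if __name__ == "__main__":
    counts, no_server = routing_report(SAMPLE_LOG)
    print(dict(counts), no_server)
```

A status logged against a named server (the 404 against Synology in the sample) was produced by that server, whereas HAProxy's own "no server available" response is a 503 logged with <NOSRV>, so the report separates the two cases.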
Title: Re: After some help with HAProxy
Post by: cmdr.adama on July 09, 2020, 12:21:09 pm
Can you please post an updated version of your config?

Is it still the same addresses you're trying to hit as the original config?
Title: Re: After some help with HAProxy
Post by: dustymiller259 on July 14, 2020, 12:09:37 pm
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 debug

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: VirtualRadar_Real (VRS Server)
frontend VirtualRadar_Real
    bind 195.166.157.80:80 name 195.166.157.80:80
    mode http
    option http-keep-alive
    default_backend Web_Traffic_Backend
    # tuning options
    timeout client 30s

    # logging options

# Backend: VirtualRadar_Backend (VRS Server)
backend VirtualRadar_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server VirtualRadar_80 192.168.0.41:80

# Backend: Web_Traffic_Backend (Synology_NAS)
backend Web_Traffic_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Synology 192.168.0.11: ssl verify none

Title: Re: After some help with HAProxy
Post by: cmdr.adama on July 15, 2020, 04:54:17 am
Ok so now you have the one frontend and the two backends but no rules or conditions?
Set the rule on the frontend not the backend.
The synology doesn't have a port?
Title: Re: After some help with HAProxy
Post by: dustymiller259 on July 15, 2020, 05:40:44 pm
Nope the single rule and condition is still there, it does not show in the config for some reason.
Title: Re: After some help with HAProxy
Post by: dustymiller259 on July 15, 2020, 06:32:14 pm
So now I have a DNS rebinding issue.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 debug

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: Default_HTTP_Frontend (Push To Synology - Port 80)
frontend Default_HTTP_Frontend
    bind www.millersmail.net:80 name www.millersmail.net:80
    mode http
    option http-keep-alive
    default_backend Web_Traffic_Backend
    # tuning options
    timeout client 30s

    # logging options
    # ACL: VRS
    acl acl_5ede099ae6a2a1.30660197 path_sub -i VirtualRadar

    # ACTION: VRS
    use_backend VirtualRadar_Backend if acl_5ede099ae6a2a1.30660197

# Backend: VirtualRadar_Backend (VRS Server)
backend VirtualRadar_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server VirtualRadar_80 192.168.0.41:80

# Backend: Web_Traffic_Backend (Synology_NAS)
backend Web_Traffic_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Synology 192.168.0.11:80

Title: Re: After some help with HAProxy
Post by: cmdr.adama on July 17, 2020, 06:45:34 am
Don't use a FQDN for the bind address. Either a specific interface IP or 0.0.0.0

Then that should work fine.
Title: Re: After some help with HAProxy
Post by: dustymiller259 on July 18, 2020, 04:56:30 pm
Nope, tried with both my external IP & 0.0.0.0 with port 80, and the same DNS rebind error.