OPNsense Forum

English Forums => General Discussion => Topic started by: fire on June 01, 2016, 05:32:53 pm

Title: [SOLVED] Can't get HAProxy working
Post by: fire on June 01, 2016, 05:32:53 pm
Hi everyone,
Thanks for this wonderful project. I'm using it on several dedicated servers and it works like a charm.
I have some Apache reverse proxies running on those dedicated servers and I'm wondering whether to replace them with the integrated HAProxy plugin on OPNsense.

I created a test environment with an OPNsense and an Apache virtual machine. The firewall has one public IP and one private IP which is in the same subnet as the Apache VM.
I configured a minimal Frontend, Backend and server. Service is ON but HAProxy is not working. Port 80 seems to be closed.

Does anyone have a configuration example of a working infrastructure?
I have 2 cards working with the virtio driver with Hardware CRC turned off.
Title: Re: Can't get HAProxy working
Post by: franco on June 01, 2016, 05:58:33 pm
Hi there,

Thanks. :) There is an update 1.1 that's online now and a 1.2 that is pending for the upcoming 16.1.16. Make sure you're not on version 1.0, you can see that from the firmware updates page under plugins.

It may be good to get the author involved and let him know your exact setup to reproduce. I'll try to grab him. :)


Cheers,
Franco
Title: Re: Can't get HAProxy working
Post by: fraenki on June 02, 2016, 11:29:58 am
I created a test environment with an OPNsense and an Apache virtual machine. The firewall has one public IP and one private IP which is in the same subnet as the Apache VM.
I configured a minimal Frontend, Backend and server. Service is ON but HAProxy is not working. Port 80 seems to be closed.

Some thoughts:

- make sure you have haproxy plugin version 1.1 installed
- check the haproxy log at Services->HAProxy->Log File
- make sure haproxy service is enabled in Services->HAProxy->Settings->General Settings; click "Apply" button

What happens when you click on "Test Syntax" in Services->HAProxy->Settings->Frontend?

Regards
- Frank
Title: Re: Can't get HAProxy working
Post by: fire on June 02, 2016, 11:43:52 am
Hello Franco and Fraenki!
I have the latest version of OPNsense (16.1.15), and the HAproxy plugin is v1.1.
HAproxy logs aren't telling anything but "Proxy front/back started", and the test syntax is telling me everything is correct.

Regarding my setup, one image is better than a thousand words.
Here is my current setup:
(https://lut.im/3w96Vi4YdB/IbjUzKC5QASZjEXL.jpg)

And here is the setup I want to achieve:
(https://lut.im/7uW3jWLN7I/9dWUqIbUsjSCV790.jpg)

I'm an HAproxy noob, so there is a chance that my test configuration isn't correct. That's why I'd love to see a simple working example.

Thank you both for your help.

EDIT: From a security point of view, is this the correct way to proceed?
Title: Re: Can't get HAProxy working
Post by: fraenki on June 02, 2016, 12:03:17 pm
HAproxy logs aren't telling anything but "Proxy front/back started", and the test syntax is telling me everything is correct.

This is actually good, so the HAProxy service is at least starting up. If you have access to the OPNsense console, please run (and post the output here)...
Code:
sockstat | grep haproxy
...so we know on which IPs and ports the service is listening.

Regarding my setup, one image is better than a thousand words.
Here is my current setup:

Looks sane to me.  :)

I'm an HAproxy noob, so there is a chance that my test configuration isn't correct. That's why I'd love to see a simple working example.

What happens when you try to access the URL you want to serve with HAProxy? Does it timeout? Did you check the firewall logs?

Could you post some quick screenshots of your Frontend and Backend configuration? (Make sure to obfuscate your public IP addresses.)

You're invited to join us on IRC (Freenode: irc.freenode.org. #opnsense), so we can directly discuss this issue, if you like.  8)

EDIT: From a security point of view, is this the correct way to proceed?

I don't see any security issue. (You don't need to drop your DMZ, as the picture suggests. The HAProxy service could still use an IP address from your DMZ.)

Regards
- Frank
Title: Re: Can't get HAProxy working
Post by: fire on June 02, 2016, 01:09:06 pm
When I try to access the URL, I have an "ERR_CONNECTION_RESET" and logs are saying:
(https://lut.im/5wBZ3CtHGT/SyoAfo1nQEHPib04.png)

My listen port and interface look good:
(https://lut.im/unguM0rPjZ/ek8JtkGiqxRkW0Hd.png)

Here are my test settings for testing HAproxy:
Frontend:
(https://lut.im/dg9FjL6aUW/YtWRxYfpLHP6hFEk.png)

Backend:
(https://lut.im/x5KESnXbrA/K24JLnKihrlEzuWV.png)

And server:
(https://lut.im/Vr6BSjLrbR/BhUKDfoIyBWMSxOf.png)

Can you confirm it's correct? I tried to add some ACL but it doesn't work either.
Title: Re: Can't get HAProxy working
Post by: fraenki on June 02, 2016, 01:26:39 pm
Solution: Needed to add a firewall rule to allow requests to pass through to HAProxy. The plugin does not automatically generate firewall rules (I should add a hint somewhere).
Title: Re: Can't get HAProxy working
Post by: fire on June 02, 2016, 01:58:49 pm
As you said, the firewall rule did the trick and I can now continue testing the HAproxy plugin.

Thank you for your time! My problem is now solved.
Have a nice day!
Title: Re: [SOLVED] Can't get HAProxy working
Post by: Mannueru on December 27, 2016, 10:57:00 pm
Can you post the firewall rule?
Title: Re: [SOLVED] Can't get HAProxy working
Post by: fraenki on December 27, 2016, 11:10:18 pm
Can you post the firewall rule?

You just need to add rules to allow traffic to your HAProxy frontends and between your HAProxy backends and servers.


Regards
- Frank
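
The socket check and the fix discussed in this thread, combined as an added example (not posted by any participant and not part of the plugin): it reads `sockstat -4 -l` output, extracts the addresses and ports HAProxy listens on, and names the pass rule each frontend needs. The sample output is constructed and the function names are hypothetical; rules between backends and servers are not covered.

```shell
#!/bin/sh
# Input format: FreeBSD sockstat columns
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

haproxy_listeners() {
    # Print "addr port" for every TCP socket owned by haproxy.
    awk '$2 == "haproxy" && $5 ~ /^tcp/ {
        n = split($6, a, ":")   # IPv4 local address is "addr:port"
        print a[1], a[n]
    }' | sort -u
}

rules_needed() {
    # A listening socket is not enough: each frontend that must be
    # reachable from the network also needs a pass rule on the firewall.
    haproxy_listeners | while read -r addr port; do
        case "$addr" in
            127.*) echo "skip:  $addr:$port is loopback, no rule needed" ;;
            \*)    echo "allow: TCP to any firewall address, port $port" ;;
            *)     echo "allow: TCP to $addr port $port" ;;
        esac
    done
}

# Constructed sample of `sockstat -4 -l` output (documentation addresses).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      haproxy    4711  5  tcp4   203.0.113.10:80       *:*
www      haproxy    4711  6  tcp4   127.0.0.1:8822        *:*
root     sshd       812   3  tcp4   *:22                  *:*
EOF
}

# On the OPNsense console: sockstat -4 -l | rules_needed
sample_sockstat | rules_needed
```

Each "allow" line corresponds to one rule to create by hand, since the plugin does not generate firewall rules itself.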