OPNsense Forum

English Forums => General Discussion => Topic started by: tmaniac on June 12, 2017, 02:27:40 pm

Title: Setting up Reverse Proxy (HAProxy)
Post by: tmaniac on June 12, 2017, 02:27:40 pm
Hello Experts,

I'm fooling around with OPNsense and HAProxy to set up a dedicated Reverse proxy for my virtual lab environment.
I have a single public IP but want to be able to set up multiple webservers with different SSL certs etc.

After some heavy googling and trying different options, OPNsense is the first piece of software I have successfully working as Reverse proxy :)
(and it looks good as well, but that's not important)

I don't need the OPNsense box to be a firewall or router since I already have a hardware based firewall/router in my network; its sole purpose is Reverse Proxy.

I've set up OPNsense with 2 interfaces (LAN and WAN) both in the same subnet.
In the firewall I disabled the "Block private networks" option (and of course allowed HTTP(S) traffic to the LAN).

I have installed the HAProxy plugin and I've successfully set up my front/backend, servers, actions and ACLs.

The 3 questions I have are:
1) I have a website with hostheader "app1.domain.com" that goes to internal server 192.168.1.2 over port 80
I want to force SSL on the external side but only for the website with that specific hostheader.
How can I accomplish this?

2) I have published a website with hostheader "app1.domain.com"
This works like a charm with traffic from the internet.
In my network I use split-brain DNS; if I create an A record for app1.domain.com and point this to the WAN interface of OPNsense, I'm unable to open the website.
How can I get this to work from my internal network as well?

3) Do I even need 2 interfaces if all I want OPNsense to do is Reverse Proxy?

Thanks for the help!


Title: Re: Setting up Reverse Proxy (HAProxy)
Post by: fabian on June 12, 2017, 10:31:00 pm
1) I have a website with hostheader "app1.domain.com" that goes to internal server 192.168.1.2 over port 80
I want to force SSL on the external side but only for the website with that specific hostheader.
How can I accomplish this?
You need to answer requests with status 301 or 302 and a suitable "Location" header if the request comes via port 80.
For example my personal website does this. I don't know how it is done in the plugin but it is easy in nginx.

3) Do I even need 2 interfaces if all I want OPNsense to do is Reverse Proxy?
In theory no, in practice yes: You would double the traffic on the link if you used the same link in and out, so you may DoS yourself.
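
The redirect described in the answer to question 1, written as raw HAProxy configuration. This is an added example, not part of the original posts and not the configuration the OPNsense plugin generates. The frontend and backend names, the certificate path and the second backend's address are assumptions; only the hostname app1.domain.com and the server 192.168.1.2:80 come from the thread.

```haproxy
# Added example: names, certificate path and be_other are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_http
    bind :80
    # Match the Host header for app1 only; strip an optional ":port"
    # suffix and lowercase the value before comparing.
    acl host_app1 req.hdr(host),field(1,:),lower -m str app1.domain.com
    # Answer with 301 and "Location: https://<Host><URI>" for this host.
    http-request redirect scheme https code 301 if host_app1
    # Every other hostname is still served over plain HTTP.
    default_backend be_other

frontend fe_https
    # TLS terminates here; placeholder path to the combined cert+key PEM.
    bind :443 ssl crt /path/to/app1.domain.com.pem
    acl host_app1 req.hdr(host),field(1,:),lower -m str app1.domain.com
    use_backend be_app1 if host_app1
    default_backend be_other

backend be_app1
    # Internal hop stays on port 80, as in the original question.
    server app1 192.168.1.2:80 check

backend be_other
    # Constructed address standing in for the other lab web servers.
    server other 192.168.1.3:80 check
```

Because the redirect rule sits in the port 80 frontend and is conditioned on the Host ACL, requests for other hostnames on the same public IP are not forced to HTTPS.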