OPNsense Forum

English Forums => General Discussion => Topic started by: dani on July 20, 2017, 08:58:31 pm

Title: HAProxy Multidomain
Post by: dani on July 20, 2017, 08:58:31 pm
Dear all,

I'm trying to configure HAProxy with a multidomain setup. I have set up a frontend on the localhost device, added firewall rules to NAT the traffic, and added a default backend. This setup works great.

But in a multidomain setup an action and an ACL are required to probe the correct host. I have set up an ACL with "host matches" and the value www.xyz.com (without the optional fields in the mask). In the action I have set backend and server, but for the conditional parameters I don't understand what to set.

Is there any example?

Best Dani
Title: Re: HAProxy Multidomain
Post by: dani on July 20, 2017, 11:25:27 pm
Basically this setup would be needed; in this example two ACLs are defined in the frontend.
https://seanmcgary.com/posts/haproxy---route-by-domain-name

However, when I add the ACL, I get the following error: 'use-server' ignored because frontend 'http_in' has no backend capability.
Title: Re: HAProxy Multidomain
Post by: dani on July 21, 2017, 08:16:48 am
Found a solution in the frontend with optional pass-through, adding these lines and removing the ACLs from the backends:
acl host_domain1 hdr(host) -i domain1.com
acl host_domain2 hdr(host) -i domain2.com

use_backend backend1 if host_domain1
use_backend backend2 if host_domain2
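As an added example (not code from the post above, from OPNsense or from HAProxy), the Python below re-implements the matching semantics of the ACL forms that decide a `use_backend` rule: `hdr(host) -i X` (whole-string, case-insensitive), `hdr_dom(host) -i X` (X as a word delimited by `/`, `?`, `.`, `:` or the string ends) and `hdr(host),lower,field(1,:) -m str X` (strip the `:port` first, then exact). It shows two edge cases the snippet above does not cover: a `Host` header that carries a port (`domain1.com:8080` does not match `hdr(host) -i domain1.com`), and the over-matching of `hdr_dom`, which also accepts `domain1.com.evil.net`. Unmatched hosts are answered with `deny` (standing for an `http-request deny` catch-all) rather than being handed to a default backend. All hostnames are constructed.

```python
"""Simulate HAProxy host ACL matchers driving use_backend decisions.

Added example (not from the forum post, OPNsense or HAProxy). It mirrors the
semantics of three HAProxy ACL forms:
  hdr(host) -i X                       -> exact, case-insensitive (-m str)
  hdr_dom(host) -i X                   -> X as a word delimited by / ? . :
                                          or by the string ends (-m dom)
  hdr(host),lower,field(1,:) -m str X  -> strip :port, then exact match
All Host header values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable

DOM_DELIMS = frozenset("/?.:")   # delimiters HAProxy's domain matcher honours


def match_str(value: str, pattern: str) -> bool:
    """hdr(host) -i pattern: whole-string, case-insensitive comparison."""
    return value.lower() == pattern.lower()


def match_dom(value: str, pattern: str) -> bool:
    """hdr_dom(host) -i pattern: pattern present as a delimited word anywhere."""
    v, p, start = value.lower(), pattern.lower(), 0
    while (i := v.find(p, start)) >= 0:
        end = i + len(p)
        before_ok = i == 0 or v[i - 1] in DOM_DELIMS
        after_ok = end == len(v) or v[end] in DOM_DELIMS
        if before_ok and after_ok:
            return True
        start = i + 1
    return False


def match_host_no_port(value: str, pattern: str) -> bool:
    """hdr(host),lower,field(1,:) -m str pattern: drop :port, then exact match."""
    return match_str(value.split(":", 1)[0], pattern)


@dataclass(frozen=True)
class Rule:
    backend: str
    matcher: Callable[[str, str], bool]
    pattern: str


def route(host: str, rules: list, default: str = "deny") -> str:
    """First matching use_backend rule wins, in order, as HAProxy evaluates them.
    'deny' stands for an `http-request deny` catch-all instead of a default backend."""
    for rule in rules:
        if rule.matcher(host, rule.pattern):
            return rule.backend
    return default


# The post's rules as written: hdr(host) -i domain1.com / domain2.com
RULES_STR = [Rule("backend1", match_str, "domain1.com"),
             Rule("backend2", match_str, "domain2.com")]
# Same with hdr_dom(host): tolerant of :port and subdomains, but over-matches
RULES_DOM = [Rule("backend1", match_dom, "domain1.com"),
             Rule("backend2", match_dom, "domain2.com")]
# Strict: strip the port, then exact match on the bare hostname
RULES_STRICT = [Rule("backend1", match_host_no_port, "domain1.com"),
                Rule("backend2", match_host_no_port, "domain2.com")]

if __name__ == "__main__":
    for host in ("domain1.com", "DOMAIN1.COM", "domain1.com:8080",
                 "www.domain1.com", "domain1.com.evil.net", "evil.net"):
        print(f"{host:22} str={route(host, RULES_STR):8} "
              f"dom={route(host, RULES_DOM):8} strict={route(host, RULES_STRICT)}")
```

The strict form is the one to prefer when each backend must only ever see its own hostname: `hdr_dom` is convenient for `www.` prefixes and ports, but because it matches the pattern at any dot-delimited position, a client that sends `Host: domain1.com.evil.net` is routed to backend1 as well.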
Title: Re: HAProxy Multidomain
Post by: dani on July 21, 2017, 10:10:40 am
The next problem I'm facing is that I would like to run the frontend in transparent mode.
Title: Re: HAProxy Multidomain
Post by: dani on July 23, 2017, 09:38:18 am
Thanks to Deciso support we got it working. I can only recommend getting commercial support from them. It is worth every cent.

Config, here we go:
Port forward from port 80 to 127.0.0.1:8080 via a NAT firewall rule:
Code:
<rule>
  <protocol>tcp</protocol>
  <interface>wan</interface>
  <ipprotocol>inet</ipprotocol>
  <descr/>
  <tag/>
  <tagged/>
  <poolopts/>
  <target>127.0.0.1</target>
  <local-port>8080</local-port>
  <source>
    <any>1</any>
  </source>
  <destination>
    <network>wanip</network>
    <port>80</port>
  </destination>
</rule>

Corresponding firewall rule on WAN for it:
Code:
<rule>
  <source>
    <any>1</any>
  </source>
  <interface>wan</interface>
  <protocol>tcp</protocol>
  <ipprotocol>inet</ipprotocol>
  <destination>
    <address>127.0.0.1</address>
    <port>8080</port>
  </destination>
  <descr>NAT </descr>
</rule>

HAProxy config: basically one frontend, one backend and multiple servers, with one ACL/action rule per domain/server:
Code:
    <HAProxy version="0.0.0">
      <frontends>
        <frontend uuid="51ea7847-d9d7-4bfc-a2c0-81a6521e76ce">
          <id>597244499fc4e2.41670272</id>
          <enabled>1</enabled>
          <name>http_in_new</name>
          <description>http_in_new</description>
          <bind>127.0.0.1:8080</bind>
          <bindOptions/>
          <mode>http</mode>
          <defaultBackend>979ae8bd-b258-433e-9d9c-6b27958cde85</defaultBackend>
          <ssl_enabled>0</ssl_enabled>
          <ssl_certificates/>
          <ssl_default_certificate/>
          <ssl_customOptions/>
          <tuning_maxConnections>50</tuning_maxConnections>
          <tuning_timeoutClient/>
          <logging_dontLogNull>0</logging_dontLogNull>
          <logging_dontLogNormal>0</logging_dontLogNormal>
          <logging_logSeparateErrors>0</logging_logSeparateErrors>
          <logging_detailedLog>1</logging_detailedLog>
          <logging_socketStats>0</logging_socketStats>
          <forwardFor>0</forwardFor>
          <connectionBehaviour>http-keep-alive</connectionBehaviour>
          <customOptions/>
          <linkedActions/>
          <linkedErrorfiles/>
        </frontend>
      </frontends>
      <backends>
        <backend uuid="979ae8bd-b258-433e-9d9c-6b27958cde85">
          <id>597244a2ddedd0.95485458</id>
          <enabled>1</enabled>
          <name>http_traffic</name>
          <description>http</description>
          <mode>http</mode>
          <algorithm>source</algorithm>
          <linkedServers>6b7aa04a-e7a7-4ab7-a575-f998d9f2685c,4820f14b-f9c4-4b61-9625-946857ec47e5</linkedServers>
          <source/>
          <healthCheckEnabled>0</healthCheckEnabled>
          <healthCheck/>
          <healthCheckLogStatus>0</healthCheckLogStatus>
          <stickiness_pattern>sourceipv4</stickiness_pattern>
          <stickiness_expire>30m</stickiness_expire>
          <stickiness_size>50k</stickiness_size>
          <stickiness_cookiename/>
          <stickiness_cookielength/>
          <tuning_timeoutConnect/>
          <tuning_timeoutCheck/>
          <tuning_timeoutServer/>
          <tuning_retries/>
          <customOptions/>
          <tuning_defaultserver/>
          <tuning_noport>0</tuning_noport>
          <linkedActions>8a1f1cc9-0302-4d85-8c35-2bd38b910054,73098205-0ee9-4a89-b289-8d741986ab45</linkedActions>
          <linkedErrorfiles/>
        </backend>
      </backends>
      <servers>
        <server uuid="6b7aa04a-e7a7-4ab7-a575-f998d9f2685c">
          <name>se_domain1_com</name>
          <description>se_domain1_com</description>
          <address>192.168.4.111</address>
          <port>80</port>
          <checkport/>
          <mode>active</mode>
          <ssl>0</ssl>
          <sslVerify>1</sslVerify>
          <sslCA/>
          <sslCRL/>
          <sslClientCertificate/>
          <weight/>
          <checkInterval>2s</checkInterval>
          <checkDownInterval/>
          <source/>
          <advanced/>
        </server>
        <server uuid="4820f14b-f9c4-4b61-9625-946857ec47e5">
          <name>se_domain2_com</name>
          <description>se_domain2_com</description>
          <address>192.168.4.170</address>
          <port>80</port>
          <checkport/>
          <mode>active</mode>
          <ssl>0</ssl>
          <sslVerify>0</sslVerify>
          <sslCA/>
          <sslCRL/>
          <sslClientCertificate/>
          <weight/>
          <checkInterval>2s</checkInterval>
          <checkDownInterval/>
          <source/>
          <advanced/>
        </server>
      </servers>
      <healthchecks/>
      <acls>
        <acl uuid="612e6680-5173-417d-9249-9819f81e23b3">
          <id>5961c1176bebe9.97403330</id>
          <name>al_domain1_com</name>
          <description>al_domain1_com</description>
          <expression>host_matches</expression>
          <negate>0</negate>
          <value>domain1.com</value>
          <urlparam/>
          <queryBackend/>
        </acl>
        <acl uuid="8f4f87f9-190e-497f-ab2e-8a69926db96f">
          <id>596c4cc128a6d9.48525721</id>
          <name>al_domain2_com</name>
          <description>al_domain2_com</description>
          <expression>host_matches</expression>
          <negate>0</negate>
          <value>domain2.com</value>
          <urlparam/>
          <queryBackend/>
        </acl>
      </acls>
      <actions>
        <action uuid="8a1f1cc9-0302-4d85-8c35-2bd38b910054">
          <name>an_domain1_com</name>
          <description>an_domain1_com</description>
          <testType>if</testType>
          <linkedAcls>612e6680-5173-417d-9249-9819f81e23b3</linkedAcls>
          <operator>and</operator>
          <type>use_server</type>
          <useBackend/>
          <useServer>6b7aa04a-e7a7-4ab7-a575-f998d9f2685c</useServer>
          <actionName/>
          <actionFind/>
          <actionValue/>
        </action>
        <action uuid="73098205-0ee9-4a89-b289-8d741986ab45">
          <name>an_domain2_com</name>
          <description>an_domain2_com</description>
          <testType>if</testType>
          <linkedAcls>8f4f87f9-190e-497f-ab2e-8a69926db96f</linkedAcls>
          <operator>and</operator>
          <type>use_server</type>
          <useBackend/>
          <useServer>4820f14b-f9c4-4b61-9625-946857ec47e5</useServer>
          <actionName/>
          <actionFind/>
          <actionValue/>
        </action>
      </actions>
      <luas/>
      <errorfiles/>
    </HAProxy>
  </OPNsense>
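A check a practitioner would want after assembling a config like the one above by hand in the plugin's forms: the Python below is an added example (not code from the post, from OPNsense or from HAProxy) that lints a HAProxy plugin export for the mistakes this thread ran into. It resolves every UUID reference (default backend, linked servers, actions, ACLs, `useServer`/`useBackend`), flags a `use_server` action attached to a frontend (the situation behind the "'use-server' ignored because frontend ... has no backend capability" error quoted earlier), flags a `use_server` action whose server is not linked to the backend that carries the action, and rejects a `host_matches` ACL whose value is not a hostname. The embedded XML is a constructed, trimmed copy of the export (same UUIDs, only the fields the checks read); its domain1 ACL value is deliberately set to the ACL's own name, `al_domain1_com`, instead of `domain1.com`, an easy slip in the form that the linter reports.

```python
"""Lint an OPNsense HAProxy plugin export for dangling references and
unusable ACL values.  Added example; not from the forum post, OPNsense or
HAProxy.  SAMPLE_XML is a constructed, trimmed version of the posted export."""
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = """<HAProxy version="0.0.0">
  <frontends><frontend uuid="51ea7847-d9d7-4bfc-a2c0-81a6521e76ce">
    <name>http_in_new</name><bind>127.0.0.1:8080</bind>
    <defaultBackend>979ae8bd-b258-433e-9d9c-6b27958cde85</defaultBackend>
    <linkedActions/>
  </frontend></frontends>
  <backends><backend uuid="979ae8bd-b258-433e-9d9c-6b27958cde85">
    <name>http_traffic</name>
    <linkedServers>6b7aa04a-e7a7-4ab7-a575-f998d9f2685c,4820f14b-f9c4-4b61-9625-946857ec47e5</linkedServers>
    <linkedActions>8a1f1cc9-0302-4d85-8c35-2bd38b910054,73098205-0ee9-4a89-b289-8d741986ab45</linkedActions>
  </backend></backends>
  <servers>
    <server uuid="6b7aa04a-e7a7-4ab7-a575-f998d9f2685c"><name>se_domain1_com</name></server>
    <server uuid="4820f14b-f9c4-4b61-9625-946857ec47e5"><name>se_domain2_com</name></server>
  </servers>
  <acls>
    <acl uuid="612e6680-5173-417d-9249-9819f81e23b3"><name>al_domain1_com</name>
      <expression>host_matches</expression><value>al_domain1_com</value></acl>
    <acl uuid="8f4f87f9-190e-497f-ab2e-8a69926db96f"><name>al_domain2_com</name>
      <expression>host_matches</expression><value>domain2.com</value></acl>
  </acls>
  <actions>
    <action uuid="8a1f1cc9-0302-4d85-8c35-2bd38b910054"><name>an_domain1_com</name>
      <type>use_server</type><linkedAcls>612e6680-5173-417d-9249-9819f81e23b3</linkedAcls>
      <useBackend/><useServer>6b7aa04a-e7a7-4ab7-a575-f998d9f2685c</useServer></action>
    <action uuid="73098205-0ee9-4a89-b289-8d741986ab45"><name>an_domain2_com</name>
      <type>use_server</type><linkedAcls>8f4f87f9-190e-497f-ab2e-8a69926db96f</linkedAcls>
      <useBackend/><useServer>4820f14b-f9c4-4b61-9625-946857ec47e5</useServer></action>
  </actions>
</HAProxy>"""

# RFC 1123-style hostname: dotted labels, letters/digits/hyphens, alphabetic TLD
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def _uuids(node, tag):
    """Split a comma-separated UUID list field; empty element -> []."""
    return [u for u in (node.findtext(tag) or "").split(",") if u.strip()]


def lint(xml_text):
    """Return a list of human-readable problems found in the export."""
    root = ET.fromstring(xml_text)
    kind_of = {item.get("uuid"): section        # uuid -> section it lives in
               for section in ("backends", "servers", "acls", "actions")
               for item in root.iterfind(f"{section}/*")}
    actions = {a.get("uuid"): a for a in root.iterfind("actions/*")}
    problems = []

    def ref(owner, uuid, want):
        if kind_of.get(uuid) != want:
            problems.append(f"{owner}: {uuid!r} does not resolve to an entry in <{want}>")

    for fe in root.iterfind("frontends/*"):
        owner = f"frontend {fe.findtext('name')}"
        ref(owner, fe.findtext("defaultBackend"), "backends")
        for uuid in _uuids(fe, "linkedActions"):
            ref(owner, uuid, "actions")
            if uuid in actions and actions[uuid].findtext("type") == "use_server":
                # HAProxy drops use-server in a frontend: "no backend capability"
                problems.append(f"{owner}: use_server action "
                                f"{actions[uuid].findtext('name')} is attached to a "
                                "frontend; use_backend belongs there")
    for be in root.iterfind("backends/*"):
        owner = f"backend {be.findtext('name')}"
        servers = set(_uuids(be, "linkedServers"))
        for uuid in servers:
            ref(owner, uuid, "servers")
        for uuid in _uuids(be, "linkedActions"):
            ref(owner, uuid, "actions")
            act = actions.get(uuid)
            if (act is not None and act.findtext("type") == "use_server"
                    and act.findtext("useServer") not in servers):
                problems.append(f"{owner}: action {act.findtext('name')} selects a "
                                "server that is not linked to this backend")
    for act in actions.values():
        owner = f"action {act.findtext('name')}"
        for uuid in _uuids(act, "linkedAcls"):
            ref(owner, uuid, "acls")
        if act.findtext("type") == "use_backend":
            ref(owner, act.findtext("useBackend"), "backends")
        elif act.findtext("type") == "use_server":
            ref(owner, act.findtext("useServer"), "servers")
    for acl in root.iterfind("acls/*"):
        value = (acl.findtext("value") or "").strip()
        if acl.findtext("expression") == "host_matches" and not HOSTNAME_RE.match(value):
            problems.append(f"acl {acl.findtext('name')}: host_matches value {value!r} "
                            "is not a hostname, so it can never match")
    return problems


if __name__ == "__main__":
    for line in lint(SAMPLE_XML) or ["no problems found"]:
        print(line)
```

Run against the sample it reports the single `al_domain1_com` value problem; every UUID resolves, and both `use_server` actions sit in the backend that links their servers, which is the arrangement that made the original error go away.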
Title: Re: HAProxy Multidomain
Post by: dani on July 23, 2017, 09:40:06 am
Next would be to get it working in transparent mode; not sure if that's possible  8)