OPNsense Forum

English Forums => General Discussion => Topic started by: tmaniac on March 14, 2018, 08:46:18 pm

Title: HAProxy Questions
Post by: tmaniac on March 14, 2018, 08:46:18 pm
Hello Experts,

I've been using OPNsense with HAProxy for a few months now and I'm very happy with it.
Thanks for all the hard work!

However, I've stumbled on a small problem and I can't seem to find enough information (that I can understand) on how to solve it.

I'm publishing an application over SSL (WAN side) and unsecured (HTTP, port 8084) on the LAN side.
However, the application does not play nice with the reverse proxy and the site is not shown.

I'm looking for a few options:
- Where can I configure the "X-Forwarded-For" option? (It used to be a check box but that has disappeared.)
- How can I enable SSL termination for a single publication (rule)?

I tried browsing the documentation but the how-tos in the wiki are for a previous version and I'm not quite sure how I can add general HAProxy options (or what syntax to use).

Thanks in advance!
(and apologies if my questions are stupid :D)
Title: Re: HAProxy Questions
Post by: fabian on March 14, 2018, 09:51:32 pm
I cannot tell you much about the issue since I do not have many details but you should check the developer console of your browser for errors. Maybe your server sends absolute URLs relative to the internal hostname etc.
Title: Re: HAProxy Questions
Post by: tmaniac on March 15, 2018, 09:00:04 am
Well, when I load the page via SSL the browser shows several errors because of mixed content.

That's why I figured that if I used SSL termination on the publication in HAProxy I'd remove these errors from the equation.

Also, I've read a lot of reverse-proxy guides that state the need to use the x-forwarded-for option.
Is this enabled by default or is it a hidden option? How can I double-check this feature is enabled in HAProxy?
Title: Re: HAProxy Questions
Post by: BeNe on March 15, 2018, 03:51:43 pm
Quote
Also, I've read a lot of reverse-proxy guides that state the need to use the x-forwarded-for option.
Is this enabled by default or is it a hidden option? How can I double-check this feature is enabled in HAProxy?
Yes, there was an Option to enable/disable in the past  ::)
You can also set it on your own:

Services -> HAProxy -> Virtual Services -> Backend Pool -> Edit Server
Enable "advanced mode"

Field:
Option pass-through

Code:
# add X-FORWARDED-FOR
option forwardfor

# add X-CLIENT-IP
# http-request add-header X-CLIENT-IP %[src]


Title: Re: HAProxy Questions
Post by: tmaniac on March 15, 2018, 04:59:35 pm
Quote
Also, I've read a lot of reverse-proxy guides that state the need to use the x-forwarded-for option.
Is this enabled by default or is it a hidden option? How can I double-check this feature is enabled in HAProxy?
Yes, there was an Option to enable/disable in the past  ::)
You can also set it on your own:

Services -> HAProxy -> Virtual Services -> Backend Pool -> Edit Server
Enable "advanced mode"

Field:
Option pass-through

Code:
# add X-FORWARDED-FOR
option forwardfor

# add X-CLIENT-IP
# http-request add-header X-CLIENT-IP %[src]

Thank you VERY much for your answer!

It did not solve my problem right away but it gave me enough google-juice to find a working solution!

I have added the following options to my backend:
Code:
#force SSL redirect
redirect scheme https if !{ ssl_fc }

# close open connections
option http-server-close

# add X-FORWARDED-FOR
option forwardfor

# add X-Forwarded-Proto
http-request set-header X-Forwarded-Proto https if { ssl_fc }

This forces my stubborn application into SSL using the configured wildcard certificate on my OPNsense.

PS: the stubborn application is Medusa (https://github.com/pymedusa/Medusa)
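Both BeNe's `option forwardfor` answer and the backend options above add headers that the application behind HAProxy has to interpret correctly. The following Python is an added example, not code from this thread, HAProxy or Medusa: it models what `option forwardfor` and the `X-Forwarded-Proto` rule do to a request and then shows how a backend should resolve the real client address from the resulting chain. The proxy address 192.0.2.10 and all client addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed for this example: the address HAProxy on OPNsense connects from (assumed).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]

def haproxy_forwardfor(request_headers: dict, client_ip: str, tls: bool) -> dict:
    """Model what `option forwardfor` and the X-Forwarded-Proto rule do to a request
    before HAProxy hands it to the backend (merged into one comma-separated value,
    which is how most backends read repeated X-Forwarded-For headers)."""
    hdrs = dict(request_headers)
    xff = hdrs.get("X-Forwarded-For")
    # forwardfor adds the TCP source address; a client-supplied value is NOT removed
    hdrs["X-Forwarded-For"] = f"{xff}, {client_ip}" if xff else client_ip
    if tls:  # http-request set-header X-Forwarded-Proto https if { ssl_fc }
        hdrs["X-Forwarded-Proto"] = "https"
    return hdrs

def naive_client_ip(headers: dict, peer_ip: str) -> str:
    """What many apps do: trust the first X-Forwarded-For entry. Spoofable by any client."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip

def real_client_ip(headers: dict, peer_ip: str) -> str:
    """Backend-side resolution: only honour X-Forwarded-For when the connection comes
    from a trusted proxy, and walk the chain from the right, skipping trusted hops."""
    def trusted(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)
    if not trusted(peer_ip):
        return peer_ip  # direct connection (e.g. from the LAN side): header is untrusted
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop walking, fall back to the peer address
        if not trusted(hop):
            return hop
    return peer_ip
```

Because `option forwardfor` appends rather than replaces, a client that sends its own X-Forwarded-For value ends up first in the chain; only the rightmost untrusted entry is the address HAProxy actually saw.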
Title: Re: HAProxy Questions
Post by: huuich on March 11, 2022, 01:55:24 am
Quote
Also, I've read a lot of reverse-proxy guides that state the need to use the x-forwarded-for option.
Is this enabled by default or is it a hidden option? How can I double-check this feature is enabled in HAProxy?
Yes, there was an Option to enable/disable in the past  ::)
You can also set it on your own:

Services -> HAProxy -> Virtual Services -> Backend Pool -> Edit Server
Enable "advanced mode"

Field:
Option pass-through

Code:
# add X-FORWARDED-FOR
option forwardfor

# add X-CLIENT-IP
# http-request add-header X-CLIENT-IP %[src]
I've installed HAProxy using SSL passthrough following this guide (https://forum.opnsense.org/index.php?topic=18538.msg84958#msg84958) from @alh

Everything works OK except that my Nginx log cannot receive the real IP from the client; it only shows the local IP of my OPNsense server in the file /var/log/nginx/access.log

I followed your guide but nothing changed. Do you have any solution for this? Thanks!

Code:
This should work for any TCP-based SSL/TLS encrypted service in passthrough (HAProxy: TCP) mode... It does NOT work for STARTTLS!

In this example I use TCP port 443.

HAProxy plugin: Create "Real Server" (enter name, IP/FQDN and port number if different from 443, the rest can be left at default)
HAProxy plugin: Create "Backend Pool" (enter name, set mode to TCP and select the real server from step 1)
HAProxy plugin: Create "Condition" (enter name ["traffic_ssl"], condition type is "custom condition (option pass-through)" with value "req_ssl_hello_type 1")
HAProxy plugin: Create "condition" (enter name ["myservice_sni"], condition type is "SNI TLS extension matches (TCP request content inspection)" with value "myservice.example.com" or whatever your FQDN is)
HAProxy plugin: Create "Rule" (enter name ["request_inspect_delay"], select no condition, function is "tcp-request inspect delay" with value "5s" or whatever suits you)
HAProxy plugin: Create "Rule" (enter name ["request_content_accept_ssl"], select condition of 3 ["traffic_ssl"], function is "tcp-request content accept")
HAProxy plugin: Create "Rule" (enter name ["myservice_sni"], select condition of 4 ["myservice_sni"], function is "Use specific backend pool" with your pool from 2)
HAProxy plugin: Create "Public service" (enter name ["https_passthrough"], choose a listen address [":443" for all], type is "TCP" and select the 3 rules created earlier)
HAProxy plugin: Enable plugin or test/apply
Firewall: allow incoming traffic to WAN (address) or whatever for TCP port 443.

That works at least for me. If you have double NAT you would need to disable port randomization for the proxied port...

Does that help you?
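The passthrough guide quoted above routes on the SNI name that the `req_ssl_hello_type 1` condition and the SNI condition read from the cleartext TLS ClientHello; HAProxy never terminates TLS and never sees the HTTP layer, so the backend observes the proxy's address as its TCP peer. As an added example that is not part of the thread or of HAProxy, the Python below constructs a minimal ClientHello and extracts the SNI the way such a rule does, then maps it to a pool; the pool name and hostname are placeholders.

```python
import struct

# Constructed placeholders mirroring the "myservice_sni" rule: SNI name -> backend pool.
SNI_BACKENDS = {"myservice.example.com": "backend_myservice"}

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record with one server_name entry (test input)."""
    host = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host            # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32                             # version, random
            + b"\x00"                                              # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                   # one cipher suite
            + b"\x01\x00"                                          # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host from a ClientHello record, or None (not TLS, not a
    ClientHello, truncated, or no server_name extension): the data HAProxy's
    `req_ssl_hello_type 1` check and SNI condition work from."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                      # past headers, version, random
        pos += 1 + record[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
        pos += 1 + record[pos]                                # compression methods
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            if etype == 0:                                    # server_name extension
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def select_backend(record: bytes):
    """Pick the pool the way the 'Use specific backend pool' rule does; None = no match."""
    return SNI_BACKENDS.get(extract_sni(record))
```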