OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: ikkeT on April 29, 2018, 08:05:53 pm
-
Hi,
How does one do things like this in the GUI? That is, replacing path parts with regexp placements?
reqirep ^([^ :]*)\ /mirror/foo/(.*) \1\ /\2
See sample here: https://www.haproxy.com/blog/howto-write-apache-proxypass-rules-in-haproxy/
Edit: describing a bit more:
So I want my external url to be rewritten by HAproxy for my internal server:
https://my.com/myexturl/index.html?stuff=1
=>
http://foo.intranet/index.html?stuff=1
Something like this haproxy config:
http-request set-header Host foo.intranet
reqirep ^([^ :]*)\ /myexturl/(.*) \1\ /\2
acl hdr_location res.hdr(Location) -m found
rspirep ^Location:\ (https?://my.com(:[0-9]+)?)?/myexturl(/.*) Location:\ /\3 if hdr_location
# ProxyPassReverseCookieDomain my.com foo.intranet
acl hdr_set_cookie_dom res.hdr(Set-cookie) -m sub Domain= foo.intranet
rspirep ^(Set-Cookie:.*)\ Domain=foo.intranet(.*) \1\ Domain=my.com\2 if hdr_set_cookie_dom
# ProxyPassReverseCookieDomain / /myexturl/
acl hdr_set_cookie_path res.hdr(Set-cookie) -m sub Path=
rspirep ^(Set-Cookie:.*)\ Path=(.*) \1\ Path=/myexturl\2 if hdr_set_cookie_path
Now some of those I can find through the menus, but e.g. the plain reqirep at the beginning I can't. How do I do it via the GUI?
-
Another question: How does one open ports from firewall for HA proxy?
So I try testing that with port 8443. Now that it's not a port to be forwarded (NAT) anywhere, OPNsense rules won't let me add that port for destination "WAN address". For some reason it only allows picking from a predefined port list (e.g. HTTP, FTP) but won't let me write 8443 there, which I have set HAproxy to bind to at 0.0.0.0.
-
Ok, the firewall opening was no issue after all. I just had to make an alias for port 8443, as that seems to be the way to open custom ports.
But how do I create the rules with the GUI?
-
Any ideas? I changed the topic name from mangling to rewrite as that seems to be the better term for it. In the meantime I got Let's Encrypt working, and a basic forward from port 443 without path change.
I have one IP. I'd like to catch all *:443 traffic and, based on domain or URL, point it to different services. So:
1. https://foo.com/ -> WAN -> *:443 -> decrypt -> foo.intranet:80/
2. https://foo.com/bar -> WAN -> *:443 -> decrypt -> bar.intranet:3000/
3. https://foo22.com/bar -> WAN -> *:443 -> decrypt -> bar22.intranet:8080/
The basic first one works fine. But I don't find an option to put both rules into one *:443 via the GUI. I suppose I should rewrite the host and URL both in incoming and outgoing traffic. I suppose I could install HAproxy, manually write the haproxy.cnf, and start the service manually to avoid the GUI shortcomings. Or is there any other way?
Can there be several binds to *:443?
I am currently trying like this, and it partly works already (I tried to change names to English):
frontend default_ssl
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /var/etc/haproxy/ssl/5aeeda9fd8e5e2.51517701.crtlist
    mode http
    option http-keep-alive
    #default_backend nextcloud_bep
    default_backend Grafana
    # tuning options
    timeout client 30s
    acl acl_nc hdr(host) -i nexctloud.my.com
    use_backend nextcloud_bep if acl_nc
    acl acl_5aeedb998d8044.83346815 path_beg -i /.well-known/acme-challenge/
    use_backend acme_challenge_backend if acl_5aeedb998d8044.83346815
    acl acl_home hdr(host) -i home.my.com
    # ACL name must match the one used in the use_backend line below
    acl acl_gauges path_beg -i /gauges
    use_backend Grafana if acl_home acl_gauges
backend Grafana
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    acl acl_5ae5eeecbbf009.46818008 hdr(host) -i home.my.com
    reqirep ^([^\ :]*)\ /gauges/(.*) \1\ /\2
    http-request add-header X-Forwarded-For %[src]
    reqirep ^Host:\ home.my.com Host:\ grafana.intranet:3000
    acl hdr_location res.hdr(Location) -m found
    rspirep ^Location:\ (https?://home.my.com(:[0-9]+)?)?/gauges(/.*) Location:\ /\3 if hdr_location
    rspirep ^
    http-request add-header X-Forwarded-For %[src] if acl_5ae5eeecbbf009.46818008
    server grafana grafana.intranet:3000
backend nextcloud_bep
    # health check: http_check
    option httpchk OPTIONS / HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server nextcloud nc.intranet:8090 check inter 2s
-
Pheeew... finally it's all coming together. The key was to make one frontend for 0.0.0.0:443 and then add rules there to point to different backends, not several frontends for 0.0.0.0:443.
And to replace parts of the paths, one needs to create a rule with the pass-through option, like this:
# ACTION: foobar_away
http-request set-uri %[path,regsub(/bar/,/)] if acl_5aef6814c09b63.87584580
and have that in the backend pool rules. I couldn't find another way to add it than the pass-through option for a rule.
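As an added example (not a configuration from this thread, from OPNsense or from the HAProxy plugin), here is the whole setup written out as a plain HAProxy config, covering both the path rewrite asked about in the first post and the single-frontend routing from the last one. It assumes HAProxy 1.8 or newer and that browsers send origin-form request targets, as they do behind TLS termination; `home.my.com`, `nextcloud.my.com`, `grafana.intranet:3000`, `nc.intranet:8090`, the ACME responder address and the certificate path are placeholders. The `reqirep`/`rspirep` lines used in the thread are the old rewrite syntax, which was removed in HAProxy 2.1; `http-request set-uri` with the `regsub` converter and `http-response replace-header` are their replacements. Two details worth checking in any such rule: anchor the regex with `^` so only a leading prefix is stripped, and remember that `%[path]` carries no query string (the `?stuff=1` part of the first post's URL), while `%[url]` does.

```haproxy
# Added example config (not the thread's own). Host names, backend names,
# the ACME responder address and the certificate path are placeholders.
# Assumes HAProxy 1.8 or newer.

frontend https_in
    bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/certs/example.pem   # placeholder
    mode http
    option forwardfor                  # one X-Forwarded-For header, set here only
    timeout client 30s

    # ACME challenges are routed before any Host check
    acl acme_path   path_beg -i /.well-known/acme-challenge/

    acl host_home   hdr(host) -i home.my.com
    acl host_nc     hdr(host) -i nextcloud.my.com
    acl path_gauges path_beg -i /gauges/

    # Refuse requests for an unexpected Host instead of letting them fall
    # through to whichever backend happens to be the default.
    http-request deny if !host_home !host_nc !acme_path

    # Bare /gauges is sent to /gauges/ so relative links resolve under the prefix
    http-request redirect location /gauges/ code 301 if host_home { path /gauges }

    use_backend acme_challenge_backend if acme_path
    use_backend grafana   if host_home path_gauges
    use_backend nextcloud if host_nc
    default_backend nextcloud

backend grafana
    mode http
    timeout connect 30s
    timeout server 30s

    # Strip the external prefix. The regex is anchored with ^ so only a
    # leading /gauges/ is touched; %[url] (unlike %[path]) keeps the query
    # string, so /gauges/index.html?stuff=1 becomes /index.html?stuff=1.
    http-request set-uri %[url,regsub(^/gauges/,/)]
    http-request set-header Host grafana.intranet:3000

    # Put the prefix back on redirects the backend issues for itself, whether
    # they are relative or carry the internal host name. Redirects to other
    # hosts do not match the regex and are left alone.
    acl loc_found res.hdr(Location) -m found
    http-response replace-header Location ^(https?://grafana\.intranet(:[0-9]+)?)?/(.*) /gauges/\3 if loc_found

    # Scope cookies to the external path and domain (the ProxyPassReverseCookie*
    # equivalents from the first post).
    acl ck_path res.hdr(Set-Cookie) -m sub Path=/
    acl ck_dom  res.hdr(Set-Cookie) -m sub Domain=grafana.intranet
    http-response replace-header Set-Cookie ^(.*)\ Path=/(.*) \1\ Path=/gauges/\2 if ck_path
    http-response replace-header Set-Cookie ^(.*)\ Domain=grafana\.intranet(.*) \1\ Domain=home.my.com\2 if ck_dom

    server grafana grafana.intranet:3000 check inter 2s

backend nextcloud
    mode http
    timeout connect 30s
    timeout server 30s
    option httpchk OPTIONS / HTTP/1.0
    server nextcloud nc.intranet:8090 check inter 2s

backend acme_challenge_backend
    mode http
    server acme 127.0.0.1:8000         # placeholder for the local ACME responder
```

Validate with `haproxy -c -f <file>` before reloading. In the OPNsense GUI the `http-request set-uri` and `http-response replace-header` lines correspond to rules with the pass-through option attached to the backend pool, as described in the last post; the `use_backend` lines are the ordinary frontend rules.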