Messages

1

19.7 Legacy Series / os-acme-client missing Leaseweb api option

« on: January 14, 2020, 10:11:10 am »

Hello,

(not sure if this is the correct place for this question)

I'm trying to set up the LetsEncrypt validation for my HAProxy.

However, i see in the Github pages that the Leaseweb API is available in the source-script.

But i'm unable to find the option in the validation methods.
Am i doing something wrong here?

2

General Discussion / Re: HAProxy Questions

« on: March 15, 2018, 04:59:35 pm »

Also, i've read a lot of reverse-proxy guides that state the need to use x-forwarded-for option.
Is this enabled by default or is it a hidden option? How can i double check this feature is enabled in HAproxy?

Yes, there was an Option to enable/disable in the past 
You can also set it on your own:

Services -> HAProxy -> Virtual Services -> Backend Pool -> Edit Server
Enable "advanced mode"

Field:
Option pass-through

Code: [Select]

# add X-FORWARDED-FOR
option forwardfor

# add X-CLIENT-IP
# http-request add-header X-CLIENT-IP %[src]

Thank you VERY much for your answer!

It did not solve my problem right away but it gave me enough google-juice to find a working solution!

i have added the following options to my backend:

Code: [Select]

#force SSL redirect
redirect scheme https if !{ ssl_fc }

# close open connections
option http-server-close

# add X-FORWARDED-FOR
option forwardfor

# add X-Forwarded-Proto
http-request set-header X-Forwarded-Proto https if { ssl_fc }

This forces my stubborn application into SSL using the configured wildcard certificate on my OpnSense.

ps. the stubborn application is Medusa

3

General Discussion / Re: HAProxy Questions

« on: March 15, 2018, 09:00:04 am »

Well, when i load the page via SSL the browser shows several errors because of mixed content.

That's why i figured that if i used SSL termination on the publication in HAProxy i'd remove these errors from the equation.

Also, i've read a lot of reverse-proxy guides that state the need to use x-forwarded-for option.
Is this enabled by default or is it a hidden option? How can i double check this feature is enabled in HAproxy?

4

General Discussion / HAProxy Questions

« on: March 14, 2018, 08:46:18 pm »

Hello Experts,

I've been using Opnsense with HAProxy for a few months now and i'm very happy with it.
Thanks for all the hard work!

However, i've stumbled on a small problem and i can't seem to find enough information (that i can understand) on how to solve it.

I'm publishing an application on SSL (WAN side) and unsecure (HTTP, port 8084) on the LAN-side.
However, the application does not play nice with the reverse proxy and the site is not shown.

I'm looking for a few options:
- Where can i configure "X-Forwarded-For" option? (It used to be a check box but that has disappeared.)
- how can i enable SSL-Termination for a single publication (Rule)?

I tried browsing the documents but the how-to's in the wiki are for a previous version and i'm not quite sure how i can add a general haproxy options (or what syntax to use)

Thanks in advance!
(and apologies if my questions are stupid )

5

17.1 Legacy Series / Re: How do you redirect HTTP to HTTPS with HAProxy?

« on: June 28, 2017, 03:57:38 pm »

So it's still a bit unclear to me.
I have a few websites set up in HAProxy and i want to force a few of them to HTTPS.

So how can i configure this for a specific website? (and not all HTTP traffic)

6

General Discussion / Setting up Reverse Proxy (HAProxy)

« on: June 12, 2017, 02:27:40 pm »

Hello Experts,

i'm fooling around with OPNsense and HAProxy to set up a dedicated Reverse proxy for my virtual lab environment.
I have a single pulbic IP but want to be able to set up multiple webservers with different SSL certs etc.

After some heavy googling and trying different options, OPNsense is the first piece of software i have succesfully working as Reverse proxy
(and it looks good aswell, but that's not important)

I don't need the OPNsense box to be a firewall or router since i allready have a hardware based firewall/router in my network; it's sole purpose is Reverse Proxy.

I've set up OPNsense with 2 interfaces (LAN and WAN) both in the same subnet.
In the firewall i disabled the "Block private networks" option (and ofcourse allowed HTTP(S) traffic to the LAN).

I have installed the HAProxy plugin and i've succesfully set up my front/backend, servers, actions and ACLs.

The 3 questions i have are:
1) I have a website with hostheader "app1.domain.com" that goes to internal server 192.168.1.2 over port 80
I want to force SSL on the external side but only for the website with that specific hostheader.
How can i accomplish this?

2) I have published a website with hostheader "app1.domain.com"
This works like a charm with traffic from the internet.
In my network i use split-brain dns, if i create an a-record for app1.domain.com and point this to the WAN interface of OPNsense i'm unable to open the website.
How can i get this to work from my internal network aswell?

3) Do i even need 2 interfaces if all i want OPNsense to do is Reverse Proxy?

Thanks for the help!