Messages - tapnl

#1
Hi,

Thanks for your post and explanation. It did not work out really for me. A one-on-one "copy" of your config is functioning, but I think it is mainly driven by assigning a dedicated backpool in step 5. As I tested it, this does not make it possible to have two HTTPS backends - as you override it.

Where I want to end is:

         managed by haproxy
{--------------------------------------}
https://www.domain1.com  -----|
                              |
https://sub1.domain1.com -----|---> server1 (running multiple dockers SSL and proxy managed by traefik)
                              |
https://sub2.domain1.com -----|


         managed by haproxy
{--------------------------------------}
https://www.domain2.com  -----|
                              |---> server2 (running multiple dockers SSL and proxy managed by traefik)
https://sub1.domain2.com -----|

I was hoping that:

SNI TLS extension contains (TCP request content inspection)

In the conditions section combined with the addition in the public service of:


tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }


would do the trick. Unfortunately, this did not work out.
Any ideas/pointers?
#2

28/04/2021

Spent quite some time on it.
I have debugged it - fixed it to the following point.

I am able to passthrough ssl/tls traffic on my static ip for a certain port (testing purposes). This is done by defining a specific backend in the frontend service. The result is that xxx.domain.com and yyy.domain.com end up at the same server in my network serving a test website with ssl/tls enabled.

Very simple:

https://xxx.domain.com:8443 -----|
                                 |
                                 |----> server 1 (serving xxx.domain.com)
                                 |
https://yyy.domain.com:8443 -----|

Obviously there is a server 2 and actually yyy.domain.com should go to server 2.

I understand that I need to do something with SNI (Server Name Indication).
This post was helpful in understanding the concept:
https://www.cloudflare.com/en-gb/learning/ssl/what-is-sni/

But I am not able to figure out - how I can set this up in opnsense. Once again any pointers would be appreciated.
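The SNI-based passthrough asked about in the two posts above, written out as a raw haproxy.cfg (an added example, not configuration from the thread or from the OPNsense docs). In the OPNsense plugin this corresponds to a "SSL/HTTPS TCP mode" public service, TCP-mode backend pools, and rules using the "SNI TLS extension contains" condition; the hostnames and the 192.168.1.x addresses are assumed values.

```haproxy
frontend https_passthrough
    mode tcp
    # Bind a port nothing else on the firewall listens on. If the OPNsense
    # web GUI still uses 443, the config test passes but HAProxy fails to
    # start silently (the cause found in post #7); move the GUI port first.
    bind 0.0.0.0:443
    option tcplog
    # Hold the connection until the ClientHello has arrived; without the
    # inspect-delay, req_ssl_sni is evaluated before the SNI is readable.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Route on the cleartext SNI field of the ClientHello. No certificate or
    # key is configured here: the TLS session stays end-to-end with Traefik.
    use_backend server1_tls if { req_ssl_sni -i www.domain1.com }
    use_backend server1_tls if { req_ssl_sni -m end .domain1.com }
    use_backend server2_tls if { req_ssl_sni -m end .domain2.com }
    # Deliberately no default_backend: a name that matches nothing is dropped
    # rather than silently landing on server1, which is how both hostnames
    # ended up on the same server when a default pool was set in the frontend.

backend server1_tls
    mode tcp
    # Layer-4 connect check only; HAProxy just forwards the encrypted bytes.
    server server1 192.168.1.10:443 check

backend server2_tls
    mode tcp
    server server2 192.168.1.11:443 check
```

To confirm the routing from outside, connect with `openssl s_client -connect <public-ip>:443 -servername sub1.domain2.com` and check that the certificate returned belongs to server2, not server1.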
#3
Hi,

I am struggling to simply let HTTPS traffic to my servers pass through HAProxy. HTTP works fine.
For the HTTPS traffic, I have a separate public service, real servers, conditions, rules, etc setup.

I roughly have the following setup:

WAN with fixed IP -> OPNSENSE running HAPROXY -> VM running multiple docker behind Traefik.

Traefik handles all the SSL from the VM, and I am happy with that and I want to keep it that way.
I want HAProxy to pass through the HTTPS without any interference. But I am not able to figure how to do it.
Can someone point me in the right direction, because I find the documentation not very clear on this.

Thx for any pointers.
#4
Thx. I set both the frontend and the backend to TCP - but the error stays the same and it is not working.

The link you provided is exactly what I want to achieve. But I have the feeling that it has a twist in setting up compared to the standard howto in the opnsense docs.

The puzzle continues.
#5
I have two frontends (one for HTTP/80 and HTTPS/443). In the HTTPS/443 the option SSL / HTTPS TCP mode is enabled.
See below parts of my config let me know if you miss anything.

Servers:

Enabled: checked
Name: app1
Description: app1
FQDN or IP: 192.168.1.xx
Port:443
Mode: active (default)
SSL: checked
Verify SSL Certificate: unchecked      
SSL Verify CA: nothing selected

Public services:
Enabled: checked
Name: frontend443
Description: frontend443
Listen Addresses: 0.0.0.0:443   
Type: SSL/HTTPS TCP mode
Default Backend Pool: none
Enable SSL offloading: unchecked
Max. Connections: empty
Detailed Logging: unchecked
Table type: none
Stored data types: nothing selected   
Select rules: SSLTESTRULE   
Select Error Messages: Nothing selected

Backend pool:
Enabled: checked
Name: app1
Description: app1
Mode: HTTP (Layer 7) [default]
Balancing Algorithm: Source-IP Hash [default]
Servers: app1
Enable Health Checking: checked
Health Monitor: none
Log Status Changes: unchecked
Enable HTTP/2: unchecked   
HTTP/2 without TLS: unchecked
Advertise Protocols (ALPN): HTTP/2 HTTP/1
Persistence type: stick table persistence [default]
Table type: Source-IP [default]
Stored data types: nothing selected   
Cookie name: empty
Cookie length: empty
Enable: unchecked   
Allowed Users: nothing selected
Allowed Groups: nothing selected
Retries: empty
Select Rules: empty
Select Error Messages: nothing selected

Conditions:
Name: app1
Description: app1
Condition type: host contains
Negate condition: unchecked
Host contains: app1.example.com

Rules:
Name: app1.example.com
Description: app1.example.com
Test type: IF [default]
Select conditions: app1    
Logical operator for conditions: AND [default]
Execute function: use specified backend pool
Use backend pool: app1backend

I have played around with some options but had no luck. For example changing mode at backendpool to TCP.
#6
I have HAProxy working for subdomains using http (port 80), as soon as I bring in a subdomain which is being served by a https/port 443, I can't get it working.

My current setup is as follows:

Multiple VMs running in a network, some of these VMs have containers running with their own proxy and certificates.

Working:
http://test1.example.com --> test_server_1
http://test2.example.com --> test_server_2

These VMs are not using any ssl, etc.

Not working:
https://app1.example.com --> container_server
https://app2.example.com --> container_server

The container_server runs its own proxy (Traefik) and handles the Let's Encrypt certificates. I want to keep it in this way, because I want to build some sort of BeyondCorp / ZeroTrust setup in the backend later on and I want my Firewall to be not too much involved (certificate handling, etc). HAProxy needs to be as transparent as possible.

The error I am getting is that there is some kind of SSL error.

Using a Mac:

Chrome:
This site can't provide a secure connection

app1.example.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Firefox:
An error occurred during a connection to app1.example.com. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

ADDITION:
I have no port 443 rules, port forwards running (all disabled)

Any help is appreciated.
#7
This took me quite some time, but I have figured it out.
I simply overlooked several times the significance of the following statement in the docs:

Quote: If you configure a port that is already in use, the configuration test will be successful but the start of HAProxy will fail silently. Please ensure that the used port is free - especially if the number conflicts with the web configuration of OPNsense.

By setting up the port for the opnsense web interface to something else than 443, the issue was resolved.
Thanks for those who helped out.
#8
Hi,

For those who have responded, thanks for looking into this, but unfortunately I was not able to fix this yet.
It is driving me nuts, because I have the feeling I am overlooking something small, but obviously with a great impact.

Based on my current setup, I configured HAProxy several times, but no solution.

I made two vm with a webpage to point to.

My base setup is that I have several port forwarding configs. I disable all those port forwards and associated rules. I then setup HAProxy as the tutorial suggests and make a rule in the firewall.

Situation I end up in:

On wifi:

if I go to http://test1.domain.nl it goes to https://test1.domain.nl and shows the login page of opnsense.

On 4G

If I go to http://test1.domain.nl I get no resolution and eventually it informs that the request timed out.

The "make a FW rule" step is quite cryptic for me. Does anyone have screenshots of what is actually in there? And do you establish it as a rule or as a portforward under NAT?

#9
@ruggerio: Thx for the reply.

During the last week, I tried several setups but I am not able to get this working and it is totally unclear for me if the issue is in the FW rule or in the HAProxy setup.

Does anybody have an easy to share configuration or a link to a good tutorial? The information in the documentation on HAProxy is okayish, but brought me to this point.
#10
Small question - no background

In the documentation the following statement is made:

Now you need to configure firewall rules for accessing your HAProxy instance.
https://docs.opnsense.org/manual/how-tos/haproxy.html

I am struggling with the firewall rule. When trying to setup a FW rule, I see no options to point to HAProxy.

Can somebody explain the last step. Setting up the FW rule?

Same question - more background
I am trying to setup the following situation in my home network.

www.example.com --> server1
test1.example.com --> server1
test2.example.com --> server1
test3.example.com --> server2
test4.example.com --> server2

Both server1 and server2 are running multiple dockers, with Traefik as a reverse proxy.
Currently I have only a setup with server1, and this is handled by port forwarding and on the server with Traefik as reverse proxy. So far so good. Now I want to add another server, with subdomains within the same domain. This can't be handled by portforwarding. I need a reverse proxy on OPNsense.

I followed this from the documentation:
https://docs.opnsense.org/manual/how-tos/haproxy.html

But I am struggling with this statement at the end of the page.
Now you need to configure firewall rules for accessing your HAProxy instance.

Can somebody explain the last step. Setting up the FW rule?
Is there another, or better way to achieve this, or is this the "correct" way?