"
Hi,
For quite some time I am trying to figure out HAProxy configuration that would _reliably_ work for switching between SSH and HTTPS. There are tons of guides all over the network, and most of them work, but not reliably. Although I'm often able to make SSH work every time, HTTPS is hit or miss - often from the same PC it will work on one browser, but not another. This doesn't depend on browser as well.
Can you please have a look at my config and advise what I should change?
For quite some time I am trying to figure out HAProxy configuration that would _reliably_ work for switching between SSH and HTTPS. There are tons of guides all over the network, and most of them work, but not reliably. Although I'm often able to make SSH work every time, HTTPS is hit or miss - often from the same PC it will work on one browser, but not another. This doesn't depend on browser as well.
Can you please have a look at my config and advise what I should change?
Code Select
root@opnsense:/usr/local/etc # less haproxy.conf
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
# NOTE: Could be a security issue, but required for some feature.
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 1
tune.ssl.default-dh-param 1024
ssl-server-verify none
spread-checks 0
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: Router-443
frontend Router-443
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend HTTPS_SERVERPool
# tuning options
timeout client 30s
# logging options
option tcplog
# ACL: HTTPS-HTTPS_SERVER
acl acl_5ed8f96fe45bc7.92407970 req.ssl_hello_type 1
# ACL: SSH-SSH_SERVER-1
acl acl_5ef0be88c7f291.74440621 req.ssl_hello_type 1
# ACL: SSH-SSH_SERVER-2
acl acl_5ed8f9b4806f55.62302544 req.len 0
# ACTION: HTTPS_SERVER-IIS
use_backend HTTPS_SERVERPool if acl_5ed8f96fe45bc7.92407970
# ACTION: SSH_SERVER-SSH
use_backend SSH_SERVERPool if !acl_5ef0be88c7f291.74440621 acl_5ed8f9b4806f55.62302544
# Backend: HTTPS_SERVERPool ()
backend HTTPS_SERVERPool
# health checking is DISABLED
mode tcp
balance source
# tuning options
timeout connect 30s
timeout server 30s
server HTTPS_SERVER 192.168.1.99:443
# Backend: SSH_SERVERPool ()
backend SSH_SERVERPool
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
