Messages - CHW1979

#1
21.1 Legacy Series / HAProxy VCSA VMWare
April 20, 2021, 10:02:32 PM
Hey everyone,

I'm trying to use HAProxy to access an internal LAN VCSA (vCenter Server Appliance) @ port 443 - certificate by LetsEncrypt

Already tried
https://www.triumvirat.org/2020/02/17/haproxy-reverse-proxy-mit-lets-encrypt-zertifikaten-unter-opnsense-20-1/
https://forum.opnsense.org/index.php?topic=18538.0 (user ALH)

I've got something (trial and error) for router access and that works
https://opnsense.haaas.be

But when I try to access
https://vsphere.haaas.be I get
Bad Request
This combination of host and port requires TLS.


Output of HAProxy

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   2048
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets no-tlsv12
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: https-frontend ()
frontend https-frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/607d5b69861683.49005868.certlist
    mode http
    option http-keep-alive
    # tuning options
    maxconn 1000
    timeout client 30s

    # logging options
    # ACL: OPNSense-condition
    acl acl_607d5b19e2e0a5.23841114 hdr(host) -i opnsense.haaas.be
    # ACL: vSphere-condition
    acl acl_607d7b0c93bd88.67949523 req.ssl_sni -i vsphere.haaas.be
    # ACL: synology-condition
    acl acl_607eb85aa6a758.61925083 hdr(host) -i storage.haaas.be
    # ACL: traffic_ssl
    acl acl_607f2f10690050.57423162 req_ssl_hello_type 1

    # ACTION: OPNSense-rule
    use_backend OPNSense-backend if acl_607d5b19e2e0a5.23841114
    # ACTION: vSphere-rule
    use_backend vSphere-backend if !acl_607d7b0c93bd88.67949523
    # ACTION: synology-rule
    use_backend synology-backend if acl_607eb85aa6a758.61925083
    # ACTION: request_inspect_delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: request_content_accept_ssl
    tcp-request content accept if acl_607f2f10690050.57423162

# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: OPNSense-backend (Added by WCH)
backend OPNSense-backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server OPNSense opnsense.haaas.be:8080 ssl verify required ca-file /etc/ssl/cert.pem

# Backend: vSphere-backend (Added by WCH)
backend vSphere-backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server vSphere vsphere.haaas.be:443 ssl alpn h2,http/1.1 verify required ca-file /etc/ssl/cert.pem

# Backend: synology-backend (Added by WCH)
backend synology-backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Synology storage.haaas.be:5000

I've used Services: Unbound DNS: Overrides to add vsphere.haaas.be to its internal IP

COVID forces me to work like this ;)

Can somebody please please help this NOOB ...

PS : whatever I choose for logging I don't get much info
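As an added, editor-written example (not the poster's code or OPNsense's), a small Python linter for the layer mismatch visible in the frontend above: `req.ssl_sni` and `req_ssl_hello_type` read the raw TLS ClientHello from the request buffer, so behind a terminating `bind ... ssl` they never match, and a negated `use_backend ... if !acl` on such an ACL becomes a catch-all for every host the earlier rules did not claim. The embedded config excerpt is constructed with placeholder hostnames; `ssl_fc_sni` and `hdr(host)` are the fetches that do see the terminated connection.

```python
# Constructed excerpt modelled on the frontend in the post above (hostnames changed).
SAMPLE_CFG = """\
frontend https-frontend
    bind 0.0.0.0:443 ssl alpn h2,http/1.1 crt-list /tmp/example.certlist
    mode http
    acl acl_opnsense hdr(host) -i opnsense.example
    acl acl_vsphere req.ssl_sni -i vsphere.example
    acl acl_synology hdr(host) -i storage.example
    acl acl_hello req_ssl_hello_type 1
    use_backend OPNSense-backend if acl_opnsense
    use_backend vSphere-backend if !acl_vsphere
    use_backend synology-backend if acl_synology
    tcp-request content accept if acl_hello
"""
# Layer-6 fetches that read the raw request buffer (the TLS ClientHello). Behind a
# terminating "bind ... ssl" the buffer already holds decrypted data, so they never match.
RAW_TLS_FETCHES = {"req.ssl_sni", "req_ssl_sni", "req.ssl_ver", "req_ssl_ver",
                   "req.ssl_hello_type", "req_ssl_hello_type"}

def split_sections(cfg):
    """Group tokenised config lines under their frontend/backend/listen/defaults/global header."""
    sections, cur = [], None
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] in ("frontend", "backend", "listen", "defaults", "global"):
            cur = (tok[0], tok[1] if len(tok) > 1 else "", [])
            sections.append(cur)
        elif cur is not None:
            cur[2].append(tok)
    return sections

def lint_frontends(cfg):
    """Return human-readable findings: dead raw-TLS ACLs and catch-all negated use_backend rules."""
    findings = []
    for kind, name, lines in split_sections(cfg):
        if kind not in ("frontend", "listen"):
            continue
        terminating = any(t[0] == "bind" and "ssl" in t[1:] for t in lines)
        dead = set()  # ACL names that can never match in this frontend
        for t in lines:
            if t[0] == "acl" and len(t) > 2 and terminating and t[2] in RAW_TLS_FETCHES:
                dead.add(t[1])
                findings.append(f"{name}: acl '{t[1]}' uses {t[2]} but the bind terminates TLS; "
                                f"use ssl_fc_sni or hdr(host) instead")
        for t in lines:
            if t[0] == "use_backend" and len(t) == 4 and t[2] == "if" and t[3].startswith("!"):
                if t[3][1:] in dead:  # "!acl" on an ACL that never matches is always true
                    findings.append(f"{name}: 'use_backend {t[1]} if {t[3]}' is a catch-all "
                                    f"because {t[3][1:]} never matches")
    return findings
```

Run it over a full haproxy.cfg to get the same three findings the sample produces; rule order still matters, so a catch-all placed before the `hdr(host)` rules hides them even after the ACL is fixed.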

#2
Never mind, it is working
#3
I've read that I need only 1 Public

No certificates are 'OK' but all subdomains are pointing to the same server

https://router.haaas.be/
https://vmware.haaas.be/
https://esxi.haaas.be/

Something to do with rules ?
#4
Map

Error

#5
Frontend

Condition

Rules
#6
First of all - I'm a NOOB and I know there are already many threads about HAPROXY but I can't figure out a simple configuration  ::)

I've followed a thread but I can't find the URL - it was on this forum

Goal
subdomain1.domain.be    server1:443
subdomain2.domain.be   server2:443

Already done
Certificates by Letsencrypt

Real Servers

Backend

When I use one real server the right certificate is picked up - when I want to serve multiple subdomains the wrong certificate is issued - internal servers have the same name as the certificate

Maybe I give too much inside information but it is only a lab ;)

If someone wants to login to OPNSense - be my guest  ;)

Nice added value - HTTP to HTTPS would be nice

Many thanks and apologies for opening another HAPROXY thread
#8
General Discussion / Haproxy and RDS 2019
August 04, 2020, 09:42:05 AM
Anyone already figured out how to control Remote Desktop Gateway with Haproxy ?

I want all traffic to pass 443 towards 3389

Already created WAN rules TCP & UDP 3389 but Haproxy won't let traffic pass

Haproxy for 443 webservers is working.

Many thanks