Web Proxy Filtering and Caching / Re: [HAProxy] [updated] HTTPS passthrough
« on: September 17, 2021, 06:18:19 pm »
I just spent several hours trying to figure this out myself. Just in case you are still wanting to do this or someone finds this thread, this is what I have found needs to be done to get this accomplished.
You will need a static IP to do this as I have outlined, otherwise you will need to check the box next to Disable web GUI redirect rule in System -> Settings -> Administration. You will also need to change the TCP Port to something other than 443. Note you will need to use this port with HTTPS to access your firewall moving forward. It should automatically redirect you to the new port once you apply the changes.
- You need to ensure that you have set up all of your real servers, and that they are pointing to the correct internal IP and port. You will need to create a server for each port you want to route to: one for HTTP and one for HTTPS, or just one if that is all you need.
- Go to Virtual Services -> Backend Pools. To simplify things, we will be using the backend to do our routing. Create a backend for both or either HTTP and HTTPS. For HTTP, create a new backend and give it a name; I used "http". In the Servers section, you will need to add all of your HTTP web servers. Leave everything else as default, and Save. For HTTPS, create a new backend and give it a name; I used "HTTPS-SNI". Change Mode to TCP (Layer4). Add all of your HTTPS web servers to the Servers section. Leave everything else as default, and Save.
- We now need to create conditions to get traffic routed correctly. Go to Rules & Checks -> Conditions. You will need to make separate rules for HTTP and HTTPS if you have both that are needed, otherwise just do the ones you need. Create a new condition. Give it a name. Condition type for HTTPS should be SNI TLS extension contains (TCP request content inspection) and for HTTP it should be Host contains. In the Parameters field, it should be the FQDN of your website (example.com or sub.example.com, etc.). Make a new condition for both or either HTTP and HTTPS for each FQDN you want to route.
- Now go to Rules & Checks -> Rules. You will need to create a rule for each condition that you had setup previously.
Create a new rule and give it a name, usually the same name as your condition. In the Select conditions section, select the corresponding condition. Only one should be selected here. In the Execute function section, select Override server in Backend Pool. In the Use server section, select the web server you created earlier that you want traffic routed to. Save. Do this for each condition.
For each of your backend pools, you will need to edit it and in the Select Rules section add all the rules you just created: for your HTTP backend pool all your HTTP web server rules, or for your HTTPS backend pool all your HTTPS web server rules. Save.
- Now go to Virtual Services -> Public Services. We will need to create a new public service for both HTTP and HTTPS, or just one depending on your needs.
For HTTP, create a new public service and give it a name; I used HTTP. In the Listen Addresses section you will need to put your WAN IP followed by a colon and port (1.2.3.4:80) or, if you have a dynamic WAN IP, you would put (0.0.0.0:80). In the Default Backend Pool section you will need to select the HTTP backend pool you created earlier. Leave everything else default. Save.
For HTTPS, create a new public service and give it a name; I used HTTPS. In the Listen Addresses section you will need to put your WAN IP followed by a colon and port (1.2.3.4:443) or, if you have a dynamic WAN IP, you would put (0.0.0.0:443). In the Type section you need to select TCP. In the Default Backend Pool section you will need to select the HTTPS backend pool you created earlier. In the top left corner of the window, enable the slider Advanced. In the section Option pass-through put
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
Leave everything else default. Save.
- Now go to Settings -> Service, and check the box Enable HAProxy. Apply.
If you haven't already set up firewall rules to allow traffic in to HAProxy, here is what I did.
- Go to Firewall -> Aliases. Create a new alias and name it Websrv_Ports or whatever you would like. For Type, select Port(s). In the Content section put 80 443. Hit tab after each port to add the entry. Add a description if you would like. Save.
- Go to Firewall -> Rules -> WAN (Or whatever you specified for your WAN interface). Create a new rule. Change section Protocol to TCP/UDP. Change section Destination to WAN address (Or whatever you specified for your WAN interface, followed by address). Change section Destination port range to Websrv_Ports (Or whatever you named the alias earlier). Save.
That should be it! You should have a functioning reverse proxy that handles both HTTP and HTTPS traffic and routes it accordingly to the web servers behind your firewall.
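For reference, here is an added example of the haproxy.cfg that the GUI steps above correspond to (written for this thread, not taken from the post or generated by the OPNsense plugin; the FQDNs, backend addresses and server names are constructed placeholders). The HTTP side routes on the Host header in mode http; the HTTPS side stays in mode tcp, waits for the ClientHello with the pass-through options from the post, and picks the server from the SNI so the TLS session is never terminated on the firewall.

```haproxy
# Added example config; hostnames and 10.0.0.x addresses are placeholders.
defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public service "HTTP" (layer 7): routing happens in the backend
frontend HTTP
    bind 0.0.0.0:80
    mode http
    option httplog
    default_backend http

backend http
    mode http
    # Conditions "Host contains" + rules "Override server in Backend Pool"
    acl host_app1 req.hdr(host) -i -m sub app1.example.com
    acl host_app2 req.hdr(host) -i -m sub app2.example.com
    use-server app1_http if host_app1
    use-server app2_http if host_app2
    server app1_http 10.0.0.11:80 check
    server app2_http 10.0.0.12:80 check

# Public service "HTTPS" (layer 4): TLS is passed through untouched
frontend HTTPS
    bind 0.0.0.0:443
    mode tcp
    option tcplog
    # "Option pass-through" from the post: hold the connection up to 5s
    # until a TLS ClientHello (hello type 1) has arrived, then route on it
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend HTTPS-SNI

backend HTTPS-SNI
    mode tcp
    # Conditions "SNI TLS extension contains" + rules "Override server in Backend Pool"
    acl sni_app1 req.ssl_sni -i -m sub app1.example.com
    acl sni_app2 req.ssl_sni -i -m sub app2.example.com
    use-server app1_https if sni_app1
    use-server app2_https if sni_app2
    server app1_https 10.0.0.11:443 check
    server app2_https 10.0.0.12:443 check
```

The GUI's "contains" conditions are substring matches (`-m sub`), so `app1.example.com` would also match a name such as `app1.example.com.attacker.test` presented in a Host header or SNI; if each backend should answer only its exact name, use `-m str` (exact match) instead. Because mode tcp never decrypts, a client that sends no SNI at all matches none of the ACLs and simply lands on the first server in the backend.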