OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of aleks76 »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - aleks76

Pages: [1]
1
General Discussion / Re: haproxy issue with forwarding client ip to backend - apache [SOLVED]
« on: September 17, 2023, 06:23:17 pm »
Quote from: aleks76 on September 17, 2023, 09:57:55 am
Hi
I installed haproxy with acme, it works great, the only thing is  forwarding the client IP to apache on backend is not working, i see only  the firewall IP as source/client ip, can someone help please?
this is my config:

opnsense version: OPNsense 23.7.4-amd64
config:
Code: [Select]
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: HTTP_Frontend (Port 80)
frontend HTTP_Frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy ssl ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64fc8577517b08.93149937.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSLCondition
    acl acl_64ff73febf87d5.46667267 ssl_fc

    # ACTION: HTTP_to_HTTPS
    http-request redirect scheme https code 301 if !acl_64ff73febf87d5.46667267

# Frontend: 0_SNI_Frontend (Listening 80 , 443)
frontend 0_SNI_Frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_Backend

    # logging options

# Frontend: HTTPS_Frontend (Port 443 SSL)
frontend HTTPS_Frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64ff7abb50d286.50202189.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options

    # ACTION: PublicSubdomainsRules
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64ff7468b93502.73063080.txt)]

# Backend: firstdomain ( firstdomain)
backend firstdomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server1 192.168.1.4:443 ssl verify none

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580 ssl verify none

# Backend:  seconddomain (seconddomain)
backend seconddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server2 192.168.1.27:443 ssl verify none

# Backend: thirddomain (thirddomain)
backend thirddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server1 192.168.1.4:443 ssl verify none

# Backend: fourthdomain (fourthdomain)
backend fourthdomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server1 192.168.1.4:443 ssl verify none

# Backend: SSL_Backend (SSL_Backend)
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server HA_Proxy 127.4.4.3 send-proxy-v2 check-send-proxy
on apache 2.4:
Code: [Select]
<IfModule remoteip_module>
RemoteIPHeader X-Forwarded-For
RemoteIPProxiesHeader X-Forwarded-By
RemoteIPTrustedProxyList conf/trusted-proxies.lst
</IfModule>
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
content of trusted-proxies.lst
Code: [Select]
192.168.1.29/32 # opnsense proxy
Any help would be appreciated

2
General Discussion / Re: haproxy issue with forwarding client ip to backend - apache
« on: September 17, 2023, 06:21:03 pm »
meanwhile i could solve the problem, if someone has the same problem i was missing this option in apache vhost remoteip_module:
Code: [Select]
RemoteIPTrustedProxy 192.168.1.29/32

3
General Discussion / Re: Please Make a Donation to OPNsense
« on: September 17, 2023, 10:09:07 am »
Donated 20€,thanks for the great work

4
General Discussion / haproxy issue with forwarding client ip to backend - apache
« on: September 17, 2023, 09:57:55 am »
Hi
I installed haproxy with acme, it works great, the only thing is  forwarding the client IP to apache on backend is not working, i see only  the firewall IP as source/client ip, can someone help please?
this is my config:

opnsense version: OPNsense 23.7.4-amd64
config:
Code: [Select]
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: HTTP_Frontend (Port 80)
frontend HTTP_Frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy ssl ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64fc8577517b08.93149937.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSLCondition
    acl acl_64ff73febf87d5.46667267 ssl_fc

    # ACTION: HTTP_to_HTTPS
    http-request redirect scheme https code 301 if !acl_64ff73febf87d5.46667267

# Frontend: 0_SNI_Frontend (Listening 80 , 443)
frontend 0_SNI_Frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_Backend

    # logging options

# Frontend: HTTPS_Frontend (Port 443 SSL)
frontend HTTPS_Frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64ff7abb50d286.50202189.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options

    # ACTION: PublicSubdomainsRules
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64ff7468b93502.73063080.txt)]

# Backend: firstdomain ( firstdomain)
backend firstdomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server1 192.168.1.4:443 ssl verify none

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580 ssl verify none

# Backend:  seconddomain (seconddomain)
backend seconddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server2 192.168.1.27:443 ssl verify none

# Backend: thirddomain (thirddomain)
backend thirddomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server1 192.168.1.4:443 ssl verify none

# Backend: fourthdomain (fourthdomain)
backend fourthdomain
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server server1 192.168.1.4:443 ssl verify none

# Backend: SSL_Backend (SSL_Backend)
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server HA_Proxy 127.4.4.3 send-proxy-v2 check-send-proxy
on apache 2.4:
Code: [Select]
<IfModule remoteip_module>
RemoteIPHeader X-Forwarded-For
RemoteIPProxiesHeader X-Forwarded-By
RemoteIPTrustedProxyList conf/trusted-proxies.lst
</IfModule>
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
content of trusted-proxies.lst
Code: [Select]
192.168.1.29/32 # opnsense proxy
Any help would be appreciated

5
German - Deutsch / Re: HAProxy Real SRC IP auf einen Apachen hinter einem HAProxy sehen
« on: September 16, 2023, 08:41:52 am »
Hallo
Ich habe das gleiche Problem, wurde hier eine Lösung bereits gefunden?
Danke
LG
Aleksandar

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2