Messages - ChillinLeon

#1
Quote from: slykens on November 15, 2023, 05:26:08 AM
Hello... another pfsense refugee here.

Still working on getting everything working how I want and tonight's project was wrangling haproxy. I am having a problem with https redirect so I followed the tutorial in this thread with no success.

When an https client hits haproxy, it works as expected.

When an http client hits haproxy, I get the following error in the haproxy log:

ssl_redirect/[::]:80: Received something which does not look like a PROXY protocol header

This is my present config export:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: https ()
frontend https
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6554226ca7c6c4.56456894.certlist
    bind [::]:443 name [::]:443 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6554226ca7c6c4.56456894.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options

    # ACTION: sni_translation
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/65542596a04585.83628685.txt)]

# Frontend: ssl_redirect ()
frontend ssl_redirect
    bind 0.0.0.0:80 name 0.0.0.0:80 accept-proxy
    bind [::]:80 name [::]:80 accept-proxy
    mode http
    option http-keep-alive

    # logging options

    # ACTION: ssl_redirect
    # NOTE: actions with no ACLs/conditions will always match
    http-request redirect scheme https code 301

# Backend: x_openvpn_as ()
backend x_openvpn_as
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server x_openvpn_as 10.11.23.2:443 ssl verify none

# Backend: webui ()
backend webui
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server webui 127.0.0.1:1443 ssl verify none



# statistics are DISABLED


Any ideas or guidance are welcome and appreciated. Thank you.


Unfortunately, I am stuck with this as well after following the tutorials. My goal is simply to have HAProxy act as a reverse proxy for various subdomains that I aim to make backends and frontends for. I'm testing just one for my Proxmox server that I'd like to reverse proxy to. Yet here is the only thing I found in the logs every time I access my Proxmox domain:

2_HTTPS_Frontend/192.168.1.43:443: Received something which does not look like a PROXY protocol header

My browser will give me this error (snippet from Firefox):

PR_END_OF_FILE_ERROR

While Chrome will say my connection is closed, the HAProxy logs still give the same error. I'm quite new to HAProxy so I can't initially make heads or tails of this. Any help would be appreciated.

Attached is my conf


#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    2
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_Frontend (Listening on 0.0.0.0:443 and 0.0.0.0:80)
frontend 0_SNI_Frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options
    option tcplog

# Frontend: 1_HTTP_Frontend (Listening on 127.0.0.1:80)
frontend 1_HTTP_Frontend
    bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_655d4c7f77c559.77912446 ssl_fc

    # ACTION: HTTPtoHTTPS
    http-request redirect scheme https code 301 if !acl_655d4c7f77c559.77912446

# Frontend: 2_HTTPS_Frontend (Listening on WAN IP:443)
frontend 2_HTTPS_Frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 192.168.1.43:443 name 192.168.1.43:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/655d518eb205a6.14872799.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    option log-separate-errors
    option httplog

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/655d4cef9a0796.78380664.txt)]

# Backend: SSL_backend (SSL Backend)
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy

# Backend: Proxmox_backend (Proxmox Backend)
backend Proxmox_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Proxmox_server 172.16.1.1:8006



# statistics are DISABLED
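
Added example, not part of either post above: HAProxy logs "Received something which does not look like a PROXY protocol header" when a `bind` carrying `accept-proxy` receives a connection that does not begin with a PROXY header, and a listener that accepts the header from anyone also lets a client declare its own source address. The Python sketch below lists every `accept-proxy` bind that is not on loopback or that no `send-proxy` server line in the same file points at; the function names and the trimmed `SAMPLE` are constructed for illustration.

```python
import ipaddress

# Constructed sample, trimmed from the second config posted above.
SAMPLE = """\
frontend 0_SNI_Frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
frontend 1_HTTP_Frontend
    bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
frontend 2_HTTPS_Frontend
    bind 192.168.1.43:443 name 192.168.1.43:443 accept-proxy ssl
backend SSL_backend
    server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
"""

def split_addr(addr):
    """Return (host, port) for 'host', 'host:port' or '[v6]:port'; port may be None."""
    if addr.startswith("["):
        host, _, rest = addr[1:].partition("]")
        return host, rest.lstrip(":") or None
    host, sep, port = addr.rpartition(":")
    return (host, port) if sep else (addr, None)

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # '*', empty or a hostname: assume reachable
        return False

def lint_accept_proxy(config):
    """Flag accept-proxy binds exposed to direct clients or lacking a PROXY sender."""
    section, binds, senders = None, [], []
    for line in config.splitlines():
        tok = line.split("#", 1)[0].split() or [""]
        if tok[0] in ("frontend", "listen", "backend"):
            section = tok[1]
        elif tok[0] == "bind" and "accept-proxy" in tok[2:]:
            binds.append((section, tok[1]))
        elif tok[0] == "server" and any(t.startswith("send-proxy") for t in tok[3:]):
            senders.append(split_addr(tok[2]))  # a server without a port matches any port
    findings = []
    for section, addr in binds:
        host, port = split_addr(addr)
        reasons = []
        if not is_loopback(host):
            reasons.append("not loopback: direct clients can reach it")
        if not any(h == host and p in (None, port) for h, p in senders):
            reasons.append("no send-proxy server targets it")
        if reasons:
            findings.append((section, addr, reasons))
    return findings
```

Run over the sample, it reports only the `2_HTTPS_Frontend` bind on `192.168.1.43:443`, the same listener named in the log line above.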