Topic: HAProxy VCSA VMWare (Read 1746 times)
CHW1979
HAProxy VCSA VMWare
on: April 20, 2021, 10:02:32 pm
Hey everyone,
I'm trying to use HAProxy to access an internal LAN VCSA (vCenter Server Appliance) @ port 443 - certificate by LetsEncrypt
Already tried
https://www.triumvirat.org/2020/02/17/haproxy-reverse-proxy-mit-lets-encrypt-zertifikaten-unter-opnsense-20-1/
https://forum.opnsense.org/index.php?topic=18538.0
(user ALH)
I've something (trial and error) for router access and that works
https://opnsense.haaas.be
But when I try to access
https://vsphere.haaas.be
I get
Bad Request
This combination of host and port requires TLS.
Output of HAProxy:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 1
tune.ssl.default-dh-param 2048
spread-checks 0
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets no-tlsv12
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: https-frontend ()
frontend https-frontend
bind 0.0.0.0:443 name 0.0.0.0:443 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/607d5b69861683.49005868.certlist
mode http
option http-keep-alive
# tuning options
maxconn 1000
timeout client 30s
# logging options
# ACL: OPNSense-condition
acl acl_607d5b19e2e0a5.23841114 hdr(host) -i opnsense.haaas.be
# ACL: vSphere-condition
acl acl_607d7b0c93bd88.67949523 req.ssl_sni -i vsphere.haaas.be
# ACL: synology-condition
acl acl_607eb85aa6a758.61925083 hdr(host) -i storage.haaas.be
# ACL: traffic_ssl
acl acl_607f2f10690050.57423162 req_ssl_hello_type 1
# ACTION: OPNSense-rule
use_backend OPNSense-backend if acl_607d5b19e2e0a5.23841114
# ACTION: vSphere-rule
use_backend vSphere-backend if !acl_607d7b0c93bd88.67949523
# ACTION: synology-rule
use_backend synology-backend if acl_607eb85aa6a758.61925083
# ACTION: request_inspect_delay
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: request_content_accept_ssl
tcp-request content accept if acl_607f2f10690050.57423162
# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server acme_challenge_host 127.0.0.1:43580
# Backend: OPNSense-backend (Added by WCH)
backend OPNSense-backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server OPNSense opnsense.haaas.be:8080 ssl verify required ca-file /etc/ssl/cert.pem
# Backend: vSphere-backend (Added by WCH)
backend vSphere-backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server vSphere vsphere.haaas.be:443 ssl alpn h2,http/1.1 verify required ca-file /etc/ssl/cert.pem
# Backend: synology-backend (Added by WCH)
backend synology-backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Synology storage.haaas.be:5000
I've used Services: Unbound DNS: Overrides to add vsphere.haaas.be to its internal IP
COVID forces me to work like this
Can somebody please please help this NOOB ...
PS: whatever I choose for logging, I don't get much info
Last Edit: April 20, 2021, 10:07:43 pm by CHW1979
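An added lint (not from the post, the OPNsense plugin or HAProxy) that checks a frontend for the two patterns visible in the configuration above: Layer-4 fetches such as req.ssl_sni and req_ssl_hello_type evaluated behind a bind that already carries the ssl option, which the HAProxy documentation states do not work there because the raw ClientHello is never seen after termination, and a use_backend gated on a negated ACL, which turns a host match into a catch-all. The embedded config is a constructed excerpt modelled on the post, with the generated ACL names and the certlist path replaced by placeholders.

```python
"""Lint an HAProxy frontend for two routing mistakes: Layer-4 TLS fetches
(req.ssl_sni & co.) on a bind that already terminates TLS, and use_backend
rules gated on a negated ACL. The config below is a constructed sample."""

# Constructed excerpt modelled on the frontend in the post (not the poster's file).
SAMPLE_CFG = """\
frontend https-frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/example.certlist
    mode http
    acl acl_opnsense hdr(host) -i opnsense.haaas.be
    acl acl_vsphere req.ssl_sni -i vsphere.haaas.be
    acl acl_ssl req_ssl_hello_type 1
    use_backend OPNSense-backend if acl_opnsense
    use_backend vSphere-backend if !acl_vsphere
    tcp-request inspect-delay 5s
    tcp-request content accept if acl_ssl
"""

# Fetches that parse the raw, still-encrypted ClientHello from the request buffer.
# The HAProxy docs note they do not work on "bind" lines carrying the "ssl" option.
RAW_TLS_FETCHES = {"req.ssl_sni", "req_ssl_sni", "req.ssl_hello_type",
                   "req_ssl_hello_type", "req.ssl_ver", "req_ssl_ver"}
SECTIONS = {"global", "defaults", "frontend", "listen", "backend"}

def lint(cfg):
    """Return [(section, code, message), ...] in the order the problems appear."""
    findings, section, terminates_tls, raw_acls = [], None, False, {}
    for raw in cfg.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in SECTIONS:                  # new section: reset per-section state
            section = words[1] if len(words) > 1 else words[0]
            terminates_tls, raw_acls = False, {}
        elif words[0] == "bind" and "ssl" in words[1:]:
            terminates_tls = True                 # HAProxy decrypts here; only L7 fetches see SNI
        elif words[0] == "acl" and len(words) > 2:
            fetch = words[2].split("(")[0]        # strip arguments such as hdr(host)
            if fetch in RAW_TLS_FETCHES:
                raw_acls[words[1]] = fetch
        elif "if" in words or "unless" in words:
            kw = "if" if "if" in words else "unless"
            for tok in words[words.index(kw) + 1:]:
                name = tok.lstrip("!")
                if terminates_tls and name in raw_acls:
                    findings.append((section, "raw-tls-fetch",
                        f"'{' '.join(words[:2])}' depends on ACL '{name}' ({raw_acls[name]}), "
                        "but this bind terminates TLS, so the raw ClientHello is never seen "
                        "and the ACL cannot match; use ssl_fc_sni or hdr(host) instead."))
                if words[0] == "use_backend" and tok.startswith("!"):
                    findings.append((section, "negated-use_backend",
                        f"'use_backend {words[1]}' is gated on !{name}: every request the "
                        "ACL does not match is routed there, making it a catch-all."))
    return findings

if __name__ == "__main__":
    for section, code, msg in lint(SAMPLE_CFG):
        print(f"[{section}] {code}: {msg}")
```

Running it against the sample reports the vSphere rule twice (dead req.ssl_sni ACL plus the negation) and the tcp-request content accept once; swapping in ssl_fc_sni and dropping the "!" yields no findings.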