[SOLVED] Webserver behind HAProxy not fully functional

[Webxorcist]

Hi,

I have set up the HAProxy plug-in with SSL offloading for several Apache2 web-servers in the back-end. All Apache servers host several virtual hosts.

Everything seems to work just fine, except for some minor, yet important stuff.

First I installed Moodle on one of the back-end servers, and after reading the Moodle forum and finding a settings that makes Moodle reverse proxy aware everything worked just fine.

Then I tried to install iTop, and this setup shows two problems when I try to install it from the other side of the reverse proxy:

1. Buttons on the sites do not respond when clicked. The setup shows advanced info when the button is clicked. This doesn't work unless you are on a workstation that is in the back-end.
2. Creating the config file. This entire step is skipped and it just gives you an error when it tries to load the now configured site. The error is that it can't find the config file, since it just doesn't create it al all. Again, when I install it from a workstation on the back-end, everything works.

Perhaps something with static/dynamic pages? So far I can't find something in the logs that look suspicious.

In the HAProxy I enabled the X-forwared-For header option.

Is there anything else I can do? I tried finding Apache settings but it seems that a back-end server doesn't need any extra configuration except for logging the client IP instead of the Proxy IP.

I am running OPNsense 1.7.7 with HAProxy 1.17

[Webxorcist]

It is perhaps because the app thinks it's http?

[Webxorcist]

It was indeed the http / https mismatch. I configured the site from a workstation in the back-end and afterwards I could enter a config option in the site config to send out everything with a https header.

Yet I don't feel satisfied because some web apps you can't configure without a workstation also behind the reverse proxy.

[ChrisH]

In that case just use SSL between HAProxy and the webserver. If you don't check the "check ssl certificate" box in HAProxy, the webserver can use a self-signed certificate or even an outdated one.

I had the same problem with an Exchange box that didn't know about HAProxy already encrypting the connection to the client.

[magnust]

In that case just use SSL between HAProxy and the webserver. If you don't check the "check ssl certificate" box in HAProxy, the webserver can use a self-signed certificate or even an outdated one.

I had the same problem with an Exchange box that didn't know about HAProxy already encrypting the connection to the client.

I'm looking at this exact setup you are describing but haven't found any good pointers of how to set up Haproxy and letsencrypt for this. Anyone seen any web pages with info on this?

[ChrisH]

I found it pretty much straightforward. Is there anything specific you need help with?

Maybe this can point you in the general direction: https://github.com/opnsense/plugins/issues/264

[Webxorcist]

I just figured it out with trial and error. Some stuff was pretty straight forward. Some other stuff was just trying. But now it works perfectly. And fast too.

But I did notice the lack of recent documentation online. I can make some screenshots if you like.

[franco]

That not so easy stuff to figure out was already part of a larger overhaul of the plugin itself. We will also have documentation based on this new plugin version 2, but it takes time to get there. Fraenki, the maintainer, works on this quite relentlessly, so please bear with us.


Cheers,
Franco

[Webxorcist]

Keep up the good work, I am very happy with what it is so far!

[magnust]

The letsencrypts automatic integration with HAproxy was great, worked like a charm!

I made a separate thread where I wrote down the steps to get HAproxy running as reverse HTTPS to HTTP proxy with Letsencrypt. https://forum.opnsense.org/index.php?topic=6436.0