HAProxy - Why won't my rules work...

Started by Stealthbird97, August 13, 2019, 02:51:58 AM

Hi, I appear to be having issues with HAProxy.

For whatever reason my conditions do not seem to work and I do not know why.

I have my Real Servers, Backend pools and public services setup.

I have a condition using "Host Ends With" mydomain.co.uk (for example)

I have a rule using the above condition "Use Backend Server" MyServer

Ports are forwarded as necessary, and when I then try to connect to "http://mydomain.co.uk" in the browser, it does not go to the website... Just gives a connection error.

If I set the Public Service default backend to MyServer it does work (so this indicates that the rules/conditions are not working, rather than the server config).

Any ideas on this?

I can provide the config files (however I have no idea where to find them, so please advise where to find them).

Kind Regards
Cori

P.S. The documentation page regarding HAProxy is waaaayyy out of date, to the extent that it's basically unusable unless you already know what you're doing.


Have you assigned your configured rule to the public service?
If not, it won't get evaluated..

Cheers,
Markus

Ah, that seems to have been the issue.
Don't know why, but I thought that option was for something else. Though it was 2am so that might explain it..
Many thanks.

So, after further work, I'm getting frequent, though intermittent, "empty response" errors now, unless I set the default backend.

To me that sounds like your server is not reachable for a short period of time..
Did you check your server stats on HAProxy Statistics -> Status?

Hi,
I've had a look and it's not my servers losing connection. They are showing no downtime in Status.
However, I set up a separate server and installed haproxy, and copied over only the essential configuration that OPNsense generated, to try and diagnose the issue.
I was still getting the same problem, so I asked on the haproxy community regarding the rules.

Apparently, you need to wait for a client hello to complete before trying to match on the SNI like I am trying to do.
# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }


I have added these using option passthrough and things are now working as expected.. Though, I wonder why (if this is required) this is not automatically configured... Maybe I am missing an option or something?

Kind Regards
Cori

I see, so you are basically using HAProxy in TCP mode and the SSL sessions terminate on your backend servers.
From your first question I was assuming that you are using HTTP mode.

I agree, SSL pass-through can be a bit tricky, that's why I try to avoid it where possible ;)

I doubt you are missing some option in the GUI, I guess there is just no automatism in OPNsense which tells you "Hey, you are doing SNI detection on a TCP session, please be advised to also configure X, Y, and Z..."

You don't need to set these options via passthrough though, you can configure 'tcp-request inspect-delay' and 'tcp-request content accept' via rules, but you will have to attach them to your backend or frontend, which should make no difference in the end.

Regards,
Markus
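For reference, here is what the two lines Cori pasted look like in a complete TCP-mode frontend that routes on SNI, together with the `use_backend` rule Markus describes attaching to the frontend. This is an added example, not configuration generated by OPNsense or posted in the thread; the frontend and backend names and the 192.0.2.x server addresses are placeholders.

```haproxy
# Added example: SNI-based routing in TCP mode (TLS terminates on the backend).
# Names and addresses are assumed placeholders, not from the thread.
frontend https_in
    mode tcp
    bind :443

    # Without these two lines the tcp-request content rules are evaluated as soon
    # as the connection is accepted, often before the ClientHello has arrived.
    # req_ssl_sni is then empty, no use_backend rule matches, and the client is
    # either sent to default_backend or gets an empty response, intermittently,
    # depending on how quickly its first bytes arrived.
    #
    # Wait for a client hello for at most 5 seconds
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # Only now is the SNI reliably available. "-m end" is the TCP-mode
    # equivalent of the "Host Ends With" condition used in the GUI.
    use_backend myserver if { req_ssl_sni -m end mydomain.co.uk }
    default_backend other

backend myserver
    mode tcp
    server web1 192.0.2.10:443 check

backend other
    mode tcp
    server web2 192.0.2.20:443 check
```

If a client never sends a ClientHello (a plain-HTTP probe on port 443, for example), the inspect-delay expires and the connection falls through to `default_backend`, so that backend is also where such traffic shows up in the stats page.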