Multiple sites via HAproxy

Started by kosta, July 26, 2021, 12:24:42 AM

Hello,

I hope this is the right place. I am using HAproxy for SSL offloading for internal and external GUIs.
I migrated to OPNsense; however, I have an issue with the same config I used to have on the Sophos, our previous firewall.
I have two sites that both use 443 internally; however, I used to get to one of them via another port.
Doing that works and the site answers; however, the site gets redirected to 443 and also picks up some other certificate, from one of the other sites used in HAproxy.
There is only one WAN IP, however different FQDNs, of course.
My understanding is mostly basic, what I know from reading off the net and tutorials.
I would expect it to "sort" the access according to the FQDN and then retain the port at which HAproxy serves the site (and of course the cert).
Is that possible at all?

An example:
site1.domain.com:443 -> server1.internal.domain.com:443
site2.domain.com:4343 -> server2.internal.domain.com:443

I'm only reluctant to post real domains and ports, so these are just examples.

Dear kosta,

There is a tutorial written which pretty much covers your use case as well, as far as I understood it.
https://forum.opnsense.org/index.php?topic=23339.msg110962#msg110962

It is very detailed with screenshots. It shall help you.

Greetings,
saarko

July 28, 2021, 02:20:23 PM #2 Last Edit: July 28, 2021, 08:48:20 PM by kosta
Hello,

I went through the whole post, thank you.
I'm afraid that since I can't create a wildcard cert for my domain, this won't be possible?
As far as I am reading along, if I have a single IP and a single port like 443, I must use one frontend.
Is that correct, or is there some way around it?

You can set up HAproxy with as many sites as you wish.

SSL certificates may be generated with the Let's Encrypt plugin, or you can use your own. No need to use a wildcard.
But you will need to define "frontend" and "backend" records, and then map them to each other.

In my opinion, setting up HAproxy is more complicated than nginx... but still, you can do all things with one public IP.

July 28, 2021, 09:37:48 PM #4 Last Edit: July 28, 2021, 09:52:40 PM by kosta
Hm OK, but why then does one site at 443 load the certificate of the other site, which is also at 443?
I do have my certs from the LE plugin, for each DNS record I am using.
But if I create multiple public services, calling up the page will often result in loading the wrong certificate, or even worse, the wrong page/application.

Ha, yes! Indeed it works. I completely ignored the fact that I can actually select more than one certificate in the public service, and apparently just thought I need one (wildcard) certificate.

Thank you!
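What "select more than one certificate in the public service" comes down to in a plain haproxy.cfg, as an added example that is not from this thread or from the OPNsense plugin: the single-cert bind that produces the symptom in post #4 (site1's certificate handed to a client asking for site2) beside the multi-cert bind HAProxy needs to choose a certificate by SNI, with explicit Host routing so an unknown name never lands on whichever backend happens to be first. The WAN IP 203.0.113.10, the certificate and CA paths and the internal hostnames are assumed placeholders.

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# --- Weak: one certificate on the bind line ---------------------------------
# Every client connecting to :443 is handed site1's certificate, whatever
# server name it sent in SNI, so site2.domain.com gets a name mismatch.
frontend public_443_single_cert
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/site1.domain.com.pem
    default_backend be_server1

# --- Corrected: every cert the port serves, plus explicit Host routing ------
# HAProxy matches the client's SNI against the CN/SAN of all loaded certs;
# the first crt is the fallback for clients that send no SNI at all.
frontend public_443
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/site1.domain.com.pem crt /etc/haproxy/certs/site2.domain.com.pem
    # field(1,:) drops a ":port" suffix so "site2.domain.com:4343" still matches
    acl host_site1 req.hdr(host),field(1,:) -i site1.domain.com
    acl host_site2 req.hdr(host),field(1,:) -i site2.domain.com
    # An unknown Host gets 403 instead of the first backend in the file
    http-request deny unless host_site1 or host_site2
    use_backend be_server1 if host_site1
    use_backend be_server2 if host_site2

# The alternate public port from the first post is simply another frontend
# (site2.domain.com:4343 -> server2.internal.domain.com:443); the port picks
# the frontend, SNI picks the certificate, Host picks the backend.
frontend public_4343
    bind 203.0.113.10:4343 ssl crt /etc/haproxy/certs/site2.domain.com.pem
    acl host_site2 req.hdr(host),field(1,:) -i site2.domain.com
    http-request deny unless host_site2
    use_backend be_server2 if host_site2

backend be_server1
    # Re-encrypt to the internal 443 and verify it against the internal CA
    # (assumed path); "verify none" would silently accept any server cert.
    server server1 server1.internal.domain.com:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem

backend be_server2
    server server2 server2.internal.domain.com:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem
```

To confirm which certificate each name actually receives, connect with `openssl s_client -connect 203.0.113.10:4343 -servername site2.domain.com` and check the subject of the presented certificate.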