haproxy: mixed ssl passthrough and offloading

Started by lebernd, June 21, 2020, 09:35:45 PM

Hello everybody,

I'm trying to make something like this: https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends working on opnsense.

As I'm getting closer to a working passthrough connection, I'm not sure how I can bind a default backend that loops back to an offloading frontend.

Does anyone have something like this working?

Thanks and best,
Bernd
IPU451, 16GB RAM, 120GB SSD:
OPNsense 22.7.11_1-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022

IPU441, 8GB RAM, 120GB SSD:
OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023

Hello, ever succeeded in configuring that ssl passthrough?

Tell me, have you found a solution for yourself?  :)

I think this guide should cover it:

https://forum.opnsense.org/index.php?topic=23339.0
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

Has anybody managed to get mixed-mode passthrough and offloading running with HAProxy under OPNsense in the meantime?

I only get it running either with offloading or with passthrough, but not in parallel. What I would like to achieve is to use passthrough for one server and offloading for another server and distinguish via SNI or hostname.

I guess this instruction for pfsense is exactly what I am looking for. Unfortunately, I am not able to transfer this to OPNsense.

https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

Any idea?

Quote from: Tubs on August 27, 2022, 11:53:27 PM
I only get it running either with offloading or with passthrough, but not in parallel. What I would like to achieve is to use passthrough for one server and offloading for another server and distinguish via SNI or hostname.

After reading it a couple of times and some trial-and-error, I finally got it running. The key information was written in the chapter:

Quote:
6. How can we load balance TCP traffic that we don't want to get SSL offloaded, f.e. OpenVPN over TCP?
In my tutorial I only explain how to "redirect+load balance SSL offloaded traffic".
This is because I myself don't have (yet) the need to actually load balance any non SSL traffic.
However balancing non SSL traffic is pretty much the same as balancing SSL traffic.
You only have to make sure that your "NOSSLservice_rule" or "NOSSLservices_map-file_rule" is placed on the "SNI_frontend" instead of the "HTTPS_frontend" and that the backend that belongs to your "NOSSLservice_server" is running in TCP mode.
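For readers who want to see what the quoted chapter means in a single HAProxy configuration, here is an added example (not from the linked guide, the OPNsense package, or any poster in this thread). It uses the guide's names SNI_frontend and HTTPS_frontend; the host names, addresses, ports and certificate path are assumptions for illustration. The SNI_frontend runs in TCP mode and only looks at the unencrypted ClientHello: connections whose SNI matches the non-offloaded service go to a TCP-mode backend untouched, and everything else is sent to a loopback backend that points at the HTTPS_frontend, where TLS is terminated and normal HTTP routing takes over.

```haproxy
# SNI front door: TCP mode, never terminates TLS itself
frontend SNI_frontend
    bind *:443
    mode tcp
    option tcplog
    # Without inspect-delay the ClientHello may not have arrived yet,
    # req.ssl_sni is then empty and every connection falls through to
    # the default backend. Accept as soon as a ClientHello (type 1) is seen.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Passthrough rule (the guide's "NOSSLservice_rule"): SNI is a
    # client-supplied, unauthenticated value, so the backend still has
    # to do its own certificate and client validation.
    use_backend NOSSLservice_backend if { req.ssl_sni -i vpn.example.com }
    # Everything else loops back to the offloading frontend
    default_backend HTTPS_loopback

# TCP-mode backend for the non-offloaded service (assumed: OpenVPN over TCP)
backend NOSSLservice_backend
    mode tcp
    server vpn1 192.0.2.10:443 check

# Loopback to the offloading frontend; PROXY protocol v2 preserves the
# real client address so logs on the HTTPS side are not all 127.0.0.1
backend HTTPS_loopback
    mode tcp
    server local_offload 127.0.0.1:8443 send-proxy-v2

# Offloading frontend: terminates TLS, routes by Host header
frontend HTTPS_frontend
    # accept-proxy pairs with send-proxy-v2 above; bind to loopback only
    # so this port is not reachable from outside
    bind 127.0.0.1:8443 ssl crt /usr/local/etc/haproxy/certs/ accept-proxy
    mode http
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    acl host_web req.hdr(host) -i web.example.com
    use_backend web_servers if host_web
    default_backend web_servers

backend web_servers
    mode http
    server web1 192.0.2.20:80 check
```

In the OPNsense GUI the same structure is expressed as two public services (frontends), one in TCP mode on port 443 with a "SNI" condition/rule pointing at the passthrough backend, and one in HTTP mode bound to a loopback port with the certificate attached; the loopback backend is just a TCP backend whose single server is the local address of the HTTP-mode service. Keep in mind that passthrough connections are opaque to HAProxy: only the SNI is visible, so request logging, header filtering and any WAF (such as NAXSI) apply solely to traffic that reaches the HTTPS_frontend.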

Quote from: Tubs on August 28, 2022, 09:42:51 PM
After reading it a couple of times and some trial-and-error, I finally got it running. The key information was written in the chapter:
Sorry to resurrect, but I would like to know how you were able to implement this.