HAProxy VCSA VMWare

Started by CHW1979, April 20, 2021, 10:02:32 PM

April 20, 2021, 10:02:32 PM Last Edit: April 20, 2021, 10:07:43 PM by CHW1979
Hey everyone,

I'm trying to use HAProxy to access an internal LAN VCSA (vCenter Server Appliance) on port 443, with a certificate from Let's Encrypt.

Already tried:
https://www.triumvirat.org/2020/02/17/haproxy-reverse-proxy-mit-lets-encrypt-zertifikaten-unter-opnsense-20-1/
https://forum.opnsense.org/index.php?topic=18538.0 (user ALH)

I've got something (trial and error) for router access, and that works:
https://opnsense.haaas.be

But when I try to access
https://vsphere.haaas.be I get:

Bad Request
This combination of host and port requires TLS.


Output of the HAProxy configuration:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   2048
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets no-tlsv12
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: https-frontend ()
frontend https-frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/607d5b69861683.49005868.certlist
    mode http
    option http-keep-alive
    # tuning options
    maxconn 1000
    timeout client 30s

    # logging options
    # ACL: OPNSense-condition
    acl acl_607d5b19e2e0a5.23841114 hdr(host) -i opnsense.haaas.be
    # ACL: vSphere-condition
    acl acl_607d7b0c93bd88.67949523 req.ssl_sni -i vsphere.haaas.be
    # ACL: synology-condition
    acl acl_607eb85aa6a758.61925083 hdr(host) -i storage.haaas.be
    # ACL: traffic_ssl
    acl acl_607f2f10690050.57423162 req_ssl_hello_type 1

    # ACTION: OPNSense-rule
    use_backend OPNSense-backend if acl_607d5b19e2e0a5.23841114
    # ACTION: vSphere-rule
    use_backend vSphere-backend if !acl_607d7b0c93bd88.67949523
    # ACTION: synology-rule
    use_backend synology-backend if acl_607eb85aa6a758.61925083
    # ACTION: request_inspect_delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: request_content_accept_ssl
    tcp-request content accept if acl_607f2f10690050.57423162

# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: OPNSense-backend (Added by WCH)
backend OPNSense-backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server OPNSense opnsense.haaas.be:8080 ssl verify required ca-file /etc/ssl/cert.pem

# Backend: vSphere-backend (Added by WCH)
backend vSphere-backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server vSphere vsphere.haaas.be:443 ssl alpn h2,http/1.1 verify required ca-file /etc/ssl/cert.pem

# Backend: synology-backend (Added by WCH)
backend synology-backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Synology storage.haaas.be:5000

I've used Services: Unbound DNS: Overrides to point vsphere.haaas.be at its internal IP.

COVID forces me to work like this ;)

Can somebody please, please help this noob...

PS: whatever I choose for logging, I don't get much info.
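Three things in the generated frontend above are worth checking before looking anywhere else, and the hand-written equivalent below (an added example, not the poster's config and not output of the OPNsense HAProxy plugin) shows the corrected routing. First, the frontend terminates TLS on its `bind ... ssl` line, so by the time ACLs run the request buffer holds decrypted HTTP, not a TLS ClientHello; `req.ssl_sni` only parses a raw ClientHello and therefore never matches here, while `ssl_fc_sni` (the SNI the local TLS stack saw) or `hdr(host)` does. Second, the vSphere rule is `use_backend vSphere-backend if !acl_...`: a negated never-matching ACL is true for every request, and because use_backend rules are evaluated in order with first match winning, every request whose Host is not opnsense.haaas.be, including storage.haaas.be, is sent to the vSphere backend. Third, the error page itself ("This combination of host and port requires TLS") is what a TLS-only listener answers when plaintext HTTP reaches it, so the request that arrived at the VCSA was not wrapped in TLS; the `ssl` keyword on the server line is what prevents that. The example assumes the VCSA answers on 192.0.2.10 (a documentation address, substitute the real LAN IP) and presents the Let's Encrypt certificate the poster mentions, so that `verify required` against the system CA bundle can succeed; the OPNSense and synology backends are unchanged and omitted.

```haproxy
# Added example: hand-written equivalent of the routing part of the generated
# config, with the SNI ACL, the negated rule and the upstream TLS settings fixed.
# Assumed values: 192.0.2.10 is the VCSA's LAN address; the crt-list path is the
# one the plugin generated in the original post.

frontend https-frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/607d5b69861683.49005868.certlist
    mode http
    option http-keep-alive
    maxconn 1000
    timeout client 30s

    # TLS is terminated on the bind line, so the buffer contains decrypted HTTP.
    # req.ssl_sni would parse a raw ClientHello and can never match here;
    # ssl_fc_sni is the SNI as seen by the local TLS stack, hdr(host) the Host header.
    acl host_opnsense hdr(host)   -i opnsense.haaas.be
    acl host_vsphere  ssl_fc_sni  -i vsphere.haaas.be
    acl host_storage  hdr(host)   -i storage.haaas.be

    # Positive conditions only, first match wins. A negated ACL that never
    # matches ("if !acl_...") would route every remaining request, including
    # storage.haaas.be, to the vSphere backend.
    use_backend OPNSense-backend if host_opnsense
    use_backend vSphere-backend  if host_vsphere
    use_backend synology-backend if host_storage
    # Deliberately no default_backend: an unknown Host gets HAProxy's own 503
    # rather than being handed to an internal appliance.

    # The "tcp-request inspect-delay" / "req_ssl_hello_type" pair from the
    # generated config belongs to a TCP-mode SNI passthrough frontend and has
    # no use on a terminating HTTP frontend, so it is dropped.

backend vSphere-backend
    mode http
    balance source
    stick-table type ip size 50k expire 30m
    stick on src
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    # The VCSA port 443 listener only speaks TLS (that is what the "requires
    # TLS" page reports), so "ssl" on the server line is mandatory. Connect to
    # the LAN address directly instead of depending on a split-horizon DNS name
    # resolved once at startup, send the client's SNI on to the appliance so it
    # selects the matching certificate, and keep certificate verification on.
    server vSphere 192.0.2.10:443 ssl sni ssl_fc_sni alpn h2,http/1.1 verify required ca-file /etc/ssl/cert.pem
```

In the OPNsense GUI this corresponds to giving the vSphere condition the same condition type the poster already used for opnsense.haaas.be (the one the plugin renders as `hdr(host)`), and making sure the rule is not negated. To confirm what the appliance actually presents before blaming HAProxy, run from the firewall's shell `openssl s_client -connect 192.0.2.10:443 -servername vsphere.haaas.be </dev/null | openssl x509 -noout -subject -issuer`; if the issuer is the appliance's own VMCA rather than Let's Encrypt, `verify required` with the system bundle will fail and HAProxy will return a 503, in which case install the Let's Encrypt certificate on the VCSA or point `ca-file` at the VMCA root exported from it, rather than switching to `verify none`. `curl -sv -o /dev/null https://vsphere.haaas.be/ --resolve vsphere.haaas.be:443:192.0.2.10` then shows whether a direct TLS request succeeds, and the same command against the firewall's public address shows whether the proxied path does.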