Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

Started by TheHellSite, May 31, 2021, 01:06:11 PM

Quote from: brynjolm on June 17, 2022, 11:39:15 PM
Here's an output of my config file; I have some disabled stuff in the config file since I turn stuff on and off for testing. Also renamed some stuff: truenas is just the physical server with the IP, (myloopbackip) is the virtual address.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

#
# NOTE: HAProxy is currently DISABLED
#
global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr libc,last
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: SNI_frontend (Listening on ip:80 / ip:443)
frontend SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind :::80 name :::80
    bind :::443 name :::443
    mode tcp
    default_backend SSL_Backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: HTTP_frontend (Listening on 127.10.20.5)
frontend HTTP_frontend
    bind (myloopbackip):80 name (myloopbackip):80 accept-proxy
    bind :::80 name :::80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_Condition
    acl acl_62aa8dcf894a87.42381056 ssl_fc

    # ACTION: HTTPtoHTTPS
    http-request redirect scheme https code 301 if !acl_62aa8dcf894a87.42381056

# Frontend: HTTPS_frontend (Listening on (myloopbackip))
frontend HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind (myloopbackip):443 name (myloopbackip):443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62aad04a028639.71957640.certlist
    bind :::443 name :::443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62aad04a028639.71957640.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options

    # ACTION: Public_subdomains_map_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62aa8e31993357.88056717.txt)]
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

# Backend: SSL_Backend ()
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_Server (myloopbackip) send-proxy-v2 check-send-proxy

# Backend (DISABLED): router_Backend (router Backend)

# Backend: truenas_Backend (truenas Backend)
backend truenas_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-reuse safe
    server truenas truenasip:443 ssl sni str(truenas) verify none send-proxy-v2 check-send-proxy

# Backend: plex_backend (plex Backend)
backend plex_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Plex truenasip:32400 send-proxy-v2 check-send-proxy



This is my map file:


# public access domains
truenas truenas_backend
plex plex_backend


1. The map file is case sensitive. Fix it.

2. Remove the "send-proxy-v2 check-send-proxy" directives from the backends of your actual services. These two options are only necessary on the "SSL_backend".

3. Why do you have the sni setting configured in your truenas real server? That shouldn't be necessary at all. Also remove the "send-proxy-v2 check-send-proxy" directives from the backend (see 1.).
server truenas truenasip:443 ssl sni str(truenas) verify none send-proxy-v2 check-send-proxy

4. Your "HTTP_frontend" and "HTTPS_frontend" should ONLY be listening to your SSL_server IP address. Not to "0.0.0.0:0" or "::::0". Just think about it and take a look at my diagram in the first post... You should quickly figure out that this doesn't make any sense.
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.
Additionally you can consider donating: https://www.buymeacoffee.com/thehellsite

Quote
1. The map file is case sensitive. Fix it.

2. Remove the "send-proxy-v2 check-send-proxy" directives from the backends of your actual services. These two options are only necessary on the "SSL_backend".
4. Your "HTTP_frontend" and "HTTPS_frontend" should ONLY be listening to your SSL_server IP address. Not to "0.0.0.0:0" or "::::0". Just think about it and take a look at my diagram in the first post... You should quickly figure out that this doesn't make any sense.


Thanks! That solved a lot of the problems I had.

I also had to edit some settings on my Cloudflare setup in order for it to work. I now have full access to everything aside from Nextcloud and some other stuff, while still being proxied behind Cloudflare. I don't know if it will be useful for other Cloudflare users, but for me at least, since I wanted to go Cloudflare for everything, I ended up also using the Cloudflare certs and uploading them to HAP while still being on Full (Strict) mode. I don't know if it's an intended side effect, but I didn't have to use split DNS for this. I could just call up everything by subdomain.domain.com locally.
Also with regards to the map file for the local subdomains: the format should look like this?
Quote
local loca_backend

plex plex_backend

Should there be a space in between?
Last questions: Is it possible to use the generated cert for both TrueNAS and OPNsense instead of the self-signed one? Would it break the config? Also, is there a specific HAP sub, or should I just post in the General section?

Quote from: brynjolm on June 25, 2022, 12:16:30 AM
I could just call up everything by subdomain.domain.com locally.
This is because your domains resolve to cloudflares IP and not your own public IP.

Quote from: brynjolm on June 25, 2022, 12:16:30 AM
Also with regards to the map file for the local subdomains: the format should look like this?
Quote
local loca_backend

plex plex_backend

Should there be a space in between?
https://www.haproxy.com/documentation/hapee/latest/configuration/map-files/syntax/


Quote from: brynjolm on June 25, 2022, 12:16:30 AM
Last questions: Is it possible to use the generated cert for both TrueNAS and OPNsense instead of the self-signed one? Would it break the config? Also, is there a specific HAP sub, or should I just post in the General section?
Shouldn't break anything but isn't necessary.
https://discourse.haproxy.org/
or
https://forum.opnsense.org/index.php?board=28.0
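The map-file points made above (values must name a backend with exact case, keys are looked up after the `lower` converter, one whitespace-separated `key value` pair per line, unmatched hosts get no backend and therefore a 503) can be checked offline before reloading. The following Python is an added example, not code from this thread, OPNsense or HAProxy: it parses a map file, emulates the `map_dom` lookup used by the `use_backend` lines in these configs, and lints the map against the declared backend names. The sample map and backend names are copied from the config posted above; the host names are made up.

```python
import re

# Constructed sample: the map file posted above and the backend names declared
# in the same config (note 'truenas_Backend' vs the map's 'truenas_backend').
SAMPLE_MAP = """\
# public access domains
truenas truenas_backend
plex plex_backend
"""
DECLARED_BACKENDS = {"SSL_Backend", "truenas_Backend", "plex_backend"}


def parse_map_file(text):
    """Parse an HAProxy map file: one 'key value' pair per line, whitespace
    separated; blank lines and lines starting with '#' are ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'key value', got {raw!r}")
        entries.append((parts[0], parts[1].strip()))
    return entries


def map_dom(entries, sample):
    """Emulate the map_dom converter: return the value of the first key that is a
    delimited portion of the sample (key 'plex' matches 'plex.example.com' but
    not 'myplex.example.com'); HAProxy's dom match treats '.', ':', '/' and '?'
    as delimiters, so a Host carrying a port still matches. None = no backend."""
    for key, value in entries:
        if re.search(r"(^|[./?:])" + re.escape(key) + r"([./?:]|$)", sample):
            return value
    return None


def route(entries, host_header):
    """Mirror 'use_backend %[req.hdr(host),lower,map_dom(...)]': the Host header
    is lowercased before the lookup, so map keys must be lowercase."""
    return map_dom(entries, host_header.lower())


def lint_map(entries, backends):
    """Checks worth running before a reload: keys must be lowercase (they are
    compared against a lowercased Host), values must name a declared backend
    with exact case, and duplicate keys are flagged."""
    problems, seen = [], set()
    for key, value in entries:
        if key != key.lower():
            problems.append(f"key {key!r} is not lowercase and can never match")
        if value not in backends:
            hint = [b for b in backends if b.lower() == value.lower()]
            msg = f"value {value!r} is not a declared backend"
            if hint:
                msg += f" (case mismatch with {hint[0]!r}?)"
            problems.append(msg)
        if key in seen:
            problems.append(f"duplicate key {key!r}")
        seen.add(key)
    return problems


if __name__ == "__main__":
    entries = parse_map_file(SAMPLE_MAP)
    for host in ("Plex.Example.com", "truenas.example.com:8443", "nas.example.com"):
        print(f"{host:26} -> {route(entries, host)}")
    for problem in lint_map(entries, DECLARED_BACKENDS):
        print("problem:", problem)
```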

Thank you very much. That's the best guide about HAProxy + Let's Encrypt I've ever found. Everything works and it's not a Mickey Mouse setup, it's a good setup for production.

I am fighting with this setup - what is most troubling is that it worked a few days ago, but for the life of me I cannot find what went wrong.

I now have a stripped-down version of the setup where I just want to use a map-based setup with SSL offloading for some internal servers (now my setup contains only one).

This is my setup:


#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_Frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_Frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: 1_HTTP_Frontend (Listening on 127.0.0.1:80)
frontend 1_HTTP_Frontend
    bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: No_SSL_Condition
    acl acl_629b7d353dc6e8.95969175 ssl_fc

    # ACTION: HTTP_to_HTTPS
    http-request redirect scheme https code 301 if !acl_629b7d353dc6e8.95969175

# Frontend: 1_HTTPS_Frontend (Listening on 127.0.0.1:443)
frontend 1_HTTPS_Frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/629b82033c9ac6.13569566.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options

    # ACTION: PUBLIC_Subdomains_Map_Rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/629b7dc0816c90.87321785.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy

# Backend (DISABLED): PLEX_backend (PLEX Backend)

# Backend: BLOB_backend (BLOB Webserver Backend)
backend BLOB_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server BLOB_server 192.168.10.3 ssl sni str(ssl.xyz.de) verify none resolve-prefer ipv4


The corresponding map file would be:


ssl.xyz.de BLOB_backend


Symptoms are: I can see the certificate containing ssl.xyz.de (and others) when I connect to my OpnSense via 'openssl s_client'.

If I try 'wget -O- https://ssl.xyz.de', the connection hangs after initial TLS handshake - when I use one of the other domains like 'abc.xyz.de' which resolve to the same IP, I get the expected 503. I can even see the HTTP->HTTPS redirection when I use http instead of https.

So, I conclude that the certificate is OK, and I get through to 1_HTTP_Frontend (otherwise there would be no 503 when I use an unmapped URL). It seems like most of the time the frontend does not connect to the backend (server); it does sometimes, however.

I am at a loss what causes this because I also verified that OpnSense can reach BLOB server at 192.168.10.3. It also has a Let's Encrypt certificate on ssl.xyz.de, because before, I just port-forwarded port 443. I can get data via 'curl --connect-to 192.168.10.3:443 https://ssl.xyz.de' from it.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on July 04, 2022, 10:25:37 PM
So, I conclude that the certificate is OK, and I get through to 1_HTTP_Frontend (otherwise there would be no 503 when I use an unmapped URL). It seems like most of the time the frontend does not connect to the backend (server); it does sometimes, however.

I am at a loss what causes this because I also verified that OpnSense can reach BLOB server at 192.168.10.3. It also has a Let's Encrypt certificate on ssl.xyz.de, because before, I just port-forwarded port 443. I can get data via 'curl --connect-to 192.168.10.3:443 https://ssl.xyz.de' from it.

server BLOB_server 192.168.10.3 ssl sni str(ssl.xyz.de) verify none resolve-prefer ipv4

1. You have to include the server port in the config of the server, obviously...
2. Remove the SNI string in the server config, not necessary at all. I also DID NOT use it in my tutorial, so why are you using it?
3. Remove the resolve-prefer directive. Again, I did not use it in my tutorial...

1. I thought that the server port would be 443 per default, but I now set it and it did not change anything.
2. I need the SNI string because the server reacts to different names but I cannot use the "external" name since I want to contact the LAN IP. However, I set an alternative name so that I can leave out the SNI for testing and - no dice.
3. Disabling resolve-prefer did nothing as well.

4. I even tried without SSL, same result. So it must be something before that.

New config:


#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_Frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_Frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: 1_HTTP_Frontend (Listening on 127.0.0.1:80)
frontend 1_HTTP_Frontend
    bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: No_SSL_Condition
    acl acl_629b7d353dc6e8.95969175 ssl_fc

    # ACTION: HTTP_to_HTTPS
    http-request redirect scheme https code 301 if !acl_629b7d353dc6e8.95969175

# Frontend: 1_HTTPS_Frontend (Listening on 127.0.0.1:443)
frontend 1_HTTPS_Frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/629b82033c9ac6.13569566.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options

    # ACTION: PUBLIC_Subdomains_Map_Rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/629b7dc0816c90.87321785.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy

# Backend (DISABLED): PLEX_backend (PLEX Backend)

# Backend: BLOB_backend (BLOB Webserver Backend)
backend BLOB_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server BLOB_server blob.xyz:80


Why do you use 127.0.0.1 as the SSL_backend IP?
Please set up a VIP.

For a server, 0.0.0.0 is ANY IP that can represent the server itself, including localhost.
Thus, 0_SNI_frontend obviously conflicts with SSL_backend.

I already tried using 127.4.4.3 for SSL_server, HTTP and HTTPS frontends as well, with no change in behaviour. The tutorial explicitly states that this is optional (see FAQ #4) and besides, if you are right, there is no difference, because 0.0.0.0/0 would also overlap 127.4.4.3/32.

Thanks for any input, though. I tried several hours and as I said, this already worked...

Your haproxy is configured correctly. VIP is indeed optional.

Your real server IP:Port (SSL enabled yes or no / SSL verify yes or no) is the only issue left that could cause it from the haproxy side. Otherwise your web server is misconfigured.

As I said, I triple-checked everything and I also cannot see what goes wrong (it even works sometimes).

I also tried a non-SSL backend, including another server to eliminate problems on the backend.

Here is my reference config.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends


# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/60a6828680bca8.63910725.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/60bdf8931a97c9.33132019.txt)]

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    acl acl_607ae66cdeaed1.61504267 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_607ae66cdeaed1.61504267

# Backend: PLEX_backend ()
backend PLEX_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 1h
    http-reuse safe
    server PLEX_server 192.168.215.60:32400 ssl verify none

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy



If you compare it with yours, you will see that your real server is the problem!

Wow. This was a tough one...

I also believed that my real server is the problem - or to put it another way: ALL my real servers seemed to be the problem.

I replaced the real server by 127.0.0.1 (i.e. OpnSense itself) and guess what? It works.
Then with the LAN IP of my OpnSense - works. I replaced it with www.google.com - works!!!

None of my LAN servers work, however. First, I re-did all of the HAProxy configuration from scratch - with the same result.
I found out that curl has problems as well (most of the time) - so in effect, OpnSense cannot make (reliably) any outgoing TCP connections (while pings work!).

So I asked myself: Is that a firewall or NAT problem? I disabled all firewall rules, but no dice.
After that, I did a tcpdump on the receiving side, only to find out that packets were sent from the OpnSense, and answers also went out but seem to get eaten, although there were no firewall log entries.

Before that, I already had tried to disable all hardware offloading, but only in the global settings.
Looking into that again, I noticed a hint that you have to reconfigure the interfaces in order to take over the defaults, so I disabled all offloading on the LAN interface.

After that - hey, presto! Everything works!

As a matter of fact, this is a very subtle error: on the AMD 10 GbE (ax) interfaces, the hardware CRC offloading is obviously broken, but you will notice this only in the direction which is rarely used.
I had no problems with "through" traffic. The problem must have surfaced when I trusted my hardware too much, which explains why the whole HAProxy setup once worked.

Thanks for all hints!

Hello,

first I have to say thank you for this perfect tutorial. I have set up my haproxy for my webservers and everything works fine for internal and external use. Now I've tried to implement OpenVPN on port 443 in TCP mode. I added the configuration parts as mentioned in Reply #171. The config of haproxy seems to be correct, but I can't connect via VPN. I've tried to set up a second VPN server on port 1194 with UDP and it works straight away. Only the VPN in TCP mode on port 443 refuses to work. Here is my haproxy config:
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 40s
    timeout server 40s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options
    # ACL: SSL_hello
    acl acl_62c874b4f2fdc4.23213917 req_ssl_hello_type 1

    # ACTION: tcp_request_inspect_delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: tcp_request_content_accept_ssl
    tcp-request content accept if acl_62c874b4f2fdc4.23213917
    # ACTION: VPN_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62c87ba1538c16.11776198.txt)]

# Frontend: 1_HTTP_frontend (Listening on 192.168.161.1:80)
frontend 1_HTTP_frontend
    bind 192.168.161.1:80 name 192.168.161.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    acl acl_62360185bf9055.41837138 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_62360185bf9055.41837138

# Frontend: 1_HTTPS_frontend (Listening on 192.168.161.1:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 192.168.161.1:443 name 192.168.161.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62360bcec06250.52672470.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 15m

    # logging options
    # ACL: LOCAL_SUBDOMAINS_FQDN_condition
    acl acl_62361ba046b312.42897137 src darkstar.example.xyz
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_62361a89a23796.93721092 src 192.168.110.0/24

    # ACTION: LOCAL_SUBDOMAINS_map-rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/623619b6c7da11.06632077.txt)] if acl_62361ba046b312.42897137 || acl_62361a89a23796.93721092
    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/623607a0728a46.68273508.txt)]

# Backend: nextcloud_backend (Nextcloud Backend)
backend nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    # ACL: nextcloud-caldav
    acl acl_6236326bbeed09.73911658 path_beg -i /.well-known/caldav
    # ACL: nextcloud-carddav
    acl acl_6236329a31b372.83647612 path_beg -i /.well-known/carddav

    # ACTION: nextcloud-caldav-carddav
    http-request set-path /remote.php/dav if acl_6236326bbeed09.73911658 || acl_6236329a31b372.83647612
    http-reuse safe
    server nextcloud_host 192.168.160.10:443 ssl verify none

# Backend: SSL_backend (SSL Backend TCP)
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    server SSL_Server 192.168.161.1 send-proxy-v2 check-send-proxy

# Backend: bitwarden_backend (Bitwarden Backend)
backend bitwarden_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    # ACL: bitwarden-admin
    acl acl_62362f799a0826.60491269 path_beg -i /admin

    # ACTION: bitwarden-admin_block
    http-request deny if acl_62362f799a0826.60491269
    http-reuse safe
    server bitwarden_host 192.168.160.20:80

# Backend: zyxel-1_backend (Zyxel-1 Backend)
backend zyxel-1_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server zyxel-1 192.168.150.8:443 ssl verify none

# Backend: zyxel-2_backend (Zyxel-2 Backend)
backend zyxel-2_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server zyxel-2 192.168.150.9:443 ssl verify none

# Backend: checkmk_backend (CheckMK Backend)
backend checkmk_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server checkmk_host 192.168.150.21:8080

# Backend: ampache_backend (Ampache Backend)
backend ampache_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server ampache_host 192.168.160.15:443 ssl verify none

# Backend: jellyfin_backend (Jellyfin Backend)
backend jellyfin_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server jellyfin_host 192.168.160.16:8096

# Backend: guacamole_backend (Guacamole Backend)
backend guacamole_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server guacamole_host 192.168.150.22:8080

# Backend: vpn_backend (OpenVPN Backend)
backend vpn_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    server vpn_host 192.168.110.1:1195

Here is the OpenVPN config:
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 192.168.110.1
client-disconnect "/usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh server1"
tls-server
server 10.10.1.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Local Database' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'vpn.shuvit.space' 1"
lport 1195
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "route 192.168.110.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.4096.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float

I hope that someone could help! Thanks in advance.
APU2D4, 4GB RAM, 128GB SSD, OPNsense 22.1

Quote from: shuvitcrew on July 11, 2022, 03:39:32 PM
Hello,

first I have to say thank you for this perfect tutorial. I have setup my haproxy for my webservers and everything works fine for internal and external use. Now I've tried to implement OpenVPN on Port 443 in TCP mode. I added the configuration parts as mentioned in Reply #171. The config of haproxy seems to be correct, but I can't connect via vpn. I've tried to setup a second vpn-server on port 1194 with udp and it works straight away. Only the vpn in tcp-mode on port 443 refuses to work. Here is my haproxy config:
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 40s
    timeout server 40s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options
    # ACL: SSL_hello
    acl acl_62c874b4f2fdc4.23213917 req_ssl_hello_type 1

    # ACTION: tcp_request_inspect_delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: tcp_request_content_accept_ssl
    tcp-request content accept if acl_62c874b4f2fdc4.23213917
    # ACTION: VPN_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62c87ba1538c16.11776198.txt)]

# Frontend: 1_HTTP_frontend (Listening on 192.168.161.1:80)
frontend 1_HTTP_frontend
    bind 192.168.161.1:80 name 192.168.161.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    acl acl_62360185bf9055.41837138 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_62360185bf9055.41837138

# Frontend: 1_HTTPS_frontend (Listening on 192.168.161.1:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 192.168.161.1:443 name 192.168.161.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62360bcec06250.52672470.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 15m

    # logging options
    # ACL: LOCAL_SUBDOMAINS_FQDN_condition
    acl acl_62361ba046b312.42897137 src darkstar.example.xyz
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_62361a89a23796.93721092 src 192.168.110.0/24

    # ACTION: LOCAL_SUBDOMAINS_map-rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/623619b6c7da11.06632077.txt)] if acl_62361ba046b312.42897137 || acl_62361a89a23796.93721092
    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/623607a0728a46.68273508.txt)]

# Backend: nextcloud_backend (Nextcloud Backend)
backend nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    # ACL: nextcloud-caldav
    acl acl_6236326bbeed09.73911658 path_beg -i /.well-known/caldav
    # ACL: nextcloud-carddav
    acl acl_6236329a31b372.83647612 path_beg -i /.well-known/carddav

    # ACTION: nextcloud-caldav-carddav
    http-request set-path /remote.php/dav if acl_6236326bbeed09.73911658 || acl_6236329a31b372.83647612
    http-reuse safe
    server nextcloud_host 192.168.160.10:443 ssl verify none

# Backend: SSL_backend (SSL Backend TCP)
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    server SSL_Server 192.168.161.1 send-proxy-v2 check-send-proxy

# Backend: bitwarden_backend (Bitwarden Backend)
backend bitwarden_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    # ACL: bitwarden-admin
    acl acl_62362f799a0826.60491269 path_beg -i /admin

    # ACTION: bitwarden-admin_block
    http-request deny if acl_62362f799a0826.60491269
    http-reuse safe
    server bitwarden_host 192.168.160.20:80

# Backend: zyxel-1_backend (Zyxel-1 Backend)
backend zyxel-1_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server zyxel-1 192.168.150.8:443 ssl verify none

# Backend: zyxel-2_backend (Zyxel-2 Backend)
backend zyxel-2_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server zyxel-2 192.168.150.9:443 ssl verify none

# Backend: checkmk_backend (CheckMK Backend)
backend checkmk_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server checkmk_host 192.168.150.21:8080

# Backend: ampache_backend (Ampache Backend)
backend ampache_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server ampache_host 192.168.160.15:443 ssl verify none

# Backend: jellyfin_backend (Jellyfin Backend)
backend jellyfin_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server jellyfin_host 192.168.160.16:8096

# Backend: guacamole_backend (Guacamole Backend)
backend guacamole_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server guacamole_host 192.168.150.22:8080

# Backend: vpn_backend (OpenVPN Backend)
backend vpn_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    server vpn_host 192.168.110.1:1195

Here is the OpenVPN config:
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 192.168.110.1
client-disconnect "/usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh server1"
tls-server
server 10.10.1.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Local Database' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'vpn.shuvit.space' 1"
lport 1195
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "route 192.168.110.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.4096.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float

I hope that someone could help! Thanks in advance.

Quote from: Bunch on February 20, 2022, 05:25:18 PM
I have just tried TCP mode with map file, there are a few more steps to achieve the goal instead of placing the map rule directly to 0_SNI
(I checked the package and found SNI inside, however, haproxy doesn't recognize it in TCP mode, that's why we need to force it to recognize SNI)

1. Create a "Condition" to request client hello
Name: SSL_Hello
Condition type: Custom condition (option pass-through)
Option pass-through: req_ssl_hello_type 1


2. Create a "Rule" to wait accept SSL hello
Name: tcp_request_content_accept_ssl
Select conditions: SSL_Hello
Execute function: tcp-request-content-accept


3. Create a "Rule" to wait for inspect
Name: tcp_request_inspect_delay
Optional condition: none
Execute function: tcp-request-inspect-delay
TCP inspection delay: 5s


4. Place the Rule to 0_SNI_frontend in following order
tcp_request_inspect_delay
tcp_request_content_accept_ssl
map

(hmdir_ru is my map rule)


Update according to findings in #183

5. Change the no_SSL condition to Traffic is SSL (locally deciphered)


*Remark
It is advised to use another map file for 1_HTTPS_frontend if necessary
If you really don't want to create another map file, use "SNI TLS extension matches (locally deciphered)" instead

Might want to ask @Bunch for help, since I am still not using any non-SSL services.

I can only give you the below config. I figured that one out a while back with another user (@Lip90).
As far as I can remember it worked fine but it was necessary to establish the connection twice because the first time (always) failed.
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 debug

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options
    option log-separate-errors
    option tcplog
    # ACL: OPENVPN_condition
    acl acl_6143a3ff7e6bf2.30491250 req_ssl_hello_type 1

    # ACTION: OPENVPN_rule
    use_backend OPENVPN_backend if !acl_6143a3ff7e6bf2.30491250
    # WARNING: pass through options below this line
    tcp-request inspect-delay 5s
    tcp-request content accept if !{ req_ssl_hello_type 1 }

# Frontend: 1_HTTP_frontend (Listening on 0.0.0.0:80)
frontend 1_HTTP_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: NoSSL_condition
    acl acl_6138b110159553.96461818 req.ssl_ver gt 0

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_6138b110159553.96461818

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6138b32401a006.77997133.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 15m

    # logging options
    option httplog
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_6141ef8f0a8841.88130105 src 192.168.0.0/16

    # ACTION: LOCAL_SUBDOMAINS_map-rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6141ef3275d630.55285385.txt)] if acl_6141ef8f0a8841.88130105
    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6138b15d48a964.28077676.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: OPENVPN_backend ()
backend OPENVPN_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server OPENVPN_server 127.0.0.1:1194
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.
Additionally you can consider donating: https://www.buymeacoffee.com/thehellsite
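Bunch's steps and TheHellSite's OPENVPN_rule above both rely on the same mechanism: in TCP mode HAProxy buffers the first bytes of a connection (tcp-request inspect-delay) and only then can req_ssl_hello_type / req.ssl_sni tell a TLS ClientHello apart from, say, OpenVPN's first control packet. The Python below is an added example, not HAProxy or OPNsense code, that mimics that classification on constructed sample inputs, including the not-yet-enough-data case that the inspect-delay exists for.

```python
"""Mimics the content inspection HAProxy does in TCP mode: buffered first bytes
are classified as a TLS ClientHello (req_ssl_hello_type 1; SNI via req.ssl_sni)
or as something else, such as OpenVPN's first control packet. Added example,
not HAProxy or OPNsense code; all sample inputs are constructed."""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
# OpenVPN opcodes of a client's first packet (P_CONTROL_HARD_RESET_CLIENT_V2 / _V3).
OPENVPN_CLIENT_HARD_RESET = {7, 10}

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal ClientHello record that carries one SNI extension."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    ext = struct.pack("!HHH", EXT_SERVER_NAME, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32)                # client_version + random (zeros, constructed)
            + b"\x00"                              # empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                          # one compression method: null
            + struct.pack("!H", len(ext)) + ext)   # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake

def build_openvpn_hard_reset() -> bytes:
    """Construct the start of an OpenVPN-over-TCP client hard reset: 2-byte length,
    then opcode<<3 | key_id, then an 8-byte session id (zeros, constructed)."""
    payload = bytes([7 << 3]) + bytes(8)
    return struct.pack("!H", len(payload)) + payload

def extract_sni(body: bytes):
    """Walk the ClientHello body to the server_name extension (what req.ssl_sni yields)."""
    pos = 2 + 32                                     # skip client_version and random
    pos += 1 + body[pos]                             # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                             # compression methods
    if pos + 2 > len(body):
        return None                                  # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        if ext_type == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", body[pos + 7:pos + 9])[0]
            return body[pos + 9:pos + 9 + name_len].decode()
        pos += 4 + ext_len
    return None

def classify(data: bytes):
    """Return (kind, sni). 'need_more' means the bytes buffered so far do not decide
    yet; HAProxy keeps waiting, up to tcp-request inspect-delay, before routing."""
    if len(data) < 9:
        return "need_more", None
    if data[0] == TLS_HANDSHAKE and data[5] == CLIENT_HELLO:
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:
            return "need_more", None                 # ClientHello not fully buffered
        return "tls_client_hello", extract_sni(data[9:5 + rec_len])
    if (data[2] >> 3) in OPENVPN_CLIENT_HARD_RESET and (data[2] & 0x07) == 0:
        return "openvpn", None
    return "other", None
```

A connection that only ever yields "need_more" until the delay expires is exactly the case where a rule written as `if !{ req_ssl_hello_type 1 }` routes on incomplete data, which is worth keeping in mind when a first connection attempt fails and the second succeeds.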