[SOLVED] Can't get HAProxy working

Started by fire, June 01, 2016, 05:32:53 PM

June 01, 2016, 05:32:53 PM Last Edit: June 02, 2016, 02:07:00 PM by fire
Hi everyone,
Thanks for this wonderful project. I'm using it on several dedicated servers and it works like a charm.
I have some Apache reverse proxies running on those dedicated servers and I am wondering about replacing them with the integrated HAProxy plugin on OPNsense.

I created a test environment with an OPNsense and an Apache virtual machine. The firewall has one public IP and one private IP which is in the same subnet as the Apache VM.
I configured a minimal Frontend, Backend and server. Service is ON but HAProxy is not working. Port 80 seems to be closed.

Does anyone have a configuration example of a working infrastructure?
I have 2 cards working with the virtio driver with Hardware CRC turned off.

Hi there,

Thanks. :) There is an update 1.1 that's online now and a 1.2 that is pending for the upcoming 16.1.16. Make sure you're not on version 1.0, you can see that from the firmware updates page under plugins.

It may be good to get the author involved and let him know your exact setup to reproduce. I'll try to grab him. :)


Cheers,
Franco

Quote from: fire on June 01, 2016, 05:32:53 PM
I created a test environment with an OPNsense and an Apache virtual machine. The firewall has one public IP and one private IP which is in the same subnet as the Apache VM.
I configured a minimal Frontend, Backend and server. Service is ON but HAProxy is not working. Port 80 seems to be closed.

Some thoughts:

- make sure you have haproxy plugin version 1.1 installed
- check the haproxy log at Services->HAProxy->Log File
- make sure haproxy service is enabled in Services->HAProxy->Settings->General Settings; click "Apply" button

What happens when you click on "Test Syntax" in Services->HAProxy->Settings->Frontend?

Regards
- Frank

June 02, 2016, 11:43:52 AM #3 Last Edit: June 02, 2016, 11:48:45 AM by fire
Hello Franco and Fraenki!
I have the latest version of OPNsense (16.1.15), and the HAproxy plugin is v1.1.
HAproxy logs aren't telling anything but "Proxy front/back started", and the test syntax is telling me everything is correct.

Regarding my setup, one image is better than a thousand words.
Here is my current setup:


And here is the setup I want to achieve:


I'm an HAproxy noob, so there is a chance that my test configuration isn't correct. That's why I'd love to see a simple working example.

Thank you both for your help.

EDIT: From a security point of view, is this the correct way to proceed?

June 02, 2016, 12:03:17 PM #4 Last Edit: June 02, 2016, 12:59:40 PM by fraenki
Quote from: fire on June 02, 2016, 11:43:52 AM
HAproxy logs aren't telling anything but "Proxy front/back started", and the test syntax is telling me everything is correct.

This is actually good, so the HAProxy service is at least starting up. If you have access to the OPNsense console, please run (and post the output here)...
sockstat | grep haproxy
...so we know on which IPs and ports the service is listening.

Quote from: fire on June 02, 2016, 11:43:52 AM
Regarding my setup, one image is better than a thousand words.
Here is my current setup:

Looks sane to me.  :)

Quote from: fire on June 02, 2016, 11:43:52 AM
I'm an HAproxy noob, so there is a chance that my test configuration isn't correct. That's why I'd love to see a simple working example.

What happens when you try to access the URL you want to serve with HAProxy? Does it timeout? Did you check the firewall logs?

Could you post some quick screenshots of your Frontend and Backend configuration? (Make sure to obfuscate your public IP addresses.)

You're invited to join us on IRC (Freenode: irc.freenode.org. #opnsense), so we can directly discuss this issue, if you like.  8)

Quote from: fire on June 02, 2016, 11:43:52 AM
EDIT: From a security point of view, is this the correct way to proceed?

I don't see any security issue. (You don't need to drop your DMZ, as the picture suggests. The HAProxy service could still use an IP address from your DMZ.)

Regards
- Frank

When I try to access the URL, I get an "ERR_CONNECTION_RESET" and the logs are saying:


My listen port and interface look good:


Here are my test settings for testing HAproxy:
Frontend:


Backend:


And server:


Can you confirm it's correct? I tried to add some ACL but it doesn't work either.

Solution: Needed to add a firewall rule to allow requests to pass through to HAProxy. The plugin does not automatically generate firewall rules (I should add a hint somewhere).

As you said, the firewall rule did the trick and I can now continue testing the HAproxy plugin.

Thank you for your time! My problem is now solved.
Have a nice day!


Quote from: Mannueru on December 27, 2016, 10:57:00 PM
Can you post the firewall rule?

You just need to add rules to allow traffic to your HAProxy frontends and between your HAProxy backends and servers.


Regards
- Frank
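
Added example, not part of the original thread and not rules posted by any participant: the two rules described in the last reply, sketched in pf.conf syntax (the packet filter OPNsense uses). The interface names, the backend address and the port list are assumptions for a setup like the one in this thread, with an HTTP frontend on the firewall's public address and one Apache server on the private subnet.

```conf
# Constructed values: replace with your own interfaces, server and ports.
wan_if   = "vtnet0"          # assumed name of the public (WAN) interface
lan_if   = "vtnet1"          # assumed name of the private interface
backend  = "192.168.1.10"    # assumed address of the Apache VM
fe_ports = "{ 80 }"          # ports the HAProxy frontend listens on

# 1) Clients -> HAProxy frontend.
#    Without a rule like this the default deny on WAN drops or resets
#    connections to port 80 even though haproxy is listening there.
#    Destination is limited to the firewall's own WAN address and to the
#    frontend ports only.
pass in quick on $wan_if inet proto tcp from any to ($wan_if) port $fe_ports flags S/SA keep state

# 2) HAProxy -> backend server.
#    Needed only where traffic leaving the firewall towards the server
#    network is filtered; scoped to the one server and port in use.
pass out quick on $lan_if inet proto tcp from ($lan_if) to $backend port 80 flags S/SA keep state

# Too broad, do not use as a shortcut: this opens every service on the
# firewall (GUI, SSH, ...) to the Internet.
# pass in quick on $wan_if all
```

In the OPNsense GUI the first rule corresponds to a Pass rule on the WAN interface with protocol TCP, destination "WAN address" and the frontend's port as destination port.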