Hello Experts,

I've been using OPNsense with HAProxy for a few months now and I'm very happy with it. Thanks for all the hard work!

However, I've stumbled on a small problem and I can't seem to find enough information (that I can understand) on how to solve it. I'm publishing an application on SSL (WAN side) and unsecured (HTTP, port 8084) on the LAN side. However, the application does not play nice with the reverse proxy and the site is not shown.

I'm looking for a few options:
- Where can I configure the "X-Forwarded-For" option? (It used to be a check box but that has disappeared.)
- How can I enable SSL termination for a single publication (rule)?

I tried browsing the documents but the how-tos in the wiki are for a previous version and I'm not quite sure how I can add general HAProxy options (or what syntax to use).

Thanks in advance! (And apologies if my questions are stupid.)
Also, I've read a lot of reverse-proxy guides that state the need to use the x-forwarded-for option. Is this enabled by default or is it a hidden option? How can I double-check this feature is enabled in HAProxy?
> Also, I've read a lot of reverse-proxy guides that state the need to use the x-forwarded-for option. Is this enabled by default or is it a hidden option? How can I double-check this feature is enabled in HAProxy?

Yes, there was an option to enable/disable it in the past. You can also set it on your own:

Services -> HAProxy -> Virtual Services -> Backend Pool -> Edit Server
Enable "advanced mode"
Field: Option pass-through

    # add X-FORWARDED-FOR
    option forwardfor
    # add X-CLIENT-IP
    # http-request add-header X-CLIENT-IP %[src]
    # force SSL redirect
    redirect scheme https if !{ ssl_fc }
    # close open connections
    option http-server-close
    # add X-FORWARDED-FOR
    option forwardfor
    # add X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
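Putting the snippets from the two replies above together, here is a complete HTTP-mode (TLS-terminating) configuration as an added example; it is not the poster's configuration and not the file the OPNsense plugin generates. Assumptions: the certificate-plus-key bundle lives at /path/to/cert-and-key.pem (placeholder), the application listens on 192.0.2.10:8084 (constructed address, port from the thread), and the backend-scoped lines are the ones that belong in the "Option pass-through" field of the backend pool. The `del-header` line is an addition beyond the thread: `option forwardfor` appends to any X-Forwarded-For a client already sent, so an application that reads the first value could be fed a spoofed address unless the proxy strips the inbound header first.

```haproxy
# Added example, not the original poster's config nor the OPNsense plugin's output.
# Assumptions (placeholders): /path/to/cert-and-key.pem, backend 192.0.2.10:8084.

global
    log 127.0.0.1 local0

defaults
    mode http
    log global
    option httplog            # %ci in HAProxy's own log is the real client IP;
                              # compare it with what the app logs to verify the header
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend http_in
    bind :80
    # force SSL redirect: anything arriving without TLS is sent to https
    redirect scheme https code 301 if !{ ssl_fc }

frontend https_in
    # SSL termination for this one public service
    bind :443 ssl crt /path/to/cert-and-key.pem
    # drop any client-supplied X-Forwarded-For so the app only sees the value HAProxy adds
    http-request del-header X-Forwarded-For
    # tell the app the original request was HTTPS
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend app_pool

backend app_pool
    # close open connections
    option http-server-close
    # add X-FORWARDED-FOR carrying the client's source address
    option forwardfor
    server app1 192.0.2.10:8084 check
```

To double-check, validate the file with `haproxy -c -f <file>` and then compare the client address in the application's own access log with the `%ci` field in HAProxy's log line for the same request: if they match, the header reaches the application. A request sent with a forged `X-Forwarded-For` header should arrive at the application carrying only the address HAProxy inserted.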
This should work for any TCP-based SSL/TLS encrypted service in passthrough (HAProxy: TCP) mode... It does NOT work for STARTTLS!

In this example I use TCP port 443.

1. HAProxy plugin: Create "Real Server" (enter name, IP/FQDN and port number if different from 443, the rest can be left at default)
2. HAProxy plugin: Create "Backend Pool" (enter name, set mode to TCP and select the real server from step 1)
3. HAProxy plugin: Create "Condition" (enter name ["traffic_ssl"], condition type is "custom condition (option pass-through)" with value "req_ssl_hello_type 1")
4. HAProxy plugin: Create "Condition" (enter name ["myservice_sni"], condition type is "SNI TLS extension matches (TCP request content inspection)" with value "myservice.example.com" or whatever your FQDN is)
5. HAProxy plugin: Create "Rule" (enter name ["request_inspect_delay"], select no condition, function is "tcp-request inspect delay" with value "5s" or whatever suits you)
6. HAProxy plugin: Create "Rule" (enter name ["request_content_accept_ssl"], select condition of 3 ["traffic_ssl"], function is "tcp-request content accept")
7. HAProxy plugin: Create "Rule" (enter name ["myservice_sni"], select condition of 4 ["myservice_sni"], function is "Use specific backend pool" with your pool from 2)
8. HAProxy plugin: Create "Public Service" (enter name ["https_passthrough"], choose a listen address [":443" for all], type is "TCP" and select the 3 rules created earlier)
9. HAProxy plugin: Enable plugin or test/apply
10. Firewall: allow incoming traffic to WAN (address) or whatever for TCP port 443.

That works at least for me. If you have double NAT you would need to disable port randomization for the proxied port...

Does that help you?
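The same passthrough setup expressed as raw HAProxy configuration, as an added example (not the poster's file and not what the OPNsense plugin writes), so the GUI objects above can be matched to the directives they produce. Assumptions: the real server is 192.0.2.20:443 (constructed), the FQDN is myservice.example.com as in the thread, and the step numbers in the comments refer to the list above.

```haproxy
# Added example mapping the GUI steps to plain HAProxy directives.
# Assumptions: backend 192.0.2.20:443 (constructed), SNI myservice.example.com.

global
    log 127.0.0.1 local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# step 8: the public service, listening on all addresses, TCP mode
frontend https_passthrough
    bind :443
    mode tcp
    # step 5: hold the connection up to 5s so the first bytes (the ClientHello) can be inspected
    tcp-request inspect-delay 5s
    # step 3 + 6: accept as soon as the buffer holds a TLS ClientHello (handshake type 1);
    # plain HTTP or a STARTTLS session that begins in cleartext never satisfies this,
    # which is why the approach does not work for STARTTLS
    tcp-request content accept if { req_ssl_hello_type 1 }
    # step 4 + 7: route on the SNI name; nothing is decrypted, the certificate stays on the real server
    use_backend myservice_pool if { req_ssl_sni -i myservice.example.com }
    # no default_backend on purpose: a connection whose SNI matches nothing gets no server and is closed

# step 2: the backend pool, TCP mode
backend myservice_pool
    mode tcp
    # step 1: the real server; "check" only verifies that the TCP port answers
    server myservice 192.0.2.20:443 check
```

Two things worth knowing when reading HAProxy's log for this setup: if no accept rule matches before the inspect delay expires, HAProxy still accepts the connection, so non-TLS traffic is merely delayed 5s and then closed for lack of a backend; and because the frontend never terminates TLS, `ssl_fc`-based rules and HTTP headers such as X-Forwarded-For cannot be used here, the backend sees the client's address only at the TCP level.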