pfSense Gold Subscription

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - PiBa

Pages: [1] 2 3 4 5 ... 55
1
Cache/Proxy / Re: HAProxy timeouts for any subdomain
« on: January 13, 2018, 06:10:00 pm »
In case of 'shared frontends' only 1 frontend is written to the config, and the configuration settings are 'combined' so that might be ok.

The webserver server line does also count bytes in/out ?

What if you run a 'curl http://webserver.example.net/' request to the haproxy frontend.? Does that timeout as well? Or does it perhaps redirect to a https://wanip:443/ while haproxy is listening on :80 or perhaps a redirect to https://url:9001 ? In which case the timeout would make sense as those ports are likely not open..

What do haproxy logs tell for the request? Either send them to a syslog server elsewhere on the network, or to the local log socket so it will show in status\packagelogs.

3
Cache/Proxy / Re: HAProxy timeouts for any subdomain
« on: January 11, 2018, 01:16:21 pm »
Yes a 503 would be returned by haproxy when no backend is 'available'. It confirms that the browser is talking with haproxy.

If you enable health checks on the backend, does the stats page show the servers as 'up' ?

4
Italiano / Re: Pfsense load balancing redirect errati
« on: January 11, 2018, 01:04:59 pm »
Did you disable 'webgui redirect' under system/advanced settings? Might help..

5
Cache/Proxy / Re: HAproxy 1.8.0
« on: January 11, 2018, 01:01:12 pm »
I think your right about that h2 on frontend only for the moment.

6
Cache/Proxy / Re: HAproxy email notifications
« on: January 11, 2018, 12:59:39 pm »
Haproxy just makes a plain tcp connection to port 25 and sends a few commands.. to push out a receiver subject and body.. the mailserver must be configured to not require authentication from haproxy's ip for this to work.

No authentication setting is available:
http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#3.6

7
Cache/Proxy / Re: HAproxy 1.8.0
« on: January 10, 2018, 05:22:57 pm »
Ok 1.8.3 got pulled in :) including a few webgui improvements.. Give it a try.?

8
General Questions / Re: Wan IP to multiple hosts
« on: January 10, 2018, 04:39:01 pm »
HAproxy can help for the HTTP / HTTPS traffic, for ftp and udp that wont work..

9
Cache/Proxy / Re: HAProxy timeouts for any subdomain
« on: January 10, 2018, 04:37:03 pm »
'example.net' is not send to a backend.. as the acl selects specifically on the webserver.example.net domainname.. Perhaps you should change that criteria? Or use a 'defaultbackend' ?

Also if testing from internally try without the 'transparent client ip' option on the backend as that is a 'usual suspect' for causing local connections to fail..

b.t.w. the 9001 port is using ssl / https ? does this locally work?: 'curl -k https://192.168.6.100:9001/'  (might need to disable transparentclientip feature before testing that..)

10
The topic you linked to explains it all in text&pictures.

-Go to Services/HAProxy/Files (in the webgui), add a 'file' there and paste in the Lua script with a name and type Lua.
-Go to a frontend and add a acl and action like the screenshots to call the lua function acme-http01 .

No need to change global config settings, or adding files on the filesystem.

11
By default haproxy does not send SNI to the webserver.. Needs 1.8 to fully support those configuration options.. If you can do without for now at least wait for 1.8.3 to become available on pfSense before trying that...
http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-check-sni
http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-sni

A single certificate can be valid for multiple domains, so you can make 1 certificate thats valid for both www.domain.com and domain.com as a 'Subject Alternative Name'. And yes to be able to send a redirect you still need a valid cert..

Having IIS bound to * should also work imho.. as long as it accepts haproxy's connection the request should be handled the same..

As for internally it should just work the same as externally.. Unless you visit it by a different hostname and have iis check for that also?

12
Does https://172.16.0.7/ work when requested with a browser? Or is some page/url needed behind it? If so add that to the url used for the health check.

13
For the 503 error, if you look at the 'stats' page does the SSL DS-Website server show in 'green'?
If its 'down' then check what the LastCheck column says, maybe the server returns a authentication request.? Or some other error? Try changing 'OPTIONS' to 'GET' for the health-check , or add a "Host: webserver" in the request ?

As for the certificate error, probably the top domain is not included in the certificate as a valid alternative name.? (With some CA's you must specifically ask for this..)

Code: [Select]
p.s. Please just copy paste the text of the config and obfuscate where needed.. And put it inside some code tags instead of a image.

14
Cache/Proxy / Re: HAproxy 1.8.0
« on: January 04, 2018, 03:37:14 pm »
And the day after that release again some issues jumped up :(, i guess it will never be perfect.
Ill try and get 1.8.3 pulled, that should at least be 'way better' than the current 1.8.0..

Thanks for the bump ;)

15
The description 'sounds' good..
Can you share the haproxy.conf from bottom of settings tab?

Does any part work? What part doesn't? How are you requesting it? What (doesn't) happen exactly?

Pages: [1] 2 3 4 5 ... 55