Topic: HAproxy - configuration help - Beginner

zwck
HAproxy - configuration help - Beginner
« on: July 26, 2017, 03:42:40 am »
Hello all who might be reading this,

I am brand new to this forum, and to pfSense for that matter. I used to have a normal router with simple port forwarding to do what I needed it to do. However, now I would like to explore the possibilities with pfSense and HAproxy (which is also new to me). I have had pfSense up and running for a week now after dealing with the initial setup, also with simple port forwarding to replicate what my old router did.

I attached an image to show what is currently happening and to see if what I am hoping for is actually possible.

I'd like to get rid of my FreeBSD nginx setup and just use HAproxy to redirect my incoming traffic.

« Last Edit: July 26, 2017, 03:46:07 am by zwck »

zwck
Re: HAproxy - configuration help - Beginner
« Reply #1 on: July 27, 2017, 03:02:30 am »
After reading some parts and surfing the internet for quite some time, I managed to set it up for myself :) Eureka!

Anyway I wanted to share my setup, maybe someone has some input.

First setting:
Port forwarding

NAT rules

Virtual IP

Overview of frontends. Most of the stuff I host is fine with SSL offloading, while for example Nextcloud 12 is not; here is what I came up with, maybe there is a more elegant way.

Detail Frontends

Backends

Copy-paste for the different web services you want to serve that support offloading

Backend for offloading

Backend that needed SNI (in my case Nextcloud 12)

What all this does is:

TL;DR:

If something connects to port 80 and belongs to rss, blog, etc. (except the ones that need SSL termination), it will be redirected to 127.0.0.1:1443 with SSL offloading (change of scheme as well).
If something connects to port 80 and belongs to cloud, the SNI backend will be used and SSL termination happens, but the default is a redirect to 127.0.0.1:1443.

That's it, I guess.

« Last Edit: July 27, 2017, 03:20:12 am by zwck »

Kerat
Re: HAproxy - configuration help - Beginner
« Reply #2 on: December 06, 2017, 08:54:37 pm »
This looks pretty good to me. Here I do much the same. I will note a few things here:

In my firewall I enabled NAT reflection in order to allow me to access the resources while on the local LAN.

Also, I disable deprecated or near-deprecated cryptographic protocols and ciphers in:
Settings - Global Advanced pass thru - Custom options
This allows me to globally block SSL 2, SSL 3 and TLS 1, as well as forcing the modern cipher compatibility listed here: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

Be careful, this is a double-edged sword. If you have legacy devices you are still supporting, setting your browser to modern compatibility only may cause those devices not to function properly.

I use ACL and Action rules on the frontend to determine:
1.  Which backend resources the source is requesting.

2.  Whether the source is on one of my local LANs or the public Internet.
     A.  If the source is on one of my local LANs, I do not forward the source IP address to the backend server.
     B.  If the source is on the public Internet, I forward the source IP address to the backend server.
     Note: I do this because there are some features that can be dynamically turned on or off based on whether the client is a public or internal source. Also, some software has brute-force attack protection and would need to know if the source is on the public Internet to function properly.

3.  I use a separate, publicly fully trusted SSL cert for each of my subdomains that ties to a separate backend server. This means I don't need to stand up a CA locally and deploy it to my clients' systems. Based on the SNI, I dynamically hand out the appropriate SSL cert using SSL offloading on the frontend.

Lastly, in my Action rule, if the request does not match any of the ACL action rules I have set up, the requester is redirected to a dead node. I learned this from a friend who used it to address IP-block port scanning and brute-force attacks that found his WAN. The only other thing I think you could do is set up HTTP monitoring on your backend resources in order to stop forwarding in the event that one goes down.
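The two setups described in this thread, zwck's split between SNI passthrough for Nextcloud and TLS offloading for everything else via 127.0.0.1:1443, and Kerat's notes on disabling old protocol versions, treating LAN and public sources differently, a dead default backend and HTTP health checks, written out as one haproxy.cfg. This is an added example in plain HAProxy syntax, not either poster's exported pfSense configuration; the example.com hostnames, the 10.0.0.x and 192.168.1.0/24 addresses and the /etc/haproxy/certs/ directory are placeholders.

```haproxy
global
    # Refuse SSLv3 and TLS 1.0 handshakes and pin a modern cipher list (Kerat's note).
    ssl-default-bind-options no-sslv3 no-tlsv10
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
# Port 80: bounce every request to https (zwck's change of scheme).
frontend http_in
    bind *:80
    http-request redirect scheme https code 301

# Port 443: route on the SNI only; nothing is decrypted here.
frontend https_sni
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend nextcloud_passthrough if { req_ssl_sni -i cloud.example.com }
    default_backend to_offload

# Nextcloud keeps its own certificate: the TLS stream is passed through intact.
backend nextcloud_passthrough
    mode tcp
    server nextcloud 10.0.0.20:443 check

# Loopback hop; send-proxy-v2 carries the real client IP, else src is always 127.0.0.1.
backend to_offload
    mode tcp
    server offload 127.0.0.1:1443 send-proxy-v2

# 127.0.0.1:1443: TLS ends here, one public cert per hostname chosen by SNI.
frontend https_offload
    bind 127.0.0.1:1443 ssl crt /etc/haproxy/certs/ strict-sni accept-proxy
    acl from_lan  src 192.168.1.0/24 10.0.0.0/8
    acl host_blog hdr(host) -i blog.example.com
    # Drop any client-supplied header, then add our own for public clients only.
    http-request del-header X-Forwarded-For
    http-request set-header X-Forwarded-For %[src] if !from_lan
    use_backend blog if host_blog
    default_backend dead_node

backend blog
    option httpchk GET /
    server blog1 10.0.0.11:80 check

# No servers: unknown hostnames and bare-IP scans get a 503 and reach nothing.
backend dead_node
```

Without the send-proxy-v2/accept-proxy pair on the loopback hop, the offload frontend only ever sees 127.0.0.1 as the client and the LAN/public distinction cannot work; `haproxy -c -f haproxy.cfg` validates the file before it is loaded.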