Skip to content
PiBa-NL edited this page Dec 15, 2015 · 24 revisions

First draft... Lets see what it looks like..

Intro

Purpose of this little wiki is to show hwo to configure some of the most requested haproxy configuration options within the pfSense haproxy package.

HAProxy is a small but powerful reverse proxy, and allows for loadbalancing between multiple (web)servers, but also acl (Access Control Lists) allow for selecting a specific backend or action depending on flexible criteria. And though many features are available through the created webgui, lots more are only available as 'advanced settings' which can be added into several places into the webgui. For all possible options please look at the official HAProxy documentation.

How to configure haproxy package on pfSense

  1. Configuring the general settings.
  2. Scenario that will be used in below examples.
  3. Single frontend serving multiple different domains using http.
  4. HTTPS for multiple domains using SNI from 1 frontend
  5. HTTPS for multiple backend using offloading from 1 frontend

General note.

I strongly recommend that the webgui of pfSense will be configured on a different port that those that haproxy will listen on. As you will likely want to have haproxy listen on 80 and or 443 those ports will need to be opened in the firewall. If for some case haproxy does not run, connections could get served by the pfSense webgui. Which is in my opinion not supposed to be accessible directly from the internet. (Disabling the webgui-redirect on port 80 in pfSense advanced settings also helps avoid confusion.)

Configuring the general settings.

It is required to enable the package, and configure the total number of connections that haproxy will accept in a single process. I adviced to configure a local stats port, this allows to use the integrated haproxy stats directly from the pfSense webgui.

Scenario that will be used in below examples.

In each of the scenarios below i will asume that you have a domain name yourdomain.tld and serveral subdomains pointing to the pfSense wan-ip or perhaps a secondary ipalias or carpip. The examples will asume that the follow subdomains will be used for seperate webapplications running on seperate webservers:

  • www.yourdomain.tld
  • forum.yourdomain.tld
  • support.yourdomain.tld
  • portal.yourdomain.tld
  • ssh.yourdomain.tld

For each of these domains 1 or more servers will be used to serve each website. The exeption is the ssh.yourdomain.tld where only a ssh server is listening on port 22.

Single frontend serving multiple different domains using http.

HTTPS for multiple domains using SNI from 1 frontend

Haproxy can use SNI to read the requested destination domain from a ssl-handshake, this allows haproxy to direct traffic for different domains to correct backend.

  • Create a backend for each domain you want to be handled by a seperate group of servers.
  • Configure the servers for each of the backends.
  • Create a Frontend new frontend and give it a name (mainsites).
  • Select the interface and port it should listen on wan:ip and 443, leave the SSL checkbox empty here.
  • Select the mode: "SSL/HTTPS (TCP)"
  • Select the default backend (www.yourdomain.tld) to use when the user acls and actions dont select a different backend or operation to use. For the example lets direct users that type http://ssh.yourdomain.tld in their browser they will be directed to the www backend. Instead of getting no valid reply.
  • Add a acl with the name 'forum-acl' for the forum.yourdomain.tld by adding a acl and selecting the 'SNI matches' option for the value fill in the domain
  • Add a action 'use backend' and select the forum backend, also fill in the forum-acl. Repeat above steps for the other domains change the acl name and value accordingly.
  • Save the frontend configuration
  • Apply the configuration.
  • Check on the stats page all servers are shown as 'up'.
  • Create a firewall rules to allow access to the frontends that haproxy should serve. In this case we should configure on the firewall/rules/wan page the access from any source and any source-port should be allowed to wan:ip 443.
  • Ready to test connections from the outside

HTTPS for multiple backend using offloading from 1 frontend

Haproxy can offload / decrypt https traffic on the frontend. For this it is required to load the certificates including the psk and intermediate certifcate into pfSense.

Clone this wiki locally