net/haproxy: help with ACL/Action configuration #264

Closed
Julien-nl opened this issue Sep 14, 2017 · 15 comments
Labels: support (Community support)

Comments

@Julien-nl

Hi guys,
lately we have moved from pfSense to OPNsense.
We have installed HAProxy but I can't get it to work to get HTTPS forwarded to 3 different hosts on the LAN.
Front end and back end are created; I just need to know which option to use for Compose expression.

we have dns1.domain.com and dns2.domain.com
dns1.domain.com forwards to 10.10.10.10
and dns2.domain.com forwards to 10.10.10.11
over HTTPS

Hope someone can help me get this working.

Thank you

@fraenki fraenki added the support Community support label Sep 14, 2017
@fraenki
Member

fraenki commented Sep 14, 2017

Hi @Julien-nl, HAProxy is a complex beast, so you'll need to add some configuration to make this work:

(assuming that you have already set up frontends/backends)

You need to add Servers to be able to send traffic to a specific host:

  • Create a Server configuration for your first server 10.10.10.10:
    Name: server1
    FQDN or IP: 10.10.10.10
    Port: 80 (or whatever port your server uses)

  • Create a Server configuration for your second server 10.10.10.11:
    Name: server2
    FQDN or IP: 10.10.10.11
    Port: 80 (or whatever port your server uses)

You need ACLs to check for the HTTP Host Header to distinguish between dns1.domain.com and dns2.domain.com:

  • Create an ACL for hostname dns1.domain.com:
    Name: check_host_dns1
    Expression: Host starts with
    Value: dns1.domain.com

  • Create an ACL for hostname dns2.domain.com:
    Name: check_host_dns2
    Expression: Host starts with
    Value: dns2.domain.com

And you need Actions to specify what should be done if an ACL matches:

  • Create an Action for hostname dns1.domain.com:
    Name: use_server_for_dns1
    Test type: IF
    Select ACLs: check_host_dns1
    Choose action: Use Server
    Use server: server1

  • Create an Action for hostname dns2.domain.com:
    Name: use_server_for_dns2
    Test type: IF
    Select ACLs: check_host_dns2
    Choose action: Use Server
    Use server: server2

To actually use the newly created Actions you need to add them to your Frontend:

  • Edit your Frontend(s) and add the Actions:
    Actions: use_server_for_dns1
    -OR-
    Actions: use_server_for_dns2
    -OR-
    Actions: use_server_for_dns1 use_server_for_dns2
    (depending on how you've set up the frontends)

(Note that you're free to change the Name of every configuration item... I've chosen these names to make it easier to provide an example.)

FYI, we're aware that the current ACL/Action UI can be quite confusing, especially for users that are not too familiar with HAProxy's internals. We're working on an improvement that will be available in one of the next releases (#208).

@fraenki fraenki changed the title help with configuration HAProxy: help with ACL/Action configuration Sep 14, 2017
@Julien-nl
Author

Julien-nl commented Sep 14, 2017

Hi Fraenki,
your answer is really appreciated.
When are we expecting this release?
After I've created those settings, do I have to disable the NAT I already have, and port forwarding as well?
When I try to create a frontend it's not accepting the IP of the host and errors out:
Please provide a valid listen address, i.e. 127.0.0.1:8080 or www.example.com:443. Port range as start-end, i.e. 127.0.0.1:1220-1240.
Am I supposed to use 127.0.0.1:443 or 10.10.10.10:443?
After I have configured everything, haproxy seems not to start.

log
File /var/log/haproxy.log yielded no results.

File /var/log/haproxy.log doesn't exist.

@fraenki
Member

fraenki commented Sep 14, 2017

> when are we expecting this release ?

No ETA, sorry. (The new release will make things a little less confusing, but it would not solve your configuration error.)

> after I've created those settings, do I have to disable the NAT I already have and port forwarding as well?

If I understand you correctly, your previous configuration was a NAT Port Forward to forward HTTPS traffic from OPNsense to your internal servers.

If you want to use HAProxy instead, you need to disable these NAT Port Forward rules, yes. Otherwise HAProxy would never receive the traffic.

> when I try to create a frontend its not accepting the ip of the host and error out .
> Please provide a valid listen address, i.e. 127.0.0.1:8080 or www.example.com:443.
> am I supposed to use 127.0.0.1:443 or 10.10.10.10:443?

You need to use an IP address that is locally configured on OPNsense, otherwise HAProxy fails to start. Most likely you want to use the same IP address that you were using as "source address" in your NAT rule.

@Julien-nl
Author

> when I try to create a frontend its not accepting the ip of the host and error out .
> Please provide a valid listen address, i.e. 127.0.0.1:8080 or www.example.com:443.
> am I supposed to use 127.0.0.1:443 or 10.10.10.10:443?
> You need to use an IP address that is locally configured on OPNsense, otherwise HAProxy fails to start. Most likely you want to use the same IP address that you were using as "source address" in your NAT rule.

I am not sure I can follow you here.
So after configuring HAProxy, no NAT or port forwarding is needed?

What do you mean by "use an IP locally configured on OPNsense"?
If the OPNsense IP is 10.10.10.1
Server 1 10.10.10.10
Server 2 10.10.10.20

which IP do I need to use?

Thank you

@fraenki
Member

fraenki commented Sep 17, 2017

> when I try to create a frontend its not accepting the ip of the host and error out .
> Please provide a valid listen address, i.e. 127.0.0.1:8080 or www.example.com:443.

You need to hit the TAB key after entering the IP:PORT information. (opnsense/core#1689)

> so after configuring the HAPROXY not NAT or port forwarding are needed?

It does not make sense to me to keep using a port forward.

> what do you mean use IP locally configure on OPNsense?
> if the OPNsense IP is 10.10.10.1
> which IP need to use ?

I can't answer this question without knowing your setup.
Like I said, use the same IP address that was configured in your NAT port forward.

I'm guessing that the services that you have mentioned ("dns1.domain.com" and "dns2.domain.com") currently point to an official IP address that is configured on OPNsense (WAN interface?). If this is the case, use this WAN IP address as listen address for your HAProxy frontend.

@fichtner fichtner changed the title HAProxy: help with ACL/Action configuration net/haproxy: help with ACL/Action configuration Sep 21, 2017
@Julien-nl
Author

Julien-nl commented Sep 21, 2017

Thank you for your answers fraenki.
I have followed your steps; unfortunately the service does not want to start.
I have disabled the NAT/port forwarding that were used in the firewall rules, and I have used the WAN IP on the frontend (WANIP:443) and pressed TAB; unfortunately the server is not starting up.
I have shared all the configuration in a screenshot with you in order to understand the setup.
I hope you can help me get this up.
The 1.2.3.4:445 is not the real IP; I had to change it for security purposes.

the log

File /var/log/haproxy.log yielded no results.

Sep 21 12:17:23 | configd.py: [988917de-a6bd-4315-b643-48b3fed9081e] requesting haproxy status
Sep 21 12:17:20 | configd.py: [28a5dea4-ac1a-4a6f-b64c-2af16b003213] returned exit status 1
Sep 21 12:17:20 | root: /usr/local/etc/rc.d/haproxy: WARNING: failed precmd routine for haproxy
Sep 21 12:17:20 | configd.py: [28a5dea4-ac1a-4a6f-b64c-2af16b003213] starting haproxy
Sep 21 12:17:19 | configd.py: generate template container OPNsense/HAProxy
Sep 21 12:17:18 | configd.py: [263a1bd7-8d9c-4c07-9443-d8fabc05d1ec] generate template OPNsense/HAProxy
Sep 21 12:17:18 | configd.py: [5e365799-e883-4f2c-a569-a00190dda148] requesting haproxy status
Sep 21 12:17:16 | configd.py: [81dfef19-9d59-4097-9048-8d64d294f150] requesting haproxy status
Sep 21 12:16:46 | configd.py: [c78696aa-8a52-4e22-9f18-97d5208d6fdf] requesting haproxy status
Sep 21 12:16:42 | configd.py: generate template container OPNsense/HAProxy
Sep 21 12:16:42 | configd.py: [41b79d75-480f-4350-9c5e-2fa8f1300506] generate template OPNsense/HAProxy
Sep 21 12:16:42 | configd.py: [af28ead2-defe-4cf4-8ac8-e84332f62c05] requesting haproxy status
Sep 21 11:52:38 | configd.py: [5bc0c0a2-587d-44e0-a145-903c84f37764] requesting haproxy status


@fraenki
Member

fraenki commented Sep 21, 2017

> I have followed your steps unfortunately the service does not wanna start.

You haven't posted any error message. Please use the Test syntax button in our HAProxy GUI and post the output here. The error may also be available from Services -> HAProxy -> Log File.

@Julien-nl
Author

Thank you Fraenki,
unfortunately on Services >> HAProxy >> Log there is nothing there.
See screenshots.
Thank you for your continued support.

@fraenki
Member

fraenki commented Sep 25, 2017

Please use the Test syntax button that can be found in Services -> HAProxy -> Settings -> Tab: Frontends and post the output here.

@Julien-nl
Author

Julien-nl commented Sep 27, 2017

Thank you fraenki for your continued support.
Attached is a screenshot of the test syntax.
Actually I've tested all the options (backend, servers, actions); all come back with no error.

@fraenki
Member

fraenki commented Oct 5, 2017

> actually I've test all the options backend, servers, actions all comes back with no error.

That's really odd. Please try from the OPNsense console (choose option 12 from the console menu or connect through SSH):

root@opnsense: # service haproxy restart

And paste the output here.

@Julien-nl
Author

Julien-nl commented Oct 7, 2017

Thank you for your continued support fraenki,
today I have updated to the latest build 17.7.5.
The output is here:

haproxy not running? (check /var/run/haproxy.pid).
[ALERT] 279/034444 (92299) : config : frontend 'Exchange' : unable to find server 'EX02' referenced in a 'use-server' rule.
[ALERT] 279/034444 (92299) : config : frontend 'Filter' : unable to find server 'FILTER' referenced in a 'use-server' rule.
[ALERT] 279/034444 (92299) : Fatal errors found in configuration.
/usr/local/etc/rc.d/haproxy: WARNING: failed precmd routine for haproxy

In the meanwhile I have the NAT on while turning the service on. Do I have to turn the NAT off first? Or does having the NAT on not affect the service starting?
I've checked: the server EX02 exists, and so does the filter with their IP.

thank you

@Julien-nl
Author

Dear fraenki,
do you have an update for the above issue? It has become critical to have those 443 ports.
We don't want to go back to pfSense, and hope you can help getting this fixed.
Thank you

@fraenki
Member

fraenki commented Oct 29, 2017

> [ALERT] 279/034444 (92299) : config : frontend 'Exchange' : unable to find server 'EX02' referenced in a 'use-server' rule.
> [ALERT] 279/034444 (92299) : config : frontend 'Filter' : unable to find server 'FILTER' referenced in a 'use-server' rule.

HAProxy clearly states that there is an error in a rule. Please check the "Actions" in the GUI, they seem to be invalid/incomplete.

> i have to turn the NAT first off? or having the NAT on doesn't affect the service to start ?

NAT does not affect service start/restart.

FWIW, we will release HAProxy plugin version 2.0 within the next two weeks (#330). It provides a new GUI and I hope it helps you to find the error in your configuration.
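As an added illustration (not code from this thread or from the OPNsense plugin) of what the Server/ACL/Action steps earlier in the thread produce and of the "unable to find server ... referenced in a 'use-server' rule" alert quoted above: a small Python checker that walks HAProxy proxy sections and reports use-server rules whose server or ACL is not defined in that section. The sample config is constructed; the mapping of the GUI's "Host starts with" to hdr_beg(host), the listen-section layout and the 192.0.2.x addresses are assumptions.

```python
# Constructed sample (not from the thread): the GUI items fraenki describes,
# rendered as HAProxy directives. 'Exchange' deliberately names a server and
# an ACL that were never defined, the shape of the page's "unable to find
# server 'EX02' referenced in a 'use-server' rule" alert.
SAMPLE_CFG = """listen Web
    bind 192.0.2.1:443
    acl check_host_dns1 hdr_beg(host) -i dns1.domain.com
    acl check_host_dns2 hdr_beg(host) -i dns2.domain.com
    use-server server1 if check_host_dns1
    use-server server2 if check_host_dns2
    server server1 10.10.10.10:80
    server server2 10.10.10.11:80
listen Exchange
    bind 192.0.2.1:445
    acl check_host_ex hdr_beg(host) -i mail.domain.com
    use-server EX02 if check_host_ex
    use-server EX01 if !check_host_missing
    server EX01 10.10.10.20:443
"""

OPERATORS = {"if", "unless", "||", "or"}   # condition tokens that are not ACL names

def check_use_server_rules(cfg):
    """Return one message per use-server rule naming an undefined server or ACL."""
    servers, acls, rules, section = {}, {}, [], None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()     # drop comments and blank lines
        if not words:
            continue
        if words[0] in ("frontend", "backend", "listen") and len(words) > 1:
            section = words[1]                    # proxy sections scope server/acl names
            servers.setdefault(section, set()); acls.setdefault(section, set())
        elif section is None or len(words) < 2:
            continue
        elif words[0] == "server":
            servers[section].add(words[1])
        elif words[0] == "acl":
            acls[section].add(words[1])
        elif words[0] == "use-server":
            rules.append((section, words[1], words[2:]))   # (section, server, condition)
    problems = []
    for sec, srv, cond in rules:
        if srv not in servers[sec]:
            problems.append(f"{sec}: unable to find server '{srv}' referenced in a 'use-server' rule")
        for name in (tok.lstrip("!") for tok in cond):    # '!' negates a named ACL
            if name not in OPERATORS and name not in acls[sec]:
                problems.append(f"{sec}: use-server '{srv}' references undefined ACL '{name}'")
    return problems
```

Running the checker on the generated /usr/local/etc/haproxy.conf before a restart surfaces the dangling Action reference that the GUI's per-item syntax test did not catch in this thread.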

@fraenki
Member

fraenki commented Nov 5, 2017

I'm closing this issue, because I think it's a misconfiguration and not a bug.
Please post again on our forums and include the following information:

  • a copy of your config.xml (System -> Configuration -> Backups)
  • a copy of your /usr/local/etc/haproxy.conf
  • relevant entries from Services -> HAProxy -> Log File
  • relevant entries from System -> Log File

Please add a link to your forum thread here. Thanks!
