pfsense-haproxy-package-doc's Issues
Upgrade to 0.63_1 caused 502 Bad gateway
Netgate 6100 on 23.05.1-RELEASE
WAN frontend serving multiple backends, worked perfectly before the upgrade.
The haproxy logs are giving me this:
PBS_ipvANY/pbs 0/0/3/5/8 200 953 - - ---- 16/7/1/1/0 0/0 "POST //api2/json/access/ticket HTTP/1.1" - initial
PBS_ipvANY/pbs 0/0/0/-1/2 502 360 - - PH-- 16/7/1/1/0 0/0 "GET //api2/json/reader?backup-id=105&backup-time=1691789400&backup-type=vm&debug=true&store=internalnvme HTTP/1.1"
Before the upgrade it looked like this:
PBS_ipvANY/pbs 0/0/2/6/8 200 958 - - ---- 17/6/0/0/0 0/0 "POST //api2/json/access/ticket HTTP/1.1"
PBS_ipvANY/pbs 0/0/0/1/90898 101 2041921071 - - ---- 25/10/0/0/0 0/0 "GET //api2/json/reader?backup-id=105&backup-time=1691357412&backup-type=vm&debug=true&store=internalnvme HTTP/1.1"
The backend is reporting the following:
TASK ERROR: connection error: connection closed before reading preface
Have restarted HAProxy and have enabled the "close all connections upon restart" option.
I am able to reach the backend, but for some reason the GET fails with 502 (this is a SYNC job that has been running for months without issues). I am not able to determine whether it is the backend that shuts this down or HAProxy.
Backend is very simple, uses port 8007 with no SSL checks - this has not been changed.
Hope you can help.
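One thing worth doing with log lines like the ones above is to decode the four-character termination state (the `----` and `PH--` fields) rather than read only the status code, since that field records which side ended the session and in which phase. The following is an added example, not code from the issue or from the pfSense package: a small parser for the backend/server tail of an HAProxy httplog line that decodes the termination state using the meanings from HAProxy's log documentation and counts 5xx responses ended by the proxy or server per backend/server. The sample lines are constructed to mirror the report's fields; a full httplog line also carries client address, accept date and frontend name in front, which the parser tolerates because it searches for the backend/server field instead of anchoring at the start of the line.

```python
"""Triage HAProxy httplog lines: decode the termination state and count
server-side failures per backend/server.

Added example, not code from the issue or from the pfSense package.
"""
import re
from collections import Counter
from typing import Optional

# First character of the termination state: session state at disconnection.
SESSION_STATE = {
    "C": "client aborted the TCP session",
    "S": "server aborted or refused the TCP session",
    "P": "proxy aborted the session (limit, deny rule, or invalid/unsafe server response)",
    "L": "handled locally by HAProxy (stats, redirect, ...)",
    "R": "proxy resource exhausted",
    "I": "internal HAProxy error",
    "D": "killed because the server was detected DOWN",
    "U": "killed on a backup server because an active server came UP",
    "K": "killed by an admin on the stats socket",
    "c": "client-side timeout",
    "s": "server-side timeout",
    "-": "normal completion",
}

# Second character: the phase the session was in when it ended.
SESSION_PHASE = {
    "R": "waiting for a complete request from the client",
    "Q": "queued, waiting for a server connection slot",
    "C": "connecting to the server",
    "H": "waiting for complete, valid response headers from the server",
    "D": "data transfer phase",
    "L": "sending last data to the client after the server finished",
    "T": "request tarpitted",
    "-": "normal completion after data transfer",
}

# Matches from backend_name/server_name to the quoted request line.
# The five timers are TR/Tw/Tc/Tr/Ta in 2.x (Tq/Tw/Tc/Tr/Tt in 1.x);
# index 3 (Tr) is -1 when no complete response headers were received.
LOG_RE = re.compile(
    r'(?P<backend>\S+)/(?P<server>\S+)\s+'
    r'(?P<timers>-?\d+/-?\d+/-?\d+/-?\d+/-?\d+)\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+)\s+\S+\s+\S+\s+'
    r'(?P<term>[A-Za-z-]{4})\s+\S+\s+\S+\s+"(?P<request>[^"]*)"'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one httplog line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["timers"] = [int(x) for x in d["timers"].split("/")]
    d["status"] = int(d["status"])
    d["bytes"] = int(d["bytes"])
    d["state"] = SESSION_STATE.get(d["term"][0], "unknown")
    d["phase"] = SESSION_PHASE.get(d["term"][1], "unknown")
    return d


def server_failures(lines) -> Counter:
    """Count 5xx responses whose session was ended by the proxy or the server
    (or a server-side timeout), keyed by backend/server."""
    counts = Counter()
    for line in lines:
        d = parse_line(line)
        if d and d["status"] >= 500 and d["term"][0] in "PSs":
            counts[f'{d["backend"]}/{d["server"]}'] += 1
    return counts


# Constructed sample lines modelled on the report; not real traffic.
SAMPLE = [
    'PBS_ipvANY/pbs 0/0/3/5/8 200 953 - - ---- 16/7/1/1/0 0/0 "POST //api2/json/access/ticket HTTP/1.1"',
    'PBS_ipvANY/pbs 0/0/0/-1/2 502 360 - - PH-- 16/7/1/1/0 0/0 "GET //api2/json/reader?backup-id=105 HTTP/1.1"',
    'PBS_ipvANY/pbs 0/0/0/1/90898 101 2041921071 - - ---- 25/10/0/0/0 0/0 "GET //api2/json/reader?backup-id=105 HTTP/1.1"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        d = parse_line(line)
        print(d["status"], d["term"], "->", d["state"], "/", d["phase"])
    print(server_failures(SAMPLE))
```

Run against a real log, the counter separates "the server answered with an error" from "HAProxy rejected what the server sent", which is the distinction the report is trying to make.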
HAproxy multi-wan
Hey, @PiBa-NL
I hope everyone is okay!
I have a multi-WAN HAProxy environment, with different incoming SIP traffic, responding on two frontends on ports 80 and 443, in which traffic is successfully directed to all backends.
But my problem starts now, at the moment when I need to add a third frontend, a new ISP for HAProxy, and direct traffic from a backend to this new WAN IP.
Here I can explain in more detail the steps taken in the settings:
- Performed the configuration of the new WAN-IP interface, using the settings provided by my provider
- I made a new backend with the new WAN-IP interface
Finally, I published the new WAN IP address in the external DNS, but the web server is not accessible.
With kind regards!
Outlook for macOS can't connect to on prem Exchange 2016 after update
I just updated pfSense Plus to 23.01, and now Outlook for macOS can't connect to the Exchange 2016 server.
Everything was working before the update, and the setup has been working for the past couple of years.
Outlook for Windows clients work, but Outlook for macOS doesn't.
macOS Monterey 12.6 on Apple M1 Pro 16".
Outlook for Mac Version 16.71.2
Things I've noticed:
- The Mac Mail app works
- Can't connect to OWA with any browser except for Safari.
- Disconnecting from the network and hot-spotting the Mac to the user's iPhone, it connects fine. OWA and Outlook both connect.
It appears something in the HAProxy update has broken the connection. Rolling back to the previous version via boot environments and everything works as it should again.
Consider using send-proxy and accept-proxy in SNI + offloading docs.
When following the docs here I had a bit of trouble getting original client IPs into the X-Forwarded-For header when doing SSL offloading. I always ended up with X-Forwarded-For: 127.0.0.1.
The PROXY protocol seems to be a good fit for the configuration. Using your docs as an example:
On the backend named frontend3-offloading, use:
Per server pass thru: send-proxy
On the frontend named Frontend3-offloading, use:
Bind pass thru: accept-proxy
Here's another doc I found useful.
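What `send-proxy` and `accept-proxy` exchange on the wire is the PROXY protocol header, a single text line prepended to the TCP stream before any TLS bytes. The block below is an added example, not code from the documentation or from HAProxy: it builds the version 1 header a sending hop emits for a connection and validates it the way a strict receiving listener should (signature, address family, port range, the 107-byte limit). The addresses and ports in the usage section are constructed.

```python
"""PROXY protocol v1: what `send-proxy` emits and what `accept-proxy` parses.

Added example, not code from the documentation or from HAProxy.
"""
import ipaddress

MAX_V1_LEN = 107  # longest valid v1 header including CRLF (TCP6 worst case)


def build_v1(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Return the v1 header a `send-proxy` hop would prepend for this connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination address families differ")
    for p in (sport, dport):
        if not 0 <= p <= 65535:
            raise ValueError(f"bad port {p}")
    fam = "TCP4" if s.version == 4 else "TCP6"
    return f"PROXY {fam} {s} {d} {sport} {dport}\r\n".encode("ascii")


def parse_v1(data: bytes) -> dict:
    """Parse and validate a v1 header at the start of `data`.

    Returns the original connection tuple plus `rest`, the application bytes
    that follow the header (for an offloading listener, the TLS ClientHello).
    Raises ValueError on anything malformed, which is the point: an
    `accept-proxy` listener drops such connections instead of guessing.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a v1 header")
    fields = data[:end].split(b" ")
    if fields[0] != b"PROXY":
        raise ValueError("missing PROXY signature")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == b"UNKNOWN":
        # Sender could not determine the original tuple; nothing here may be
        # used as the client address.
        return {"proto": "UNKNOWN", "rest": rest}
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("malformed v1 header")
    proto = fields[1].decode("ascii")
    src = ipaddress.ip_address(fields[2].decode("ascii"))
    dst = ipaddress.ip_address(fields[3].decode("ascii"))
    want = 4 if proto == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("ports must be decimal")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"proto": proto, "src": str(src), "dst": str(dst),
            "sport": sport, "dport": dport, "rest": rest}


if __name__ == "__main__":
    # Constructed example: a passthrough frontend hands a client connection to
    # the offloading listener and prepends the client's real address.
    hdr = build_v1("203.0.113.7", "10.0.0.5", 51234, 443)
    print(hdr)
    print(parse_v1(hdr + b"\x16\x03\x01"))  # TLS record header follows
```

The security caveat that goes with this: a listener with `accept-proxy` believes whatever address the header claims, so it must only be reachable from the `send-proxy` hop (a loopback or otherwise firewalled bind). Anything else that can reach it can write its own header and show up in X-Forwarded-For as any client it likes.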
Bug in Widget
We do experience this bug when we use the HAProxy widget
HAProxy package version: 0.61_9
pfSense: 23.01-RELEASE
Crash report begins. Anonymous machine information:
amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #0 plus-RELENG_23_01-n256037-6e914874a5e: Fri Feb 10 20:30:29 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/obj/amd64/VDZvZksF/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBS
Crash report details:
PHP Errors:
[30-Mar-2023 12:02:11 Europe/Berlin] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string / int in /etc/inc/util.inc:2126
Stack trace:
#0 /usr/local/www/widgets/widgets/haproxy.widget.php(218): format_bytes('<NEVER>')
#1 /usr/local/www/index.php(430): include('/usr/local/www/...')
#2 {main}
thrown in /etc/inc/util.inc on line 2126
[30-Mar-2023 12:02:29 Europe/Berlin] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string / int in /etc/inc/util.inc:2126
Stack trace:
#0 /usr/local/www/widgets/widgets/haproxy.widget.php(218): format_bytes('<NEVER>')
#1 /usr/local/www/index.php(430): include('/usr/local/www/...')
#2 {main}
thrown in /etc/inc/util.inc on line 2126
No FreeBSD crash data found.
Upgrading to 0.63_3 causing 503 Server not Available
I recently upgraded my pfSense and HAProxy on it. After upgrading to the latest HAProxy version, whenever I try to reach my servers, I get a 503 Server Unavailable. I have not changed anything on the configuration side or the server side. I tried to reinstall HAProxy, recreate the frontend and backend in HAProxy, and reissue the ACME certificate, and have had no luck. I am not sure what is causing the 503 error.
CVEs update
https://www.kb.cert.org/vuls/id/605641/
And https://www.cvedetails.com/vulnerability-list/vendor_id-11969/product_id-22372/year-2019/Haproxy-Haproxy.html
Is there any info when haproxy devel package will be updated on pfSense stable?
Use UNLESS condition instead of default IF
For reverse-proxying the OnlyOffice Docker image I need to add some custom ACLs and conditions on the backend. I use the following example: https://github.com/ONLYOFFICE/document-server-proxy/blob/master/haproxy/proxy-https-to-http.cfg based on these patterns: https://helpcenter.onlyoffice.com/installation/docs-community-proxy.aspx
I am able to configure everything via the GUI; however, I have no option to change the default IF condition to an UNLESS statement as described for OnlyOffice. Isn't there any option, or am I missing something?
In the haproxy.cfg file the GUI configuration results in the following:
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] if existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https if existing-x-forwarded-proto
What OnlyOffice describes, but which I am unable to configure:
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
Health check method Agent not configurable
I cannot configure the Agent health check method in the backend. Whenever I apply the config I get this error:
[ALERT] 008/215924 (49440) : parsing [/var/etc/haproxy_test/haproxy.cfg:330] : unknown option 'lb-agent-chk'.
Moreover, the Agent port field is changed during the saving process and gets the same value as the backend Name field.
Haproxy on second node lost connection and all properties
Hello!
I use pfSense Community Edition v. 2.3.2-RELEASE-p1 and the haproxy-devel package.
I set up a 2-node cluster with XMLRPC to sync the HAProxy config.
Everything works, but after creating some new backends and setting them up in a frontend on the main node, syncing with the second node is lost, all settings on the second node disappear, and HAProxy on it stops working.
After some dancing with a tambourine on the second node (i.e. reinstalling the haproxy-devel package) HAProxy starts working, but if I make some changes on the main node HAProxy stops working again.
Why?
Port range in frontend
Hello,
I can't figure out how to configure a port range in HAProxy.
Version:
Pfsense 2.4.5
haproxy 1.8.25
package 0.60_6
When I try to set a port range instead of one port on the frontend, I get this error message:
The external address field 'Port' value '30000-40000' is not a number or alias thereof.
I also tried the syntax 30000:40000.
I can set nothing, so I guess it will take all ports, but that's bad. It looks like using a port range has been possible for a long time in HAProxy.
This is to set up an FTP service with nodes.
Thanks in advance for your help.
HAProxy 0.59_4 is broken
Hi, I don't see any other way of reaching you other than through here. Please have a read through the post I created this morning on this subject on the pfSense forums.
https://forum.netgate.com/topic/133234/haproxy-0-59_4-is-broken
I would like to see a fix for this. Others on Reddit have confirmed it's broken.
https://www.reddit.com/r/PFSENSE/comments/92it0e/haproxy_setup_issue/
Thanks!
Performance issues on official Netgate hardware
I have an XG7100U and I enabled a backend pointing to apache2 on an Ubuntu 20.04 machine. If I NAT directly to the machine using a pfSense NAT rule I can download from an external server at around 40 MB/s, so far so good.
If I enable a backend like this:
backend srv-frs_ipvANY
    mode http
    id 126
    log global
    # use mailers
    # level err
    email-alert mailers globalmailers
    email-alert level err
    email-alert from [email protected]
    email-alert to [email protected]
    email-alert myhostname xxx.com
    http-response set-header Strict-Transport-Security max-age=31536000;
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server srv-frs 10.192.3.54:80 id 127 check inter 10000 resolvers globalresolvers
and a frontend like this:
global
    maxconn 10000
    log /var/run/log local0 info
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbproc 4
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state
    ssl-engine cryptodev
    tune.ssl.cachesize 1000000
cache webcache
    total-max-size 256
    max-age 1800s
frontend http-88-test
    bind 94.103.xx.yy:80 name 94.103.xx.yy:80
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    default_backend srv-frs_ipvANY
and I put HAProxy in between, I get external speeds of 1 MB/s. Any clues as to what might be wrong? Bear in mind these are almost all default settings, and the non-defaults aren't used in the frontend or backend config.
Best wishes,
Sean
Backend Gui Problem
Hello, I am not able to rewrite the backend rules. As soon as I want to add/update new rules, the wizard jumps to another rule I don't want to update. Interestingly, without recognizing the error, hitting "save" and "apply HAProxy config" crashes the rules. So how can this be elaborated and mitigated?
haproxy.cfg:72]: 'option httpchk' : hiding headers or body at the end of the version string is deprecated. Please, consider to use 'http-check send' directive instead.
pfSense version:
2.5.1-RELEASE (amd64)
built on Mon Apr 12 07:50:14 EDT 2021
FreeBSD 12.2-STABLE
HAProxy version:
haproxy-devel 0.62_3
Issue/bug
'option httpchk' : hiding headers or body at the end of the version string is deprecated. Please, consider to use 'http-check send' directive instead.
Additional information
'Services' menu -> menu item 'HAProxy' -> tab 'Backend' -> (config of specific backend) -> section 'Health checking' -> HTTP check method and the subsequent related options are not available within the GUI, whereas the installed version (2.2.6-3709bd4) supports it.
Related bugtracker pfSense team:
https://redmine.pfsense.org/issues/11491
https://redmine.pfsense.org/issues/10739
Haproxy get 503 on https
Hello everyone!
I have a strange situation: I set up HAProxy as a frontend with 1 external IP address and multiple backend hosts, on 2 ports, 80 for HTTP and 443 for HTTPS.
All works fine, except one host: this host does not work on HTTPS, I get "503 Service Unavailable", NOSRV in the logs.
It works perfectly via HTTP, and this backend host has GREEN status in STATS FS.
But it doesn't work on HTTPS....
Why?
HAproxy keeps crashing
Hello
I upgraded to 2.7.0 on my Netgate SG-2220 and after that HAProxy started to crash.
I have updated to the latest version of haproxy-devel, 0.62_13; I'm using devel due to something I needed to set up Authelia, can't remember why.
I changed the log output to debug and still just get this in the log:
Jul 28 08:01:05 kernel pid 90994 (haproxy), jid 0, uid 80: exited on signal 11
Jul 28 error output!: [info] 208/075233 (90637) : [acme] http-01 plugin v0.1.1
Jul 28 07:52:33 php-cgi 79672 haproxy: started new pid:90994
Any advice on how to troubleshoot this would be helpful.
I use HAproxy for SSL offloading for all my internal services.
My config https://gist.github.com/varazir/3f743a8c2f8d5bdfea2a605a58195f6a
TIA
Daniel
ssl/https vs tcp mode is not documented
After upgrade to pfSense 2.4 I get errors
Hi
After an upgrade to the newest pfSense, I get:
May 11 11:15:00 php-cgi rc.filter_configure_sync: PHP ERROR: Type: 1, File: /usr/local/pkg/haproxy/haproxy.inc, Line: 436, Message: Cannot redeclare haproxy_version() (previously declared in /usr/local/pkg/haproxy.inc:427)
May 11 11:14:59 kernel arp: 192.168.0.115 moved from 44:6d:57:34:6e:bf to e8:40:f2:d3:1b:83 on em1
May 11 11:00:01 php-cgi rc.filter_configure_sync: PHP ERROR: Type: 1, File: /usr/local/pkg/haproxy/haproxy.inc, Line: 436, Message: Cannot redeclare haproxy_version() (previously declared in /usr/local/pkg/haproxy.inc:427)
May 11 10:58:35 php-cgi config.inc: PHP ERROR: Type: 1, File: /usr/local/pkg/haproxy_utils.inc, Line: 164, Message: Call to undefined function get_configured_carp_interface_list()
Widget: Allow for 'Read-Only' functionality
I want users to be able to view the dashboard but not be able to make any changes to the system. I am using the haproxy widget, but read-only users can click the 'stop' button to disable the backends (outlined in red in the screenshot).
Details:
HAProxy version: 0.48 (pfSense package) (haproxy version 1.6.4)
pfSense version: 2.3.1-RELEASE-p5
The 'read-only' users are in a single group with the following permissions:
User - Config: Deny Config Write
WebCfg - Dashboard (all)
Would it be possible to hide / disable the stop buttons unless the user has this permission:
WebCfg - Services: HAProxy package
Please let me know if there is a more appropriate place to submit this issue. Thanks for all your work on the haproxy pfSense package - it's awesome!
manage Haproxy remotely. API? ssh+cli?
Hello guys,
Is there a way to add backends and adjust frontends remotely? Maybe there is some API or CLI available that will work and allow us to adjust the HAProxy config file without ROOT/ADMIN privileges?
Please help
Oleksandr
SSLOffloading options disappeared
There are no longer any SSL offloading options in frontends as of 0.61_10.
When checking the SSL Offload checkbox on a frontend, it automatically gets assigned the first cert in pfSense's cert manager, regardless of what that cert is (mine got assigned a client VPN cert... a.k.a. NOT a "server" cert).
I tried uninstalling, rebooting, and reinstalling the package and the same behavior persists.
This was on pfSense 2.6.0 and 2.7.0.
After configuring HAProxy to use cipher excluding RC4 its still appears
While trying to secure HAProxy to use the most secure ciphers and protocols, I have disabled SSL3, TLS 1.0 and 1.1 and left only 1.2 enabled.
When running a test on ssllabs.com it shows that HAProxy accepts the RC4 cipher with old protocols only.
Thank you
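The two settings that a scanner like the one mentioned above exercises are separate in HAProxy: the protocol floor on the `bind` line (`ssl-min-ver TLSv1.2` on 1.8+, or the older `no-sslv3 no-tlsv10 no-tlsv11` flags, either inline or via `ssl-default-bind-options` in `global`) and the cipher list (`ciphers` on the bind, or `ssl-default-bind-ciphers`). Disabling one does not touch the other, and a cipher list built from OpenSSL group keywords such as `ALL` or `DEFAULT` can still select RC4 suites on the OpenSSL builds that ship them. The block below is an added example, not code from the documentation or from the pfSense package: a constructed weak bind line beside a hardened one, and a small checker that reports both problems the way a reviewer would want them reported before the external scan. The config text, paths and names are constructed; the RC4 test is a heuristic over cipher-string keywords, not an OpenSSL expansion.

```python
"""Check HAProxy `bind ... ssl` lines for a low protocol floor and RC4.

Added example, not code from the documentation or the pfSense package.
"""
import shlex

LEGACY_FLAGS = {"no-sslv3", "no-tlsv10", "no-tlsv11"}
# OpenSSL cipher-string keywords that can expand to RC4 suites depending on
# the OpenSSL build; treated as unsafe unless RC4 is explicitly killed.
RISKY_KEYWORDS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "MEDIUM", "RC4"}


def cipher_list_admits_rc4(ciphers: str) -> bool:
    """Heuristic: True if the OpenSSL cipher string may select an RC4 suite."""
    elems = [e.upper() for e in ciphers.split(":") if e]
    if "!RC4" in elems:
        return False  # '!' removes RC4 for good, later elements cannot re-add it
    for e in elems:
        name = e.lstrip("!+-")
        if name in RISKY_KEYWORDS or "RC4" in name.split("-"):
            return True
    return False


def check_bind(line: str) -> list:
    """Return findings for one `bind` line; an empty list means it passes."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "bind" or "ssl" not in toks:
        return []  # not a TLS listener
    # Map each option to the token after it; a later repeat overrides.
    opts = {toks[i]: toks[i + 1] for i in range(1, len(toks) - 1)}
    findings = []
    if opts.get("ssl-min-ver") not in ("TLSv1.2", "TLSv1.3"):
        missing = LEGACY_FLAGS - set(toks)
        if missing:
            findings.append("protocol floor below TLS 1.2: missing " + " ".join(sorted(missing)))
    ciphers = opts.get("ciphers")
    if ciphers is None:
        findings.append("no cipher list: inherits ssl-default-bind-ciphers or the OpenSSL default")
    elif cipher_list_admits_rc4(ciphers):
        findings.append(f"cipher list may admit RC4: {ciphers}")
    return findings


def lint_config(cfg: str) -> dict:
    """Run check_bind over every bind in a config, folding the global
    ssl-default-bind-options / ssl-default-bind-ciphers in as defaults that
    explicit per-bind settings override. Returns {bind line: findings}."""
    defaults = []
    for raw in cfg.splitlines():
        t = raw.split()
        if t and t[0] == "ssl-default-bind-options":
            defaults += t[1:]
        elif len(t) >= 2 and t[0] == "ssl-default-bind-ciphers":
            defaults += ["ciphers", t[1]]
    findings = {}
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("bind "):
            merged = "bind " + " ".join(defaults) + " " + s[len("bind "):]
            result = check_bind(merged)
            if result:
                findings[s] = result
    return findings


# Constructed configs (not from the report): the weak form and the hardened form.
WEAK_CFG = """
frontend https-in
    bind 0.0.0.0:443 name https ssl crt /var/etc/haproxy/site.pem ciphers ALL:!aNULL
"""

HARDENED_CFG = """
global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
frontend https-in
    bind 0.0.0.0:443 name https ssl crt /var/etc/haproxy/site.pem ssl-min-ver TLSv1.2
"""

if __name__ == "__main__":
    print("weak:", lint_config(WEAK_CFG))
    print("hardened:", lint_config(HARDENED_CFG))
```

Point it at the generated `/var/etc/haproxy/haproxy.cfg` rather than at the GUI fields: what HAProxy actually loads is the file, and the global defaults in it apply to every bind that does not override them.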