pfsense-haproxy-package-doc's People

Contributors

piba-nl

pfsense-haproxy-package-doc's Issues

Upgrade to 0.63_1 caused 502 Bad gateway

Netgate 6100 on 23.05.1-RELEASE
WAN frontend serving multiple backends, worked perfectly before the upgrade.
The haproxy logs are giving me this:
PBS_ipvANY/pbs 0/0/3/5/8 200 953 - - ---- 16/7/1/1/0 0/0 "POST //api2/json/access/ticket HTTP/1.1" - initial
PBS_ipvANY/pbs 0/0/0/-1/2 502 360 - - PH-- 16/7/1/1/0 0/0 "GET //api2/json/reader?backup-id=105&backup-time=1691789400&backup-type=vm&debug=true&store=internalnvme HTTP/1.1"

Before the upgrade it looked like this:

PBS_ipvANY/pbs 0/0/2/6/8 200 958 - - ---- 17/6/0/0/0 0/0 "POST //api2/json/access/ticket HTTP/1.1"
PBS_ipvANY/pbs 0/0/0/1/90898 101 2041921071 - - ---- 25/10/0/0/0 0/0 "GET //api2/json/reader?backup-id=105&backup-time=1691357412&backup-type=vm&debug=true&store=internalnvme HTTP/1.1"

The backend is reporting the following:
TASK ERROR: connection error: connection closed before reading preface

Have restarted HA proxy and have enabled the close all connections upon restart.

I am able to reach the backend, but for some reason the GET fails with 502 (this is a SYNC job that has been running for months without issues). I am not able to determine if it is the backend that shuts this down or haproxy.

Backend is very simple, uses port 8007 with no SSL checks - this has not been changed.

Hope you can help.
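
Added example (not part of the report above or of the package): a small Python parser for the HAProxy HTTP log fields in the lines quoted in this report. It turns the termination state (PH--) and the -1 response timer into readable findings; the state tables are a subset of those in the HAProxy documentation.

```python
import re

# HAProxy HTTP log fields, in the order they appear in the lines quoted above.
LINE = re.compile(
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>[-+\d]+(?:/[-+\d]+){4}) '      # TR/Tw/Tc/Tr/Ta in ms, -1 = phase never completed
    r'(?P<status>\d{3}|-1) (?P<bytes>\+?\d+) \S+ \S+ '
    r'(?P<term>[A-Za-z-]{4}) '                  # termination state
    r'(?P<conns>\d+(?:/\d+){4}) (?P<queues>\d+/\d+) '
    r'"(?P<request>[^"]*)"'
)

# First two termination-state characters (subset of the HAProxy documentation table).
WHO = {"C": "client closed the connection", "S": "server closed or refused",
       "P": "proxy aborted the session", "c": "client-side timeout",
       "s": "server-side timeout", "I": "internal proxy error"}
WHEN = {"R": "while waiting for the request", "Q": "while queued",
        "C": "while connecting to the server",
        "H": "while waiting for response headers", "D": "during data transfer"}

def triage(line):
    """Return parsed fields plus findings for one log line, or None if it does not match."""
    m = LINE.search(line)
    if m is None:
        return None
    term, tr = m["term"], int(m["timers"].split("/")[3])
    findings = []
    if term[:2] != "--":
        who = WHO.get(term[0], "state " + term[0])
        findings.append((who + " " + WHEN.get(term[1], "")).strip())
    if tr == -1:
        findings.append("no complete response headers were received from the server")
    return {"server": m["backend"] + "/" + m["server"], "status": int(m["status"]),
            "term": term, "tr_ms": tr, "findings": findings}

# The two post-upgrade lines from the report above, copied verbatim.
SAMPLES = [
    'PBS_ipvANY/pbs 0/0/3/5/8 200 953 - - ---- 16/7/1/1/0 0/0 "POST //api2/json/access/ticket HTTP/1.1" - initial',
    'PBS_ipvANY/pbs 0/0/0/-1/2 502 360 - - PH-- 16/7/1/1/0 0/0 "GET //api2/json/reader?backup-id=105&backup-time=1691789400&backup-type=vm&debug=true&store=internalnvme HTTP/1.1"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```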

HAproxy multi-wan

Hey, @PiBa-NL

I hope everyone is okay!

I have a multi-wan HAproxy environment, with different incoming SIP traffic, responding on two front ends on ports 80 and 443, in which traffic is successfully directed to all back ends.

But my problem starts now, at the moment when I need to add a third front-end, a new ISP for HAProxy, and direct traffic from a Backend to this new WAN-ip.

Here I can explain in more detail the steps taken in the settings:

  • Performed the configuration of the new wan-ip interface, using the settings provided by my provider:

  • I made a new backend with a new wan-ip interface

Finally, I published the new wan-ip address in the external DNS, but the web server is not accessible.

With kind regards!

Outlook for macOS can't connect to on prem Exchange 2016 after update

I just updated pfsense plus to 23.01, and now Outlook for macOS can't connect to the exchange 2016 server.
Everything was working before the update, and the setup has been working for the past couple of years.
Outlook for Windows clients work, but outlook for macOS doesn't.

MacOS Monterey 12.6 on Apple M1 Pro 16".
Outlook for Mac Version 16.71.2

Things I've noticed;
-The mac mail app works
-Can't connect to OWA with any browser except for safari.
-Disconnecting from the network and hot spotting the mac to the user's iPhone, and it connects fine. OWA and Outlook both connect.

It appears something in the HA Proxy update has broken the connection. Rolling back to the previous version via boot environments and everything works as it should again.

Consider using send-proxy and accept-proxy in SNI + offloading docs.

When following the docs here I had a bit of trouble getting original client IPs into the X-Forwarded-For header when doing SSL offloading. I always ended up with X-Forwarded-For: 127.0.0.1.

The PROXY protocol seems to be a good fit for the configuration. Using your docs as an example:

On the backend named frontend3-offloading, use:

Per server pass thru: send-proxy

On the frontend named Frontend3-offloading use:

Bind pass thru: accept-proxy

Here's another doc I found useful.
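
Added example (not part of the issue above or of the package docs): a Python model of both sides of the PROXY protocol v1 exchange that send-proxy and accept-proxy perform, showing how the original client address survives the loopback hop that otherwise yields X-Forwarded-For: 127.0.0.1. The addresses are constructed samples, and the TRUSTED_SENDERS allowlist is an assumption that models the usual precaution of exposing an accept-proxy bind only to the sending proxy, since any peer that can reach it can claim an arbitrary client address.

```python
import ipaddress

# Assumption: only the local SNI frontend (loopback) may prepend PROXY headers.
TRUSTED_SENDERS = {"127.0.0.1"}
MAX_V1_LEN = 107  # maximum v1 header length, CRLF included

def build_v1(src, dst, sport, dport):
    """Sender side: the line 'send-proxy' prepends to the forwarded TCP stream."""
    fam = "TCP6" if ipaddress.ip_address(src).version == 6 else "TCP4"
    return f"PROXY {fam} {src} {dst} {sport} {dport}\r\n".encode("ascii")

def client_ip(peer_ip, stream):
    """Receiver side: return (original client IP, remaining payload bytes)."""
    if peer_ip not in TRUSTED_SENDERS:
        raise PermissionError("PROXY header from untrusted peer " + peer_ip)
    head, sep, rest = stream.partition(b"\r\n")
    if not sep or len(head) + 2 > MAX_V1_LEN:
        raise ValueError("missing or oversized PROXY v1 header")
    parts = head.decode("ascii").split(" ")
    if parts[0] != "PROXY":
        raise ValueError("stream does not start with a PROXY header")
    if len(parts) >= 2 and parts[1] == "UNKNOWN":
        return peer_ip, rest          # sender had no address info; fall back to the peer
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    want = 4 if parts[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    for port in parts[4:]:
        if not (port.isdigit() and int(port) <= 65535):
            raise ValueError("bad port")
    return str(src), rest

if __name__ == "__main__":
    # Constructed sample: client 203.0.113.7 connects to the public bind 198.51.100.10:443.
    wire = build_v1("203.0.113.7", "198.51.100.10", 51234, 443) + b"\x16\x03\x01"
    print(wire)
    print(client_ip("127.0.0.1", wire))
```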

Bug in Widget

We do experience this bug when we use the HAProxy widget

HAProxy Extension Version: [0.61_9]
pfsense: 23.01-RELEASE

Crash report begins.  Anonymous machine information:

amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #0 plus-RELENG_23_01-n256037-6e914874a5e: Fri Feb 10 20:30:29 UTC 2023     root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/obj/amd64/VDZvZksF/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBS

Crash report details:

PHP Errors:
[30-Mar-2023 12:02:11 Europe/Berlin] PHP Fatal error:  Uncaught TypeError: Unsupported operand types: string / int in /etc/inc/util.inc:2126
Stack trace:
#0 /usr/local/www/widgets/widgets/haproxy.widget.php(218): format_bytes('<NEVER>')
#1 /usr/local/www/index.php(430): include('/usr/local/www/...')
#2 {main}
  thrown in /etc/inc/util.inc on line 2126
[30-Mar-2023 12:02:29 Europe/Berlin] PHP Fatal error:  Uncaught TypeError: Unsupported operand types: string / int in /etc/inc/util.inc:2126
Stack trace:
#0 /usr/local/www/widgets/widgets/haproxy.widget.php(218): format_bytes('<NEVER>')
#1 /usr/local/www/index.php(430): include('/usr/local/www/...')
#2 {main}
  thrown in /etc/inc/util.inc on line 2126


No FreeBSD crash data found.

Upgrading to 0.63_3 causing 503 Server not Available

I recently upgraded my PFsense and HAProxy on it. After upgrading to the latest haproxy version, whenever I try and reach my servers, I get a 503 Server unavailable. I have not changed anything on the configuration side or the server side. I tried to reinstall haproxy, recreate the frontend and backend in haproxy, and reissue the ACME certificate, and have had no luck. I am not sure what is causing the 503 error.

Use UNLESS condition instead of default IF

For r-proxying OnlyOffice docker I need to add some custom ACLs and conditions on the backend. I use the following example: https://github.com/ONLYOFFICE/document-server-proxy/blob/master/haproxy/proxy-https-to-http.cfg based on these patterns: https://helpcenter.onlyoffice.com/installation/docs-community-proxy.aspx

I am able to configure all via the GUI however I have no option to change the default IF condition to an UNLESS statement as described for OnlyOffice. Isn't there any option or am I missing something?

In the haproxy.cfg file the GUI configuration results in the following

acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] if existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https if existing-x-forwarded-proto

What OnlyOffice describes but I am unable to configure:

acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto

Health check method Agent not configurable

Cannot configure the Agent health check method in a backend. Whenever I apply the config I get this error:
[ALERT] 008/215924 (49440) : parsing [/var/etc/haproxy_test/haproxy.cfg:330] : unknown option 'lb-agent-chk'.

Moreover, the field Agentport is changed during the saving process, and gets the same value as the backend Name field.

Haproxy on second node lost connection and all properties

Hello!
I use pfSense community edition v. 2.3.2-RELEASE-p1 and Haproxy-devel package.
I set up a 2-node cluster with XMLRPC to sync the haproxy config.
Everything works, but after creating some new backends and setting them up in a frontend on the main node, syncing with the second node is lost, all preferences on the second node disappear, and haproxy on it stops working.
After some dancing with a tambourine on the second node (i.e. reinstalling the haproxy-devel package) haproxy starts working, but if I make some changes on the main node, haproxy stops working again.
Why?

Port range in frontend

Hello,

I can't figure out how to configure a port range in haproxy.
Version:
Pfsense 2.4.5
haproxy 1.8.25
package 0.60_6

When I try to set a port range instead of 1 port on Frontend, I have this error message:
The external address field 'Port' value '30000-40000' is not a number or alias thereof.
I also tried the syntax 30000:40000

I can set nothing, so I guess it will take all ports, but that's bad. It looks like using a port range has been possible for a long time in haproxy.

This is to set up an FTP service with nodes.

Thanks in advance for your help

Performance issues on official Netgate hardware

I have an XG7100U and I enabled a backend pointing to apache2 on an Ubuntu 20.04 machine. If I NAT directly to the machine using a pfsense NAT rule I can download from external server at around 40MB/s so far so good.
If I enable a backend like this:

backend srv-frs_ipvANY
    mode			http
    id			126
    log			global
    # use mailers
    # level  err 
    email-alert mailers			globalmailers
    email-alert level			err
    email-alert from			[email protected]
    email-alert to			[email protected]
    email-alert myhostname			xxx.com
    http-response set-header Strict-Transport-Security max-age=31536000;
    timeout connect		30000
    timeout server		30000
    retries			3
    option			httpchk OPTIONS / 
    server			srv-frs 10.192.3.54:80 id 127 check inter 10000  resolvers globalresolvers 

and a frontend like this:

 global
    maxconn			10000
    log			/var/run/log	local0	info
    stats socket /tmp/haproxy.socket level admin  expose-fd listeners
    uid			80
    gid			80
    nbproc			4
    nbthread			1
    hard-stop-after		15m
    chroot				/tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param	2048
    server-state-file /tmp/haproxy_server_state
    ssl-engine cryptodev
    tune.ssl.cachesize 1000000

  cache webcache
      total-max-size 256
      max-age 1800s

frontend http-88-test
    bind			94.103.xx.yy:80 name 94.103.xx.yy:80   
    mode			http
    log			global
    option			http-keep-alive
    option			forwardfor
    acl https ssl_fc
    http-request set-header		X-Forwarded-Proto http if !https
    http-request set-header		X-Forwarded-Proto https if https
    timeout client		30000
    default_backend srv-frs_ipvANY

and I put HAproxy in between, I get external speeds of 1MB/s. Any clues as to what might be wrong? Bear in mind these are almost all default settings, and the non-defaults aren't used in the frontend or backend config.

Best wishes,
Sean

Backend Gui Problem

Hello, I am not able to rewrite the backend rules. As soon as I want to add/update new rules, the wizard jumps to another rule I won't update. Interestingly, when not recognizing the error, hitting save and apply haproxy config crashes the rules. So how can this be elaborated and mitigated?

haproxy.cfg:72]: 'option httpchk' : hiding headers or body at the end of the version string is deprecated. Please, consider to use 'http-check send' directive instead.

pfSense version:
2.5.1-RELEASE (amd64)
built on Mon Apr 12 07:50:14 EDT 2021
FreeBSD 12.2-STABLE

HAProxy version:
haproxy-devel 0.62_3

Issue/bug
'option httpchk' : hiding headers or body at the end of the version string is deprecated. Please, consider to use 'http-check send' directive instead.

Additional information
'Services' menu -> menu item 'HAProxy' -> tab 'Backend' -> (config of specific backend) -> section 'Health checking' -> Http check method and subsequent related options are not available within the GUI whereas installed version (2.2.6-3709bd4) supports it.

Related bugtracker pfSense team:
https://redmine.pfsense.org/issues/11491
https://redmine.pfsense.org/issues/10739

Haproxy get 503 on https

Hello everyone!
I have a strange situation - I set up HAProxy as a frontend with 1 external IP address and multiple backend hosts, on 2 ports - 80 for http and 443 for https.
Everything works fine, except one host - this host does not work on https, I get "503 Service Unavailable", NOSRV in logs.
It works perfectly via http, and this backend host has GREEN status in STATS FS.
But it doesn't work on https....
Why?

HAproxy keeps crashing

Hello

I upgraded to 2.7.0 on my Netgate SG-2220 and after that HAproxy started to crash.

Have updated to the latest version of haproxy-devel net 0.62_13, using devel due to something I needed to setup Authelia, can't remember why.
Changed the log output to debug still just get this in the log

Jul 28 08:01:05kernelpid 90994 (haproxy), jid 0, uid 80: exited on signal 11
Jul 28 error output!: [info] 208/075233 (90637) : [acme] http-01 plugin v0.1.1
Jul 28 07:52:33php-cgi79672haproxy: started new pid:90994

Any advice on how to TS this would be helpful.
I use HAproxy for SSL offloading for all my internal services.

My config https://gist.github.com/varazir/3f743a8c2f8d5bdfea2a605a58195f6a

TIA

Daniel

ssl/https vs tcp mode is not documented

This has always confused me: what is the difference between the last two options in the type dropdown:

ssl / https(TCP mode)
tcp

I've confirmed both set the mode tcp in the front-end config, and it's unclear what the difference is.

After upgrade to pfsense 2.4 i get errors

Hi

After an upgrade to the newest pfsense, I get:
May 11 11:15:00 php-cgi rc.filter_configure_sync: PHP ERROR: Type: 1, File: /usr/local/pkg/haproxy/haproxy.inc, Line: 436, Message: Cannot redeclare haproxy_version() (previously declared in /usr/local/pkg/haproxy.inc:427)
May 11 11:14:59 kernel arp: 192.168.0.115 moved from 44:6d:57:34:6e:bf to e8:40:f2:d3:1b:83 on em1
May 11 11:00:01 php-cgi rc.filter_configure_sync: PHP ERROR: Type: 1, File: /usr/local/pkg/haproxy/haproxy.inc, Line: 436, Message: Cannot redeclare haproxy_version() (previously declared in /usr/local/pkg/haproxy.inc:427)
May 11 10:58:35 php-cgi config.inc: PHP ERROR: Type: 1, File: /usr/local/pkg/haproxy_utils.inc, Line: 164, Message: Call to undefined function get_configured_carp_interface_list()

Widget: Allow for 'Read-Only' functionality

I want users to be able to view the dashboard but not be able to make any changes to the system. I am using the haproxy widget, but read-only users can click the 'stop' button to disable the backends (outlined in red in the screenshot).

Details:
HAProxy version: 0.48 (pfSense package) (haproxy version 1.6.4)
pfSense version: 2.3.1-RELEASE-p5

The 'read-only' users are in a single group with the following permissions:
User - Config: Deny Config Write
WebCfg - Dashboard (all)

Would it be possible to hide / disable the stop buttons unless the user has this permission:
WebCfg - Services: HAProxy package

Please let me know if there is a more appropriate place to submit this issue. Thanks for all your work on the haproxy pfSense package - it's awesome!

manage Haproxy remotely. API? ssh+cli?

Hello guys,

Is there a way to add backends and adjust frontends remotely? Maybe there is some API or CLI available that will work and allow us to adjust the haproxy config file without ROOT/ADMIN privileges?

Please help

Oleksandr

SSLOffloading options disappeared

There are no longer any ssloffloading options in frontends as of 0.61_10.

When checking the SSLOffload checkbox on a frontend, it automatically gets assigned the first cert in pfsense's cert manager, regardless of what that cert is (Mine got assigned a client VPN cert... a.k.a., NOT a "server" cert).

I tried uninstalling, rebooting, and reinstalling the package and the same behavior persists.

This was on pfsense 2.6.0 and 2.7.0.
