Haproxy with nginx, ocserver and letsencrypt ssl

kvadrakot · June 25, 2022, 12:41pm

I use haproxy with nginx and ocserver (its vpn server which uses a certificate for authorization on my domain vpn.example.com). Works great, but my configuration uses “frontend tcp” mode, which does not allow pass “option forwardfor” to save the ip address in the nginx logs. I don’t understand how to change the configuration to make it work.

haproxy.cfg

 frontend https
    
    bind 142.251.1.102:443
    mode tcp

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
 
    use_backend ocserv if { req_ssl_sni -i vpn.example.com }
 
    use_backend nginx if { req_ssl_sni -i site1.com }
    use_backend nginx if { req_ssl_sni -i site2.com }
    use_backend nginx if { req_ssl_sni -i site3.com }
    
    default_backend ocserv

backend ocserv
   mode tcp
   option ssl-hello-chk
   server ocserv 127.0.0.1:443 send-proxy-v2

backend nginx
   mode tcp
   option forwardfor
   option tcp-check
   server nginx 127.0.0.2:443 check

terabill · June 27, 2022, 4:07pm

Hi kvadrakot

I am not an expert in this at all,

You might have to have an http mode front end in order to use forwardfor.

It is possible to have 2 front ends listening on the same port, one in TCP mode and the other in HTTP mode. Its a bit convoluted but you take one tcp mode front end and split it into two internal backends which in turn forward to your 2 new front ends. You can see my working config in the last post of this thread: https://discourse.haproxy.org/t/challenges-proxying-to-rds-gateway/7761

And, note that in one of my earlier tests I did use the forwardfor option but I used it in the front end rather than the backend. My test config worked (this was an ssl bridging test) but I don’t know if it would also work putting it in the backend as you do.

kvadrakot · June 27, 2022, 9:44pm

Hello terabill

I don’t have much work experience, but I’m guessing you’re wrong. You have the http set in the global settings, but on frontend Sorting_443 you override http mode to tcp mode. So you have port 443 only works on the tcp mode, but not at the same time http and tcp.

terabill · June 27, 2022, 10:58pm

My config works as I describe it. It listens on port 443 and sends some packets to a tcp mode front end and other packets to an http mode frontend

Frontend Sorting_443 only works in tcp mode, but it then sorts requests and sends to 2 internal backends, which in turn send to 2 new front ends: frontend ts_passthrough in tcp mode and frontend https-terminated in http mode.

There are other examples of this splitting one front end into 2 on this forum, I linked to one of them in the first post in that thread.

Topic		Replies	Views
HAProxy in `mode tcp` accepts HTTP with HTTPS backend Help!	1	604	March 3, 2020
Application behind Haproxy with SSL offloading Help!	3	1537	August 10, 2019
Following a tutorial but gone wrong (haproxy.service: Start request repeated too quickly.) Help!	9	1084	February 5, 2021
Tcp mode and ssl confusion Help!	4	1548	September 20, 2022
Failed to get http and ocserv on same port Help!	1	1073	August 11, 2019

Haproxy with nginx, ocserver and letsencrypt ssl

Related Topics