Haproxy with nginx, ocserver and letsencrypt ssl

I use haproxy with nginx and ocserver (its vpn server which uses a certificate for authorization on my domain vpn.example.com). Works great, but my configuration uses “frontend tcp” mode, which does not allow pass “option forwardfor” to save the ip address in the nginx logs. I don’t understand how to change the configuration to make it work.


 frontend https
    mode tcp

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend ocserv if { req_ssl_sni -i vpn.example.com }
    use_backend nginx if { req_ssl_sni -i site1.com }
    use_backend nginx if { req_ssl_sni -i site2.com }
    use_backend nginx if { req_ssl_sni -i site3.com }
    default_backend ocserv

backend ocserv
   mode tcp
   option ssl-hello-chk
   server ocserv send-proxy-v2

backend nginx
   mode tcp
   option forwardfor
   option tcp-check
   server nginx check

Hi kvadrakot

I am not an expert in this at all,

You might have to have an http mode front end in order to use forwardfor.

It is possible to have 2 front ends listening on the same port, one in TCP mode and the other in HTTP mode. Its a bit convoluted but you take one tcp mode front end and split it into two internal backends which in turn forward to your 2 new front ends. You can see my working config in the last post of this thread: https://discourse.haproxy.org/t/challenges-proxying-to-rds-gateway/7761

And, note that in one of my earlier tests I did use the forwardfor option but I used it in the front end rather than the backend. My test config worked (this was an ssl bridging test) but I don’t know if it would also work putting it in the backend as you do.

Hello terabill

I don’t have much work experience, but I’m guessing you’re wrong. You have the http set in the global settings, but on frontend Sorting_443 you override http mode to tcp mode. So you have port 443 only works on the tcp mode, but not at the same time http and tcp.

My config works as I describe it. It listens on port 443 and sends some packets to a tcp mode front end and other packets to an http mode frontend

Frontend Sorting_443 only works in tcp mode, but it then sorts requests and sends to 2 internal backends, which in turn send to 2 new front ends: frontend ts_passthrough in tcp mode and frontend https-terminated in http mode.

There are other examples of this splitting one front end into 2 on this forum, I linked to one of them in the first post in that thread.