HAProxy with OpenVPN over tcp/443 on pfSense

daggr · January 15, 2020, 6:06pm

Hi,

Recently replaced my HAProxy VM into pfSense HAProxy package instead and that works fine.
I had OpenVPN on a server before but now i want to run it in pfSense as well.
The problem is that i want to run OpenVPN over tcp/443 through HAProxy but i cant get it to work.

Today i’ve set up a frontend which listens to WAN address port 80 (type http /https(offloading)) and redirects to HTTPS.
Then a frontend listening on WAN address port 443 (type http /https(offloading)) with ACLs for different domain names and backends.

I’ve set OpenVPN to listen to TCP/1194 and a backend accordingly.
I’ve tried making a shared frontend but it seems that you can only share the same type (http, tcp and so on).

How should i proceed to configure HAProxy for using tcp/443 to my OpenVPN (on the pfSense machine)?

Thanks!

daggr · January 19, 2020, 11:22am

I got it working. Here’s the config if anyone else want to do the same thing.

# Automaticaly generated, dont edit manually.
# Generated on: 2020-01-19 12:06
global
	maxconn			4096
	stats socket /tmp/haproxy.socket level admin 
	uid			80
	gid			80
	nbproc			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state
	ssl-default-bind-options no-sslv3 no-tlsv10
	ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
	

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend PROD_HTTP
	bind			WAN ADDRESS:80 name WAN ADDRESS:80   
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	errorfile			503 /var/etc/haproxy/errorfile_PROD_HTTP_503_MAINT
	acl			redirect	var(txn.txnhost) -m end -i domain.com
	http-request set-var(txn.txnhost) hdr(host)
	http-request redirect code 301 location https://%[hdr(host)]%[path]  if  redirect 

frontend PROD_HTTPS
	bind			127.0.0.1:9443 name 127.0.0.1:9443  no-sslv3 no-tlsv10 no-tlsv11 ssl crt-list /var/etc/haproxy/PROD_HTTPS.crt_list  
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	errorfile			503 /var/etc/haproxy/errorfile_PROD_HTTPS_503_MAINT
	acl			cloud	var(txn.txnhost) -m str -i cloud.domain.com
	acl			grafana	var(txn.txnhost) -m str -i grafana.domain.com

	acl			aclcrt_PROD_HTTPS	var(txn.txnhost) -m reg -i ^cloud\.domain\.com(:([0-9]){1,5})?$
	acl			aclcrt_PROD_HTTPS	var(txn.txnhost) -m reg -i ^grafana\.domain\.com(:([0-9]){1,5})?$

	http-request set-var(txn.txnhost) hdr(host)
	use_backend webserver01_ipvANY  if  cloud aclcrt_PROD_HTTPS
	use_backend webserver02_ipvANY  if  grafana aclcrt_PROD_HTTPS

frontend TCP_HTTPS
	bind			WAN ADDRESS:443 name WAN ADDRESS:443   
	mode			tcp
	log			global
	timeout client		50000
	tcp-request content accept if { req.ssl_hello_type 1 }
	tcp-request inspect-delay	5s
	acl			http	req.ssl_ver gt 0
	tcp-request content accept if { req.ssl_ver gt 0 }
	use_backend https-term_ipvANY  if  http 
	default_backend pfsense_openvpn_tcp_1194_ipvANY

backend webserver01_ipvANY
	mode			http
	id			100
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			webserver01 192.168.37.14:8080 id 101 check inter 1000  

backend webserver02_ipvANY
	mode			http
	id			106
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			webserver02 192.168.37.15:3000 id 101 check inter 1000  

backend https-term_ipvANY
	mode			tcp
	id			110
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	mode tcp
	server			https-term 127.0.0.1:9443 id 101  

backend pfsense_openvpn_tcp_1194_ipvANY
	mode			tcp
	id			109
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	mode tcp
	server			pfsense_openvpn_tcp_1194 127.0.0.1:1194 id 101

Topic		Replies	Views
Haproxy Issue Connecting to Openvpn on TCP 433 Help!	8	4748	June 26, 2017
Binding port 443 to both HTTP and TCP Help!	3	7870	December 8, 2020
HAProxy, OPNsense and a blocked port 443 Help!	5	2034	May 2, 2021
HAProxy on PFSense - 503 Service Unavailable / No server is available to handle this request Help!	1	7158	July 17, 2019
HTTP 503 after changing port number on backend Help!	24	4215	August 31, 2018

HAProxy with OpenVPN over tcp/443 on pfSense

Related Topics