Hello,
I have set up an HAProxy service (version 2.8) with OPNsense and I’m struggling to make it work consistently.
I tried to follow a guide that was available on the OPNsense forum as the base for my setup.
Here is my current configuration for HAProxy:
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid 80
    gid 80
    chroot /var/haproxy
    daemon
    stats socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread 4
    hard-stop-after 60s
    no strict-limits
    maxconn 10000
    tune.ssl.ocsp-update.mindelay 300
    tune.ssl.ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer ipv4
    tune.ssl.default-dh-param 4096
    spread-checks 2
    tune.bufsize 16384
    tune.lua.maxmem 0
    log /var/run/log local0
    lua-prepend-path /tmp/haproxy/lua/?.lua

defaults
    log global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 60s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend (DISABLED): Frontend_HTTP ()

# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_backend

    # logging options
    option log-separate-errors
    option tcplog

# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
    bind 127.10.10.2:80 name 127.10.10.2:80 accept-proxy
    mode http
    option http-keep-alive

    # logging options
    option log-separate-errors
    option httplog

    # ACL: no-ssl
    acl acl_606b47270c87a3.09968459 ssl_fc

    # ACTION: HTTPRedirect
    http-request redirect scheme https code 301 if !acl_606b47270c87a3.09968459

# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000"
    bind 127.10.10.2:443 name 127.10.10.2:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets strict-sni ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/66a957c77230c2.86454741.certlist
    mode http
    option http-keep-alive

    # logging options
    option log-separate-errors
    option httplog

    # ACL: nc-host
    acl acl_606b4708173456.71367641 hdr_sub(host) -i nc.roxblic.xyz

    # ACTION: NC_rule
    use_backend NC_backend if acl_606b4708173456.71367641

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    server SSL_server 127.10.10.2 send-proxy-v2 check-send-proxy

# Backend: NC_backend ()
backend NC_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    option forwardfor
    server NC_server 10.1.1.2:443 ssl verify none

# statistics are DISABLED
First of all, why does the frontend need to be prefixed with 0_ / 1_? Without these prefixes, I consistently encountered the error below when accessing the HTTP port. After adding the 0_ prefix to SNI_frontend, the error now only occurs approximately once in every four attempts.
$ curl -vv http://domain.tld/
* Host domain.tld:80 was resolved.
* IPv6: (none)
* IPv4: 10.1.1.2
* Trying 10.1.1.2:80...
* Connected to domain.tld (10.1.1.2) port 80
> GET / HTTP/1.1
> Host: domain.tld
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
* Empty reply from server
* Closing connection
curl: (52) Empty reply from server
Corresponding debug log in HAProxy:
2024-08-02T13:23:47 Informational 10.2.2.1:41028 [02/Aug/2024:13:23:47.399] SNI_frontend SSL_backend/SSL_server 1/0/22 0 -- 1/1/0/0/0 0/0
2024-08-02T13:23:47 Error 127.10.10.2:19006 [02/Aug/2024:13:23:47.399] 1_HTTP_frontend/127.10.10.2:80: Received something which does not look like a PROXY protocol header
Also, I am getting an SSL_ERROR_SYSCALL error (or PR_END_OF_FILE_ERROR with Chrome/Firefox) for HTTPS requests, which occurs approximately one time out of every 2/3 attempts.
$ curl -vv https://domain.tld/
* Host domain.tld:443 was resolved.
* IPv6: (none)
* IPv4: 10.1.1.2
* Trying 10.1.1.2:443...
* Connected to domain.tld (10.1.1.2) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to domain.tld:443
* Closing connection
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to domain.tld:443
Corresponding debug log in HAProxy:
2024-08-02T13:21:24 Informational 10.2.2.1:60118 [02/Aug/2024:13:21:24.339] SNI_frontend SSL_backend/SSL_server 1/0/19 0 -- 1/1/0/0/0 0/0
2024-08-02T13:21:24 Error 127.10.10.2:15595 [02/Aug/2024:13:21:24.339] 2_HTTPS_frontend/127.10.10.2:443: Received something which does not look like a PROXY protocol header
I have run a TCP dump and it seems that sometimes I don’t receive the PROXY header, the first packet being “Client Hello”.
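The two HAProxy errors above both come from the accept-proxy listeners on 127.10.10.2 receiving a stream whose first bytes are not a PROXY protocol header. The script below is an added example (not code from the original post, from OPNsense or from HAProxy) for checking exactly that on the payload of the first data packet of a connection taken from a capture: it classifies the leading bytes as a PROXY v1 header, a PROXY v2 header, a TLS ClientHello or a plain HTTP request, decodes the v2 header the way HAProxy's send-proxy-v2 emits it (including the LOCAL command used for health checks), and reports what follows the header. All sample byte strings are constructed inline for the demonstration, not captured from the poster's setup.

```python
"""Classify the first bytes seen on a TCP connection and decode PROXY protocol headers.

Added example; the samples at the bottom are constructed, not captured traffic.
"""
from __future__ import annotations

import ipaddress
import struct

PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY v2 signature from the spec
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ", b"CONNECT ")


def classify_first_bytes(data: bytes) -> str:
    """Label the start of a stream: proxy-v2, proxy-v1, tls-client-hello, http or unknown."""
    if data.startswith(PROXY_V2_SIG):
        return "proxy-v2"
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    # TLS record: type 0x16 (handshake), version 0x03 0x01..0x04, then handshake type 1 = ClientHello
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01:
        return "tls-client-hello"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def build_proxy_v2(src: str, sport: int, dst: str, dport: int, local: bool = False) -> bytes:
    """Build an IPv4/TCP PROXY v2 header; local=True gives the LOCAL command health checks use."""
    body = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + struct.pack("!HH", sport, dport)
    ver_cmd = 0x20 | (0x00 if local else 0x01)  # high nibble: version 2; low nibble: 0 LOCAL / 1 PROXY
    return PROXY_V2_SIG + struct.pack("!BBH", ver_cmd, 0x11, len(body)) + body  # 0x11 = AF_INET, STREAM


def parse_proxy_v2(data: bytes) -> tuple[dict, bytes]:
    """Decode a v2 header (IPv4/IPv6 over TCP) and return (fields, bytes that follow the header)."""
    if not data.startswith(PROXY_V2_SIG) or len(data) < 16:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError(f"unsupported PROXY version {ver_cmd >> 4}")
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) < length:
        raise ValueError("truncated PROXY v2 header")
    info = {"command": "PROXY" if ver_cmd & 0x0F == 1 else "LOCAL"}
    fam, proto = fam_proto >> 4, fam_proto & 0x0F
    if info["command"] == "PROXY" and proto == 1:  # STREAM = TCP; LOCAL carries no usable addresses
        if fam == 1:  # AF_INET: 4-byte src, 4-byte dst, two 16-bit ports
            s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
            info.update(src=str(ipaddress.IPv4Address(s)), dst=str(ipaddress.IPv4Address(d)), sport=sp, dport=dp)
        elif fam == 2:  # AF_INET6: 16-byte src, 16-byte dst, two 16-bit ports
            s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
            info.update(src=str(ipaddress.IPv6Address(s)), dst=str(ipaddress.IPv6Address(d)), sport=sp, dport=dp)
    return info, rest


def parse_proxy_v1(data: bytes) -> tuple[dict, bytes]:
    """Decode a v1 text header 'PROXY TCP4 src dst sport dport\\r\\n'."""
    head, sep, rest = data.partition(b"\r\n")
    fields = head.decode("ascii", errors="replace").split(" ")
    if not sep or len(fields) != 6 or fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 header")
    return {"command": "PROXY", "src": fields[2], "dst": fields[3],
            "sport": int(fields[4]), "dport": int(fields[5])}, rest


def describe_stream(data: bytes) -> dict:
    """What an accept-proxy listener sees: outer label, decoded header (if any), label of what follows."""
    outer = classify_first_bytes(data)
    if outer == "proxy-v2":
        info, rest = parse_proxy_v2(data)
    elif outer == "proxy-v1":
        info, rest = parse_proxy_v1(data)
    else:
        info, rest = None, data  # no header at all: this is the case HAProxy logs as an error
    return {"outer": outer, "header": info, "inner": classify_first_bytes(rest)}


# Constructed samples: a plain HTTP request, a truncated TLS ClientHello (record header,
# handshake header, version, 32-byte random), and both wrapped in PROXY headers.
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: domain.tld\r\n\r\n"
SAMPLE_CLIENT_HELLO = (b"\x16\x03\x01" + struct.pack("!H", 38)
                       + b"\x01" + (34).to_bytes(3, "big") + b"\x03\x03" + bytes(32))
SAMPLE_PROXY_V1 = b"PROXY TCP4 10.2.2.1 10.1.1.2 41028 80\r\n" + SAMPLE_HTTP
SAMPLE_PROXY_V2 = build_proxy_v2("10.2.2.1", 41028, "10.1.1.2", 443) + SAMPLE_CLIENT_HELLO
SAMPLE_HEALTH_CHECK = build_proxy_v2("0.0.0.0", 0, "0.0.0.0", 0, local=True)

if __name__ == "__main__":
    for name, sample in [("http", SAMPLE_HTTP), ("hello", SAMPLE_CLIENT_HELLO), ("v1", SAMPLE_PROXY_V1),
                         ("v2", SAMPLE_PROXY_V2), ("check", SAMPLE_HEALTH_CHECK)]:
        print(f"{name:6} {describe_stream(sample)}")
```

To use this on a real capture, feed `describe_stream()` the TCP payload of the first data segment of each connection to 127.10.10.2:80 or :443 (for example exported from tcpdump/Wireshark as raw bytes): a connection that went through SSL_backend with send-proxy-v2 should report `outer == "proxy-v2"` with the client address in `header`, while a connection whose first bytes are a bare ClientHello or GET is the case that produces the "does not look like a PROXY protocol header" log line.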