Hi
I discovered HAProxy and started reading the documentation; I want to learn how to use it. I'm only at the beginning, but I hope to get there one day. I have a personal project that I will try to implement with HAProxy, because I have 3 servers that must all have access to ports 80 and 443 with a single external IP, and with many subdomains that must be directed to the right server. To start, I made a diagram of my needs on each server, with all the subdomains and ports I will need on each server.
I wanted to have your opinion, in order to know if I can start making a configuration from the diagram. Thank you for your help.
HAProxy version 2.8.0-1~bpo11+1 2023/06/03 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.0.html
Running on: Linux 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64
Hi
For information, I made my first configuration according to the different domains spread over several servers, and it gives this. For the moment it works correctly, and certbot seems to work on the servers behind HAProxy.
I am open to any improvement of my file; please help me to achieve a good configuration.
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    daemon
    user haproxy
    group haproxy
    log /dev/log local6 notice
    log /dev/log local5 info
    maxconn 50000
    #chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode tcp
    option tcplog
    log global
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------
listen stats
    mode http
    bind :22222
    stats enable
    stats uri /haproxy?stats
    stats realm Haproxy\ Statistics
    stats auth xxxxxxx:xxxxx.
    stats refresh 30s

#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend main_https_listen
    bind 0.0.0.0:443
    mode tcp
    option tcplog
    log global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    #---------------------------------------------------------------------
    # Common HAProxy nodes configuration
    #---------------------------------------------------------------------
    # -------------------------------
    # ACLs
    # -------------------------------
    acl acl_seafile req.ssl_sni -i cloud.XXXXXX.cloud
    acl acl_mailcowdatanetwork req.ssl_sni -i mail.XXXXXXX.cloud
    acl acl_mailcowboubou req.ssl_sni -i mail.XXXXX.me
    acl acl_matrix req.ssl_sni -i element.XXXXXX.cloud
    acl acl_lenovo req.ssl_sni -i lenovo.XXXXX.cloud
    acl acl_freebox req.ssl_sni -i freebox.XXXXX.cloud
    acl acl_php req.ssl_sni -i php.XXXXX.cloud
    acl acl_plex req.ssl_sni -i plex.XXXXXX.cloud
    acl acl_mx req.ssl_sni -i mx.XXXXXX.cloud
    acl acl_nas req.ssl_sni -i nas.XXXXXX.cloud
    acl acl_dell380 req.ssl_sni -i dell380.XXXXX.cloud
    acl acl_tautulli req.ssl_sni -i tautulli.XXXXXX.cloud
    acl acl_element req.ssl_sni -i element.XXXXX.cloud
    acl acl_turn req.ssl_sni -i turn.XXXXXX.cloud
    acl acl_blog req.ssl_sni -i blog.XXXXX.me

    # -------------------------------
    # Conditions
    # -------------------------------
    use_backend backend_seafile if acl_seafile
    use_backend backend_mailcowdatanetwork if acl_mailcowdatanetwork
    use_backend backend_mailcowboubou if acl_mailcowboubou
    use_backend backend_matrix if acl_matrix
    use_backend backend_lenovo if acl_lenovo
    use_backend backend_freebox if acl_freebox
    use_backend backend_php if acl_php
    use_backend backend_plex if acl_plex
    use_backend backend_mx if acl_mx
    use_backend backend_nas if acl_nas
    use_backend backend_dell380 if acl_dell380
    use_backend backend_tautulli if acl_tautulli
    use_backend backend_element if acl_element
    use_backend backend_turn if acl_turn
    use_backend backend_blog if acl_blog

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------
# APP 1 SEAFILE
backend backend_seafile
    description cloud
    mode tcp
    option ssl-hello-chk
    server server_seafile 192.168.1.5:443 check

# APP 2 MAILCOW DATANETWORK
backend backend_mailcowdatanetwork
    description mailcowdatanetwork
    mode tcp
    option ssl-hello-chk
    server server_mailcow 192.168.1.7:443 check

# APP 3 MAILCOW BOUBOU
backend backend_mailcowboubou
    description mailcowboubou
    mode tcp
    option ssl-hello-chk
    server server_mailcow 192.168.1.7:443 check

# APP 4 MATRIX
backend backend_matrix
    description matrix
    mode tcp
    option ssl-hello-chk
    server server_matrix 192.168.1.6:443 check

# APP 5 NETDATA LENOVO TS-150
backend backend_lenovo
    description netdata_TS150
    mode tcp
    option ssl-hello-chk
    server server_lenovo 192.168.1.5:443 check

# APP 6 FREEBOX DELTA
backend backend_freebox
    description freebox
    mode tcp
    option ssl-hello-chk
    server server_freebox 192.168.1.5:443 check

# APP 7 PHP
backend backend_php
    description php
    mode tcp
    option ssl-hello-chk
    server server_php 192.168.1.5:443 check

# APP 8 PLEX
backend backend_plex
    description plex
    mode tcp
    option ssl-hello-chk
    server server_plex 192.168.1.5:443 check

# APP 9
backend backend_mx
    description mx
    mode tcp
    option ssl-hello-chk
    server server_mx 192.168.1.5:443 check

# APP 10 NAS
backend backend_nas
    description nas
    mode tcp
    option ssl-hello-chk
    server server_nas 192.168.1.5:443 check

# APP 11 DELL380
backend backend_dell380
    description dell380
    mode tcp
    option ssl-hello-chk
    server server_dell380 192.168.1.5:443 check

# APP 12 TAUTULLI
backend backend_tautulli
    description tautulli
    mode tcp
    option ssl-hello-chk
    server server_tautulli 192.168.1.5:443 check

# APP 13 ELEMENT
backend backend_element
    description element
    mode tcp
    option ssl-hello-chk
    server server_element 192.168.1.6:443 check

# APP 14 TURN
backend backend_turn
    description turn
    mode tcp
    option ssl-hello-chk
    server server_turn 192.168.1.6:443 check

# APP 15 BLOG
backend backend_blog
    description blog
    mode tcp
    option ssl-hello-chk
    server server_blog 192.168.1.5:443 check
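The frontend above never decrypts anything: `req.ssl_hello_type 1` checks that the first record is a ClientHello and `req.ssl_sni -i` reads the server name the client sent in clear text. The Python below is an added illustration of that mechanism, not HAProxy code and not from the original post; it builds a minimal ClientHello (constructed sample), extracts the SNI the way the frontend does, and maps it to a backend with the same case-insensitive matching as `-i`. The routing table reuses the redacted placeholder domains from the post.

```python
import struct

# Mirror of the ACL / use_backend pairs in the posted config (redacted placeholders kept).
ROUTES = {
    "cloud.XXXXXX.cloud": "backend_seafile",
    "mail.XXXXXXX.cloud": "backend_mailcowdatanetwork",
    "element.XXXXXX.cloud": "backend_matrix",
    "blog.XXXXX.me": "backend_blog",
}

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record whose only extension is SNI."""
    host = sni.encode()
    sni_ext = (struct.pack("!HH", 0, len(host) + 5)          # ext type 0 = server_name
               + struct.pack("!H", len(host) + 3) + b"\x00"   # list len, name type host_name
               + struct.pack("!H", len(host)) + host)
    body = (b"\x03\x03" + b"\x00" * 32          # client version, 32-byte random
            + b"\x00"                            # empty session id
            + b"\x00\x02\x13\x01"                # one cipher suite
            + b"\x01\x00"                        # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # msg type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def ssl_sni(record: bytes):
    """What req.ssl_sni yields: the SNI host, or None if this is not a ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:   # req.ssl_hello_type 1
        return None
    p = 43                                                  # after record+handshake hdr, version, random
    p += 1 + record[p]                                      # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]        # cipher suites
    p += 1 + record[p]                                      # compression methods
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                      # server_name extension
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None

def pick_backend(record: bytes):
    """Mirror the frontend: only ClientHellos are routed, SNI compared case-insensitively (-i)."""
    sni = ssl_sni(record)
    if sni is None:
        return None                  # no ACL matches; no use_backend fires
    for host, backend in ROUTES.items():
        if host.lower() == sni.lower():
            return backend
    return None
```

Because the ClientHello is the only thing HAProxy looks at, a client that sends no SNI (or a non-TLS byte stream) matches no ACL and, with no `default_backend`, gets no server at all.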
I would disable health checking on the backends though:
- you don’t have multiple servers per backend you’d fail over to, so knowing the backend status is irrelevant
- the health check may create unnecessary complexity (if, for example, a backend rejects the old client hello message simulated by ssl-hello-chk, requires a custom SNI, etc.) and generates unnecessary traffic
So removing the check keyword and the option ssl-hello-chk would be my suggestion.
Hi
With my config, the servers behind HAProxy no longer see the IP of external connections; the Nginx logs only display the IP of the HAProxy server. Is there a solution that I could apply to my config to correct this problem?
I think this will only work in http mode, but I’m not 100% sure. In your case I would use http mode anyway, do the SSL offloading on the HAProxy side, and address the backends with http.
Your ACLs can be written directly in the use_backend directive; this will keep the config short (it will not work in tcp mode!)
use_backend backend_seafile if { hdr(host) -i cloud.XXXXXX.cloud }
I confirm forwardfor needs HTTP mode, and switching to it would mean moving the entire SSL and certificate configuration from your backends to HAProxy.
One alternative would be using the proxy protocol instead, so the client IP is transparently passed to nginx:
In nginx you’d add the proxy_protocol keyword to your listen statement:
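As an added illustration of the proxy protocol alternative from the reply above (this is neither the reply's nginx snippet nor HAProxy or nginx code), the Python below builds the PROXY protocol v1 header that HAProxy prepends to the TCP stream when the server line carries `send-proxy`, and parses it on the receiving side as a backend with `proxy_protocol` enabled would. The sample addresses are constructed; `client_ip_seen_by_nginx` is a hypothetical helper that shows the symptom from the post (only the proxy's IP is visible) beside the fixed behaviour.

```python
import ipaddress
import re

# PROXY v1 line: "PROXY TCP4 <src> <dst> <sport> <dport>\r\n" (or "PROXY UNKNOWN\r\n").
PROXY_V1 = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n")

def proxy_v1_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Header HAProxy sends first on the backend connection when 'send-proxy' is set."""
    fam = "TCP6" if ipaddress.ip_address(src_ip).version == 6 else "TCP4"
    return f"PROXY {fam} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode()

def parse_proxy_v1(data: bytes):
    """Backend side: returns ((src_ip, src_port) or None for UNKNOWN, remaining payload),
    or None when no header is present (a proxy_protocol listener must then drop the connection)."""
    m = PROXY_V1.match(data[:107])          # spec: v1 line is at most 107 bytes incl. CRLF
    if not m:
        return None
    fam, src_ip, dst_ip, src_port, dst_port = m.groups()
    payload = data[m.end():]
    if fam == b"UNKNOWN":
        return None, payload
    src = ipaddress.ip_address(src_ip.decode())
    dst = ipaddress.ip_address(dst_ip.decode())
    expected_ver = 6 if fam == b"TCP6" else 4
    if src.version != expected_ver or dst.version != expected_ver:
        raise ValueError("address family does not match PROXY header")
    if not (0 < int(src_port) < 65536 and 0 < int(dst_port) < 65536):
        raise ValueError("port out of range in PROXY header")
    return (str(src), int(src_port)), payload

def client_ip_seen_by_nginx(stream: bytes, haproxy_ip: str, proxy_protocol: bool) -> str:
    """Hypothetical helper: what nginx records as $remote_addr for one proxied connection."""
    if not proxy_protocol:
        return haproxy_ip                    # the symptom from the post: only the proxy's IP
    parsed = parse_proxy_v1(stream)
    if parsed is None or parsed[0] is None:
        raise ValueError("proxy_protocol is on but no usable PROXY header arrived")
    return parsed[0][0]                      # the real client address, taken from the header
```

Both sides must agree: a backend listening with `proxy_protocol` must only be reachable from HAProxy, because anyone else who can open a TCP connection to it could write an arbitrary PROXY line and spoof the logged client address.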