Newbie on HAProxy, help to get started

Hi
I am discovering HAProxy; I have started to read the documentation and I want to learn how to use it. I am only at the beginning, but I hope to get there one day. I have a personal project that I will try to implement with HAProxy, because I have 3 computer servers that must all have access to ports 80 and 443 with a single external IP, and with many subdomains that must be directed to the right server. To start, I made a diagram of my needs on each server with all the subdomains and ports I will need on each server.
I wanted to have your opinion in order to know if I can start making a configuration from the diagram. Thank you for your help.

HAProxy version 2.8.0-1~bpo11+1 2023/06/03 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.0.html
Running on: Linux 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64

hi
For information, I made my first configuration according to the different domains spread over several servers, and it gives this. For the moment it works correctly, and certbot seems to work on the servers behind HAProxy.
I am open to any improvement of my file; please help me to achieve a good configuration.

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    daemon
    user                haproxy
    group               haproxy
    log                 /dev/log local6 notice
    log                 /dev/log local5 info
    maxconn             50000
    #chroot              /var/lib/haproxy
    pidfile             /var/run/haproxy.pid

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                 tcp
    option               tcplog
    log                  global
    option               dontlognull
    timeout connect      5000
    timeout client       50000
    timeout server       50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http


#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------
listen stats
    mode http
    bind :22222
    stats enable
    stats uri            /haproxy?stats
    stats realm          Haproxy\ Statistics
    stats auth           xxxxxxx:xxxxx.
    stats refresh        30s

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main_https_listen
    bind 0.0.0.0:443
    mode                tcp
    option              tcplog
    log                 global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

#---------------------------------------------------------------------
# Common HAProxy nodes configuration
#---------------------------------------------------------------------

# -------------------------------
# ACLs
# -------------------------------

acl acl_seafile                 req.ssl_sni -i cloud.XXXXXX.cloud
acl acl_mailcowdatanetwork      req.ssl_sni -i mail.XXXXXXX.cloud
acl acl_mailcowboubou           req.ssl_sni -i mail.XXXXX.me
acl acl_matrix                  req.ssl_sni -i element.XXXXXX.cloud
acl acl_lenovo                  req.ssl_sni -i lenovo.XXXXX.cloud
acl acl_freebox                 req.ssl_sni -i freebox.XXXXX.cloud
acl acl_php                     req.ssl_sni -i php.XXXXX.cloud
acl acl_plex                    req.ssl_sni -i plex.XXXXXX.cloud
acl acl_mx                      req.ssl_sni -i mx.XXXXXX.cloud
acl acl_nas                     req.ssl_sni -i nas.XXXXXX.cloud
acl acl_dell380                 req.ssl_sni -i dell380.XXXXX.cloud
acl acl_tautulli                req.ssl_sni -i tautulli.XXXXXX.cloud
acl acl_element                 req.ssl_sni -i element.XXXXX.cloud
acl acl_turn                    req.ssl_sni -i turn.XXXXXX.cloud
acl acl_blog                    req.ssl_sni -i blog.XXXXX.me

# -------------------------------
# Conditions
# -------------------------------

use_backend backend_seafile if acl_seafile
use_backend backend_mailcowdatanetwork if acl_mailcowdatanetwork
use_backend backend_mailcowboubou if acl_mailcowboubou
use_backend backend_matrix if acl_matrix
use_backend backend_lenovo if acl_lenovo
use_backend backend_freebox if acl_freebox
use_backend backend_php if acl_php
use_backend backend_plex if acl_plex
use_backend backend_mx if acl_mx
use_backend backend_nas if acl_nas
use_backend backend_dell380 if acl_dell380
use_backend backend_tautulli if acl_tautulli
use_backend backend_element if acl_element
use_backend backend_turn if acl_turn
use_backend backend_blog if acl_blog

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------

# APP 1 SEAFILE
backend backend_seafile
    description cloud
    mode tcp
    option ssl-hello-chk
    server server_seafile 192.168.1.5:443 check

# APP 2 MAILCOW DATANETWORK
backend backend_mailcowdatanetwork
    description mailcowdatanetwork
    mode tcp
    option ssl-hello-chk
    server server_mailcow 192.168.1.7:443 check

# APP 3 MAILCOW BOUBOU
backend backend_mailcowboubou
    description mailcowboubou
    mode tcp
    option ssl-hello-chk
    server server_mailcow 192.168.1.7:443 check


# APP 4 MATRIX
backend backend_matrix
    description matrix
    mode tcp
    option ssl-hello-chk
    server server_matrix 192.168.1.6:443 check

# APP 5 NETDATA LENOVO TS-150
backend backend_lenovo
    description netdata_TS150
    mode tcp
    option ssl-hello-chk
    server server_lenovo 192.168.1.5:443 check

# APP 6 FREEBOX DELTA 
backend backend_freebox
    description freebox
    mode tcp
    option ssl-hello-chk
    server server_freebox 192.168.1.5:443 check

# APP 7 PHP
backend backend_php
    description php
    mode tcp
    option ssl-hello-chk
    server server_php 192.168.1.5:443 check

# APP 8 PLEX
backend backend_plex
    description plex
    mode tcp
    option ssl-hello-chk
    server server_plex 192.168.1.5:443 check

# APP 9
backend backend_mx
    description mx
    mode tcp
    option ssl-hello-chk
    server server_mx 192.168.1.5:443 check

# APP 10 NAS
backend backend_nas
    description nas
    mode tcp
    option ssl-hello-chk
    server server_nas 192.168.1.5:443 check

# APP 11 DELL380
backend backend_dell380
    description dell380
    mode tcp
    option ssl-hello-chk
    server server_dell380 192.168.1.5:443 check

# APP 12 TAUTULLI
backend backend_tautulli
    description tautulli
    mode tcp
    option ssl-hello-chk
    server server_tautulli 192.168.1.5:443 check

# APP 13 ELEMENT
backend backend_element
    description element
    mode tcp
    option ssl-hello-chk
    server server_element 192.168.1.6:443 check

# APP 14 TURN
backend backend_turn
    description turn
    mode tcp
    option ssl-hello-chk
    server server_turn 192.168.1.6:443 check

# APP 15 BLOG
backend backend_blog
    description blog
    mode tcp
    option ssl-hello-chk
    server server_blog 192.168.1.5:443 check
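To make visible what the frontend in this configuration is doing with `tcp-request content accept if { req.ssl_hello_type 1 }` and the `req.ssl_sni` ACLs, here is an added example that is not part of this thread and not HAProxy code: it builds a minimal TLS ClientHello record, extracts the server_name extension the way the `req.ssl_sni` fetch does, and applies a routing table modelled on the acl/use_backend pairs above. The hostnames and the routing map are constructed placeholders (the post masks the real domains); `build_client_hello`, `extract_sni` and `choose_backend` are hypothetical helper names.

```python
import os
import struct

TLS_HANDSHAKE = 0x16      # record content type; req.ssl_hello_type only looks at handshake records
CLIENT_HELLO = 0x01       # handshake message type 1, the "1" in "req.ssl_hello_type 1"
EXT_SERVER_NAME = 0x0000  # the SNI extension that req.ssl_sni reads


def build_client_hello(hostname=None):
    """Constructed TLS 1.2-style ClientHello record; hostname None means no SNI extension at all."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        server_name_list = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni_body = struct.pack("!H", len(server_name_list)) + server_name_list
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (
        b"\x03\x03" + os.urandom(32)           # client_version, random
        + b"\x00"                              # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # compression methods: null only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body  # 3-byte length
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name of the first TLS record, or None if it is not a complete
    ClientHello or carries no server_name extension (plain HTTP, truncated data, ...)."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != CLIENT_HELLO:
            return None                                  # incomplete record or not a ClientHello
        pos = 4 + 2 + 32                                 # handshake header, client_version, random
        pos += 1 + hs[pos]                               # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                               # compression_methods
        if pos + 2 > len(hs):
            return None                                  # no extensions block
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= list_end:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:
                    return data[q:q + name_len].decode("ascii", "replace")
                q += name_len
        return None
    except (IndexError, struct.error):
        return None


# SNI -> backend, mirroring a few of the acl/use_backend pairs in the thread.
# Domains are constructed placeholders, not the author's real (masked) names.
ROUTES = {
    "cloud.example.cloud": "backend_seafile",
    "mail.example.cloud": "backend_mailcowdatanetwork",
    "element.example.cloud": "backend_matrix",
    "blog.example.me": "backend_blog",
}


def choose_backend(record):
    """Frontend logic: route on the SNI, case-insensitively like the -i flag on req.ssl_sni.
    None models the case where no use_backend matches: with no default_backend configured,
    HAProxy has nowhere to send the connection and closes it."""
    sni = extract_sni(record)
    if sni is None:
        return None
    return ROUTES.get(sni.lower())
```

The truncated-record case is why `tcp-request inspect-delay 5s` matters in the original: HAProxy buffers until a full ClientHello has arrived (or the delay expires) before evaluating the SNI rules. Note also that the SNI is an unauthenticated value chosen by the client; in this TCP passthrough design that is acceptable because each backend still terminates TLS with its own certificate, which is what later replies in the thread mean when they say the certificate configuration stays on the backends.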

Configuration looks alright.

I would disable health checking on the backends though:

  • you don’t have multiple servers per backend you’d failover to, so knowing the backend status is irrelevant
  • the health check may create unnecessary complexity (if for example a backend rejects the old client hello message simulated by ssl-hello-chk, requires a custom SNI, etc.) and generates unnecessary traffic

So removing the check keyword and the option ssl-hello-chk would be my suggestion.

1 Like

Thanks for the explanation

Hi
With my config, the servers behind HAProxy no longer see the IP of external connections; the Nginx logs only display the IP of the HAProxy server. Is there a solution that I could apply to my config to correct this problem?

THANKS

192.168.1.8 - - [07/Jun/2023:19:04:53 +0200] "POST /seafhttp/repo/head-commits-multi/ HTTP/1.1" 200 165 "-" "Seafile/9.0.2 (Windows NT)"
192.168.1.8 - - [07/Jun/2023:19:05:01 +0200] "POST /seafhttp/repo/head-commits-multi/ HTTP/1.1" 200 739 "-" "Seafile/9.0.2 (Windows NT)"
192.168.1.8 - - [07/Jun/2023:19:05:11 +0200] "POST /seafhttp/repo/head-commits-multi/ HTTP/1.1" 200 739 "-" "Seafile/9.0.2 (Windows NT)"
192.168.1.8 - - [07/Jun/2023:19:05:23 +0200] "POST /seafhttp/repo/head-commits-multi/ HTTP/1.1" 200 165 "-" "Seafile/9.0.2 (Windows NT)"

https://cbonte.github.io/haproxy-dconv/2.6/configuration.html#option%20forwardfor

I think this will only work in http mode, but I’m not 100% sure. In your case I would use http mode anyway, do the SSL offloading on the HAProxy side, and address the backends with http.

Your ACLs can be written directly in the “use_backend” directive; this will keep the config short (it will not work in tcp mode!):

use_backend backend_seafile if { hdr(host) -i cloud.XXXXXX.cloud }

best regards,
Markus

1 Like

I confirm forwardfor needs HTTP mode, and switching to it would mean moving the entire SSL and certificate configuration from your backends to haproxy.

One alternative would be using the proxy protocol instead, so the client IP is transparently passed to nginx:

In nginx you’d add the proxy_protocol keyword to your listen statement:

listen 443 ssl proxy_protocol;

And configure it in the http section:

http {
 set_real_ip_from 192.168.1.8;
 real_ip_header proxy_protocol;
}

In haproxy you’d add the send-proxy-v2 keyword:

backend backend_blog
 description blog
 mode tcp
 server server_blog 192.168.1.5:443 send-proxy-v2
1 Like
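The proxy protocol exchange described in the reply above, as an added example that is not part of this thread and not code from HAProxy or nginx: it builds the binary PROXY protocol v2 header that `send-proxy-v2` prepends to each backend connection, parses it the way a receiver does, and applies the trust rule that `set_real_ip_from` expresses, namely that the address in the header replaces the peer address only when the connection actually came from the listed proxy. The 192.168.1.8 and 192.168.1.5 addresses are those in the thread; the client addresses and the helper names (`build_proxy_v2`, `parse_proxy_v2`, `client_ip_for_log`) are constructed for the example.

```python
import ipaddress
import struct

# Every PROXY protocol v2 header starts with this 12-byte signature.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

# Address family (upper nibble) and transport (lower nibble) of byte 14.
AF_INET, AF_INET6 = 0x1, 0x2
PROTO_STREAM = 0x1


def build_proxy_v2(src_ip, src_port, dst_ip, dst_port):
    """Header HAProxy's send-proxy-v2 puts in front of the proxied TCP stream."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must share an address family")
    family = AF_INET if src.version == 4 else AF_INET6
    addrs = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    ver_cmd = 0x20 | 0x01                      # version 2, command PROXY
    fam_proto = (family << 4) | PROTO_STREAM   # TCP over IPv4 or IPv6
    return PP2_SIGNATURE + bytes([ver_cmd, fam_proto]) + struct.pack("!H", len(addrs)) + addrs


def parse_proxy_v2(data):
    """Split the start of a stream into (client, payload).

    client is (src_ip, src_port, dst_ip, dst_port) for a PROXY command and None for a
    LOCAL command (a connection the proxy made on its own behalf, e.g. a health check).
    Raises ValueError for anything that is not a well-formed v2 header."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto = data[12], data[13]
    if ver_cmd >> 4 != 0x2:
        raise ValueError("unsupported PROXY protocol version %d" % (ver_cmd >> 4))
    length = struct.unpack("!H", data[14:16])[0]
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    block, payload = data[16:16 + length], data[16 + length:]
    command = ver_cmd & 0x0F
    if command == 0x0:
        return None, payload
    if command != 0x1:
        raise ValueError("unknown command %d" % command)
    addr_len = {AF_INET: 4, AF_INET6: 16}.get(fam_proto >> 4)
    if addr_len is None:
        raise ValueError("unsupported address family")
    need = 2 * addr_len + 4
    if len(block) < need:
        raise ValueError("address block too short")
    src = ipaddress.ip_address(block[:addr_len])
    dst = ipaddress.ip_address(block[addr_len:2 * addr_len])
    src_port, dst_port = struct.unpack("!HH", block[2 * addr_len:need])
    # block[need:] may carry optional TLVs (ALPN, authority, ...); not needed here.
    return (str(src), src_port, str(dst), dst_port), payload


def client_ip_for_log(peer_ip, data, trusted_proxies):
    """The address a receiver such as nginx's realip module should log.

    Mirrors set_real_ip_from: the header is only believed when the TCP peer is one of the
    trusted proxy networks; otherwise a forged header from a direct connection would let
    anyone choose the IP that ends up in the access log."""
    client, _payload = parse_proxy_v2(data)
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(net) for net in trusted_proxies)
    if client is None or not trusted:
        return peer_ip
    return client[0]


if __name__ == "__main__":
    # Constructed: a client at 203.0.113.10 reaching the blog backend through HAProxy at 192.168.1.8.
    header = build_proxy_v2("203.0.113.10", 51234, "192.168.1.5", 443)
    print(client_ip_for_log("192.168.1.8", header, ["192.168.1.8/32"]))   # logged as 203.0.113.10
    print(client_ip_for_log("192.168.1.99", header, ["192.168.1.8/32"]))  # untrusted peer: 192.168.1.99
```

The trust rule is the part worth keeping in mind when copying the nginx snippet: `set_real_ip_from 192.168.1.8` is what stops a host that can reach port 443 on the backend directly from writing an arbitrary client address into the logs, and restricting the backend ports to connections from the HAProxy host keeps that guarantee even if the nginx configuration is edited later.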

@lukastribus

Your solution works perfectly.
With your help I put my first HAProxy server into service.
THANKS

1 Like