I am using HAProxy to facilitate connections to various web management tools for various aspects of my network. I have a frontend listening on 443 which is doing SSL offloading and pushing connections through to various backends on 80/HTTP. I use certs on the frontend to present a secure connection.
This works well for every site, bar one (Zyxel NWA1123-AC access point). I can get to the logon page on HTTPS which is presented with the valid cert from HAProxy, but as soon as I log in I get a 404 not found error from NGINX (from pfSense hosting the HAProxy package). The URL seems to be changing to HTTP so it’s no wonder I’m getting this error as I have no listener on that port. It looks like the Zyxel is actually trimming HTTPS from the URL as it probably thinks the connection is plain HTTP because that is what is coming from HAProxy.
Does anyone have any suggestions as to what I can do to provide the access? I’ve got my config below. It’s the ap backend that is giving me grief!
Any help would be much appreciated!
global
    maxconn 10000
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend fe_mgt_443
    bind 10.1.0.1:443 name 10.1.0.1:443 ssl crt-list /var/etc/haproxy/fe_mgt_443.crt_list
    mode http
    log global
    option http-server-close
    timeout client 30000
    acl ap var(txn.txnhost) -m str -i ap.domain.com
    acl switch var(txn.txnhost) -m str -i switch.domain.com
    acl sense var(txn.txnhost) -m str -i sense.domain.com
    http-request set-var(txn.txnhost) hdr(host)
    use_backend ap_ipvANY if ap
    use_backend switch_ipvANY if switch
    use_backend sense_ipvANY if sense

backend ap_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /
    server ap.domain.com 10.1.0.3:80 id 101 check inter 10000

backend switch_ipvANY
    mode http
    id 102
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server switch.domain.com 10.1.0.2:80 id 103 check inter 1000

backend sense_ipvANY
    mode http
    id 104
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /
    server sense.domain.com 10.1.0.1:80 id 101 check inter 10000
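
Added example, not part of the original post: one way to handle the symptom described above at the proxy, shown on the ap backend from the config. It assumes the access point sends its post-login redirect as an absolute http:// URL in the Location header, which the post suggests but does not confirm; whether the device honours X-Forwarded-Proto is also an assumption.

```haproxy
backend ap_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /

    # Tell the backend the client connection was HTTPS. Only helps if the
    # device reads this header (assumption); harmless if it does not.
    http-request set-header X-Forwarded-Proto https

    # Rewrite any absolute http:// redirect issued by the backend so the
    # browser stays on the TLS frontend instead of dropping to port 80.
    http-response replace-header Location ^http://(.*)$ https://\1

    server ap.domain.com 10.1.0.3:80 id 101 check inter 10000
```

To check the assumption first, look at the response to the login request in the browser's network tab: a 301/302 with a Location value starting with http:// is what the replace-header rule matches. A redirect done in JavaScript or an HTML meta refresh would not be affected by it.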