Hi all.
I am using HAProxy to facilitate connections to various web management tools for various aspects of my network. I have a frontend listening on 443 which is doing SSL offloading and pushing connections through to various backends on 80/HTTP. I use certs on the frontend to present a secure connection.
This works well for every site, bar one (Zyxel NWA1123-AC access point). I can get to the logon page on HTTPS which is presented with the valid cert from HAProxy, but as soon as I log in I get a 404 not found error from NGINX (from pfSense hosting the HAProxy package). The URL seems to be changing to HTTP so it’s no wonder I’m getting this error as I have no listener on that port. It looks like the Zyxel is actually trimming HTTPS from the URL as it probably thinks the connection is plain HTTP because that is what is coming from HAProxy.
Does anyone have any suggestions as to what I can do to provide the access? I’ve got my config below. It’s the ap backend that is giving me grief!
Any help would be much appreciated!

global
    maxconn 10000
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend fe_mgt_443
    bind 10.1.0.1:443 name 10.1.0.1:443 ssl crt-list /var/etc/haproxy/fe_mgt_443.crt_list
    mode http
    log global
    option http-server-close
    timeout client 30000
    acl ap var(txn.txnhost) -m str -i ap.domain.com
    acl switch var(txn.txnhost) -m str -i switch.domain.com
    acl sense var(txn.txnhost) -m str -i sense.domain.com
    http-request set-var(txn.txnhost) hdr(host)
    use_backend ap_ipvANY if ap
    use_backend switch_ipvANY if switch
    use_backend sense_ipvANY if sense

backend ap_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /
    server ap.domain.com 10.1.0.3:80 id 101 check inter 10000

backend switch_ipvANY
    mode http
    id 102
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server switch.domain.com 10.1.0.2:80 id 103 check inter 1000

backend sense_ipvANY
    mode http
    id 104
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /
    server sense.domain.com 10.1.0.1:80 id 101 check inter 10000
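
One way to handle the redirect described in the post, shown as an added example that is not part of the original post or its pfSense-generated config. It assumes the access point answers the login with an absolute `Location: http://ap.domain.com/...` header, and that the device may or may not honour `X-Forwarded-Proto`; both are assumptions, not confirmed behaviour of the Zyxel firmware.

```haproxy
# Added example (not from the original post): the ap backend with two extra
# rules so that a TLS-offloaded client is never sent back to cleartext HTTP.
backend ap_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /

    # Tell the device which scheme the client actually used. Whether this
    # firmware reads the header is an assumption; it is harmless if ignored.
    http-request set-header X-Forwarded-Proto https

    # Assumption: the device emits an absolute redirect to its own hostname
    # over http://. Rewrite only that case to https:// before it reaches the
    # browser. The pattern is anchored to the proxied hostname so redirects
    # pointing at any other host pass through unchanged.
    http-response replace-header Location ^http://ap\.domain\.com(/.*)?$ https://ap.domain.com\1

    server ap.domain.com 10.1.0.3:80 id 101 check inter 10000
```

To confirm the assumption before changing anything, inspect the response to the login request in the browser's network tab and check whether the `Location` header starts with `http://`.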