I am using HAProxy 2.6.15-446b02c on a physical OPNSense Firewall. Behind my firewall I have a Synology DS720+ NAS running DSM 7.2 Update 1 with Synology Drive.
Internet → WAN → HAProxy → LAN → Synology NAS
A few points:
- I am terminating SSL on the Synology NAS as it has the appropriate certificate from Let’s Encrypt
- HAProxy is configured as a TCP Proxy and not an HTTP Proxy
I am successfully able to use Synology Drive via Web App (https://drive.mydomain.com) and the iOS Client. Here is my current working HAProxy configuration:
```
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
    uid 80
    gid 80
    chroot /var/haproxy
    daemon
    stats socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread 1
    hard-stop-after 60s
    no strict-limits
    tune.ssl.default-dh-param 2048
    spread-checks 2
    tune.bufsize 16384
    tune.lua.maxmem 0
    log /var/run/log local0 info
    lua-prepend-path /tmp/haproxy/lua/?.lua

defaults
    log global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats

# Frontend: tcp_ssl (Public TCP Proxy for SSL)
frontend tcp_ssl
    bind *:443 name *:443
    mode tcp
    # logging options
    option tcplog
    # ACL: SSL Hello Type 1
    acl acl_64ecdbe5469700.73123026 req.ssl_hello_type 1
    # ACL: Synology Drive
    acl acl_64ea183266baa8.47947040 req.ssl_sni -i drive.mydomain.com
    # ACTION: Check SSL Hello Type
    tcp-request content accept if acl_64ecdbe5469700.73123026
    # ACTION: Add TCP Request Inspect Delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: Synology Drive
    use_backend tcp_synology if acl_64ea183266baa8.47947040

# Backend: tcp_synology (TCP to Synology)
backend tcp_synology
    # health checking is DISABLED
    mode tcp
    balance source
    server tcp_synology_drive drive.mydomain.com

# statistics are DISABLED
```
My issue is, I am trying to enable the PROXY support integration between HAProxy and Synology DSM so that way all connected clients display their actual public IP address vs. the HAProxy IP address. I have added the inside IP Address of HAProxy as a Trusted Proxy in Synology DSM (Control Panel → Security → Trusted Proxies).
In my HAProxy configuration I have tried adding `accept-proxy` to my frontend and `send-proxy` and `send-proxy-v2` to my backend. I have tried it with both options configured and then separately with just `send-proxy` enabled on the backend.
```
frontend tcp_ssl
    bind *:443 name *:443 accept-proxy
    mode tcp
    # logging options
    option tcplog
    # ACL: SSL Hello Type 1
    acl acl_64ecdbe5469700.73123026 req.ssl_hello_type 1
    # ACL: Synology Drive
    acl acl_64ea183266baa8.47947040 req.ssl_sni -i drive.mydomain.com
    # ACTION: Check SSL Hello Type
    tcp-request content accept if acl_64ecdbe5469700.73123026
    # ACTION: Add TCP Request Inspect Delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: Synology Drive
    use_backend tcp_synology if acl_64ea183266baa8.47947040

# Backend: tcp_synology (TCP to Synology)
backend tcp_synology
    # health checking is DISABLED
    mode tcp
    balance source
    server tcp_synology_drive drive.mydomain.com send-proxy
```
I am wondering if anyone has been able to successfully implement this with Synology? Or, is this feature only available on HAProxy Enterprise? Thank you for your help.
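
Added example (not part of the original post, and not HAProxy or Synology code): a Python sketch of what a receiver sees on the wire when `send-proxy` is set, which prepends a PROXY protocol v1 text line ahead of the TLS ClientHello, while `accept-proxy` makes a listener require such a header from whoever connects to it. The function names, addresses and trusted-proxy set are assumptions for illustration; only v1 is parsed, and the header is honoured only from a trusted peer.

```python
import ipaddress

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature

def parse_proxy_v1(data):
    """Parse 'PROXY TCP4|TCP6 src dst sport dport\\r\\n'; return (src, sport, rest)."""
    end = data.find(b"\r\n", 0, 107)  # a v1 line is at most 107 bytes with CRLF
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no PROXY v1 header at start of stream")
    parts = data[:end].decode("ascii").split(" ")
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 line")  # e.g. 'PROXY UNKNOWN'
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if {src.version, dst.version} != {int(parts[1][3])}:
        raise ValueError("address family does not match header")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport, data[end + 2:]

def classify(first_bytes):
    """Name what the first bytes of a new connection look like."""
    if first_bytes.startswith(V2_SIG):
        return "proxy-v2"
    if first_bytes.startswith(b"PROXY "):
        return "proxy-v1"
    if first_bytes[:1] == b"\x16":  # TLS handshake record (ClientHello)
        return "tls"
    return "unknown"

def client_address(peer_ip, first_bytes, trusted_proxies):
    """Return (kind, address to log, bytes left for the TLS stack)."""
    kind = classify(first_bytes)
    if kind.startswith("proxy"):
        if peer_ip not in trusted_proxies:
            raise ValueError("PROXY header from untrusted peer")
        if kind == "proxy-v2":
            raise ValueError("binary v2 header: not parsed in this example")
        src, _sport, rest = parse_proxy_v1(first_bytes)
        return kind, src, rest
    return kind, peer_ip, first_bytes

# Constructed sample data (documentation addresses, truncated ClientHello).
HELLO = b"\x16\x03\x01\x02\x00\x01"
WITH_HEADER = b"PROXY TCP4 203.0.113.7 192.168.1.10 51514 443\r\n" + HELLO
TRUSTED = {"192.168.1.1"}  # hypothetical inside address of the proxy

if __name__ == "__main__":
    print(client_address("192.168.1.1", WITH_HEADER, TRUSTED))
    print(client_address("192.168.1.1", HELLO, TRUSTED))
```

A receiver that hands `WITH_HEADER` straight to its TLS stack sees the text line instead of a handshake record, and a listener that requires the header rejects a client that opens with `HELLO` directly.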