HAProxy in pfSense as a Reverse Proxy

I run a virtualized Nextcloud server on my home server and it has its own domain that is forwarded to my home IP. While playing with Nextcloud, I ran across OnlyOffice and set up another virtual server running the OnlyOffice Document Server. The problem that I ran into is that pfSense redirected incoming traffic to my home IP only to the Nextcloud server and I didn’t have a method for forwarding traffic to the OnlyOffice server on its own subdomain. Basically I wanted:

myserver.com -> Nextcloud 10.1.10.10

onlyoffice.myserver.com -> OnlyOffice 10.1.10.11

Since I’m not really an expert on this, I didn’t know that a reverse proxy is what I needed to make this happen.  After digging a little I found that pfSense has HAProxy and that can take the incoming traffic to the home IP and analyze if it was intended for myserver.com or onlyoffice.myserver.com and forward it to the correct server on my network.

Forwarding Subdomains in 1&1

I use 1&1 for my web hosting and registering my domain names.  They allow 9,999 subdomains which should be enough!  If you use a different service, they probably have similar instructions for creating and forwarding subdomains.

Log in to 1&1 and select Domains

On the domain you wish to make a subdomain for, click the three dots to the side for more options and select Manage Subdomains

On the right side, click Add subdomain

Give your new subdomain a name and click Save

In the list of subdomains, click the three dots to the right of your new subdomain for more settings and select Adjust Destination

Select DNS Settings

In the A Record area select Other IP address and write in your destination IP (this was my home IP that pfSense is the firewall for) and then click Save

Now if you check your DNS at https://www.whatsmydns.net/ you should see the IP you just inputted begin to show. I’ve found that this takes a few minutes to start showing up and some servers can take a few hours to show the correct IP.

If you have any other subdomains, set them up the same way, all pointing to your home server’s IP.

Setting up HAProxy in pfSense

Now that the subdomains are being routed to your firewall, we need to get pfSense to route them to the correct server.

Log into pfSense and select System and Package Manager

Find the HAProxy package and install it

After installing you can open it under Services and HAProxy

Under Settings check the box to Enable HAProxy

Scroll down to Stats tab and enter a random port number (I used 444 and that worked fine)

Configuring the Frontend

I defined two Frontends, one for http traffic and one for https traffic.  Anything that comes over http is redirected to https and then to whatever backend is defined.

HTTP Frontend

Create a new frontend and name it Frontend-1-http (or choose something else), have it listen to WAN address on port 80 and set the type to http/https

For each domain and subdomain you want to accept, add an ACL: name it “httpRedirectACL”, choose Host matches, and then enter the domain or subdomain you want

Under Actions, select “http-request redirect” and set the condition to “httpRedirectACL” and under rule type “scheme https” and click Save

HTTPS Frontend

Create another frontend and name it Frontend-2-https (or choose something else), have it listen to WAN address on port 443 and set the type to ssl / https

For each domain and subdomain you want to accept, add an ACL: name it “ServerNameSNI”, choose “Server Name Indication TLS extension matches:”, and then enter the domain or subdomain you want

Under Actions, select “Use Backend” and set the condition to each ACL server name you made in the step above, and under each backend select the backend server you want (you haven’t made a backend yet so leave this blank and come back to it after the next step) and click Save

Configuring the Backend

Each server that traffic will be routed to is defined as a Backend.

For each server, give the backend a name with the prefix Backend-1-, and under Server list choose active, give it the same name minus the prefix, input the local IP and port you want, and select SSL

After inputting all your servers you can go under the Stats tab and each server should be listed as green and showing UP.  Now go in your browser and try each domain and subdomain and it should take you to each server.
