HAProxy and Red/Orange Network

Hi!

To use the orange network, one has to create some FW rules to redirect all incoming traffic to the orange network with source red, correct? At least this is what I’ve done so far for some months now and it works.

This single DNAT FW rule is just a forwarding for a specific port (e.g. 22222) from red to the (Raspberry Pi) server in orange network, port 80.

Now, when installing HAProxy and configure it as a reverse proxy, will the same FW rule apply or be needed as above. Or will I need a another FW rule or WOW what has to be done for this setup? Goal is to reach some NAS in the green network, running on port 443 and 80 and some more like 5000.

Michael

You will need two rules:

Sorry, for being unclear: HAProxy is running on IPFire itself and should be reached from the internet.

HAProxy as the reverse proxy, should be able to redirect the appropriate traffic to some NAS devices in green.

Mentioning the orange network was just an example for creating mandatory rules to reach the orange network from red. Hence, I assumed I have to setup similar rules to reach HAProxy on IPFire (from red interface).

So your answer may be correct because of my unclear details.
Nevertheless, are some FW rules necessary in my specific setup?

WWW -> IPFire (HAProxy) -> green -> NAS 1/NAS 2?

cu,
Michael

Got it, then you only need the rule that makes HA Proxy available on the internet. By default the IPFire box will be able to access anything on the green network, you can confirm that by opening a shell there and curl the NAS.

Unfortunately that’s the question I’m here for an answer :laughing:

I’ve not setup HAProxy properly or got it running at all, since I could not bind port 80 and/or 443 to HAproxy, obviously because IPFire itself is claiming them, but that’s another story.

Prior to properly configure HAProxy I would like to check the prerequisites for the Firewall itself.

So the question still is: which rule is necessary, how should a possible rule look like, e.g. source: red, target: ??? or is the source the public IP-address that I do not know exactly, because it may be changed by my provider…

Thanks,
Michael

So I believe this is the same problem as people trying to make the IPFire GUI available from the Internet, see for example this thread: https://forum.ipfire.org/viewtopic.php?t=21752

If it comes to ports, a simple solution would be to switch IPFire GUI to 81/444 (I believe that it’s even the default) so that HA Proxy can bind to 80/443.

Hi Nicolas,

…that’s why I’ve asked for a config file of HAProxy here because right now, when starting HAProxy I the following error:

[ALERT] 143/203259 (7282) : Starting frontend localhost: cannot bind socket [0.0.0.0:80]

My current haproxy.cfg is:

global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        nobody
    group       nobody
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend localhost
    bind *:80
    bind *:443
    mode http
    use_backend webdav if { hdr(host) -i webdav.mydomain.de }
    

backend webdav
    server webdav 192.168.6.96:80

I know that those settings are wrong, I even bet they are totally wrong hence my request for a basic haproxy.cfg in above link.

Michael