To use the orange network, one has to create some FW rules to redirect all incoming traffic to the orange network with source red, correct? At least this is what I’ve done so far for some months now and it works.
This single DNAT FW rule is just a forwarding for a specific port (e.g. 22222) from red to the (Raspberry Pi) server in orange network, port 80.
Now, when installing HAProxy and configuring it as a reverse proxy, will the same FW rule as above apply or be needed? Or will I need another FW rule, or WOW, what has to be done for this setup? The goal is to reach some NAS in the green network, running on ports 443 and 80 and some more like 5000.
Sorry, for being unclear: HAProxy is running on IPFire itself and should be reached from the internet.
HAProxy as the reverse proxy should be able to redirect the appropriate traffic to some NAS devices in green.
Mentioning the orange network was just an example for creating mandatory rules to reach the orange network from red. Hence, I assumed I have to set up similar rules to reach HAProxy on IPFire (from the red interface).
So your answer may be correct because of my unclear details.
Nevertheless, are some FW rules necessary in my specific setup?
Got it, then you only need the rule that makes HAProxy available on the internet. By default the IPFire box will be able to access anything on the green network; you can confirm that by opening a shell there and curling the NAS.
Unfortunately, that’s the question I’m here to get an answer to.
I’ve not set up HAProxy properly or got it running at all, since I could not bind port 80 and/or 443 to HAProxy, obviously because IPFire itself is claiming them, but that’s another story.
Prior to properly configuring HAProxy I would like to check the prerequisites for the firewall itself.
So the question still is: which rule is necessary, what should a possible rule look like, e.g. source: red, target: ???, or is the source the public IP address that I do not know exactly, because it may be changed by my provider…
If it comes to ports, a simple solution would be to switch the IPFire GUI to 81/444 (I believe that it’s even the default) so that HAProxy can bind to 80/443.
```
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.*    /var/log/haproxy.log
    #
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        nobody
    group       nobody
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend localhost
    bind *:80
    # NOTE: without "ssl crt <certificate.pem>" this listener speaks plain HTTP on 443
    bind *:443
    mode http
    use_backend webdav if { hdr(host) -i webdav.mydomain.de }

backend webdav
    server webdav 192.168.6.96:80
```
I know that those settings are wrong, I even bet they are totally wrong, hence my request for a basic haproxy.cfg in the above link.
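For comparison, here is an added haproxy.cfg example for the setup described in this thread (HAProxy on IPFire, TLS terminated on the firewall, host-based routing to devices in green); it is not the poster's config nor anything shipped by IPFire or HAProxy. The certificate path, the hostnames, the green addresses and the NAS port assignment are assumptions to be replaced with your own values.

```haproxy
global
    log /dev/log local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user nobody
    group nobody
    daemon
    stats socket /var/lib/haproxy/stats mode 600 level admin

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option forwardfor except 127.0.0.0/8
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-request 10s

frontend public
    # Plain HTTP listener only exists to push clients to HTTPS.
    bind *:80
    # TLS termination; the PEM must contain the certificate chain and the key
    # (assumed path, not on this page). Requires IPFire's GUI moved off 443.
    bind *:443 ssl crt /etc/haproxy/certs/mydomain.pem
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Tell the backends the client really used HTTPS.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # Route by Host header only; anything unknown gets a 503 instead of a NAS.
    acl host_nas    hdr(host) -i nas.mydomain.de
    acl host_webdav hdr(host) -i webdav.mydomain.de
    use_backend nas    if host_nas
    use_backend webdav if host_webdav

backend nas
    # Assumed NAS address in green; port 5000 is one of the ports mentioned above.
    # Health check removes the server from rotation when the NAS is down.
    option httpchk GET /
    server nas1 192.168.0.50:5000 check

backend webdav
    # Address taken from the posted config; HAProxy can reach green without extra rules.
    server webdav 192.168.6.96:80 check
```

Only the firewall rule allowing red to reach ports 80 and 443 on the IPFire box itself is needed on top of this; the backends in green are reached by HAProxy directly, as described above.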