HAProxy on VLAN port 80

I’m trying to configure HAProxy on my SERVERs VLAN to expose services locally.
The problem I have is that port 80/443 are already used by the firewall web interface.
Even if I create a new virtual IP this seems to be automatically bound to the web interfaces too.

Is there a way to create an IP which I can use for HAProxy that will listen on port 80/443 without conflicting with the firewall?

I figured I could create yet another VLAN and just disable the firewall from listening on this, but this seems like an overly cumbersome way to go about it.

Move the interface binding for the firewall web interface to another port and disable the port 80 redirect.

Making HAProxy listen on different ports and then adding a NAT rule to forward ports 80 and 443 on a virtual IP to the HAProxy ports might work.

Thanks. I tried this, but because each virtual IP is automatically being bound to the firewall it seems to listen on 80/443, which causes HAProxy to fail.

I think Tom's solution is the one that would work.

However, having looked a little closer I wonder if NAT is the issue. I have a NAT with destination “this firewall”. I wonder if this includes my virtual IPs and if I disable this rule only explicit IPs will respond.

So looking at the way it works, the webUI is bound to an interface(s), and it appears that an IP bound to the same interface also responds with the webUI.

I think the simplest solution would be either to change the port, or I could disable the webUI on that particular interface (e.g. only listen on LAN).

I note that OPNsense has an option for “allow service binding”.