pfSense/HAProxy - a little help

I followed your video on this setup and I have several sites working but I have one site I’m trying to reverse proxy and I’m getting a weird error that I don’t understand. The backend is a zimbra collaboration server community edition self-hosted. It has an SSL Let’s Encrypt cert on it and everything is working via another of my public IPs and a different hostname. Now I’m trying to set it up through haproxy with a new hostname (which is pointed to my proxy public IP) and I’m getting “too many redirects” currently - this is different than what I had yesterday. Yesterday I was getting something about http vs https.

So I have the frontend set up to accept connections on port 443 and this ACL I have it on host matches and I put in my new hostname - let’s call it mail.example.com. (the working one on the other public ip is zimbra.example.com).

I have it set to use the backend called mail which I have set up as: address+port on port 443 and I have the encrypt(SSL) box checked.

My mail server is set up to automatically redirect port 80 to port 443 and that is an internal zimbra setting which I can turn off (and I tried it). I also have haproxy set up with a port 80 redirect rule. Thing is when I am trying to access it I’m going directly to the https url which in theory shouldn’t be redirecting at all and I am getting that too many redirects.

Zimbra also has a proxy built in and port 443 reverses to 8443 internally. I can access the web client internally on port 8443 so I also tried that in haproxy - still didn’t work. (too many redirects)

I did your openssl test in the troubleshooting video and I am getting served up the let’s encrypt certificate.

I am thinking it has something to do with Zimbra’s own proxy but I’m not sure on that.

Any ideas would be appreciated! :slight_smile:
Thanks,
Rich

too many redirects

This means that:

  1. You access haproxy on your browser, haproxy says HTTP 301 (permanent redirect) or 302 (non-permanent redirect) to https:// example com. Your browser then goes to https:// example com, where it gets a 301 or 302 to https:// example com/foobar.html. Then your browser accesses that and gets a 301 or 302 to https:// example com, which then sends you to https:// example com/foobar.html, at which point your browser will throw this “too many redirects” error.

You should check the haproxy logs - most likely something like tail -f /var/log/syslog or journalctl -f.

So I have the frontend set up to accept connections on port 443 and this ACL I have it on host matches and I put in my new hostname - let’s call it [mail example com](http:// mail example com). (the working one on the other public ip is [zimbra example com](http:// zimbra example com)).

I read this sentence three times and don’t get it. Can you please rephrase it?

I have it set to use the backend called mail

99% sure you refer to a haproxy backend configuration.

I have set up as: address+port on port 443 and I have the encrypt(SSL) box checked

box? do you use a graphical haproxy frontend for configuring haproxy?

I also have haproxy set up with a port 80 redirect rule.

I think what you have is you access https:// mail example com, which establishes httpS with your browser, and then your haproxy sends a plain text request to zimbra, which is confused and returns a 301 to httpS.

I did your openssl test in the troubleshooting video and I am getting served up the let’s encrypt certificate.

Nah, that’s MOST likely not it. Your ssl certs should be fine if you use letsencrypt, hard to misconfigure that.

I am thinking it has something to do with Zimbra’s own proxy but I’m not sure on that.

I think it’s zimbra talking to haproxy being confused that it gets requests without httpS.

Can you please paste me your complete haproxy config and maybe a few lines of its log files (both zimbra’s nginx(?) (or does it use apache?) and haproxy)

PS: I’m new here and have some issues posting links (to example com x) hence I put a space behind the http:// and https:// and removed the dots in the domains. Please ignore that.
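An added example, not part of any post in this thread: a hop-by-hop redirect tracer that records each status and Location header instead of following them blindly, so the cycle described in the reply above becomes visible. The `SAMPLE` responses and the `mail.example.com` paths are constructed for illustration; pass the default `fetch_once` to query a real host.

```python
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECTS = {301, 302, 303, 307, 308}

def fetch_once(url, timeout=5):
    """Issue one GET without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(start_url, fetch=fetch_once, max_hops=20):
    """Follow redirects hop by hop; return (hops, verdict).

    hops is a list of (url, status, location); verdict is "ok", "loop"
    (a URL was visited twice) or "too-long" (max_hops reached).
    """
    hops, seen, url = [], set(), start_url
    for _ in range(max_hops):
        if url in seen:
            return hops, "loop"
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status, location))
        if status not in REDIRECTS or not location:
            return hops, "ok"
        url = urljoin(url, location)  # Location may be relative
    return hops, "too-long"

# Constructed responses reproducing the loop described in the reply above.
SAMPLE = {
    "https://mail.example.com/": (302, "/foobar.html"),
    "https://mail.example.com/foobar.html": (301, "https://mail.example.com/"),
}

def sample_fetch(url):
    """Offline stand-in for fetch_once, backed by the constructed SAMPLE table."""
    return SAMPLE.get(url, (200, None))
```

Running the tracer once against the proxy hostname and once against the backend directly shows which hop first sends the browser back to a URL it has already visited.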

I am using pfSense haproxy graphical frontend so this would make more sense if you saw the interface. The second part is that I have my mail server working without the proxy on [zimbra example com]

Yes, this is part of the haproxy interface for pfSense

Not sure how to do that with pfSense.

I am the same - I’m not sure why they put that limitation on a technical support forum.

Ah - then I’m very sorry, but without the configs I can’t really help.

You might try something like this:

apt install locate
updatedb
locate haproxy.cfg

And then paste this file. This file would be what you edit when you use the WebUI.

I’m not very familiar with pfsense, I have to say, but I can debug a haproxy config.

I will need logs though - if you google “pfsense where are the logfiles” you should find those though.

I am the same - I’m not sure why they put that limitation on a technical support forum.

I just signed up, I think after a few posts it works. Let me try: best search engine - except if you use more than two keywords x)

jup, works now. should work for you too then.