I am having trouble with the following:

I am setting up an HAProxy load balancer on CentOS 7 behind a firewall. The firewall on the HAProxy server as well as the outside firewall are configured so that the necessary ports can be accessed. Everything is working fine on the internal network. By this I mean that typing in the IP of the HAProxy server on another internal server will take you to the correct site.

The problem is that trying to access the site externally is not working. For example, typing in domainname.com first goes through the firewall but is not being correctly redirected by the proxy server.

not working
domainname.com -----> firewall ---->haproxyip----> haproxy -----> site

working (from other server on internal network)
haproxyip ----> haproxy -----> site

This is what the config file for haproxy looks like if interested.

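frontend main
    # Listen for plain HTTP and for TLS (certificate and key in one PEM file)
    bind *:80
    bind *:443 ssl crt /cerfilepath/cert.pem
    # Send any request that did not arrive over TLS to HTTPS
    redirect scheme https if !{ ssl_fc }
    # The keyword is a single word: default_backend
    default_backend app

backend app
    balance roundrobin
    server app1 xxx.xx.xxx.xx:port
    server app2 xxx.xx.xxx.xy:port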

Through research it appears that most HAProxy setups are not placed behind a firewall. Unfortunately this is not an option in my situation. Any help would be appreciated. Thanks!

jp12345

1 Answer

There is no difference in haproxy configuration. If you're having problems with being behind a firewall, then the issue is likely with your firewall. Specifically in your case, I bet it's a problem with either your NAT rules or your firewall doesn't allow internal users to access resources via the external IP.

longneck
  • Thanks for the response. The only reason I thought it was a problem with the haproxy config was because there are several other servers running behind the firewall that can be accessed externally. – jp12345 Jun 17 '16 at 18:30
  • I would still blame the firewall first. Firewalls tend to fall into two categories: those where hair-pinning just works for everything, and those where it has to be explicitly defined where needed. In your case, it's probably not enabled for this host/service. (And the ugly third category: no hair-pinning is ever possible.) – longneck Jun 17 '16 at 18:39
  • Doesn't sound like the question involves hairpinning to me, but it's ambiguous. It sounds like the resources are not accessible via outside requests coming in, in which case you're still correct... not likely an haproxy issue, unless of course the proxy server has no default gateway, heh, or a default route to the wrong place... still not an haproxy issue but a networking issue. – Michael - sqlbot Jun 18 '16 at 03:07