How to configure HAProxy pfSense? Read the article to learn more. As part of our pfSense Support Services, Bobcares provides answers to all of your questions.
Overview
An Introduction to HAProxy pfSense Configuration
pfSense is a free and open-source firewall that we can set up on a home network. It works really well, and I have been using it for a while as a pretty stable firewall. Some enterprise users run pfSense as their principal firewall, although official pfSense firewall hardware and Netgate support are preferable for enterprise networks.
In this blog, we will discuss the pfSense firewall’s web server load-balancing capability and use three HTTP web servers on the pfSense LAN side to demonstrate it.
HAProxy is a free program that distributes incoming traffic across servers and checks that those servers are available, which keeps websites up and running properly. It works with standard web pages as well as other internet services. It can also run on an ordinary Linux machine instead of a specialized firewall such as pfSense.
HAProxy has two main parts: the front end and the back end. The front end faces outward and waits for user requests. The back end is our own servers, which host the real website or service. We configure the front end to pass requests to the back-end servers. In this article, we’ll examine how to configure HAProxy on the well-known firewall pfSense. Our setup is as follows:
Three web servers sit on the LAN side of pfSense, all running Apache on port 80. Round-robin load balancing will be applied across all three web servers. We have no trouble accessing the web services from the LAN side. We will set up pfSense HAProxy load balancing so that external users can reach the web servers through the pfSense firewall.
Installation
Unlike load balancing, which is available by default, the HAProxy service must be installed on the pfSense firewall as a separate package. Go to System –>Package Manager to obtain the HAProxy package. If HAProxy is already installed, it will be listed on the Installed Packages page. If it is not, click Available Packages, which lists every package that is compatible with pfSense. Search for the HAProxy package, then click Install and confirm.
The package will appear on the Installed Packages page a few seconds after installation.
Setup Steps
Load Balancing Setup
We will now set up HAProxy load balancing for our three web servers, which serve HTTP. Go to Services –>HAProxy. The load balancing option, located directly below the server list, needs to be configured at this point.
Other options exist, but we’ll use the round-robin method, a common load-balancing technique that loads the back-end servers equally.
Based on the needs, we can select a variety of solutions. Although we can adjust the ACL (access control lists), actions, and timeout/retry settings further, we’ll stick with a basic setup.
Backend Server Setup
1. We will start by configuring the back-end servers, which are the web servers 1, 2, and 3 that are virtual servers on my LAN.
2. Select the tab for the back end. It will be blank.
3. In order to specify the back-end servers, click Add.
4. Now, complete the required name field as a user-friendly name. Here, it is http_web_server_pool1.
5. To add servers one at a time, click the “Add Server” button beneath the list of servers. The following are the fields that must be filled in.
Mode: Active
Name: web1
Address: 10.1.1.11
Port: 80
6. The next server can then be added using the add button located on the bottom left. Fill in the fields for the second server as shown below.
Mode: Active
Name: web2
Address: 10.1.1.12
Port: 80
7. Click the add button once again to add the last server. Fill in the fields for the third server as follows:
Mode: Active
Name: web3
Address: 10.1.1.13
Port: 80
8. To keep track of our backend servers’ health, we’ll use health-checking options. This helps us know if our servers are working properly. We’ll use HTTP as the method because it checks servers using the web protocol. We can also enable Log checks, so if a web server goes down, it’ll create a log. For the health check method, select HTTP and set it to GET.
9. Just save these settings, and now our backend servers will show up in pfSense.
But why are they greyed out? It’s because we haven’t connected them to the front end yet. We’ll do that next.
Frontend Setup
1. To set up the front end, select the Front-end tab and then click the Add button.
2. Edit the front end of HAProxy.
Name: http_access
Description: To provide http access to web1,2 and 3
Status: Active
External address: Keep the default settings
Listen address: WAN address (ipv4)
Port: 80
This setting makes the front end listen on port 80 of that address.
Linking Backend & Frontend
Scroll down to the access control lists and actions section. Under Default back-end, select the recently built back-end servers from the dropdown menu, then click Save to save the changes.
pfSense HAProxy Settings Setup
Once we’ve set up the front end, head to the settings tab in the HAProxy configuration. Here, we’ll enable HAProxy by checking the box that says “enable HAProxy.” Set the maximum connections per process to 1000.
Scroll down to the Stats tab and choose an internal stats port. We can pick any available port, like 2000. It’s up to the user which port number they want to use. Keep other settings as default and click Save. We’ve now configured load balancing for HTTP traffic. Next, we need to allow external users to access our web servers.
Security Policy Setup
We can grant the web server access from a single, reliable public IP address. But we must exercise caution whenever we allow something external to connect to the inside. Before permitting access, especially from a big subnet or permitting any connection, we must take the required precautions.
The Demilitarized Zone (DMZ) is where web servers are typically located, so we should point the policy there and keep it apart from the local area network. The internal network will remain more secure as a result. Follow these steps:
1. Select Firewall, Rules, and WAN.
2. To add a new policy, click add.
3. Edit firewall Rule.
Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: TCP
4. As the Source, we must add the IP address of the Windows machine (Test PC IP). If the source is located somewhere else than where we are, we will probably need to obtain the remote’s public IP address and enter it here.
5. For Destination, we must add the below fields:
Destination: WAN address
Destination port range: HTTP(80)
6. We may log the session if we want to and click on Save.
Testing
Now, let’s test our load balancing service on pfSense. Before we start, let’s check the stats table. We should see all the web servers showing green, indicating they’re healthy and ready to handle requests. To access the stats table, go to the HAProxy configuration window. We can view the stats on the same screen or on a full screen. Right-click on the Stats FS and select “open link in new tab.” This will open the stats table in a new tab.
Now, access the web page. Use the firewall’s outside IP address. The first request will go to web1, the second to web2, and so on. Each time we access the web page, it’ll go to a different virtual server on the LAN side. This shows that our load balancing is working as expected.
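An added example (not part of the original article, and not pfSense or HAProxy code): a Python check for the two tests above, which reads HAProxy's stats in CSV form and reports any back-end server that is not UP or whose session total has drifted from an even round-robin split. The CSV sample is constructed and trimmed to the columns used; fetching it by appending ;csv to the HAProxy stats URI is an assumption about how the stats page is reached in this setup.

```python
import csv
import io

# Constructed sample of HAProxy's stats CSV export, trimmed to the columns
# used below (the real export has many more). Names match this article.
SAMPLE_CSV = """\
# pxname,svname,scur,stot,status,
http_access,FRONTEND,0,9,OPEN,
http_web_server_pool1,web1,0,3,UP,
http_web_server_pool1,web2,0,3,UP,
http_web_server_pool1,web3,0,3,UP,
http_web_server_pool1,BACKEND,0,9,UP,
"""

def parse_stats(text):
    """Return one dict per row, keyed by the CSV header names."""
    lines = text.strip().splitlines()
    lines[0] = lines[0].lstrip("# ")  # the header line starts with "# "
    return list(csv.DictReader(io.StringIO("\n".join(lines))))

def check_backend(rows, backend, expected, max_skew=1):
    """List problems: missing or unhealthy servers, uneven round-robin."""
    servers = {r["svname"]: r for r in rows
               if r["pxname"] == backend
               and r["svname"] not in ("FRONTEND", "BACKEND")}
    problems = []
    for name in expected:
        row = servers.get(name)
        if row is None:
            problems.append(f"{name}: not in backend {backend}")
        elif row["status"] != "UP":
            # "DOWN", "MAINT" and transitional states such as "UP 1/3"
            # all mean the green state described above is not met.
            problems.append(f"{name}: status {row['status']}")
    up = [int(r["stot"]) for r in servers.values() if r["status"] == "UP"]
    if up and max(up) - min(up) > max_skew:
        problems.append(f"uneven session totals across UP servers: {sorted(up)}")
    return problems

if __name__ == "__main__":
    rows = parse_stats(SAMPLE_CSV)
    issues = check_backend(rows, "http_web_server_pool1", ["web1", "web2", "web3"])
    print("OK" if not issues else "\n".join(issues))
```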
Conclusion
In conclusion, setting up HAProxy on pfSense makes effective load balancing and high availability possible for TCP/HTTP services. Optimizing web server performance and improving network security can be achieved by setting up the front end and back end, keeping an eye on server health, and permitting restricted external access.