Haproxy passthrough for split DNS

Hi all,

I hope you can help me with an issue I am having with a haproxy implementation. I am not sure whether it is a haproxy issue or an OpenWRT issue/misconfiguration.
I have haproxy 2.0 running on an OpenWRT 19.07.6 router (192.168.1.1) with several dockerized servers being served under different domains via a dockerized NGINX available at 192.168.1.106:9443.

The servers are available at:

cucumber.mydomain.com > 192.168.1.106:1001
carrot.mydomain.com > 192.168.1.106:1002
apple.mydomain.com > 192.168.1.106:1003

The NGINX instance is terminating the SSL, with the backend servers running plain HTTP, and I would like to keep it like that, with haproxy used in passthrough mode for “split DNS” functionality.
I have port forwarding on OpenWRT external :443 to internal :9443 to the NGINX.
I can perfectly reach all my servers from outside and also from inside, but the moment I cut the internet, I cannot reach them anymore from inside (well, from outside either :) ).

My goal is to be able to reach the servers by domain, e.g. https://cucumber.mydomain.com, even when there is no internet, but I cannot make it work. I have enabled TCP mode for passthrough as per the config below, but no joy. Haproxy stats show no matches to the backend, just the front-end.

This is my haproxy config:

global
    log 192.168.1.106:514 daemon debug
    maxconn 5000
    ulimit-n 65535
    # runs as root; a dedicated unprivileged user/group is the usual choice
    uid 0
    gid 0
    daemon
    nosplice
    # 'debug' (same as -d) dumps all exchanges to stdout and keeps the process in
    # the foreground; remove it once troubleshooting is done
    debug

defaults
    timeout connect 5000ms
    mode tcp
    option tcplog
    log global
    timeout client 5000ms
    timeout server 5000ms

#stats webpage

listen stat_page
    bind *:8444 ssl crt /etc/ssl/private/haproxy/haproxy.pem
    mode http
    # this listener is HTTP, so httplog rather than tcplog
    option httplog
    stats enable
    stats uri /stats
    stats realm HA_Stats
    # default-looking credentials reachable from the LAN; change them
    stats auth admin:admin

#proxy traffic listener

listen main_https_listen
    bind 192.168.1.1:443
    #Luci is running on 192.168.1.1:8443 so no overlap
    mode tcp
    # buffer the client data for up to 5s until a TLS ClientHello (type 1) is seen,
    # otherwise req_ssl_sni has nothing to inspect
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl cucumber req_ssl_sni -i cucumber.mydomain.com
    # route on the named ACL; an anonymous ACL needs "}" as a separate word,
    # i.e. a space before the closing brace
    use_backend bk_cucumber if cucumber

backend bk_cucumber
    mode tcp
    timeout connect 50000ms
    timeout server 30000ms
    server nginx 192.168.1.106:9443 check

listen local_health_check
    bind :60000
    mode health


As per the logs, I see:

main_https_listen main_https_listen/ -1/-1/49 0 SC 2/1/0/0/0 0/0

which points to a disconnect between haproxy and nginx.

I have already asked for help in the haproxy forum, but since the config is correct and should work because it is pretty standard, I suspect I might be missing something on the OpenWRT end.

Thank you
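To read a tcplog line like the one quoted above, here is an added Python example (my code, not from the original post and not part of HAProxy). It splits out the backend/server, the three timers and the two-letter termination state and reports whether the session ever reached a server. The first sample line is the one quoted in the post; the second is constructed to show what a successful SNI match would log with the post's backend bk_cucumber and server nginx (its client address and timestamp are made up).

```python
"""Decode HAProxy 'option tcplog' lines: did the session reach a backend server?"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Termination-state letters as documented in the HAProxy manual (section 8.5,
# "Session state at disconnection"). First letter: cause. Second: phase.
CAUSE = {
    "-": "normal completion",
    "C": "client aborted the TCP session",
    "S": "server aborted, refused or was unreachable",
    "P": "proxy refused or killed the session (ACL, limit, invalid request)",
    "R": "proxy resource exhaustion",
    "I": "internal error in the proxy",
    "D": "killed because the server was marked DOWN",
    "U": "killed because a server was marked UP",
    "K": "killed by an administrator",
    "c": "client-side timeout",
    "s": "server-side timeout",
}
PHASE = {
    "-": "after the end of data transfer",
    "R": "while waiting for the client request (tcp-request inspect-delay)",
    "Q": "while queued for a server connection slot",
    "C": "while connecting to the server",
    "H": "while waiting for server response headers",
    "D": "during data transfer",
    "L": "while sending the last data to the client",
    "T": "while tarpitted",
}


@dataclass
class TcpLogEntry:
    frontend: str
    backend: str
    server: Optional[str]  # None when HAProxy never selected a server
    tw_ms: int             # time spent in queues; -1 = never queued
    tc_ms: int             # time to connect to the server; -1 = never connected
    tt_ms: int             # total session time
    bytes_read: int
    term_state: str        # two letters, e.g. "SC"
    retries: int

    @property
    def routed_to_server(self) -> bool:
        """True only if a server was chosen and the connect actually happened."""
        return self.server is not None and self.tc_ms >= 0

    def explain(self) -> str:
        cause = CAUSE.get(self.term_state[0], "unknown cause")
        phase = PHASE.get(self.term_state[1], "unknown phase")
        where = (f"server '{self.server}' of backend '{self.backend}'" if self.server
                 else f"backend '{self.backend}' with no server selected")
        return f"{cause} {phase}; {where}; {self.bytes_read} bytes read"


def parse_tcplog(line: str) -> TcpLogEntry:
    """Parse the last seven whitespace-separated fields of a tcplog line.

    Those seven fields are the same whether the line still carries its syslog
    prefix, client address and accept date, or has been trimmed to the tail
    quoted in the post, so both forms parse."""
    fields = line.split()
    if len(fields) < 7:
        raise ValueError(f"not a tcplog line: {line!r}")
    frontend, be_srv, timers, nbytes, term, conns, _queues = fields[-7:]
    backend, _, server = be_srv.partition("/")
    # HAProxy writes "<NOSRV>" when no server was picked; a web page rendering
    # the log as HTML may swallow that token and leave the field empty.
    if server in ("", "<NOSRV>"):
        server = None
    tw, tc, tt = (int(x) for x in timers.split("/"))
    retries = int(conns.split("/")[4])  # actconn/feconn/beconn/srv_conn/retries
    if len(term) != 2:
        raise ValueError(f"unexpected termination state: {term!r}")
    return TcpLogEntry(frontend=frontend, backend=backend, server=server, tw_ms=tw,
                       tc_ms=tc, tt_ms=tt, bytes_read=int(nbytes), term_state=term,
                       retries=retries)


# Constructed sample lines. The first is the one quoted in the post; the second
# shows what a successful SNI match would look like with the post's backend
# 'bk_cucumber' and server 'nginx' (client address and timestamp are made up).
SAMPLE_LINES = [
    "main_https_listen main_https_listen/ -1/-1/49 0 SC 2/1/0/0/0 0/0",
    "Jan  1 00:00:00 router haproxy[1234]: 192.168.1.50:51234 "
    "[01/Jan/2021:00:00:00.000] main_https_listen bk_cucumber/nginx "
    "1/0/812 4533 -- 2/1/1/1/0 0/0",
]


def diagnose(lines: List[str]) -> List[Tuple[bool, str]]:
    """(routed_to_server, explanation) for each line."""
    out = []
    for line in lines:
        entry = parse_tcplog(line)
        out.append((entry.routed_to_server, entry.explain()))
    return out


if __name__ == "__main__":
    for routed, text in diagnose(SAMPLE_LINES):
        print("routed    " if routed else "NOT routed", text)
```

On the quoted line the server field is empty, Tc is -1 and the state is SC: no server was ever connected to, and the session ended in the listener's own backend (main_https_listen) rather than in bk_cucumber, which matches the stats page showing frontend hits only. A session that did match the SNI rule would log bk_cucumber/nginx with a non-negative Tc.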

Are you maybe missing something like this in your dhcp config?

# /etc/config/dhcp: answer these names locally instead of forwarding them upstream
config dnsmasq
        list address '/cucumber.mydomain.com/192.168.1.106'
        list address '/carrot.mydomain.com/192.168.1.106'
        list address '/apple.mydomain.com/192.168.1.106'

Hello,
This may be a DNS issue. Does the hostname cucumber.mydomain.com resolve to the IP address when WAN is disconnected? If the DNS response of cucumber.mydomain.com resolves to the previous public IP address of the router (say, 12.34.23.1), OpenWRT will not respond to requests to 12.34.23.1 because the interface is down.

I have port forwarding on OpenWRT external :443 to internal :9443 to the NGINX.

You mean that HAProxy is used only for handling requests from the internal network, not ones from the Internet? Is it used only to make sure that cucumber.mydomain.com is reachable from the internal network? Well, I think that this could be done much more simply without HAProxy, with only some iptables rules or possibly with fw3.

I mean something like this:

# DNAT in PREROUTING: rewrite traffic for <public IP>:443 to the NGINX host before routing
iptables -t nat -A PREROUTING --destination $PUBLIC_IP -p tcp --dport 443 -j DNAT --to-destination 192.168.1.106:9443
bind 192.168.1.1:443

Is this configured in this manner, because another service is listening on the public IP of the router?

Greetings,
Mateusz
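Both replies above come down to one question: does the router's DNS hand LAN clients a LAN address for these names once the WAN is gone? Here is an added Python check (my example, not code from the thread): it resolves each name, flags answers that fall outside the LAN, and emits the uci commands that add the dnsmasq address overrides from the earlier reply. It assumes a 192.168.1.0/24 LAN and, as an assumption of mine, uses the HAProxy listener 192.168.1.1 as the override target so the SNI routing stays in play (use 192.168.1.106 instead if clients should hit NGINX directly). The resolver is injectable, and the sample answers are constructed, so the logic runs offline.

```python
"""Check split-DNS answers and emit the OpenWrt dnsmasq overrides for names that leak the public IP."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Assumptions taken from the thread: the LAN is 192.168.1.0/24 and the router,
# which runs the HAProxy SNI listener, is 192.168.1.1. OVERRIDE_TARGET is my
# choice, not the thread's: the earlier reply pointed the names at 192.168.1.106.
LAN = ipaddress.ip_network("192.168.1.0/24")
OVERRIDE_TARGET = "192.168.1.1"
NAMES = ["cucumber.mydomain.com", "carrot.mydomain.com", "apple.mydomain.com"]

Resolver = Callable[[str], str]


def classify(names: Iterable[str], resolve: Resolver, lan=LAN) -> Dict[str, str]:
    """Map each name to 'lan', 'public' or 'unresolved'.

    `resolve` is injected (name -> dotted-quad, raising OSError on failure) so
    the logic runs against a fake table offline and against
    socket.gethostbyname on a real LAN client, where the system resolver is
    the router's dnsmasq."""
    verdicts = {}
    for name in names:
        try:
            addr = ipaddress.ip_address(resolve(name))
        except (OSError, ValueError):
            verdicts[name] = "unresolved"
            continue
        verdicts[name] = "lan" if addr in lan else "public"
    return verdicts


def uci_fixes(verdicts: Dict[str, str], target: str = OVERRIDE_TARGET) -> List[str]:
    """uci commands adding a dnsmasq 'address' override for every name that does
    not already resolve into the LAN; equivalent to the
    `list address '/name/ip'` lines in /etc/config/dhcp."""
    cmds = [f"uci add_list dhcp.@dnsmasq[0].address='/{name}/{target}'"
            for name, verdict in sorted(verdicts.items()) if verdict != "lan"]
    if cmds:
        cmds += ["uci commit dhcp", "/etc/init.d/dnsmasq restart"]
    return cmds


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Fake resolver backed by a dict, for offline use."""
    def resolve(name: str) -> str:
        if name not in table:
            raise OSError(f"{name}: not found")
        return table[name]
    return resolve


# Constructed answers (not real DNS data): upstream DNS still hands out the
# former public IP 12.34.23.1 from the reply above for two names, the third is
# unknown, and nothing yet points into the LAN.
BEFORE = {"cucumber.mydomain.com": "12.34.23.1", "carrot.mydomain.com": "12.34.23.1"}
# After the overrides every name answers with the LAN target.
AFTER = {name: OVERRIDE_TARGET for name in NAMES}


if __name__ == "__main__":
    live = classify(NAMES, socket.gethostbyname)
    print(live)
    for cmd in uci_fixes(live):
        print(cmd)
```

Run it on a LAN client with the WAN cable pulled: any name reported as 'public' or 'unresolved' is being answered by (or forwarded to) an upstream resolver, and the printed uci commands add the local override for it.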

Hi,

Thanks for the feedback. Yes, your understanding is correct. I need this only for making the domains available internally (split DNS). haproxy was the solution that seemed best for my scenario, but any other solution would be fine. Basically I want the OpenWRT to catch any traffic meant for cucumber.mydomain.com and send it to 192.168.1.106:8443.
On the public interface of the router I have 443 natted to the nginx at 9443.

I tried your iptables suggestion and I think it is very close to being the solution, but I disconnected the WAN port to test and it did not seem to kick in, as cucumber.mydomain.com was not reachable anymore.
Would you have other suggestions?

Thank you