HAProxy and pfSense are both excellent solutions on their own. pfSense is a firewall distribution that sits at the edge of your network, so every incoming request from external clients has to pass through it. That makes the network edge the natural place to inspect and act on incoming requests before forwarding them to the actual servers. Tasks like these belong there:
- Load balance requests across servers based on weight or their availability.
- Throttle client requests based on client properties (for example source address or request rate).
- Redirect some URLs straight away, before the request ever reaches a server.
- Shield your servers from malicious clients and from requests with malicious content.
- Collect health and performance stats of your web infrastructure.
- Terminate SSL at the edge, offloading SSL processing from the actual servers.
This is where HAProxy stands out. HAProxy is a free, very fast and reliable solution offering high availability, load balancing and proxying for TCP and HTTP-based applications. Integrating both solutions in one package at the network edge is very desirable.
There are a couple of ways to integrate them.
Using pfSense Packages:
Users wishing to extend the functionality of their pfSense installation can use pfSense packages. Packages are very easy to install: they show up in the pfSense menu and even bring their own GUI pages. The package manager is one of the best things in pfSense, and the list contains many useful packages such as pfflowd, squid3 and iperf. Two packages are available for HAProxy:
haproxy (1.4.21 pkg v 1.2) – This package implements HTTP balance features from HAProxy.
haproxy-full (1.4.21 pkg v 1.0) – This package implements both TCP and HTTP balance features from HAProxy.
Install either package and “HAProxy” appears under the “Services” menu in pfSense. These packages help you with the basic configuration of HAProxy through the GUI, but they do not let you harness all of HAProxy’s features. For example, if you want to use ACLs, you won’t find any GUI setting for them in the haproxy-full package. The haproxy-full package aims at TCP and HTTP load balancing, whereas the “haproxy” package is specifically for HTTP load balancing. You also cannot move to the latest build of HAProxy, which keeps adding new features and bug fixes such as SSL termination.
Such a powerful and important component of the network edge should not be bound by a package. It deserves full attention to maintainability, easy configuration, and complete access to and control over its features.
Directly Installing FreeBSD package of HAProxy on pfSense
pfSense is basically a FreeBSD distribution, and on FreeBSD the preferred way to install applications is the FreeBSD Ports Collection.
However, there is no ports tree under pfSense, and installing portsnap is strictly prohibited in pfSense. I think it is good not to install such utilities directly under pfSense.
You can, however, add FreeBSD packages (not pfSense packages via the Package Manager) to pfSense using the pkg_add command.
You may encounter the following error while adding a FreeBSD package for HAProxy:
“Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/haproxy.tbz: File unavailable (e.g., file not found, no access)”
You may find some packages for HAProxy here:
If you find a package for the version you are looking for, you can add it by giving pkg_add the full URL:
pkg_add -r http://files.pfsense.com/packages/amd64/8/All/haproxy-devel-1.5.d6.tbz
However, I will not suggest installing HAProxy from a package directly under pfSense. First, it is hard to find packages for the latest or for a specific version. Second, keeping an application and its dependencies up to date is not as smooth as with the FreeBSD Ports Collection. Both pfSense and HAProxy are such critical parts of your web stack that their availability depends heavily on how maintainable these components are in a production environment. So what is the solution? Enter FreeBSD jails.
Installing HAProxy inside a JAIL in pfSense
I would rather take this opportunity of “installing HAProxy in pfSense” to set up a framework capable of integrating components like HAProxy with pfSense in such a way that they harness the full power of the component while maintaining good isolation from pfSense, so that it is a viable option for production environments.
The solution is to install HAProxy inside a jail with its own IP address and environment, well isolated from pfSense. This gives you the flexibility to install whatever HAProxy needs without interfering with pfSense.
This is not as simple as installing a package, but once set up it makes your life easy and gives you complete control over both HAProxy and pfSense.
First we need a jail administration framework on pfSense. This will let us easily create, update, remove, start, stop and restart jails. Again, there is a pfSense package, “pfJailctl”, for this purpose. However, I found it quite unstable for a production environment, so my choice is ezjail. It offers a lot of advantages and goes very well with pfSense.
I have separate post in two parts on “Setting Up ezJail and Ports Collection on pfSense” for this purpose.
Once the required infrastructure is in place, integrating HAProxy with pfSense is just a matter of installing another port on a FreeBSD system (pfSense in our case). Setting up a FreeBSD jail infrastructure on pfSense makes it possible to harness the full power of HAProxy while maintaining pfSense’s integrity as a top-class firewall distribution.
Use the following commands to install HAProxy in the jail you created in the above posts.
Log into the jail (2 is the jail ID as shown by jls):
jexec 2 sh
Build and install the port from inside the jail:
cd /usr/ports/net
ls hapro*
cd haproxy-devel
make install clean
Enable HAProxy Startup
echo 'haproxy_enable="YES"' >> /etc/rc.conf
Either create the configuration file in /usr/local/etc or upload one.
Sample configuration file:
# Simple configuration for an HTTP proxy listening on port 80 on all
# interfaces and forwarding requests to a single backend "servers" with a
# single server "server1" listening on 127.0.0.1:8000
global
    daemon
    maxconn 256

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80
    default_backend servers

backend servers
    server server1 127.0.0.1:8000 maxconn 32
Check the configuration using the HAProxy binary:
haproxy -f haproxy.conf -c
Or using the startup script:
cd /usr/local/etc/rc.d
./haproxy configtest
Start and stop the HAProxy daemon:
/usr/local/etc/rc.d/haproxy start
/usr/local/etc/rc.d/haproxy stop
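The sample configuration above only shows a single backend. The point of running HAProxy from the port instead of the pfSense package was to get at ACLs, throttling, health checks and SSL termination, so the following script, added here as an example and not part of the original post, writes such a configuration inside the jail, sanity-checks it and only then restarts the daemon. Everything in it is an assumption for illustration: the backend addresses 10.0.0.11 and 10.0.0.12, the health-check path /healthz, the certificate /usr/local/etc/ssl/site.pem, the admin network 192.168.1.0/24, and HAProxy 1.5 directive syntax (stick-table rate limiting and the ssl bind keyword are not available in the 1.4 packages).

```shell
#!/bin/sh
# Added example (not from the original post): write, lint and deploy an
# HAProxy configuration inside the jail. Addresses, paths and networks
# below are placeholders; adjust them to your environment.

# Default location the FreeBSD rc script reads (haproxy_config in rc.conf).
HAPROXY_CONF=${HAPROXY_CONF:-/usr/local/etc/haproxy.conf}

# Configuration using features the pfSense packages do not expose.
write_haproxy_conf() {
    cat > "$1" <<'EOF'
global
    daemon
    maxconn 2048
    log 127.0.0.1 local0
    # drop root once the listening sockets are bound
    user nobody
    group nobody
    # a compromised worker should see an empty filesystem
    chroot /var/empty
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option forwardfor
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    # slow-request protection: headers must arrive within 10s
    timeout http-request 10s

frontend http-in
    bind *:80
    # ASSUMED certificate path (PEM with key and chain, root-readable only)
    bind *:443 ssl crt /usr/local/etc/ssl/site.pem
    # redirect plain HTTP at the edge, before any backend sees it
    redirect scheme https code 301 if !{ ssl_fc }
    # throttle: track request rate per source IP, deny above 20 req / 10s
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    acl too_fast sc_http_req_rate(0) gt 20
    http-request deny if too_fast
    # refuse a method the application never uses
    acl bad_method method TRACE
    http-request deny if bad_method
    # route by path, fall through to the default pool
    acl is_api path_beg /api/
    use_backend api if is_api
    default_backend web

backend web
    balance roundrobin
    option httpchk GET /healthz
    server web1 10.0.0.11:8000 check weight 100 maxconn 64
    server web2 10.0.0.12:8000 check weight 50 maxconn 64

backend api
    balance leastconn
    option httpchk GET /healthz
    server api1 10.0.0.11:9000 check maxconn 32

listen stats
    bind *:8404
    # ASSUMED admin network; everyone else is denied
    acl admin_net src 192.168.1.0/24
    http-request deny if !admin_net
    stats enable
    stats uri /
EOF
}

# Static checks that need no haproxy binary (useful when the file is prepared
# on a workstation before upload): every backend a frontend routes to must
# exist, and the three timeouts must be set so idle clients cannot pin slots.
lint_haproxy_conf() {
    conf=$1
    for name in $(awk '$1 == "default_backend" || $1 == "use_backend" { print $2 }' "$conf" | sort -u); do
        if ! grep -q "^backend[[:space:]][[:space:]]*${name}[[:space:]]*$" "$conf"; then
            echo "lint: backend '$name' is referenced but never defined" >&2
            return 1
        fi
    done
    for t in client server connect; do
        if ! grep -q "^[[:space:]]*timeout[[:space:]][[:space:]]*$t[[:space:]]" "$conf"; then
            echo "lint: 'timeout $t' is missing" >&2
            return 1
        fi
    done
    return 0
}

# Prefer HAProxy's own parser when the binary is present (inside the jail),
# otherwise fall back to the static checks.
check_haproxy_conf() {
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -f "$1" -c
    else
        lint_haproxy_conf "$1"
    fi
}

# Usage inside the jail:  sh haproxy-deploy.sh deploy
# The running daemon is only restarted if the new file is accepted.
if [ "${1:-}" = "deploy" ]; then
    write_haproxy_conf "$HAPROXY_CONF"
    chmod 600 "$HAPROXY_CONF"
    check_haproxy_conf "$HAPROXY_CONF" || { echo "config rejected, daemon untouched" >&2; exit 1; }
    /usr/local/etc/rc.d/haproxy restart
fi
```

Run it as root inside the jail (jexec, then sh haproxy-deploy.sh deploy). The chroot and user/group lines only take effect because the rc script starts HAProxy as root; the stats listener is still reachable on the jail's IP, so the src ACL is what keeps it off the public side, and pfSense rules on the outer firewall should block port 8404 as well.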
Upload files into Jail
Use pfSense’s “Diagnostics -> Command Prompt” page to upload files; they land in pfSense’s /tmp directory.
Exit the jail and then copy the file into the jail’s directory tree:
cp /tmp/ /jails/ha.testnet.local/tmp/
Note: when uploading configuration files created on a Windows machine, first convert the EOL (end of line) characters to Unix format. In Notepad++ this is done with “Edit -> EOL Conversion -> Unix”.