Configuring HAProxy for Domain and Subdomain on pfSense

Overview

In this article, we will configure HAProxy on pfSense to handle requests for a main domain and a subdomain. The current setup allows access to both services, but there is an issue with session persistence that needs to be resolved.

Current Setup

The architecture is as follows:

Internet -> pfSense Firewall -> HAProxy -> SRV1 (192.168.100.1) domain.com
                     -> SRV2 (192.168.100.2) srv2.domain.com

Problem Statement

While accessing domain.com and srv2.domain.com works correctly in separate tabs, switching between them leads to unexpected behavior where one tab redirects to the other. This issue arises due to session handling in HAProxy.

HAProxy Configuration

Here’s the current configuration for HAProxy:

# Define ACLs for domain and subdomain
acl host_srv2 hdr_dom(host) -i srv2.domain.com
acl host_domain hdr_dom(host) -i domain.com

# Use backends based on the ACLs
use_backend srv2 if host_srv2
use_backend domain if host_domain

# Backend configuration for srv2
backend srv2
    balance roundrobin
    option httpclose
    option forwardfor
    cookie JSESSIONID prefix
    server srv2 192.168.100.2:80 check

# Backend configuration for domain
backend domain
    balance roundrobin
    option httpclose
    option forwardfor
    cookie JSESSIONID prefix
    server domain 192.168.100.1:80 check

Suggested Modifications

To address the session persistence issue, consider implementing sticky sessions. This can be achieved by modifying the cookie settings in your backend configurations. Here’s an example of how to adjust the cookie settings:

# Backend configuration for srv2 with sticky sessions
backend srv2
    balance roundrobin
    option httpclose
    option forwardfor
    cookie JSESSIONID insert indirect
    server srv2 192.168.100.2:80 check

# Backend configuration for domain with sticky sessions
backend domain
    balance roundrobin
    option httpclose
    option forwardfor
    cookie JSESSIONID insert indirect
    server domain 192.168.100.1:80 check

Conclusion

By implementing sticky sessions, you can ensure that users remain connected to the correct backend server when switching between tabs. This configuration should resolve the redirection issue you are experiencing. If you continue to face challenges, consider reviewing the HAProxy logs for further insights into the traffic flow.