I'm new to OPNsense/HAProxy and have spent more than three days trying to get it working, unfortunately without any result.
In short, I'm trying to implement this setup:
Dedicated server (Proxmox VE / 1 public IP) -> (NAT) OPNsense + HAProxy -> other VMs attached to the OPNsense LAN interface.
The Proxmox server is configured as follows:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

auto enp0s31f6
iface enp0s31f6 inet static
    address 94.130.x.x/26
    gateway 94.130.x.x

auto vmbr0
iface vmbr0 inet static
    address 10.10.10.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o enp0s31f6 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o enp0s31f6 -j MASQUERADE
    post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

auto vmbr1
iface vmbr1 inet static
    address 172.16.0.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
OK, so I created the new VM (OPNsense) and installed and configured it as follows:
- WAN -> vtnet0 (bridged to vmbr0 on the Proxmox server)
- LAN -> vtnet1 (bridged to vmbr1 on the Proxmox server)
- WAN configuration: 10.10.10.10/24
- LAN configuration: 172.16.0.1/24
- DHCP server on LAN: 172.16.0.2-172.16.0.254
Now the server part:
- VM #1 (Ubuntu Server) runs an OpenLiteSpeed web server for example.com and Postfix/Dovecot for email, and is attached to vmbr1 (OPNsense's LAN, vtnet1 on Proxmox). The Ubuntu server successfully gets an IP from the OPNsense DHCP (IP 172.16.0.2, gateway 172.16.0.1).
- VM #2 (Ubuntu Server) runs an OpenLiteSpeed web server for anotherexample.com and Postfix/Dovecot for email, and is attached to vmbr1 (OPNsense's LAN, vtnet1 on Proxmox). The Ubuntu server successfully gets an IP from the OPNsense DHCP (IP 172.16.0.3, gateway 172.16.0.1).
Both VMs are connected through the OPNsense LAN and can reach the public internet successfully.
Cloudflare DNS for example.com:
A record example.com pointing to the public IP of the Proxmox server -> 94.130.x.x
I created some iptables rules so that traffic to the public IP reaches the local OPNsense and HAProxy:
For OPNsense:
iptables -t nat -A PREROUTING -p tcp --dport 10443 -j DNAT --to-destination 10.10.10.10:10443
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.10.10.10:443
HAProxy configuration:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
    uid 80
    gid 80
    chroot /var/haproxy
    daemon
    stats socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread 1
    hard-stop-after 60s
    no strict-limits
    tune.ssl.default-dh-param 2048
    spread-checks 2
    tune.bufsize 16384
    tune.lua.maxmem 0
    log /var/run/log local0 info
    lua-prepend-path /tmp/haproxy/lua/?.lua

defaults
    log global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: Public_Facing_Pool ()
frontend Public_Facing_Pool
    bind *:443 name *:443 proto h2
    bind *:80 name *:80 proto h2
    mode http
    option http-keep-alive
    maxconn 500
    # logging options
    # ACL: Web-Server
    acl acl_65baf2832edf80.37086579 hdr_beg(host) -i example.com
    # ACL: Web-Server1
    acl acl_66baf2832edf80.37086579 hdr_beg(host) -i anotherexample.com
    # ACTION: Web-Server
    use_backend Web-Server if acl_65baf2832edf80.37086579
    # ACTION: Web-Server
    use_backend Web-Server1 if acl_66baf2832edf80.37086579

# Backend: Web-Server ()
backend Web-Server
    # health checking is DISABLED
    mode http
    balance roundrobin
    http-reuse safe
    server Web-Server 172.16.0.2:443

# Backend: Web-Server1 ()
backend Web-Server
    # health checking is DISABLED
    mode http
    balance roundrobin
    http-reuse safe
    server Web-Server 172.16.0.3:443

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580
Stats are disabled.
Trying to open `example.com` or `anotherexample.com` in a browser fails.
What am I missing?
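The following is an added example, not code from the original post or from OPNsense/HAProxy: a small Python linter that tokenizes the proxy sections of an HAProxy config and flags the things a reviewer would point out in the configuration above. The duplicated `backend Web-Server` name (the second backend should be `Web-Server1`, so `use_backend Web-Server1` currently selects nothing), `proto h2` forced on cleartext binds (browsers only negotiate HTTP/2 over TLS via ALPN, and forcing h2 also locks out plain HTTP/1.1 clients), port 443 bound without `ssl crt`, backend servers at port 443 spoken to in plain HTTP because `ssl` is missing, and an `acme_challenge_backend` that no frontend rule ever selects. The corrected config it checks against is also constructed here; the certificate path `/usr/local/etc/haproxy/certs/example.pem` and `verify none` are assumptions, since on OPNsense the plugin fills those in from the GUI settings.

```python
"""Lint a HAProxy config for the pitfalls in the posted configuration (added
example, not OPNsense's or HAProxy's own code: a tiny tokenizer plus checks)."""
from collections import Counter

# Constructed input: the proxy sections of the posted config, trimmed to the
# directives that matter here (the generated ACL names are shortened).
BROKEN_CFG = """
frontend Public_Facing_Pool
    bind *:443 name *:443 proto h2
    bind *:80 name *:80 proto h2
    mode http
    acl acl_web hdr_beg(host) -i example.com
    acl acl_web1 hdr_beg(host) -i anotherexample.com
    use_backend Web-Server if acl_web
    use_backend Web-Server1 if acl_web1
backend Web-Server
    server Web-Server 172.16.0.2:443
backend Web-Server
    server Web-Server 172.16.0.3:443
backend acme_challenge_backend
    server acme_challenge_host 127.0.0.1:43580
"""

# Constructed corrected version. The certificate path and 'verify none' are
# assumptions; on OPNsense the plugin fills these in from the GUI settings.
FIXED_CFG = """
frontend Public_Facing_Pool
    bind *:80 name http
    bind *:443 name https ssl crt /usr/local/etc/haproxy/certs/example.pem alpn h2,http/1.1
    mode http
    acl acme path_beg /.well-known/acme-challenge/
    http-request redirect scheme https code 301 if !{ ssl_fc } !acme
    use_backend acme_challenge_backend if acme
    acl acl_web hdr(host) -i example.com
    acl acl_web1 hdr(host) -i anotherexample.com
    use_backend Web-Server if acl_web
    use_backend Web-Server1 if acl_web1
backend Web-Server
    server Web-Server 172.16.0.2:443 ssl verify none
backend Web-Server1
    server Web-Server1 172.16.0.3:443 ssl verify none
backend acme_challenge_backend
    server acme_challenge_host 127.0.0.1:43580
"""

SECTION_KW = ("global", "defaults", "frontend", "backend", "listen")


def parse(cfg):
    """Split a config into (kind, name, [tokenized directive lines])."""
    sections = []
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] in SECTION_KW:
            sections.append((tok[0], tok[1] if len(tok) > 1 else "", []))
        elif sections:
            sections[-1][2].append(tok)
    return sections


def lint(cfg):
    """Return 'TAG detail' findings; an empty list means the config is clean."""
    secs = parse(cfg)
    names = Counter(n for k, n, _ in secs if k in ("frontend", "backend", "listen"))
    findings = [f"DUP_SECTION {n} defined {c} times" for n, c in names.items() if c > 1]
    backends = {n for k, n, _ in secs if k == "backend"}
    referenced = set()
    for _kind, name, lines in secs:
        for tok in lines:
            if tok[0] in ("use_backend", "default_backend") and len(tok) > 1:
                referenced.add(tok[1])
                if tok[1] not in backends:
                    findings.append(f"UNKNOWN_BACKEND {name} selects undefined {tok[1]}")
            elif tok[0] == "bind" and len(tok) > 1:
                port = tok[1].rsplit(":", 1)[-1]
                # Browsers only negotiate HTTP/2 over TLS (ALPN); forcing h2 on a
                # cleartext bind also locks out plain HTTP/1.1 clients.
                if "proto" in tok and "h2" in tok[tok.index("proto") + 1:][:1] and "ssl" not in tok:
                    findings.append(f"H2_WITHOUT_TLS {name} bind {tok[1]}")
                if port == "443" and "ssl" not in tok:
                    findings.append(f"BIND_443_NO_SSL {name} bind {tok[1]}")
            elif tok[0] == "server" and len(tok) > 2:
                # HTTP to a server's port 443 without 'ssl' sends plaintext to a TLS port.
                if tok[2].rsplit(":", 1)[-1] == "443" and "ssl" not in tok:
                    findings.append(f"SERVER_443_NO_SSL {name} server {tok[2]}")
    findings += [f"ORPHAN_BACKEND {b} is never selected by a frontend"
                 for b in sorted(backends - referenced)]
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", BROKEN_CFG), ("corrected", FIXED_CFG)):
        print(f"{label}: {len(lint(cfg))} finding(s)", *lint(cfg), sep="\n  ")
```

Run it as-is and the posted sections produce eight findings while the corrected ones produce none. Two things the linter cannot see from the HAProxy config alone, but that the post itself shows: the host's DNAT rules forward only TCP 443 and 10443, so port 80 (needed for the plain-HTTP binding, the HTTPS redirect and the ACME HTTP-01 challenge) never reaches OPNsense, and those PREROUTING rules should carry `-i enp0s31f6` so they only rewrite traffic arriving on the public interface. Also, as posted, vmbr1 on the Proxmox host and the OPNsense LAN both use 172.16.0.1/24, which is an address conflict on the same bridge. On the HAProxy side, `verify none` skips certificate validation toward the LiteSpeed backends; on a private LAN that is the common trade-off, but `verify required ca-file ...` with the backends' CA is the stricter choice.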