How can I use HAProxy to connect to tentacles that aren't publicly accessible?

I have a number of virtual machines running Listening Tentacles that I want to connect to. They are on a private network accessible only through the VM host.

I also have HAProxy installed on the VM host. Can connect to the Tentacles through HAProxy?

Configuring HAProxy

Note: I am not an HAProxy expert. This solution is an example and may require more configuration before it is ready for a production environment.

Starting configuration:

  • HAProxy is running on hostname octavius.lan
  • DNS entries are set up for each tentacle that point to the same IP as octavius.lan
    • These are the octofx-*.lan domain names used in the config below
    • These entries are on the network that hosts the Octopus server. This is what allows the Octopus server to map the octofx-*.lan domain name to the HAProxy server.
  • The tentacles have local hostnames that they are referenced by on the HAProxy side.
    • These are the names like octofx-web-development used in the backends.
    • These can also be the internal IP addresses.

Add a frontend similar to this to your haproxy.cfg:

frontend tentacle
        bind *:10933
        mode tcp
        option tcplog

        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

        acl octofx_worker req.ssl_sni -i octofx-worker.lan
        acl octofx_development_web req.ssl_sni -i octofx-development-web.lan
        acl octofx_test_web req.ssl_sni -i octofx-test-web.lan
        acl octofx_production_web1 req.ssl_sni -i octofx-production-web1.lan
        acl octofx_production_web2 req.ssl_sni -i octofx-production-web2.lan
        acl octofx_production_service req.ssl_sni -i octofx-production-service.lan

        use_backend octofx_worker_tentacle if octofx_worker
        use_backend octofx_development_web_lan if octofx_development_web
        use_backend octofx_test_web_lan if octofx_test_web
        use_backend octofx_production_web1_lan if octofx_production_web1
        use_backend octofx_production_web2_lan if octofx_production_web2
        use_backend octofx_production_service_lan if octofx_production_service

This sets up HAProxy to listen on port 10933. It will inspect the domain name via req.ssl_sni and then route the request to the appropriate backend. It is possible to use a map instead of listing each backend individually.

The backends for each tentacle will look similar to this:

backend octofx_development_web_lan
        mode tcp

        server octofx_development_web_tentacle

This forwards the request to the correct domain or IP and port for the tentacle.

The tcp and tcplog values in the settings are necessary for the SSL connection to pass through.

Configuring the Target in Octopus

When configuring a target in Octopus that is behind HAProxy, there is no extra configuration needed. Enter the hostname and port that will be used to connect through HAProxy. HAProxy will route the request to the target based on your configuration.

For example, with the configuration above, I would use the hostname octofx-development-web.lan and port 10933. When the request reaches HAProxy, it will forward the request to the tentacle at