Cipher List
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384
Cipher Suites
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
I'm wondering if there is something here that can help achieve creating a cert for content filtering. Anyone have any experience with this?
No offense, but this is meant to be a tutorial related to HAProxy in a reverse proxy setup. :)
The PLEX_backend looks very similar to the SSL_backend. Only "Name: PLEX_backend" and "Servers: PLEX_server" are different. :)
I assumed that it would be the case, so thanks for confirming ;D
One part that's tripping me up is in my plex_backend pool and other ones I set for my internal services like Resilio Sync, if I set the mode to TCP (Layer 4) then I get a syntax error below. Switching the mode to HTTP [...]
If there's a particular charity you support, send me a private message and I'll happily donate to one in your name, along with a donation to the OPNsense project. :D
A donation to OPNsense would be happily welcome I guess. :)
1. You don't need to use virtual IPs.
2. Use map files {Advanced --> Map files}
1. You don't need to use virtual IPs.
I totally get your point! This makes indeed sense but I think only if you have a static WAN IP.
As it would break the access from internal networks to the external URLs "service.subdomain.mydomain.tld" if one enabled that access using DNS rewrite rules. I am not aware of a way to rewrite DNS entries in Unbound to the WAN interface address.
With NAT reflection your way of setting this up can of course work.
Since HAProxy is already listening on 0.0.0.0 (all available IPv4 interfaces) I resolve the Split DNS to the internal IP of my DMZ CARP IP (but any internal IPv4 interface will do as long as you allow 80/443).
So this means you are actually also using sort of a virtual IP. :D
I also have certain domains I don't want reachable from the Internet so I use two map file rules, one for internal domains along with a condition that checks that source is RFC1918.
For this I guess you have to use 0.0.0.0 on the SNI_frontend otherwise you would need another NAT rule forwarding 443-LAN traffic to the virtual IP.
I am using google domain, how do I go about setting up the 1st part (Dynamic DNS), do I need to create 3 custom records:
domain.com (A type)
*.domain.com (A type)
www.domain.com (CNAME)
Thanks a lot for the write up, I will try this out as soon as I can :)
The only thing that could be added on Part 4.3 is to use an Alias for Port 80 and 443 to only use one Firewall Rule ;)
I also have certain domains I don't want reachable from the Internet so I use two map file rules, one for internal domains along with a condition that checks that source is RFC1918.
And one for external domains where I also require additional authentication.
I followed this, however, decided against using the LE and now not getting 100% A+. is there something I am missing...
getting this from hap:
[WARNING] 210/114212 (27105) : Proxy '1_HTTPS_Frontend': no-sslv3/no-tlsv1x are ignored for bind '192.168.1.50:443' at [/usr/local/etc/haproxy.conf.staging:71]. Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.
Warnings were found.
Configuration file is valid
# Frontend: 1_HTTPS_Frontend
frontend 1_HTTPS_Frontend
# WARNING: ciphersuites cannot be used with flavour libressl.
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 10.10.1.50:5555 name 10.10.1.50:555 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/60f9db54XXX3488.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
What you should be aware of is that I specifically mentioned that my guide might not work well on LibreSSL due to the fact that not all features of the last HAProxy version is supported by the LibreSSL firmware variant of OPNsense, yet!
# Frontend: 1_HTTPS_Frontend
frontend 1_HTTPS_Frontend
# WARNING: ciphersuites cannot be used with flavour libressl.
...
Dear @TheHellSite,
thanks for the great tutorial! It works well.
Dear @sorano,
thanks for your input. The hint with map file works well. However, I am unable to create a rule with multiple "OR" conditions for various sub-domains to match and check it with an "AND" condition to test if it is an internal IP. It shall cover your described rule.
Currently I try to create a rule like:
use map file 1
IF
condition 1 "subdomain1" OR condition 2 "subdomain2"
AND condition 3 "local IP (RFC1918)" is matched
How did you solve this with the conditions and rules within OPNsense HAProxy plugin?
thanks in advance for your help and reply.
Saarko
I followed this, however, decided against using the LE and now not getting 100% A+. is there something I am missing...
Firstly, when you made your one-liner about the bad SSLLabs result, I asked you for details about your config and the SSLLabs result.
- 20210730
- Added an explanation on how to configure local-access-only subdomains in HAProxy.
I was having issues connecting to my server due to handshake errors which I think got fixed after generating new ciphers using the Mozilla SSL Config generator and changing the HAProxy and OpenSSL versions to match my setup.
After that, HAProxy seemed to refuse to redirect me to my Vaultwarden server, unless I turned off the SSL option in my Real Server setting. It still shows that I'm secured with the proper (wildcard cert from Let's Encrypt).
Do I need the SSL option enabled? The SSL test still gave me an A+...
Are you on the latest version of OPNsense and are the installed plugins up to date?
Just out of interest, which versions of OPNsense, HAProxy and Let's Encrypt are you running?
The reason you couldn't connect was due to a misconfiguration in your real server, as you figured out yourself.
You enabled the "SSL - Enable or disable SSL communication with this server." checkbox in your real server for Vaultwarden even though the port used to connect doesn't offer SSL encryption.
https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
https://github.com/dani-garcia/vaultwarden/wiki/Private-CA-and-self-signed-certs-that-work-with-Chrome
Hi
If you have a fixed IP, does the DynDNS Configuration step need to be done? if skipped is there other settings i should put in?
If it is a must when we signup, there are 2 options :
configure your own domain
or
register under dyn.io
I have about 10 domain names of my own. Do I add each one to their system to get certs, then duplicate the process to reverse proxy and cert the other domains?
Update: I used my domain name. I think that was wrong.
Is dynamic DNS still needed for a fixed IP? You did say start from part 2 step 3. This update URL makes me think?
1st question:
Yes, this is exactly what the CNAME record is for! https://en.wikipedia.org/wiki/CNAME_record
I create a subdomain for each service. Can this subdomain then point to the same DYNDNS cname entries?
For example:
openvpn.domain.com -> CNAME -> 123.dyndns.com
seafile.domain.com -> CNAME -> 123.dyndns.com
2nd question:
For this your OpenVPN server needs to run in TCP mode. (Your clients need to connect to your OpenVPN server using a TCP tunnel.)
How to configure HAproxy for openvpn.
Could you explain it to me as well as you did in the tutorial or add the point to the tutorial?
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 debug
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
option tcplog
# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
option httplog
# ACL: NoSSL_condition
acl acl_6138b110159553.96461818 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_6138b110159553.96461818
# Frontend: 1_HTTPS_frontend (Listening on 192.168.64.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6138b32401a006.77997133.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
option httplog
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6138b15d48a964.28077676.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy
# Backend: SEAFILE_backend ()
backend SEAFILE_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server SEAFILE_server 192.168.1.11:81 ssl verify none
Name: PUBLIC_SUBDOMAINS_map
Content: cloudserver SEAFILE_backend
This could be my Problem. How can i install the fix?
Oh ok.
you mean i must change the mapfile to
cloudserver.domain.com SEAFILE_backend
Gesendet von iPhone mit Tapatalk
Dropping this in here to make sure noone misses it:
Thanks!
https://forum.opnsense.org/index.php?topic=24668.0
If the information you posted is correct your problem is that you are not using FQDN in your map file.
plex PLEX_backend
iot IOT_backend
...
# Backend: SEAFILE_backend ()
backend SEAFILE_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server SEAFILE_server 192.168.1.11:81 ssl verify none
root@OPNsense:~ # cat /usr/local/etc/haproxy.conf
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 debug
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
option tcplog
# ACTION: NOSSLservice_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/613b963c5f0851.94679524.txt)]
# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
option httplog
# ACL: NoSSL_condition
acl acl_6138b110159553.96461818 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_6138b110159553.96461818
# Frontend: 1_HTTPS_frontend (Listening on 192.168.64.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6138b32401a006.77997133.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
option httplog
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6138b15d48a964.28077676.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy
# Backend: SEAFILE_backend ()
backend SEAFILE_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server SEAFILE_server 192.168.30.16:80
# Backend: OPENVPN_backend ()
backend OPENVPN_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server OPENVPN_server 127.0.0.1:1194
2021-09-10T20:00:44 haproxy[11387] 192.168.1.231:51903 [10/Sep/2021:20:00:44.614] 0_SNI_frontend SSL_backend/SSL_server 1/0/4 0 -- 1/1/0/0/0 0/0
2021-09-10T20:00:44 haproxy[11387] 192.168.1.231:51903 [10/Sep/2021:20:00:44.615] 1_HTTPS_frontend/192.168.64.1:443: SSL handshake failure
2021-09-10T20:00:40 haproxy[11387] 192.168.1.231:51902 [10/Sep/2021:20:00:40.526] 0_SNI_frontend SSL_backend/SSL_server 1/0/5 0 -- 1/1/0/0/0 0/0
2021-09-10T20:00:40 haproxy[11387] 192.168.1.231:51902 [10/Sep/2021:20:00:40.527] 1_HTTPS_frontend/192.168.64.1:443: SSL handshake failure
2021-09-10T19:59:30 haproxy[11387] xx.xx.xx.162:25819 [10/Sep/2021:19:59:30.212] 0_SNI_frontend SSL_backend/SSL_server 1/0/39 0 -- 1/1/0/0/0 0/0
2021-09-10T19:59:30 haproxy[11387] xx.xx.xx.162:25819 [10/Sep/2021:19:59:30.212] 1_HTTPS_frontend/192.168.64.1:443: SSL handshake failure
2021-09-10T19:59:26 haproxy[11387] xx.xx.xx.162:25707 [10/Sep/2021:19:59:26.004] 0_SNI_frontend SSL_backend/SSL_server 1/0/35 0 -- 1/1/0/0/0 0/0
dev tun
persist-tun
persist-key
proto tcp-client
cipher AES-256-CBC
auth SHA256
client
resolv-retry infinite
remote vpn.xxxxx.dedyn.io 443 tcp
lport 0
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 debug
cache opnsense-haproxy-cache
total-max-size 512
max-age 60
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on localhost:80)
frontend 1_HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_613eabd9cb19a0.51810931 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_613eabd9cb19a0.51810931
# Frontend: 1_HTTPS_frontend (Listening on localhost:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/613eae5151edb0.32207081.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/613eac85c00a60.86291436.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: Radarr_backend ()
backend Radarr_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Radarr_server 192.168.1.111:7878
# Backend: Plex_backend ()
backend Plex_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Plex_server 192.168.1.159:32400
# Backend: Cams_backend ()
backend Cams_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Cams_server 192.168.1.10:81
# Backend: Ombi_backend ()
backend Ombi_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Ombi_server 192.168.1.159:5055
# Backend: Sonarr_backend ()
backend Sonarr_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Sonarr_server 192.168.1.111:8989
# Backend: Tautulli_backend ()
backend Tautulli_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Tautulli_server 192.168.1.7:8181
@TheHellSite
I was just about to write you exactly this! ;D
I think the problem is with the SNI frontend. Here the SSL backend is specified as the default backend. It doesn't even look at the MAP file; it forwards everything to the SSL backend. When I set the OpenVPN backend as default backend for a test in the SNI frontend, OpenVPN works but the other things don't.
do you have an idea how I can solve this?
My map file currently looks like:
sonarr Sonarr_backend
radarr Radarr_backend
plex Plex_backend
cams Cams_backend
Ombi Ombi_backend
Tautulli Tautulli_backend
Any advice as to what I'm doing wrong? Why would some services work and others don't when they're using the same exact config?
What's also funny is that if I reconfigure the port and IP on the one of the Real Servers that works (For example, Plex_Server has IP 192.168.1.159:32400, Ombi_server has 192.168.1.159:5055, and I replace Plex_Server port to 5055 and go to Plexi.DOMAIN.com, Ombi pops up like it should. I've cloned new Real servers and Backend Pools while updating the PUBLIC_SUBDOMAINS_map from the working Plex one, but still no go for ALL of my services.
I've also discovered that if I modify HAProxy Rules & Checks > Rules > Public_subdomains_map-rule > Default backend pool... and change it to a service that DOESN'T work with the map file.. when I hit apply I'm able to access that service on ANY rendition of my domain, as well as the root domain.com address... And if I leave the services that DO work in the map file (Plex), plex.domain.com displays plex as it should, while the rest of the domain is showing the service that doesn't work on it's own.. which further doesn't make any sense.. The map file is working for some services but not others?
Thanks in advance, I'm stumped.
Final edit:
LMFAO I think I figured out why it wasn't working... so apparently for the map file to work you have to have the first part all lowercase, cannot use any uppercase...
So when I changed my map file to:
sonarr Sonarr_backend
radarr Radarr_backend
plex Plex_backend
cams Cams_backend
ombi Ombi_backend
tautulli Tautulli_backend
everything started working...
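The lowercase finding above follows from how the generated rule `use_backend %[req.hdr(host),lower,map_dom(...)]` works: the `lower` converter lowercases the Host header before the lookup, and `map_dom` then compares the map keys case-sensitively, matching a key only where it sits on dot boundaries inside the host name, with the first matching line of the map file winning. The Python model below is an added example, not code from the thread or from the OPNsense HAProxy plugin; it reimplements that matching logic so the behaviour can be checked offline, and goes slightly beyond the thread's case by also showing the dot-boundary rule and the first-match ordering. The map contents and host names are constructed.

```python
"""Model of HAProxy's `req.hdr(host),lower,map_dom(<mapfile>)` lookup.

Added example, not code from the forum thread or the OPNsense HAProxy plugin.
It reproduces the documented behaviour of HAProxy's 'dom' pattern matcher:
a map key matches when it appears in the sample bounded by '.', '/' or '?'
(or the start/end of the string), the comparison is case-sensitive, and the
first matching line of the map file wins.  All data below is constructed.
"""
from typing import List, Optional, Tuple

DOM_DELIMITERS = ".?/"


def dom_match(sample: str, key: str) -> bool:
    """True when `key` occurs in `sample` on delimiter boundaries ('dom' match)."""
    key = key.strip(DOM_DELIMITERS)
    if not key:
        return False
    start = 0
    while True:
        pos = sample.find(key, start)
        if pos < 0:
            return False
        end = pos + len(key)
        before_ok = pos == 0 or sample[pos - 1] in DOM_DELIMITERS
        after_ok = end == len(sample) or sample[end] in DOM_DELIMITERS
        if before_ok and after_ok:
            return True
        start = pos + 1


def parse_map_file(text: str) -> List[Tuple[str, str]]:
    """Parse 'key value' lines, skipping blanks and '#' comments; file order is kept."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries.append((parts[0], parts[1]))
    return entries


def resolve_backend(host_header: str, entries: List[Tuple[str, str]]) -> Optional[str]:
    """Emulate `use_backend %[req.hdr(host),lower,map_dom(...)]`.

    Returns the backend name, or None when no key matches (HAProxy then uses
    the frontend's default_backend instead).
    """
    sample = host_header.lower()          # the `lower` converter runs before map_dom
    for key, backend in entries:          # first matching line wins
        if dom_match(sample, key):
            return backend
    return None


# Constructed map files in the shape of the thread's "before" and "after":
MAP_MIXED_CASE = """\
plex Plex_backend
Ombi Ombi_backend
Tautulli Tautulli_backend
"""
MAP_LOWERCASE = """\
plex Plex_backend
ombi Ombi_backend
tautulli Tautulli_backend
"""


def demo() -> dict:
    """Show the lowercase effect, the dot-boundary rule and first-match ordering."""
    mixed = parse_map_file(MAP_MIXED_CASE)
    lower = parse_map_file(MAP_LOWERCASE)
    catchall_first = parse_map_file("domain.tld CATCHALL_backend\n" + MAP_LOWERCASE)
    return {
        "Ombi.domain.tld with key 'Ombi'": resolve_backend("Ombi.domain.tld", mixed),   # None
        "Ombi.domain.tld with key 'ombi'": resolve_backend("Ombi.domain.tld", lower),   # Ombi_backend
        "plexi.domain.tld with key 'plex'": resolve_backend("plexi.domain.tld", lower), # None
        "plex.domain.tld, 'domain.tld' listed first": resolve_backend("plex.domain.tld", catchall_first),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because a short key like `domain.tld` matches every host under that domain, the order of lines in the map file matters as much as their case: put the most specific keys first, or keep to one-label keys as the tutorial does.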
2021-09-14T21:21:05 haproxy[3256] 80.187.80.8:10670 [14/Sep/2021:21:21:05.818] 0_SNI_frontend SSL_backend/SSL_server 1/0/37 0 -- 1/1/0/0/0 0/0
2021-09-14T21:21:05 haproxy[3256] 80.187.80.8:10670 [14/Sep/2021:21:21:05.818] 1_HTTPS_frontend/192.168.64.1:443: SSL handshake failure
2021-09-14T21:21:01 haproxy[3256] 80.187.80.8:10495 [14/Sep/2021:21:21:01.658] 0_SNI_frontend SSL_backend/SSL_server 1/0/36 0 -- 1/1/0/0/0 0/0
2021-09-14T21:21:01 haproxy[3256] 80.187.80.8:10495 [14/Sep/2021:21:21:01.658] 1_HTTPS_frontend/192.168.64.1:443: SSL handshake failure
Glad it is working for you now.
My first guess was some misconfigured real servers (ports, ssl, ssl-verify).
BTW: Your map file is exposing your domain name! You should remove it from the forum post.
Also I did a quick scan of your domain using https://dnsdumpster.com. It lists all your subdomains since you created a single "A Record" for each of them. Consider switching to a "Wildcard A Record" in order to hide them!
If an attacker can see what services you are running it makes it easier for them to find an attack surface.
You can then still create individual A records, e.g. www.domain.tld, since the wildcard A record is resolved after all other A records have been resolved.
This is why my tutorial is using a "Wildcard A Record / Subdomain" in the form of "*.domain.tld".
I'm using a Synology NAS + Docker with different services. So they are available on the same LAN IP address, but different ports....
I would like to set up the "access from internal network" as in your part 6. I do understand that with my setup I cannot use the Unbound split DNS option, as this doesn't work with ports...
So my services' IP & port are configured in the HAProxy map file (everything working fine, coming from WAN with certificate).
This server IP for me on LAN is 192.168.1.20
only using 1st level subdomains like:
audio.mydomain.tld
photo.mydomain.tld
video.mydomain.tld
etc...
My "LAN" port for opnsense on appliance is 192.168.1.1 and I used a "virtual IP" as per your tutorial which is 192.168.50.1...
Using "hosts overrides in unbound" (not "domain"), should my configuration look like this:
HOST : audio
DOMAIN: mydomain.tld
IP: 192.168.1.1
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: SNI_Frontend ()
frontend SNI_Frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: HTTP_Frontend ()
frontend HTTP_Frontend
bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: No_SSL_condition
acl acl_6160768c129757.05678189 req.ssl_ver gt 0
# ACTION: HTTP_to_HTTPS
http-request redirect scheme https code 301 if !acl_6160768c129757.05678189
# Frontend: HTTPS_Frontend ()
frontend HTTPS_Frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6160790e8358e2.93807756.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACTION: Public_Subdomain_map_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/61607700a205d2.15896401.txt)]
# Backend: SSL_backend (HAProxy SSL Backend)
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy
# Backend: homeassistant_backend (Home Assistant Backend)
backend homeassistant_backend
# health check: homeassistant_tcp_check
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server homeassistant 10.0.0.9:8123 check inter 2s port 8123 ssl verify none
# Backend: jellyfin_backend (Jellyfin Backend)
backend jellyfin_backend
# health check: jellyfin_http_check
option httpchk
http-check send meth OPTIONS uri / ver HTTP/1.0
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server jellyfin 10.0.0.10:8090 check inter 2s port 8090 ssl verify none
# public access subdomains
homeassistant homeassistant_backend
jellyfin jellyfin_backend
Please confirm you are accessing your servers internally using:
http://10.0.0.10:8090/
http://10.0.0.9:8123/
So no https?
Even though it shouldn't matter test the access with health checks disabled.
server jellyfin 10.0.0.10:8090 check inter 2s port 8090 ssl verify none
You see that "ssl" word in your server config? The error is not related to your dual WAN setup. ;D
I misread something in your HAProxy config...
server jellyfin 10.0.0.10:8090 check inter 2s port 8090 ssl verify none
You see that "ssl" word in your server config?
SSL and HTTP don't like each other! ;)
Since your services are NOT using HTTPS but only HTTP locally... you need to UNCHECK the SSL checkbox in the HAProxy real server config for both of your servers.
@TheHellSite
I was just about to write you exactly this! ;D
I think the problem is with the SNI frontend. Here the SSL backend is specified as the default backend. It doesn't even look at the MAP file; it forwards everything to the SSL backend. When I set the OpenVPN backend as default backend for a test in the SNI frontend, OpenVPN works but the other things don't.
do you have an idea how I can solve this?
Your reply confirmed my guess.
Looking through the manual pages of HAProxy it seems that the "Default Backend" setting can only be overwritten by a "Use Backend" rule! Which a "Use map file" rule isn't able to.
https://www.haproxy.com/de/blog/the-four-essential-sections-of-an-haproxy-configuration/
But I can't imagine that this is the intended behaviour.
Anyways... you simply need to create a VPN_condition "host starts with vpn" and a "use backend OPENVPN_backend if VPN_condition=true" rule.
Add this rule to the SNI_frontend and set the default backend back to the SSL_backend.
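As an added example (not part of the guide and not the OPNsense plugin's generated output), this is the raw HAProxy config that a "VPN_condition" plus "use backend OPENVPN_backend" rule boils down to in the TCP-mode SNI frontend. Two points matter: in mode tcp there is no Host header to look at yet, only the SNI name inside the TLS ClientHello (req.ssl_sni), so the condition has to be an SNI match rather than a Host-header match; and the frontend has to be told to wait for the ClientHello (tcp-request inspect-delay), otherwise the SNI sample is evaluated against an empty buffer, never matches, and everything falls through to the default backend. The "vpn." prefix, the 5 second delay and the OpenVPN server address are placeholders.

```haproxy
# Added example, not the plugin's generated config. Backend names follow the
# thread; the "vpn." prefix, the 5s delay and the OpenVPN address are placeholders.
frontend 0_SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp

    # Hold the connection until either a plain-text HTTP request or a TLS
    # ClientHello is in the buffer. Without this, req.ssl_sni is evaluated
    # on an empty buffer and the use_backend rule below can never match.
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    tcp-request content accept if { req.ssl_hello_type 1 }

    # VPN_condition: SNI starts with "vpn." (lower-cased first, so the case the
    # client used does not matter). use_backend rules are evaluated in order and
    # take precedence over default_backend; the map rule on the HTTPS frontend is
    # never reached for these connections because they bypass that hop entirely.
    acl VPN_condition req.ssl_sni,lower -m beg vpn.
    use_backend OPENVPN_backend if VPN_condition

    # Everything else goes through the PROXY-protocol hop to the HTTPS frontend,
    # exactly as in the guide.
    default_backend SSL_backend

backend OPENVPN_backend
    mode tcp
    # Placeholder address: the OpenVPN server listening for TCP on 443.
    server openvpn_server 192.168.1.20:443 check
```

Syntax-check an exported file with `haproxy -c -f <file>` before applying it; then compare, on the stats page or in the HAProxy log, which backend a connection carrying the "vpn." SNI is attributed to versus one carrying a normal subdomain.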
Am I confused about this?
It looks like the current set up on page one will not work due to "default backend"??
Hi everyone
First of all.. Awesome guide and even so, that you update it with new stuff as it comes along.
I've been kind of hitting my head for a day or two now and have got to throw in the towel and put my troubles in here.
I'm running a small test setup where I'm going to have a couple of web services running, but the thing is, they are running traefik with their own LE SSL validation and so on, and I can't get HAProxy to work properly.
I configured my Dyndns as suggested with dedyn.io and have now a domain.dedyn.io properly working. Your tutorial now assumes to create wildcard certificates for the *.domain.dedyn.io (in my case)
I have a main domain registered with a hoster somewhere else, which is domain.com. Historically I reach my dyndns-based subdomains via CNAME DNS entries at my main domain provider's DNS systems, e.g. home.domain.com then points to home.domain.dedyn.io.
Is it now possible to let the acme client generate wildcard certificates also for *.domain.com accordingly, in addition to/replacing the wildcard certs for *.domain.dedyn.io?
Hey @TheHellSite, Do you know a way I can add Basic Auth to one of the sub domains?
I have a dashboard which just runs without login and I would really like it secured behind just basic auth if possible.
I tried creating a condition and a rule and applying it to the subdomain but it doesn't seem to work.
I also saw on the backend there is an option on the domain for basic auth checkbox, so I tried that but no dice either.
Any chance you can add a section to the guide about securing singular domains with basic auth?
Hi there,
I tried to activate DDNS via the API with ionos as suggested but have failed miserably so far. ??? It might be somewhat unusual, but I only want to activate DDNS for two subdomains, not my entire domain 'domain.com' (only 'sub.domain.com').
I get as far as the step where I have created my update URL; the server responds with 200 properly on the Ionos API page. According to the docs this should then have activated DDNS for the requested subdomains. However, there is no entry for these subdomains on the DNS page.
When I apply the Update URL in the opnsense dyndns config and press 'save and enforce update', my public IP is properly shown in the opnsense dyndns config page. But the subdomain is still not shown as a DynDNS subdomain at ionos ...
As was to be feared, there is also no DNS record with my public IP for the subdomain distributed ...
Do I miss a step? I am looking forward to any idea.
Br br
FYI I got it working the Basic Auth.
So 21.7.4 has an issue with HAProxy where changes to config are not being saved: https://forum.opnsense.org/index.php?topic=25480.0
After I applied the patch it is working.
For Basic Auth all I did was create a user under User Management
(There do seem to be some restrictions around password length or complexity; I didn't spend a lot of time testing.)
My 20+ character passwords would not work until I dumbed it down a bit.
So once you have a user go to your Backend Pools, choose your desired service, scroll down to Basic Authentication -> tick the box and add the username you just created.
Boom it works.
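Added example, not the plugin's output: the raw HAProxy config behind the "Basic Authentication" checkbox on a backend pool, for anyone who wants to see what the GUI generates or to protect a single subdomain by hand. Userlist name, realm, user name, password hash and server address are all placeholders. Two caveats a practitioner wants here: "password" expects a crypt(3)-style hash (generate one with `mkpasswd -m sha-512`), whereas "insecure-password" keeps the secret in clear text in the config file; and Basic Auth only protects anything because the HTTPS frontend terminates TLS in front of it, since the browser sends the credentials base64-encoded with every request.

```haproxy
# Added example, not the plugin's generated config. The user name, realm,
# server address and the hash are placeholders; create a real hash with
# "mkpasswd -m sha-512" and paste the full "$6$...$..." string in its place.
userlist dashboard_users
    # "password" = hashed; never use "insecure-password" outside of a quick test.
    user dashboard_admin password $6$REPLACEME$REPLACEwithRealSha512CryptHash

backend dashboard_backend
    mode http
    balance source
    http-reuse safe
    timeout connect 30s
    timeout server 30s

    # Challenge every request that does not carry valid credentials for this
    # userlist. Only this backend is affected; the other subdomains routed by
    # the map file are left alone.
    acl dashboard_auth_ok http_auth(dashboard_users)
    http-request auth realm "Dashboard" if !dashboard_auth_ok

    server dashboard_server 192.168.1.30:8080
```

Because the challenge is issued by the backend, the map file entry for the dashboard subdomain stays as it is; the 401 with the WWW-Authenticate header is only ever sent for requests that already resolved to this backend.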
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
nbproc 1
nbthread 4
hard-stop-after 60s
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 debug
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_Frontend (listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_Frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_Backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_Frontend (Listening on 192.168.1.50:80)
frontend 1_HTTP_Frontend
bind 192.168.1.50:80 name 192.168.1.50:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NOSSL_Condition
acl acl_60f9d6d0118252.11362730 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_Rule
http-request redirect scheme https code 301 if !acl_60f9d6d0118252.11362730
# Frontend: 1_HTTPS_Frontend (listening on 192.168.1.50:443)
frontend 1_HTTPS_Frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.1.50:443 name 192.168.1.50:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/60f9db5421ce96.24863488.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: Public_Sub_MapRule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/61698448328ff6.66158166.txt)]
# Backend: SSL_Backend ()
backend SSL_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server HAP_VIP 192.168.1.50 send-proxy-v2 check-send-proxy
# Backend: TruePlex_Backend ()
backend TruePlex_Backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server TruePlex 192.168.1.12:32400 ssl verify none
It was fixed after the latest update, however, I am still having connections issues... I am getting handshake failures.
From all clients, nothing works.
I can connect to the plex with the local IP without an issue.
I thought you were asking about an HAProxy + Let's Encrypt issue...
Since you are using cloudflare certificates I am unable to help you. You are better off asking for help in the HAProxy forums or the cloudflare support regarding your issues.
Let me finish by giving you these informations:
1. The SSL Labs test pictures you sent me indicate that your certificate content (cn + alt name) seems to be wrong.
2. Your HAProxy HTTPS frontend settings do not match the ones I provide in my guide.
You could however just follow my tutorial step by step and would end up with a working setup. ;)
Part 4, step 1. It says to change OPN Admin interface to another port(s) for http and https, usual 80, 443 because HA would expect traffic there.
Is it obligatory, or could I keep my real server on 8082 and set up HA to expect that and keep OPN as is on 80 & 443?
I expect to use https with a self signed cert on the real server -instead of the current cert now in OPN-, or maybe only http on that port at the beginning.
Thanks.
I am not sure what I am missing... I went over the HA HTTPS Frontend a dozen times and I am not seeing what's not matching... :(
Thank you for taking the time to answer. The problem with conflicting ip+ports is one I understand but I failed to articulate my question to explain what I meant.
Web Server = Interface = IP:Port
HAProxy = ALL = 0.0.0.0:0 or 0.0.0.0:80+443
OPNsense = LAN = 192.168.1.1:443
This is the conflict! You can't have two or more services listening on the same "Interface + IP:Port". How would they know which traffic belongs to whom? As soon as one of them grabs the traffic the other one will never get it.
TL;DR:
1. Yes, you can run your real servers on any port (f.e. 8082).
2. No, you can't change the OPNsense back to port 443 because you wouldn't be able to reach the OPNsense web interface anymore and/or HAProxy will refuse to start.
3. I strongly advise you to also run your real server(s) with a self-signed SSL certificate to increase security. It is however not necessary.
(https://i.ibb.co/WNXCxbb/HAP-understanding.png)
Essentially my question was if I could bind the SNI front end internally to a custom port instead of the usual 80,443.
Hello,
when I started implementing HAProxy in my network I couldn't find any complete and well written guide out there. I had to puzzle everything together from various websites.
So I thought I would save many of you a lot of time and provide my ultimate HAProxy on OPNsense guide. :)
This tutorial will show you how to configure HAProxy as a reverse proxy on OPNsense using wildcard certificates from Let's Encrypt.
It is going to be a step-by-step guide with images on how to set things up while also explaining why we set things up in a certain way.
I will try to make this as complete and detailed as possible.
If you think that there is anything wrong or missing, feel free to tell me about it and I will consider changing it.
If this guide was helpful to you then please leave me a thanks down below as it took me several days to write this down.
Kind Regards
TheHellSite
After a couple of hours of tinkering with the ciphers, I figured out that the test doesn't like 128bit ciphers. So I removed those from the Cipher List (TLSv1.2) and Cipher Suites (TLSv1.3) of the HTTPS_frontend, and I finally got the A+ 100% score.
In case anyone faces the same issue, these are the cipher settings for HTTPS_frontend:
Cipher List: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
Cipher Suites: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Thanks again,
Alessandro
My Tutorial
Cipher List: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384
Cipher Suites: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
yours
Cipher List: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
Cipher Suites: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Happy to hear it is working for you.
I think you missed the part of my tutorial where I am giving needed ciphers and cipher suites to get an 100% A+ rating.
The only difference between my guide and your list is the "DHE-RSA-AES256-GCM-SHA384" cipher.
Both will be scoring 100 % A+ while mine offer even more client compatibility.
Seems like I forgot to mention it again during the tutorial at the part where the HTTPS_frontend is created. I now put a reference in there pointing to the beginning of my post where I provide the current best cipher list and cipher suites.
One thing I wanted to ask you: I followed your naming conventions and I noticed you had the 1_ prefix both for the HTTP and HTTPS frontend. I renamed the HTTPS to 2_HTTPS_frontend, don't know if it was intentional or not, but I interpreted it as a progressive number so that one was a 2.
I did that on purpose to express the "level" of reverse proxying.
Level 1 - SNI traffic
Level 2 - HTTP + HTTPS traffic
However you can name it as you like. It doesn't matter in terms of functionality.
Seems like I forgot to mention it again during the tutorial at the part where the HTTPS_frontend is created. I now put a reference in there pointing to the beginning of my post where I provide the current best cipher list and cipher suites.
Arguable! ;)
If you have many HTTPS frontends (on different ports) that might need different SSL settings then my way is better.
Otherwise it doesn't really matter where you put the settings. Just note that the SSL default settings get overwritten once you set anything in the associated boxes on the HTTPS frontends.
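Added example, not the guide's config: the same TLS policy written once as global defaults, with a per-bind override on a second frontend, so the precedence the post above describes is visible. Values on a `bind ... ssl` line win over the `ssl-default-bind-*` keywords for that listener only; listeners that set nothing inherit the defaults. One caveat on the 256-bit-only list from this thread: dropping AES-128-GCM is what pushes the SSL Labs "cipher strength" score to 100%, it is not a fix for any weakness in AES-128-GCM, so the trade-off is purely score versus client compatibility. Cert-list paths and the second frontend's port are placeholders.

```haproxy
# Added example, not the plugin's generated config. Paths and the second
# frontend's port are placeholders.
global
    # Defaults for every "bind ... ssl" line that does not set its own values.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # "ssl-min-ver TLSv1.2" is the current spelling of "no-sslv3 no-tlsv10 no-tlsv11".
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # Newer HAProxy releases accept the curve list globally as well; older ones
    # only take "curves" on the bind line.
    ssl-default-bind-curves secp384r1
    # Only consulted for the DHE-RSA suite on the list above; the ECDHE suites
    # use the curve instead. Drop the DHE suite and this setting is irrelevant.
    tune.ssl.default-dh-param 4096

frontend 1_HTTPS_frontend
    # Inherits the global defaults: nothing TLS-related is repeated here.
    bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl crt-list /tmp/haproxy/ssl/public.certlist alpn h2,http/1.1
    mode http

frontend 2_HTTPS_internal_frontend
    # Per-bind values replace the global ones for this listener only, e.g. to
    # keep AES-128-GCM for an older internal client on a separate port.
    bind 127.0.0.1:8443 name 127.0.0.1:8443 accept-proxy ssl crt-list /tmp/haproxy/ssl/internal.certlist alpn h2,http/1.1 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256 ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
    mode http
```

Whichever place you pick, verify the result from outside rather than trusting the config: `openssl s_client -connect <host>:443 -servername <subdomain> -tls1_1` must fail the handshake, and the SSL Labs report should list exactly the suites above and nothing else.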
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log audit debug
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend (DISABLED): LetsEncrypt_443 ()
# Frontend (DISABLED): LetsEncrypt_80 ()
# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_61a24897421141.86617043 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_61a24897421141.86617043
# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61a24a78aa9cc4.11915455.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/61a249350142e3.01879320.txt)]
# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443 accept-proxy
bind 0.0.0.0:80 name 0.0.0.0:80 accept-proxy
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Backend: Mail ()
backend Mail
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Main 192.168.111.2:443 ssl verify none
# Backend (DISABLED): acme_challenge_backend (Added by Let's Encrypt plugin)
# Backend: Nextcloud ()
backend Nextcloud
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Nextcloud 192.168.111.3:443 ssl verify none
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_Server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: Bitwarden_Backend ()
backend Bitwarden_Backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Vaultwarden80 192.168.111.77:80
Hello,
what is wrong here?
In Firefox I get the following error: PR_END_OF_FILE_ERROR
Hello,
I have the same issue in Firefox and Chrome. In the logs it says "Received something which does not look like a PROXY protocol header".
I thought at first that it is a proxy problem and double checked your 20210613 update but my bind option pass-through set as accept-proxy
My current HAProxy version is 3.7 and opnsense is 21.7.6
In Part 6, NAT Reflection: it applies to port forwarding rules, but in the guide you switched to a simple filter rule.
So there's only one option remaining: split DNS.
HAProxy has been rock solid, thanks again for your guide. I'm having a hard time only for Uptime Kuma, it uses websockets, and it's the only service that doesn't work behind HAProxy. The dev published a guide for the configuration behind several reverse proxies, unfortunately the only one missing is HAProxy: https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy#nginx
I'm sure there's a way to make it work but I can't find it...
Thank you for pointing this out! I changed the guide some time ago and forgot to update that part.
Just keep in mind that there is nothing wrong with Split DNS, it is even the preferred way of doing it!
Isn't that just a simple web service displaying uptime of servers?
How are you accessing it on your local network? f.e. http://192.168.2.55:3001/ or https://192.168.2.55:3001/
If it is http then you will need to DISABLE SSL in the real server settings for uptime kuma.
If it is https then you will need to ENABLE SSL but DISABLE SSL verification in the real server settings for uptime kuma.
I've already reverse-proxied a lot of services, I know how that works. The problem is how Uptime Kuma works: it uses ws:// (websockets) connections in addition to HTTP, so you connect in http first to auth, then it starts communicating through WS, through a sort of tunnel. If you check that link I provided, you will see that for many proxies there's some custom configs to support that. The only proxy that does one-line config magic is caddy...it's tempting me a lot...everybody told me that caddy is the simplest one and it simply works, without doing any hard config work. But I already have HAProxy in place, and would like to stick to it.
Did you try something like this?
https://stackoverflow.com/a/22735431/17193869
or this
https://discourse.haproxy.org/t/using-reverse-proxy-with-secured-web-sockets-wss/2917
I found this article from HAProxy guys:
https://www.haproxy.com/blog/websockets-load-balancing-with-haproxy/#simple-configuration
That's why I wanted to know if I can configure it via shell, working on the files directly. Do you know if that's possible?
## routing based on websocket protocol header
acl hdr_connection_upgrade hdr(Connection) -i upgrade
acl hdr_upgrade_websocket hdr(Upgrade) -i websocket
use_backend bk_ws if hdr_connection_upgrade hdr_upgrade_websocket
default_backend bk_web
As far as I am aware, setting these options on the frontend will apply them to ALL services that are going through it. But you should also be able to set them on the corresponding backend so that they will only apply to the specific service.
Post your haproxy export in a code box. (redact any sensitive information, but leave in the local IPs!)
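Added example (not from the thread's configs and not from the Uptime Kuma wiki): a backend for a WebSocket-based service in raw HAProxy terms. HAProxy in mode http passes the `Upgrade: websocket` handshake through on its own, so the ACL/use_backend pair quoted from the HAProxy blog above is only needed when WebSocket connections should land on a different backend than the plain HTTP requests; with one backend per service, as in this guide, the map rule already routes both. What does differ is the timeout: once the upgrade succeeds the connection is a tunnel and `timeout tunnel` governs it instead of the 30s `timeout client`/`timeout server` used throughout the thread, which would otherwise cut an idle socket.io connection after 30 seconds. Backend name, address and port are placeholders.

```haproxy
# Added example, not the plugin's generated config. Address and port are
# placeholders for the Uptime Kuma container.
backend uptimekuma_backend
    mode http
    balance source
    http-reuse safe
    timeout connect 30s
    timeout server 30s
    # After a successful "Upgrade: websocket" handshake HAProxy switches this
    # connection to tunnel mode; from then on only "timeout tunnel" applies,
    # the client/server timeouts no longer do. Set it per backend so the
    # long-lived sockets of this one service do not loosen the others.
    timeout tunnel 1h
    server uptimekuma_server 192.168.2.55:3001

# Only if WebSocket traffic should be split off to its own backend (the
# HAProxy blog layout). Not needed when one backend serves both, as above.
# frontend 1_HTTPS_frontend
#     acl hdr_connection_upgrade hdr(Connection) -i upgrade
#     acl hdr_upgrade_websocket hdr(Upgrade) -i websocket
#     use_backend uptimekuma_ws_backend if hdr_connection_upgrade hdr_upgrade_websocket
```

A quick check that the upgrade survives the proxy: in the browser's developer tools the socket.io request to the subdomain should come back as "101 Switching Protocols" with a `Connection: Upgrade` response header, and the connection should still be open after the old 30s client timeout has elapsed.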
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 127.0.0.1:80, 127.0.0.1:443)
frontend 0_SNI_frontend
bind 127.0.0.1:443 name 127.0.0.1:443
bind 127.0.0.1:80 name 127.0.0.1:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_61a3f4fdabe975.79392880 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_61a3f4fdabe975.79392880
# Frontend: 1_HTTPS_frontend (Listening on 192.168.64.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61a3f8200d98a7.85727127.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: LOCAL_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/61a3f5af2446f3.11405534.txt)]
# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server acme_challenge_host 127.0.0.1:43580
# Backend: unraid_backend ()
backend unraid_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server unraid_server 192.168.0.20:443 ssl verify none
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy
# Backend: opnsense_backend ()
backend opnsense_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server opnsense_server 192.168.0.1:1443 ssl verify none
Thank you for reply.
I only have map for internal network because I don't pass-through external traffic. And I also set host binding via unbound overrides all to 192.168.64.1.
You are allowing inbound traffic on your WAN address 80+443 with your firewall rule but your SNI_frontend is only listening on the localhost address. This way it will never catch any traffic at all!
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_61a3f4fdabe975.79392880 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_61a3f4fdabe975.79392880
# Frontend: 1_HTTPS_frontend (Listening on 192.168.64.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61a3f8200d98a7.85727127.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACL: LOCAL_SUBDOMAINS_SUBNET_condition
acl acl_61a3f9b4ed7092.44798843 src 192.168.0.0/24
# ACTION: LOCAL_SUBDOMAINS_map-rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/61a3f5af2446f3.11405534.txt)] if acl_61a3f9b4ed7092.44798843
# Backend: unraid_backend ()
backend unraid_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server unraid_server 192.168.0.20:443 ssl verify none
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy
# Backend: opnsense_backend ()
backend opnsense_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server opnsense_server 192.168.0.1:1443 ssl verify none
# Backend: qbittorrent_backend ()
backend qbittorrent_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server qbittorrent_server 192.168.0.20:8080
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_61d029838380d8.68540995 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_61d029838380d8.68540995
# Frontend: 1_HTTPS_frontend (Listening on 192.168.64.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61d02d156c0846.98881851.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACL: EXTERNAL_conditions
acl acl_61d066f2cc9639.62892989 src 193.138.218.219
# ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
acl acl_61d05461151001.71548589 src 192.168.1.0/24 192.168.70.0/24
# ACTION: LOCAL_SUBDOMAINS_map-rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/61d053aef188f4.27343600.txt)] if acl_61d066f2cc9639.62892989 || acl_61d05461151001.71548589
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/61d029eb5a9da6.54806678.txt)]
# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server acme_challenge_host 127.0.0.1:43580
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy
# Backend: nextcloud_backend ()
backend nextcloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server nextcloud_server 192.168.1.12:444 ssl verify none
# Backend: miniflux_backend ()
backend miniflux_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server miniflux_server 192.168.1.12:5600
# Backend: joplin_backend ()
backend joplin_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server joplin_server 192.168.1.12:22300
# Backend: calibre_backend ()
backend calibre_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server calibre_server 192.168.1.12:8083
# Backend: emby_backend ()
backend emby_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server emby_server 192.168.1.12:8096
# Backend: grocy_backend ()
backend grocy_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server grocy_server 192.168.1.12:9283
# Backend: hydra_backend ()
backend hydra_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server hydra_server 192.168.1.12:5076
# Backend: piwigo_backend ()
backend piwigo_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server piwigo_server 192.168.1.12:8099
# Backend: collabora_backend ()
backend collabora_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server collabora_server 192.168.1.12:9980
# Backend: freshrss_backend ()
backend freshrss_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server freshrss_server 192.168.1.12:8066
# Backend: wallabag_backend ()
backend wallabag_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server wallabag_server 192.168.1.12:6500
# Backend: wikijs_backend ()
backend wikijs_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server wikijs_server 192.168.1.12:3000
# Backend: heimdall_backend ()
backend heimdall_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server heimdall_server 192.168.1.12:8538
# Backend: monica_backend ()
backend monica_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server monica_server 192.168.1.12:8956
# Backend: firefly_backend ()
backend firefly_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server firefly_server 192.168.1.12:8088
# Backend: paperless_1_backend ()
backend paperless_1_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server paperless_1_server 192.168.1.12:8016
# Backend: paperless_2_backend ()
backend paperless_2_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server paperless_2_server 192.168.1.12:8006
First of all, please use the correct cipher list and suites, see the beginning of my OP.
You are still using AES128 ciphers, indicating you didn't read my tutorial correctly.
Next thing would be to clear your browser cache.
Is it only Firefly that is not working or are others also affected?
Are you using a trusted Let's Encrypt cert or a self-signed one?
Two of my services aren't working as expected at the moment, and that's Firefly III and Grocy. Everything else is working.
For Firefly, I came across this thread (https://github.com/firefly-iii/firefly-iii/discussions/5118) on Github discussing my exact issue. It was apparently fixed in this comment (https://github.com/firefly-iii/firefly-iii/discussions/5118#discussioncomment-1398790). My Docker env TRUSTED_PROXIES is set to ** already. Do I need to edit 1_HTTPS_frontend or 1_HTTP_frontend? I see that both of those have the option X-Forwarded-For header enabled in my HAProxy.
For Grocy, I'm having the issue described here (https://github.com/linuxserver/docker-grocy/issues/18), on Github. Someone using nginx mentioned they solved the issue by adding proxy_set_header X-Forwarded-Proto https; to their nginx config.
The links you posted both imply that your issues COULD be resolved by adding the following to your "HTTPS_frontend".
HAProxy --> Virtual Services --> Public Services --> 1_HTTPS_frontend --> Edit --> Enable "advanced mode" (top left corner) --> Scroll down to "Advanced settings" --> Option pass-through --> insert the below code --> Save --> Apply
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Real-IP %[src]
You might not need both lines so play around until you find the necessary line(s) and please post the final solution!
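Why those two headers (plus the X-Forwarded-For that `option forwardfor` already adds) fix applications like Firefly III and Grocy, and why an application must only honour them when they come from the proxy, is easier to see in code. The following is an added example written for this thread, not code from Firefly III, Grocy, HAProxy or the OPNsense plugin: a small request normaliser that rebuilds the original scheme and client IP from the forwarded headers, but only when the TCP peer is one of the configured proxy addresses (the idea behind Firefly's TRUSTED_PROXIES). The WSGI-style request dictionaries, the proxy address 192.168.1.1 and all IPs are constructed.

```python
"""Scheme and client-IP recovery behind HAProxy: only trust forwarded headers
from a known proxy (the idea behind Firefly III's TRUSTED_PROXIES setting).
Example code written for this thread, not taken from any of the applications."""
import ipaddress
from dataclasses import dataclass


@dataclass
class ClientView:
    scheme: str      # what the user actually used: http or https
    client_ip: str   # the real client, not the proxy
    trusted: bool    # whether forwarded headers were honoured


def _parse_networks(trusted_proxies):
    """'*' or '**' means trust every peer; otherwise a comma list of IPs/CIDRs."""
    if trusted_proxies in ("*", "**"):
        return None
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in trusted_proxies.split(",") if p.strip()]


def _peer_is_trusted(networks, peer):
    if networks is None:
        return True
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in networks)


def resolve_client(environ, trusted_proxies="192.168.1.1"):
    """environ uses WSGI keys: REMOTE_ADDR, wsgi.url_scheme and HTTP_<HEADER>.

    HAProxy's 'option forwardfor' appends the address it saw to
    X-Forwarded-For, and the two lines from the post add X-Forwarded-Proto and
    X-Real-IP. None of them may be believed unless the TCP peer is our proxy
    (the default 192.168.1.1 here is an assumed proxy address): a client that
    reaches the app directly could otherwise claim any IP or an https origin
    and defeat per-IP limits or secure-cookie logic.
    """
    peer = environ["REMOTE_ADDR"]
    scheme = environ.get("wsgi.url_scheme", "http")
    if not _peer_is_trusted(_parse_networks(trusted_proxies), peer):
        return ClientView(scheme, peer, False)

    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    if proto in ("http", "https"):
        scheme = proto

    # X-Forwarded-For may already contain junk the client sent; the entry our
    # proxy appended is the right-most one, so prefer that over the left-most.
    chain = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    client = chain[-1] if chain else environ.get("HTTP_X_REAL_IP", peer)
    try:
        ipaddress.ip_address(client)
    except ValueError:
        client = peer  # unparsable header value: fall back to the socket peer
    return ClientView(scheme, client, True)


if __name__ == "__main__":
    # Constructed request as the app would see it arriving from HAProxy at 192.168.1.1.
    sample = {
        "REMOTE_ADDR": "192.168.1.1",
        "wsgi.url_scheme": "http",
        "HTTP_X_FORWARDED_PROTO": "https",
        "HTTP_X_FORWARDED_FOR": "10.9.9.9, 203.0.113.7",
    }
    print(resolve_client(sample))
```

The trust check is the part worth keeping in mind when an application offers a wildcard such as `**`: with it, every peer is believed, which is only safe when the application port is reachable from nothing but HAProxy (firewall or Docker network), exactly the situation the backends in this thread are in.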
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 1
hard-stop-after 60s
maxconn 10
tune.ssl.default-dh-param 2048
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 10
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (listening on 0.0.0.0:80, 0.0.0.0:443, 0.0.0.0:853)
frontend 0_SNI_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:853 name 0.0.0.0:853
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (listening on 192.168.5.100:80 i.e. http only)
frontend 1_HTTP_frontend
bind 192.168.5.100:80 name 192.168.5.100:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_Condition
acl acl_619439805021f2.97978352 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_619439805021f2.97978352
# Frontend: 1_HTTPS_frontend (Listening on 192.168.5.100:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.5.100:443 name 192.168.5.100:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61952b9d47d700.25962675.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/619521e7265391.88020289.txt)]
# Frontend: 1_TCP_frontend (Listening on 192.168.5.100:853)
frontend 1_TCP_frontend
bind 192.168.5.100:853 name 192.168.5.100:853 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61dc51606078d9.11258474.certlist
mode tcp
default_backend nginx_backend-tcp
# tuning options
timeout client 15m
# logging options
option tcplog
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/619521e7265391.88020289.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 192.168.5.100 send-proxy-v2 check-send-proxy
# Backend: nginx_backend-tcp ()
backend nginx_backend-tcp
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server nginx_1 192.168.5.152:8053
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
use_backend <myBackend(Pool)> if is_websocket
[WARNING] (20353) : Proxy '1_HTTP_frontend': L6 sample fetches ignored on HTTP proxies (declared at /usr/local/etc/haproxy.conf.staging:70).
Warnings were found.
Configuration file is valid
First of all, thank you for the guide; it was great and helped me out a lot.
I just have a question: I have to use a VPN adapter for work called Zscaler, and it tries to make a tunnel using port 443. How do I tell HAProxy, as a default, to only route the things in the map file and not intercept anything else, so the VPN client can create a tunnel?
tcp-request inspect-delay 5s
use_backend OPENVPN_backend if req_ssl_hello_type 1
tcp-request content accept if !{ req_ssl_hello_type 1 }
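The `req_ssl_hello_type 1` condition above works because a tcp-mode frontend with `tcp-request inspect-delay` holds the connection until the first bytes arrive and then checks whether they form a TLS ClientHello; `req_ssl_sni` reads the server name out of the same record. The following is an added example written for this thread, not code from HAProxy or the OPNsense plugin, that performs that classification in Python and shows why a stream that is not a ClientHello, or a hello without SNI, can only ever land on the default backend. The ClientHello bytes, the backend names and the hostname are constructed.

```python
"""Classify the first bytes of a TCP connection the way HAProxy's
req_ssl_hello_type / req_ssl_sni fetches do. Added example for this thread;
not code from HAProxy. The ClientHello bytes are constructed below."""
import struct


def build_client_hello(server_name=None):
    """Constructed minimal TLS ClientHello (one cipher suite, zero random),
    optionally carrying a server_name extension. Test input only."""
    body = b"\x03\x03" + bytes(32)            # client_version, random
    body += b"\x00"                            # session_id: empty
    body += b"\x00\x02\xc0\x2c"                # cipher_suites: one entry
    body += b"\x01\x00"                        # compression_methods: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # host_name type
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sn_list)) + sn_list     # ext type 0
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify(data):
    """Return (hello_type, sni).

    hello_type is None when the bytes are not a complete TLS handshake record
    (plain HTTP, a non-TLS protocol, or a record still being received, which
    is what 'tcp-request inspect-delay' waits for). 1 means ClientHello; sni
    is the lowercased host_name from the server_name extension, or None when
    the hello carries none.
    """
    if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03:
        return None, None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) != rec_len or len(rec) < 4:
        return None, None
    hello_type = rec[0]
    if hello_type != 1:
        return hello_type, None
    hs = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    try:
        pos = 2 + 32                                         # version + random
        pos += 1 + hs[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                                   # compression_methods
        if pos >= len(hs):
            return 1, None                                   # no extensions block
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                                   # server_name
                lst, i = hs[pos:pos + elen], 2               # skip list length
                while i + 3 <= len(lst):
                    ntype, nlen = lst[i], struct.unpack("!H", lst[i + 1:i + 3])[0]
                    if ntype == 0:
                        return 1, lst[i + 3:i + 3 + nlen].decode("ascii", "replace").lower()
                    i += 3 + nlen
            pos += elen
    except (IndexError, struct.error):
        return 1, None                                       # malformed hello: treat as no SNI
    return 1, None


def route_tcp(data, sni_backends, default_backend):
    """tcp-mode routing: a ClientHello whose SNI has an (exact) entry goes to
    that backend; everything else can only land on the default backend, since
    nothing in a hello without SNI, or in a non-TLS stream, identifies it."""
    hello_type, sni = classify(data)
    if hello_type == 1 and sni in sni_backends:
        return sni_backends[sni]
    return default_backend
```

The lookup in `route_tcp` is an exact match on purpose; it is only there to show the decision, not to reproduce `map_dom`. The defensive point for a VPN client on port 443 is the last branch: a tunnel that does not start with a TLS ClientHello (or sends no SNI) is indistinguishable from any other stream, so the only control you have over it is which backend you make the default.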
I have two servers with several vhosts behind an OPNsense router/firewall.
Is it also possible to have two servers which need certs? Or only one?
If it's possible, how do I have to do it?
I got this error:
[WARNING] (20353) : Proxy '1_HTTP_frontend': L6 sample fetches ignored on HTTP proxies (declared at /usr/local/etc/haproxy.conf.staging:70).
Warnings were found.
Configuration file is valid
What is wrong?
<VirtualHost *:80>
ServerAdmin mail@xxx.com
ServerName xxx.ch
ServerAlias www.xxxx.ch
DocumentRoot /usr/share/webapps/blog/
DirectoryIndex index.php
RemoteIPProxyProtocol On
<Directory /usr/share/webapps/blog>
Options +Indexes +FollowSymLinks +MultiViews
AllowOverride All
Order allow,deny
allow from all
<FilesMatch \.php$>
# For Apache version 2.4.10 and above, use SetHandler to run PHP as a fastCGI process server
SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost"
</FilesMatch>
<Files "*.php">
MultiviewsMatch Any
</Files>
</Directory>
ErrorLog /var/log/httpd/blog_error.log
CustomLog /var/log/httpd/blog_access.log combined
</VirtualHost>
My HAproxy.conf file looks like this:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: O_SNI_fronted (Listening 0.0.0.0:80 0.0.0.0:443)
frontend O_SNI_fronted
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening 127.0.0.1:80)
frontend 1_HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NO_SSL_Rule
acl acl_620808a860e296.91534155 req.ssl_ver gt 0
# ACTION: HTTP_TO_HTTPS_RULE
http-request redirect scheme https code 301 if !acl_620808a860e296.91534155
# Frontend: 1_HTTPS_frontend (Listening 127.0.0.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6208140971a7a3.08696099.certlist
mode http
option http-keep-alive
# tuning options
timeout client 15m
# logging options
# ACTION: PUBLIC_MAP_RULE
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/620809e036a6d1.87483247.txt)]
# Backend: SSL_backend (SSL backend)
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_Server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: 5erver_backend (Server backend)
backend 5erver_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server 5erver_Server_80 192.168.1.100:80
# ERROR: server data not found (0b989d9b-eb50-4dff-8a2f-6bc56245fd74)
# Backend: NAS_backend (NAS backend)
backend NAS_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server nas_Server_80 192.168.1.118:80
# ERROR: server data not found (36c63574-bd94-43f7-836e-cd78c8edc6c0)
My map file looks like this:
#public subdomains mapping
flood 5erver_backend
frank 5erver_backend
www 5erver_backend
torrent 5erver_backend
grafana 5erver_backend
nas 5erver_backend
kvm 5erver_backend
monitoring 5erver_backend
speedtest 5erver_backend
sync 5erver_backend
tracker 5erver_backend
cloud NAS_backend
dav NAS_backend
How can I fix this error?
FIRST: You should remove your personal info from your post.
SECOND: Another issue from not properly reading my guide.
Your solution is in Part 5 - Step 6.
Quote:
Now we create the backend that belongs to an actual service. You will need one backend for each service.
If you have multiple servers serving the exact same content then you will want to add all servers into a single backend so HAProxy can actually balance the load between the servers.
YOU NEED: ... one backend for each service.
YOU DID: ... one backend for each server hosting individual services.
Just think about it... How should HAProxy even be able to talk to one of your services when you are only pointing it to the IP:Port of the server virtually hosting the service!? This makes no sense...
It is like telling someone "Meet me in New York in a bar." without telling them which bar.
#public subdomains mapping
flood 5erver_backend
frank 5erver_backend
www 5erver_backend
torrent 5erver_backend
grafana 5erver_backend
nas 5erver_backend
kvm 5erver_backend
monitoring 5erver_backend
speedtest 5erver_backend
sync 5erver_backend
tracker 5erver_backend
cloud NAS_backend
dav NAS_backend
nas 5erver_backend
nas.yourdomain.com --> NAS_backend
www 5erver_backend
www.yourdomain.com --> 5erver_backend
grafana 5erver_backend
grafana.yourdomain.com --> 5erver_backend
cat haproxy.conf
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: O_SNI_fronted (Listening MYIP:80 MYIP:443)
frontend O_SNI_fronted
bind MY IP:80 name MYIP:80
bind MY IP:443 name MY IP:443
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening 192.168.1.1:80)
frontend 1_HTTP_frontend
bind 192.168.1.1:80 name 192.168.1.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NO_SSL_Rule
acl acl_620808a860e296.91534155 req.ssl_ver gt 0
# ACTION: HTTP_TO_HTTPS_RULE
http-request redirect scheme https code 301 if !acl_620808a860e296.91534155
# Frontend: 1_HTTPS_frontend (Listening 192.168.1.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.1.1:443 name 192.168.1.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6208140971a7a3.08696099.certlist
mode http
option http-keep-alive
# tuning options
timeout client 15m
# logging options
# ACTION: PUBLIC_MAP_RULE
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/620809e036a6d1.87483247.txt)]
# Backend: SSL_backend (SSL backend)
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_Server 192.168.1.1 send-proxy-v2 check-send-proxy
# Backend: blog_server_backend (Server backend blog)
backend blog_server_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server 5erver_Server_80 192.168.1.100:80 send-proxy-v2 check-send-proxy
# Backend: cloud_nas_backend (cloud backend NAS)
backend cloud_nas_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server nas_Server_80 192.168.1.118:80 send-proxy-v2 check-send-proxy
# Backend: dav_nas_backend (dav backend NAS)
backend dav_nas_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server nas_Server_80 192.168.1.118:80 send-proxy-v2 check-send-proxy
# Backend: frank_server_backend (Server backend frank)
backend frank_server_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server 5erver_Server_80 192.168.1.100:80 send-proxy-v2 check-send-proxy
# Backend: flood_server_backend (Server backend flood)
backend flood_server_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server 5erver_Server_80 192.168.1.100:80 send-proxy-v2 check-send-proxy
# Backend: sync_server_backend (Server backend sync)
backend sync_server_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server 5erver_Server_80 192.168.1.100:80 send-proxy-v2 check-send-proxy
# Backend: monitoring_server_backend (Server backend monitoring)
backend monitoring_server_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server 5erver_Server_80 192.168.1.100:80 send-proxy-v2 check-send-proxy
# Backend: kvm_server_backend (Server backend kvm)
backend kvm_server_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server 5erver_Server_80 192.168.1.100:80 send-proxy-v2 check-send-proxy
# Backend: nas_server_backend (Server backend nas)
backend nas_server_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server 5erver_Server_80 192.168.1.100:80 send-proxy-v2 check-send-proxy
# Backend: tracker_server_backend (Server backend tracker)
backend tracker_server_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server 5erver_Server_80 192.168.1.100:80 send-proxy-v2 check-send-proxy
#public subdomains mapping
flood flood_server_backend
frank frank_server_backend
grafana grafana_server_backend
nas nas_server_backend
kvm kvm_server_backend
monitoring monitoring_server_backend
sync sync_server_backend
tracker tracker_server_backend
cloud cloud_nas_backend
dav dav_nas_backend
#public subdomains mapping
flood WEBSERVER_backend
frank WEBSERVER_backend
www WEBSERVER_backend
torrent WEBSERVER_backend
grafana WEBSERVER_backend
nas WEBSERVER_backend
kvm WEBSERVER_backend
monitoring WEBSERVER_backend
speedtest WEBSERVER_backend
sync WEBSERVER_backend
tracker WEBSERVER_backend
cloud NAS_backend
dav NAS_backend
WEBSERVER_backend --> contains --> WEBSERVER_server
WEBSERVER_server=192.168.1.100:80
NAS_backend --> contains --> NAS_server
NAS_server=192.168.1.118:80
# WEBSERVER_backend
flood.yourdomain.com
frank.yourdomain.com
www.yourdomain.com
torrent.yourdomain.com
grafana.yourdomain.com
nas.yourdomain.com
kvm.yourdomain.com
monitoring.yourdomain.com
speedtest.yourdomain.com
sync.yourdomain.com
tracker.yourdomain.com
# NAS_backend
cloud.yourdomain.com
dav.yourdomain.com
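To make the mapping above concrete, here is an added example written for this thread (not code from HAProxy or the OPNsense plugin): it parses a map file in this format and resolves a Host header the way `map_dom` does, where a key matches when it appears in the host as a whole domain component, so `nas` matches nas.yourdomain.com but not nasty.yourdomain.com. It also adds the two checks a reviewer would run on a map like the one posted earlier: map values that name a backend the config never defines (the grafana entry in that map points at a backend that does not exist in the config), and which hostnames end up at which server address, which shows why one backend per server is enough for name-based vhosts. The map text and the backend table are constructed from the values in this thread; the first-match-in-file-order behaviour is how I understand HAProxy's non-exact map lookups.

```python
"""map_dom-style host routing plus sanity checks for a public-subdomains map.
Added example for this thread; not code from HAProxy or the OPNsense plugin.
The map text and the backend table are constructed from values in the posts."""

# Constructed: the corrected map as proposed above (comment lines start with '#').
MAP_TEXT = """\
#public subdomains mapping
flood WEBSERVER_backend
frank WEBSERVER_backend
www WEBSERVER_backend
torrent WEBSERVER_backend
grafana WEBSERVER_backend
nas WEBSERVER_backend
kvm WEBSERVER_backend
monitoring WEBSERVER_backend
speedtest WEBSERVER_backend
sync WEBSERVER_backend
tracker WEBSERVER_backend
cloud NAS_backend
dav NAS_backend
"""

# Constructed: backend name -> server addresses, mirroring the two backends above.
BACKENDS = {
    "WEBSERVER_backend": ["192.168.1.100:80"],
    "NAS_backend": ["192.168.1.118:80"],
}


def parse_map(text):
    """Return [(key, value)] in file order; blank and '#' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"map line without a value: {raw!r}")
        entries.append((parts[0].lower(), parts[1].strip()))
    return entries


def dom_match(key, host):
    """Domain match: key must appear in host delimited by dots or string ends,
    so 'nas' matches 'nas.example.com' and 'x.nas.example.com' but not
    'nasty.example.com'."""
    start = 0
    while True:
        i = host.find(key, start)
        if i < 0:
            return False
        end = i + len(key)
        if (i == 0 or host[i - 1] == ".") and (end == len(host) or host[end] == "."):
            return True
        start = i + 1


def map_dom(host_header, entries, default=None):
    """Equivalent of req.hdr(host),lower,map_dom(file): the first entry in
    file order whose key domain-matches the lowercased Host header wins."""
    host = host_header.strip().lower()
    for key, backend in entries:
        if dom_match(key, host):
            return backend
    return default


def undefined_backends(entries, backends):
    """Map values naming no configured backend. Requests for such hosts never
    reach a server, and with a dynamic use_backend this only shows at runtime."""
    return sorted({b for _, b in entries if b not in backends})


def hosts_by_server(entries, backends):
    """Invert the mapping: which map keys end up at which server address.
    Many keys on one address is the normal shape for a name-based vhost host
    and needs exactly one backend, not one per subdomain."""
    out = {}
    for key, backend in entries:
        for server in backends.get(backend, ["<undefined: %s>" % backend]):
            out.setdefault(server, []).append(key)
    return out
```

Note the ordering consequence of domain matching: a request for dav.nas.yourdomain.com is routed by the `nas` entry, because it comes before `dav` in the file and matches the middle label. Keep keys specific, or order the map so the most specific entries come first, when subdomains nest.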
Quote:
I got this error
[WARNING] (20353) : Proxy '1_HTTP_frontend': L6 sample fetches ignored on HTTP proxies (declared at /usr/local/etc/haproxy.conf.staging:70).
Warnings were found.
Configuration file is valid
What is wrong?
Have you disabled the web GUI redirect rule in Part 4-1?
Quote:
I got this error
[WARNING] (20353) : Proxy '1_HTTP_frontend': L6 sample fetches ignored on HTTP proxies (declared at /usr/local/etc/haproxy.conf.staging:70).
Warnings were found.
Configuration file is valid
What is wrong?
https://forum.opnsense.org/index.php?topic=27065.msg131206#msg131206
I have the HTTP web UI on port 4444, so it is impossible that it listens on 80.
I have just tried TCP mode with a map file; there are a few more steps to achieve the goal instead of placing the map rule directly in 0_SNI.
(I checked the packet and found the SNI inside; however, HAProxy doesn't recognize it in TCP mode, which is why we need to force it to recognize the SNI.)
Just take a look at the config file; some parts of it look strange to me.
1. You don't need to type the WAN IP in 0_SNI_frontend.
Instead, it should be 0.0.0.0:80 and 0.0.0.0:443.
0.0.0.0 means any IP that points to your router.
2. What is your router IP?
If your router is 192.168.1.1, then 1_HTTP_frontend and 1_HTTPS_frontend will obviously conflict with 0_SNI_fronted.
Since 0_SNI_fronted is already listening on ports 80 and 443 of your router, you won't be able to listen on them with 192.168.1.1.
Please follow Part 4-2 to create a Virtual IP, and set 1_HTTP_frontend and 1_HTTPS_frontend to the virtual IP.
If you don't want to create any Virtual IP, please remove 0_SNI_frontend
and set 1_HTTP_frontend to 0.0.0.0:80 and 1_HTTPS_frontend to 0.0.0.0:443 instead.
Since all of your servers are running in http mode, it should work without an SNI frontend.
Sure, just add it to your tutorial if you like.
I have 2 TCP servers running: OpenVPN and v2ray
(both of them come with an SNI header).
I'm sure not all TCP services can use HAProxy, for example a Minecraft server without additional tools.
(One of the ways is to add one more rule to redirect other SSL connections to SSL_backend, and set the Minecraft server as the default backend of 0_SNI, as no conditions or rules in HAProxy can catch connections that don't have an SNI header.)
int warnif_tcp_http_cond(const struct proxy *px, const struct acl_cond *cond)
{
        if (!cond || px->mode != PR_MODE_HTTP)
                return 0;

        if (cond->use & (SMP_USE_L6REQ|SMP_USE_L6RES)) {
                ha_warning("Proxy '%s': L6 sample fetches ignored on HTTP proxies (declared at %s:%d).\n",
                           px->id, cond->file, cond->line);
                return ERR_WARN;
        }
        return 0;
}
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 2
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: tcp_front (Listen to 0.0.0.0:443, TCP SNI handler, redirect if xray)
frontend tcp_front
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_back
# tuning options
timeout client 30s
# logging options
# ACL: SSL_hello
acl acl_6212326a7c07e4.28981163 req_ssl_hello_type 1
# ACTION: tcp_request_inspect_delay
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: tcp_request_content_accept_ssl
tcp-request content accept if acl_6212326a7c07e4.28981163
# ACTION: hmdir_ru
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6214a3ae639096.17472719.txt)]
# Frontend: http_front (Listen to VIP:80 and redirect to 443)
frontend http_front
bind 192.168.6.1:80 name 192.168.6.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: http
acl acl_62123bbee27260.60165685 ssl_fc
# ACTION: http_to_https
http-request redirect scheme https code 301 if !acl_62123bbee27260.60165685
# Frontend: ssl_front (Listen to VIP 443, SSL offload cert)
frontend ssl_front
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.6.1:443 name 192.168.6.1:443 accept-proxy ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/621244f0de5919.36753000.certlist
mode http
option http-keep-alive
default_backend hkbn_back
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: local
acl acl_62123a1cebe813.09309501 src 192.168.3.0/24 192.168.5.0/24
# ACTION: local_ru
use_backend opn_back if acl_62123a1cebe813.09309501
# Backend: hmdir_back (Backend of v2ray)
backend hmdir_back
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server hmdir 192.168.3.3:443
# Backend: hkbn_back (Backend of HKBN)
backend hkbn_back
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server hkbn 192.168.4.2:443 ssl verify none
# Backend: SSL_back (Backend to redirect SSL servers)
backend SSL_back
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server ssl 192.168.6.1 send-proxy-v2 check-send-proxy
# Backend: opn_back (Backend of opnsense with SSL)
backend opn_back
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server opn 192.168.3.1:8443 ssl verify none
# Backend: open_back (Backend of OpenVPN)
backend open_back
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server open 192.168.3.1:10443
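The C function quoted above is the check that prints the warning several people in this thread hit: an ACL built on a layer-6 fetch (one that reads the raw TLS record, such as `req.ssl_ver` in the HTTP_frontend of the tutorial) is silently ignored once the proxy is in `mode http`. The following is an added example written for this thread, not code from HAProxy or the OPNsense plugin: a small linter that reproduces the check on the text of an haproxy.conf, so the offending line can be found before `haproxy -c` is run. The config excerpt is constructed from the 1_HTTP_frontend and 0_SNI_frontend shapes used in this thread, and the fetch list is the subset of layer-6 fetches I know of, not HAProxy's complete table.

```python
"""Reproduce HAProxy's 'L6 sample fetches ignored on HTTP proxies' warning
from the text of a config file. Added example for this thread, not code from
HAProxy or the OPNsense plugin: the fetch list below is the subset of layer-6
fetches I know of, not HAProxy's complete table."""
import re

L6_FETCHES = {
    "req.ssl_ver", "req_ssl_ver", "req.ssl_hello_type", "req_ssl_hello_type",
    "req.ssl_sni", "req_ssl_sni", "req.ssl_alpn", "req.ssl_ec_ext", "req.ssl_st_ext",
    "req.ssl_cipherlist", "req.len", "req_len", "req.payload", "req.payload_lv",
    "res.ssl_hello_type", "rep_ssl_hello_type",
}
SECTION_RE = re.compile(r"^(frontend|listen|backend|defaults)\b(?:\s+(\S+))?")
INLINE_ACL_RE = re.compile(r"\{\s*([A-Za-z0-9_.]+)")   # anonymous ACL: { fetch ... }

# Constructed excerpt: an http-mode frontend with the tutorial's NoSSL ACL and a
# tcp-mode SNI frontend where the same kind of fetch is legitimate.
CONSTRUCTED_CONF = """\
frontend 1_HTTP_frontend
    bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
    mode http
    option forwardfor
    # ACL: NoSSL_condition
    acl acl_nossl req.ssl_ver gt 0
    http-request redirect scheme https code 301 if !acl_nossl
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    tcp-request inspect-delay 5s
    acl is_hello req_ssl_hello_type 1
    tcp-request content accept if is_hello
    use_backend SSL_backend if { req_ssl_sni -i nas.yourdomain.com }
backend SSL_backend
    mode tcp
    server SSL_server 192.168.64.1 send-proxy-v2
"""


def base_fetch(token):
    """'req.hdr(host),lower' -> 'req.hdr': drop arguments and converters."""
    return re.split(r"[(,]", token, maxsplit=1)[0]


def lint_l6_in_http(text, filename="haproxy.conf"):
    """Return warning strings in the same wording HAProxy prints.

    The real check (warnif_tcp_http_cond) looks at the conditions attached to
    rules; this linter flags the 'acl' declarations and inline '{ ... }'
    conditions that use an L6 fetch inside a proxy whose mode is http.
    """
    sections, current, default_mode = [], None, "tcp"   # HAProxy defaults to tcp
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {"kind": m.group(1), "name": m.group(2) or m.group(1),
                       "mode": default_mode, "fetches": []}
            sections.append(current)
            continue
        if current is None:            # still in 'global'
            continue
        tokens = line.split()
        if tokens[0] == "mode" and len(tokens) > 1:
            current["mode"] = tokens[1]
            if current["kind"] == "defaults":
                default_mode = tokens[1]   # 'defaults' sets the mode of later proxies
            continue
        seen = [base_fetch(tokens[2])] if tokens[0] == "acl" and len(tokens) >= 3 else []
        seen += [base_fetch(t) for t in INLINE_ACL_RE.findall(line)]
        current["fetches"] += [(no, f) for f in seen if f in L6_FETCHES]

    warnings = []
    for s in sections:
        if s["kind"] == "defaults" or s["mode"] != "http":
            continue
        for no, fetch in s["fetches"]:
            warnings.append(
                f"Proxy '{s['name']}': L6 sample fetches ignored on HTTP proxies "
                f"(declared at {filename}:{no}). [{fetch}]")
    return warnings


if __name__ == "__main__":
    for w in lint_l6_in_http(CONSTRUCTED_CONF, "haproxy.conf.staging"):
        print(w)
```

For an http-mode frontend the layer-5 fetch `ssl_fc`, as used in the `{ ssl_fc }` header rule earlier in this thread, is the one that actually reflects whether the frontend terminated TLS; the linter reports the file line so the ACL can be changed rather than the warning ignored.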
Would it be possible to adjust the tutorial for IPv6 support, or add a hint on how to add IPv6 support to an existing configuration?
Quote:
I got this error
[WARNING] (20353) : Proxy '1_HTTP_frontend': L6 sample fetches ignored on HTTP proxies (declared at /usr/local/etc/haproxy.conf.staging:70).
Warnings were found.
Configuration file is valid
What is wrong?
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 6
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend (DISABLED): https_passthrough ()
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_622eebaf197419.36314953 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_622eebaf197419.36314953
# Frontend: 1_HTTPS_frontend (Listening on 192.168.64.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/622eef9a9d7268.16491040.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/622eeaa3044ba7.74145133.txt)]
# Backend: backend_pool_abc ()
backend backend_pool_meet_huuich_vn
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
# Backend: PLEX_backend ()
backend PLEX_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server PLEX_server 192.168.82.11:32400 ssl verify none
# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server acme_challenge_host 127.0.0.1:43580
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy
# public access subdomains
plex PLEX_backend
server {
listen 32400;
listen [::]:32400;
root /var/www/mywebsite.com/html;
index index.html index.htm index.nginx-debian.html;
server_name mywebsite.com;
location / {
try_files $uri $uri/ =404;
}
}
I can reach my website internally on http://192.168.82.11:32400 fine, but when I access http://mywebsite.com the browser goes to https://mywebsite.com and shows this error:
503 Service Unavailable
No server is available to handle this request.
How can I fix this so that my website https://mywebsite.com works? Thanks!
First.
The entry "plex PLEX_backend" in the mapfile means that you will have to access it using the "plex" subdomain. --> In your case "plex.mywebsite.com"!
Alternatively just set the PLEX_backend as default backend on your HTTPS_frontend.
Second.
http will always get redirected to https. This is intended and you will most probably want this! This is configured using the HTTPtoHTTPS_rule and NoSSL_condition.
Third.
Apart from the above your config looks good. (just took a very short look at it)
Fourth.
You might have to disable the SSL checkbox in the PLEX_server settings.
But only if you are REALLY accessing it locally using http://IP:32400 and the service is NOT redirecting you to HTTPS. But I highly doubt this since Plex is running on a self-signed SSL cert by default...
Quote: I want to set up HAProxy just for routing traffic based on URLs (https://xyz.domain.com goes to server 1 and https://abc.domain.com goes to server 2, etc...). All SSL stuff for the destination web servers is being handled by a separate Linux certificate server and the web servers themselves, independent from OPNsense/HAProxy. HAProxy is really only needed for routing traffic based on URLs, nothing more, nothing less.
Did you find a solution for your purpose? I want to do the same as you.
Quote: You have to set your backends and frontends to HTTP Mode.
I can do that using SSL passthrough by following this guide step by step (https://forum.opnsense.org/index.php?topic=18538.msg84958#msg84958) from @alh
Also disable SSL offloading on the frontends.
But I can't guarantee for sure that it will work.
TCP Mode will never (with a few exceptions) work because there is no header in the packets that would tell HAProxy which service to send the traffic to.
HTTP Mode could work, but you might need to create some "http header contains..." conditions.
This should work for any TCP-based SSL/TLS encrypted service in passthrough (HAProxy: TCP) mode... It does NOT work for STARTTLS!
In this example I use TCP port 443.
HAProxy plugin: Create "Real Server" (enter name, IP/FQDN and port number if different from 443, the rest can be left at default)
HAProxy plugin: Create "Backend Pool" (enter name, set mode to TCP and select the real server from step 1)
HAProxy plugin: Create "Condition" (enter name ["traffic_ssl"], condition type is "custom condition (option pass-through)" with value "req_ssl_hello_type 1")
HAProxy plugin: Create "condition" (enter name ["myservice_sni"], condition type is "SNI TLS extension matches (TCP request content inspection)" with value "myservice.example.com" or whatever your FQDN is)
HAProxy plugin: Create "Rule" (enter name ["request_inspect_delay"], select no condition, function is "tcp-request inspect delay" with value "5s" or whatever suits you)
HAProxy plugin: Create "Rule" (enter name ["request_content_accept_ssl"], select the condition from step 3 ["traffic_ssl"], function is "tcp-request content accept")
HAProxy plugin: Create "Rule" (enter name ["myservice_sni"], select the condition from step 4 ["myservice_sni"], function is "Use specific backend pool" with your pool from step 2)
HAProxy plugin: Create "Public service" (enter name ["https_passthrough"], choose a listen address [":443" for all], type is "TCP" and select the 3 rules created earlier)
HAProxy plugin: Enable plugin or test/apply
Firewall: allow incoming traffic to WAN (address) or whatever for TCP port 443.
That works at least for me. If you have double NAT you would need to disable port randomization for the proxied port...
Does that help you?
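The decision the steps above configure, written out in Python as an added example (not code from the OPNsense plugin, HAProxy or this post): a minimal parser for what the "req_ssl_hello_type 1" condition and the SNI condition inspect in the first bytes of a TCP connection, plus an imitation of the map_dom lookup that the map-file rules in the configs of this thread use. The ClientHello builder, the map entries and the hostnames are constructed test data; a first message that is not a TLS ClientHello (plain HTTP, or the SMTP dialogue that precedes STARTTLS) carries no SNI and can only fall through to the default backend, which is why the recipe does not cover STARTTLS.

```python
import struct

# Constructed map file in the spirit of the thread's "public access subdomains":
# <domain key> <backend>, looked up with map_dom (see below).
MAPFILE = [("plex", "PLEX_backend"), ("c", "hmdir_back")]


def tls_hello_type(data: bytes):
    """Mimic req_ssl_hello_type: handshake type of the first TLS record (1 = ClientHello),
    or None when the first bytes are not a TLS handshake record at all."""
    if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03:  # 0x16 = handshake, major version 3
        return None
    return data[5]


def tls_client_hello_sni(data: bytes):
    """Mimic req.ssl_sni: the server_name carried in the ClientHello, or None."""
    if tls_hello_type(data) != 1:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                      # hello split over records: nothing to decide on yet
    try:
        pos = 2 + 32                     # client_version + random
        pos += 1 + body[pos]             # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]             # compression methods
        if pos + 2 > len(body):
            return None                  # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == 0:               # server_name extension
                if len(edata) < 5 or edata[2] != 0:   # name_type 0 = host_name
                    return None
                nlen = struct.unpack("!H", edata[3:5])[0]
                return edata[5:5 + nlen].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with a single SNI extension (test input only)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                              # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def map_dom(host: str, mapping):
    """Mimic HAProxy's map_dom: a key matches when it occurs in the host as whole
    dot-delimited labels, so "plex" matches plex.mywebsite.com but "c" not abc.mywebsite.com."""
    host = host.lower()
    for key, backend in mapping:
        key, start = key.lower(), 0
        while (start := host.find(key, start)) != -1:
            end = start + len(key)
            if (start == 0 or host[start - 1] == ".") and (end == len(host) or host[end] == "."):
                return backend
            start += 1
    return None


def choose_backend(first_bytes: bytes, mapping, default_backend: str) -> str:
    """Decision of a TCP-mode SNI frontend: only a ClientHello is routed by its SNI;
    anything else (plain HTTP, SMTP before STARTTLS, a game protocol) gets the default."""
    if tls_hello_type(first_bytes) != 1:
        return default_backend
    sni = tls_client_hello_sni(first_bytes)
    return (map_dom(sni, mapping) if sni else None) or default_backend
```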
Quote: If all SSL certificates are handled by the webservers themselves.
I've followed your guide, but my backend server ctl_backend has code
Follow #176 (https://forum.opnsense.org/index.php?topic=23339.msg131354#msg131354); steps 1-4 will allow 0_SNI_FRONTEND to recognize TLS packets and redirect under TCP mode.
Note: all backends redirected from 0_SNI_FRONTEND should be in TCP mode.
HAProxy only works with servers that use TLS packets. For servers that don't send TLS packets (for example, game servers), HAProxy won't work. Although you can set the default backend server to the game server, there's only one default backend server.
BTW, for the backend server to get the source IP, enabling the X-Forwarded-For header for all frontends should work.
However, this only applies to HTTP.
reference (https://www.haproxy.com/fr/blog/preserve-source-ip-address-despite-reverse-proxies/)
reference 2 (https://www.haproxy.com/blog/layer-7-load-balancing-transparent-proxy-mode/)
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Real-IP %[src]
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 6
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend (DISABLED): https_passthrough ()
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
# tuning options
timeout client 30s
# logging options
# ACL: traffic_ssl
acl acl_601a842f14cee3.17646593 req_ssl_hello_type 1
# ACTION: request_content_accept_ssl
tcp-request content accept if acl_601a842f14cee3.17646593
# ACTION: request_inspect_delay
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/622eeaa3044ba7.74145133.txt)]
# Frontend (DISABLED): 1_HTTP_frontend (Listening on 192.168.64.1:80)
# Frontend (DISABLED): 1_HTTPS_frontend (Listening on 192.168.64.1:443)
# Backend: PLEX_backend ()
backend PLEX_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Real-IP %[src]
http-reuse safe
server PLEX_server 192.168.82.11:32400
# Backend (DISABLED): acme_challenge_backend (Added by Let's Encrypt plugin)
# Backend (DISABLED): SSL_backend ()
# Backend: ctl_backend ()
backend ctl_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Real-IP %[src]
http-reuse safe
server ctl_server 192.168.82.11:32401
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 2
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: tcp_front (Listen to 0.0.0.0:443, TCP SNI handler, redirect if v2ray)
frontend tcp_front
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_back
# tuning options
timeout client 30s
# logging options
# ACL: SSL_hello
acl acl_6212326a7c07e4.28981163 req_ssl_hello_type 1
# ACTION: tcp_request_inspect_delay
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: tcp_request_content_accept_ssl
tcp-request content accept if acl_6212326a7c07e4.28981163
# ACTION: hmdir_ru
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6214a3ae639096.17472719.txt)]
# Frontend: http_front (Listen to VIP:80 and redirect to 443)
frontend http_front
bind 192.168.6.1:80 name 192.168.6.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: http
acl acl_62123bbee27260.60165685 ssl_fc
# ACTION: http_to_https
http-request redirect scheme https code 301 if !acl_62123bbee27260.60165685
# Frontend: ssl_front (Listen to VIP 443, SSL offload cert)
frontend ssl_front
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.6.1:443 name 192.168.6.1:443 accept-proxy ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/621244f0de5919.36753000.certlist
mode http
option http-keep-alive
default_backend hkbn_back
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: local
acl acl_62123a1cebe813.09309501 src 192.168.3.0/24 192.168.5.0/24
# ACTION: local_map_ru
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/623230d7bffd04.94702836.txt)] if acl_62123a1cebe813.09309501
# Backend: hmdir_back (Backend of v2ray)
backend hmdir_back
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server hmdir 192.168.3.3:443 send-proxy-v2 check-send-proxy
# Backend: hkbn_back (Backend of HKBN)
backend hkbn_back
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server hkbn 192.168.4.2:443 ssl verify none
# Backend: SSL_back (Backend to redirect SSL servers)
backend SSL_back
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server ssl 192.168.6.1 send-proxy-v2 check-send-proxy
# Backend: opn_back (Backend of opnsense with SSL)
backend opn_back
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server opn 192.168.3.1:8443 ssl verify none
# Backend: unifi_back (Backend of unifi with SSL)
backend unifi_back
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server unifi 192.168.3.4:8443 ssl verify none
# Backend: open_back (Backend of OpenVPN)
backend open_back
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server open 192.168.3.1:10443
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 6
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend (DISABLED): https_passthrough ()
# Frontend: tcp_front (Listen to 0.0.0.0:443, TCP SNI handler, redirect if v2ray))
frontend tcp_front
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend SSL_back
# tuning options
timeout client 30s
# logging options
# ACL: traffic_ssl
acl acl_601a842f14cee3.17646593 req_ssl_hello_type 1
# ACTION: tcp_request_content_accept_ssl
tcp-request content accept if acl_601a842f14cee3.17646593
# ACTION: tcp_request_inspect_delay
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: hmdir_ru
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/622eeaa3044ba7.74145133.txt)]
# Frontend: http_front (Listening on 192.168.64.1:80)
frontend http_front
bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_622eebaf197419.36314953 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_622eebaf197419.36314953
# Frontend: ssl_front (Listening on 192.168.64.1:443)
frontend ssl_front
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/622eef9a9d7268.16491040.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: hmdir_ru
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/622eeaa3044ba7.74145133.txt)]
# Backend: hmdir_back ()
backend hmdir_back
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server hmdir 192.168.82.11:32401 send-proxy-v2 check-send-proxy
# Backend (DISABLED): PLEX_backend ()
# Backend (DISABLED): acme_challenge_backend (Added by Let's Encrypt plugin)
# Backend: SSL_back ()
backend SSL_back
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy
# Backend (DISABLED): ctl_backend ()
# public access subdomains
c hmdir_back
# ACTION: local_map_ru
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/623230d7bffd04.94702836.txt)] if acl_62123a1cebe813.09309501
# logging options
# ACL: http
acl acl_62123bbee27260.60165685 ssl_fc
opn opn_back
unifi unifi_back
Example: my v2ray server is living in TCP mode (although I don't care about the IP log)
I will get the router IP in the log if I don't use proxy protocol.
I cannot reach the v2ray server if I use proxy protocol in HAProxy without changing any config of the v2ray server (probably rejected by the server itself).
I will get the correct client IP if I use proxy protocol in HAProxy and change the config of v2ray to accept proxy protocol.
For testing why it won't work in your case,
you can try not using Proxy Protocol first. If you can access your backend, that means your webserver config is not accepting proxy protocol (it won't work both ways at the same time).
You need to use Proxy Protocol and modify the webserver config (for example, /etc/nginx/sites-enabled/default) at the same time.
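To see what "send-proxy-v2" on a server line puts on the wire before the first request, here is an added Python example (not the poster's, HAProxy's or nginx's code) that builds and parses a PROXY protocol v2 header; the addresses and the trailing HTTP request are constructed test data, and backend_receive is a hypothetical stand-in for a listener with or without "proxy_protocol". It reproduces both mismatch cases from the post above: a backend not configured for the protocol sees the 12-byte signature where it expects a request, and a backend configured for it but receiving none has no header to parse.

```python
import ipaddress
import struct

# 12-byte signature that starts every PROXY protocol v2 header.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x0, 0x1
PP2_AF_INET, PP2_AF_INET6 = 0x1, 0x2
PP2_PROTO_STREAM = 0x1


def build_proxy_v2_header(src_ip, dst_ip, src_port, dst_port):
    """Build the header a proxy prepends for a relayed TCP connection (command PROXY)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must use the same address family")
    family = PP2_AF_INET if src.version == 4 else PP2_AF_INET6
    addr_block = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return (PP2_SIGNATURE
            + bytes([(0x2 << 4) | PP2_CMD_PROXY, (family << 4) | PP2_PROTO_STREAM])
            + struct.pack("!H", len(addr_block))   # length of the address block
            + addr_block)


def parse_proxy_v2(data):
    """Return (src_ip, src_port, dst_ip, dst_port, payload) for a v2 header, or None
    when the bytes do not start with the v2 signature (i.e. plain client traffic)."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        return None
    ver_cmd, fam_proto = data[12], data[13]
    if (ver_cmd >> 4) != 0x2:
        raise ValueError("unsupported PROXY protocol version")
    addr_len = struct.unpack("!H", data[14:16])[0]
    if len(data) < 16 + addr_len:
        raise ValueError("truncated PROXY v2 header")
    block, payload = data[16:16 + addr_len], data[16 + addr_len:]
    if (ver_cmd & 0x0F) == PP2_CMD_LOCAL:
        # LOCAL: the proxy itself opened the connection (e.g. a health check);
        # the receiver must use the real socket addresses, not the header.
        return (None, None, None, None, payload)
    family = fam_proto >> 4
    if family == PP2_AF_INET and addr_len >= 12:
        src, dst, sport, dport = struct.unpack("!4s4sHH", block[:12])
    elif family == PP2_AF_INET6 and addr_len >= 36:
        src, dst, sport, dport = struct.unpack("!16s16sHH", block[:36])
    else:
        return (None, None, None, None, payload)   # AF_UNIX/UNSPEC: no IP addresses
    return (str(ipaddress.ip_address(src)), sport,
            str(ipaddress.ip_address(dst)), dport, payload)


def backend_receive(data, listener_expects_proxy):
    """Hypothetical backend listener: what it makes of the first bytes on a connection.
    Returns ("ok", client_ip_or_None, request_bytes) or ("error", reason)."""
    header = parse_proxy_v2(data)
    if listener_expects_proxy:
        if header is None:
            return ("error", "listener expects a PROXY header but received none")
        return ("ok", header[0], header[4])
    if header is not None:
        return ("error", "listener not configured for PROXY protocol; signature bytes are not a request")
    return ("ok", None, data)   # works, but any log shows the proxy's address, not the client's
```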
Similar test case mentioned in a previous post:
Quote: Example: my v2ray server is living in TCP mode (although I don't care about the IP log)
I will get the router IP in the log if I don't use proxy protocol.
I cannot reach the v2ray server if I use proxy protocol in HAProxy without changing any config of the v2ray server (probably rejected by the server itself).
I will get the correct client IP if I use proxy protocol in HAProxy and change the config of v2ray to accept proxy protocol.
server {
listen 32401;
listen [::]:32401;
server_name c.mywebsite.com;
root /var/www/html;
location / {
try_files $uri $uri/ /yourls-loader.php$is_args$args;
}
location ~ \.php$ {
include fastcgi.conf;
fastcgi_index index.php;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
}
# Same server block, with the listeners accepting the PROXY protocol header that HAProxy's send-proxy-v2 sends.
server {
listen 32401 proxy_protocol;
listen [::]:32401 proxy_protocol;
server_name c.mywebsite.com;
root /var/www/html;
location / {
try_files $uri $uri/ /yourls-loader.php$is_args$args;
# proxy_set_header only applies to requests forwarded with proxy_pass; it has no effect on try_files or the fastcgi location.
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
}
location ~ \.php$ {
include fastcgi.conf;
fastcgi_index index.php;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
}
# log_format belongs in the http {} context, not inside server {}. nginx rejects redefining the
# predefined "combined" name; define a new format name and reference it from access_log instead.
log_format combined '$proxy_protocol_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
The modification method is mentioned in the Nginx guide (https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/).
Quote: Your code ("haven't tested") is working for me with an http website, but when I change to https with certbot
It should be modified as below (haven't tested it):
certbot --nginx -d c.mywebsite.com
server {
listen 32401 proxy_protocol;
listen [::]:32401 proxy_protocol;
listen [::]:443 ssl ipv6only=on proxy_protocol; # managed by Certbot
listen 443 ssl proxy_protocol; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/c.mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/c.mywebsite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
server_name c.mywebsite.com;
root /var/www/html;
location / {
try_files $uri $uri/ /yourls-loader.php$is_args$args;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
}
location ~ \.php$ {
include fastcgi.conf;
fastcgi_index index.php;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
}
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 6
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend (DISABLED): https_passthrough ()
# Frontend: tcp_front (Listen to 0.0.0.0:443, TCP SNI handler, redirect if v2ray))
frontend tcp_front
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend SSL_back
# tuning options
timeout client 30s
# logging options
# ACL: traffic_ssl
acl acl_601a842f14cee3.17646593 req_ssl_hello_type 1
# ACTION: tcp_request_content_accept_ssl
tcp-request content accept if acl_601a842f14cee3.17646593
# ACTION: tcp_request_inspect_delay
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: hmdir_ru
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/622eeaa3044ba7.74145133.txt)]
# Frontend: http_front (Listening on 192.168.64.1:80)
frontend http_front
bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_622eebaf197419.36314953 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_622eebaf197419.36314953
# Frontend: ssl_front (Listening on 192.168.64.1:443)
frontend ssl_front
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/622eef9a9d7268.16491040.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: hmdir_ru
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/622eeaa3044ba7.74145133.txt)]
# Backend: hmdir_back ()
backend hmdir_back
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server hmdir 192.168.82.11:443 ssl verify none send-proxy-v2 check-send-proxy
# Backend (DISABLED): PLEX_backend ()
# Backend (DISABLED): acme_challenge_backend (Added by Let's Encrypt plugin)
# Backend: SSL_back ()
backend SSL_back
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy
# Backend (DISABLED): ctl_backend ()
Quote: For the log config, I forgot whether it is /etc/nginx/nginx.conf by default
First, using the above code I got an error, so I googled and found a solution for a working log; I post it here for anyone who needs it.
You need to change the log format inside http{} to something like:
log_format combined '$proxy_protocol_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
# "combined" is a predefined format name that nginx refuses to redefine; use a new name and select it in access_log:
log_format my_log '$proxy_protocol_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log my_log;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
root@OPNsense:/home/David # /usr/local/etc/rc.d/haproxy start
Starting haproxy.
[ALERT] (21351) : Starting frontend 1_HTTP_frontend: cannot bind socket (Can't assign requested address) [192.168.64.1:80]
[ALERT] (21351) : Starting frontend 1_HTTPS_frontend: cannot bind socket (Can't assign requested address) [192.168.64.1:443]
[ALERT] (21351) : [/usr/local/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
/usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy
For a temporary fix, edit the VIP, save without any changes, then apply.
2022/03/20 15:00:53 [error] 1124599#1124599: *22208 upstream prematurely closed connection while reading response header from upstream, client: 192.168.1.1, server: sync.xxx.ch, request: "GET / HTTP/1.1", upstream: "uwsgi://unix:/run/uwsgi/mozilla-firefox-sync-server.sock:", host: "sync.xxx.ch"
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 1000s
timeout connect 1000s
timeout server 1000s
retries 3
default-server init-addr libc,last
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: SNI_frontend (Listening o)
frontend SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
bind :::80 name :::80
bind :::443 name :::443
mode tcp
default_backend SSL_backend
# tuning options
timeout client 1000s
# logging options
# Frontend: HTTP_frontend (Listening 127.0.0.1:80)
frontend HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
bind [::1]:80 name [::1]:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 1000s
# logging options
# ACL: NoSSL_condition
acl acl_621d0b77c74989.24704837 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_621d0b77c74989.24704837
# Frontend: HTTPS_frontend (Listening on 127.0.0.1:443)
frontend HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/621d11c7cad951.61400293.certlist
bind [::1]:443 name [::1]:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/621d11c7cad951.61400293.certlist
mode http
option http-keep-alive
default_backend WEBSERVER_backend
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/621d0c7054ddb7.46420139.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: WEBSERVER_backend ()
backend WEBSERVER_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-reuse safe
server WEBSERVER_server 192.168.1.100:80 send-proxy-v2 check-send-proxy
server WEBSERVER_server_ipv6 2a02:XXX:XXX::2000:80 send-proxy-v2 check-send-proxy
# Backend: NAS_backend ()
backend NAS_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-reuse safe
server NAS_server 192.168.1.118:80
server NAS_server_ipv6 2a02:XXX:XXX::1000:80
# Backend: WEBSERVER_SSL_backend ()
backend WEBSERVER_SSL_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-reuse safe
server WEBSERVER_server_ssl 192.168.1.100:443
server WEBSERVER_server_ssl_ipv6 2a02:XXX:XXX::2000:443
I don't think you need to create another IPv6 real server, as long as it is the same server in IPv4.
You only need to add :::443 and :::80 to the frontend listener (in the frontend, [::]:80 is the same as :::80, in case you are confused by the syntax).
That will be an IPv6 to IPv4 setup.
If you add 2 real servers to the same backend, you are load balancing them.
I have a very serious problem with this haproxy config since I updated to 22.1.3. Suddenly haproxy didn't start anymore. On further investigation, trying to start haproxy through the command line showed that suddenly the IP addresses for the frontend cannot be bound anymore:
Just tested it out myself. Basic Auth is so easy to set up that I am not really willing to cover it in this guide.
First create the user(s) in HAProxy. Then in the relevant backends activate basic auth and select the user(s).
I'm probably out of place saying this, as it is not my thread, but shouldn't this discussion go to another thread and leave this one for its original purpose?
It has branched off now to "how can I enable TLS on my website", from "how can I log the client ip not the proxy ip on the backend webserver" and "how do I use proxy_protocol".
What do you think?
It seems that it is the same issue as This thread (https://forum.opnsense.org/index.php?topic=27547.msg133659#msg133659)
I have the same issue after update and reboot.
For temporary fix, edit the VIP, save without any changes, then apply.
You will be able to start HAProxy again.
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
bind website.com:443 name website.com:443
bind website.com:80 name website.com:80
mode tcp
default_backend SSL_backend
timeout client 30s
# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
bind 10.10.10.1:80 name 10.10.10.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
timeout client 30s
# ACL: NoSSL_cond
acl acl_62548efaf067e6.21908045 req.ssl_ver gt 0
# ACTION: HTTPupgrade_rule
http-request redirect scheme https if !acl_62548efaf067e6.21908045
# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
bind 10.10.10.1:443 name 10.10.10.1:443 accept-proxy ssl ssl-min-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62549082216928.65241361.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 30s
# ACTION: PUBLIC_SUBDOMAINS_map_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62548f2d97ef05.80304462.txt)]
# Backend: club_backend ()
backend club_backend
website.com mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
timeout connect 30s
timeout server 30s
http-reuse safe
server club_host 10.0.0.94:3000 ssl verify none
# Backend: SSL_backend ()
backend SSL_backend
website.com mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
timeout connect 30s
timeout server 30s
server SSL_host 10.10.10.1 send-proxy-v2 check-send-proxy
This technique will only work when using mode http because it redirects at the HTTP layer using a 302 Found HTTP response status, which is known as a temporary redirect. Once you’re fully committed to using HTTPS and have tested it thoroughly on your website, you may wish to instruct the browser to cache the redirect, which will save one round trip between the browser and HAProxy, speeding up page load times. Set the code parameter to 301 to send a 301 Moved Permanently status back, which browsers can cache:
# Backend: SSL_backend ()
backend SSL_backend
website.com mode tcp
And
# Backend: club_backend ()
backend club_backend
website.com mode http
2022-04-13T18:53:42 php AcmeClient: running automation (configd): Restart HAProxy
2022-04-13T18:53:42 php AcmeClient: running automations for certificate: *.example.com
2022-04-13T18:53:42 opnsense AcmeClient: updated ACME X.509 certificate: *.example.com
2022-04-13T18:53:42 opnsense AcmeClient: successfully issued/renewed certificate: *.example.com
2022-04-13T18:51:27 opnsense AcmeClient: using challenge type: CloudFlare_DNS-01
2022-04-13T18:51:27 opnsense AcmeClient: account is registered: example.com
2022-04-13T18:51:27 opnsense AcmeClient: using CA: letsencrypt
2022-04-13T18:51:27 opnsense AcmeClient: issue certificate: *.example.com
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 2
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_62565b172acae6.05588153 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_62565b172acae6.05588153
# Frontend: 1_HTTPS_frontend (Listening on 192.168.64.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62565eb5d0ff12.02152772.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62565c00b116b3.27816426.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy
# Backend: MineOS_backend ()
backend MineOS_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server MineOS_server 192.168.1.103:8443 ssl verify none
0_SNI_frontend > Listen Addresses:0.0.0.0:80, 0.0.0.0:443
Should this be the virtual IP, as OPNsense runs on 192.168.1.1?
^^ FYI, thank you for the tips on tracing
/firewall_virtual_ip.php: The command `/sbin/ifconfig 'lo0' inet '192.168.64.1' -alias' failed to execute
Please create another thread under 22.1 Production Series (https://forum.opnsense.org/index.php?board=41.0)
2022-04-14T16:42:58 Error opnsense /firewall_virtual_ip.php: The command `/sbin/ifconfig 'lo0' inet '192.168.64.1' -alias' failed to execute
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 2
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_62565b172acae6.05588153 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_62565b172acae6.05588153
# Frontend: 1_HTTPS_frontend (Listening on 192.168.64.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62565eb5d0ff12.02152772.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
acl acl_6257dfacde7e16.43417850 src_is_local
# ACTION: LOCAL_SUBDOMAINS_map-rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6257d684d34507.32920094.txt)] if acl_6257dfacde7e16.43417850
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62565c00b116b3.27816426.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy
# Backend: MineOS_backend ()
backend MineOS_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server MineOS_server 192.168.1.103:8443 ssl verify none
# Backend: Prism_backend ()
backend Prism_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Prism_server 192.168.1.103:2342
# public access subdomains
mineos MineOS_backend
LOCAL_SUBDOMAINS_map
# local access subdomains
prism Prism_backend
# public access subdomains
mineos MineOS_backend
mineos.website.com > works locally and externally
prism.website.com > 503 error locally and externally
Sorry, I haven't read the error 503.
Try to use "Source IP matches a specific IP" instead
Informational haproxy 10.10.10.206:63264 [19/Apr/2022:17:26:27.483] 1_HTTPS_frontend/10.12.0.1:443: Received something which does not look like a PROXY protocol header
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
bind 10.12.0.1:80 name 10.12.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_60d1a0c1b278f7.63252237 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_60d1a0c1b278f7.63252237
# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 10.12.0.1:443 name 10.12.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6256591773a972.14047672.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/625655d89e4274.43878203.txt)]
# Backend: bitwarden_backend ()
backend bitwarden_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server bitwarden_host 10.10.10.11:8080
# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server acme_challenge_host 127.0.0.1:43580
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 10.12.0.1 send-proxy-v2 check-send-proxy
My services are available from the outside.
But from inside they are not accessible.
Well, there you got the point of error.
You probably configured the wrong IP in your DNS overwrites.
What is your OPNsense LAN IP, what is the DNS Overwrite IP and what is the virtual IP of the "HAProxy SSL Server"?
Edit: Ok, changed the Override IP to my LAN IP (10.10.10.1). Now it works.
But to be honest, i do not understand why.
Informational haproxy 10.10.10.206:63264 [19/Apr/2022:17:26:27.483] 1_HTTPS_frontend/10.12.0.1:443: Received something which does not look like a PROXY protocol header
Edit: Ok, changed the Override IP to my LAN IP (10.10.10.1). Now it works.
But to be honest, i do not understand why.
Your error explains why!
Informational haproxy 10.10.10.206:63264 [19/Apr/2022:17:26:27.483] 1_HTTPS_frontend/10.12.0.1:443: Received something which does not look like a PROXY protocol header
The HTTPS_frontend expects that all data sent to it has the "proxy protocol header".
Since you pointed your internal requests directly to your HTTPS_frontend (HAProxy_VIP) instead of your SNI_frontend (any of the real local IPs of your OPNsense) the data didn't get the PROXY protocol header attached by the SSL_backend.
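The PROXY protocol check described above, as an added example in Python (not from the thread or the OPNsense HAProxy plugin): it builds the v2 header that SSL_backend's send-proxy-v2 prepends and classifies what an accept-proxy listener sees first, so a bare TLS ClientHello from a client whose DNS override points straight at the HTTPS_frontend VIP is reported the way HAProxy's log line does. The addresses and byte strings are constructed samples.

```python
"""Added example, not from the thread or the OPNsense HAProxy plugin.

Models the check an `accept-proxy` listener (1_HTTPS_frontend) performs on the
first bytes of a connection. Sample addresses and byte strings are constructed.
"""
import socket
import struct

# PROXY protocol v2: 12-byte signature, then version/command and family/protocol bytes
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP1_PREFIX = b"PROXY "
PP2_FAMILY = {0x10: "inet", 0x20: "inet6", 0x30: "unix"}   # high nibble of the 14th byte
NOT_PROXY_MSG = "Received something which does not look like a PROXY protocol header"


def build_proxy_v2_header(src_ip, src_port, dst_ip, dst_port):
    """PROXY v2 header for an IPv4/TCP stream, as `send-proxy-v2` on SSL_backend emits."""
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    # 0x21: version 2, command PROXY; 0x11: AF_INET, SOCK_STREAM
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs


def classify_first_bytes(data):
    """Say what the first bytes on a listener look like: proxy_v2, proxy_v1, tls_record or other."""
    if data.startswith(PP2_SIGNATURE) and len(data) >= 16:
        ver_cmd, fam_proto = data[12], data[13]
        length = struct.unpack("!H", data[14:16])[0]
        info = {
            "kind": "proxy_v2",
            "command": "proxy" if ver_cmd & 0x0F == 0x01 else "local",
            "family": PP2_FAMILY.get(fam_proto & 0xF0, "unspec"),
        }
        if info["family"] == "inet" and length >= 12 and len(data) >= 28:
            body = data[16:28]   # src addr, dst addr, src port, dst port
            info["src"] = (socket.inet_ntoa(body[0:4]), struct.unpack("!H", body[8:10])[0])
            info["dst"] = (socket.inet_ntoa(body[4:8]), struct.unpack("!H", body[10:12])[0])
        return info
    if data.startswith(PP1_PREFIX):
        line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        fields = line.split(" ")
        return {"kind": "proxy_v1", "family": fields[1].lower() if len(fields) > 1 else "unknown"}
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record header: content type 22 (handshake), version major 3: a ClientHello
        return {"kind": "tls_record"}
    return {"kind": "other"}


def listener_verdict(data, accept_proxy=True):
    """What a listener does with these first bytes.

    With `accept-proxy`, anything that is not a PROXY header is rejected and logged,
    which is what happens when a LAN client is sent straight to the HTTPS_frontend VIP
    instead of through 0_SNI_frontend -> SSL_backend (send-proxy-v2).
    """
    kind = classify_first_bytes(data)["kind"]
    if accept_proxy and kind not in ("proxy_v1", "proxy_v2"):
        return "rejected: " + NOT_PROXY_MSG
    return "accepted: " + kind


if __name__ == "__main__":
    # Constructed: LAN client 10.10.10.206:63264 reaching VIP 10.12.0.1:443 via SSL_backend
    relayed = build_proxy_v2_header("10.10.10.206", 63264, "10.12.0.1", 443) + b"\x16\x03\x01"
    direct = b"\x16\x03\x01\x00\xc8\x01"   # bare TLS ClientHello, no PROXY header in front
    print(classify_first_bytes(relayed))
    print(listener_verdict(relayed))   # accepted: proxy_v2
    print(listener_verdict(direct))    # rejected: Received something which does not look like a PROXY protocol header
```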
I am not sure if this is the correct way to achieve multiple domains pointing to different backends but it seems to be working for me.
Just the steps above are necessary and the following step.
At first I ran into an issue where all domains could access the same subdomain, this is when I realized I just needed some extra conditions.
Here are the steps to achieve service.example.com & service1.example1.com:
Services --> ACME Client --> Certificates
Add the certificate for your extra domains and forcefully issue your certificate
Services --> HAProxy --> Settings --> Virtual Services --> Public Services
Finally we edit our "1_HTTPS_frontend"
Add all extra domains in the "Certificates" input.
old
===
nas NAS_backend
new
===
nas.domain1.com NAS_1_backend
nas.domain2.com NAS_2_backend
@theHellSite
Hello
When I override the DNS server, will HAProxy still be used or not?
[WARNING] (51339) : Proxy '1_HTTP_frontend': L6 sample fetches ignored on HTTP proxies (declared at /usr/local/etc/haproxy.conf.staging:69).
Warnings were found.
Configuration file is valid
# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_629f48c6073c95.86527303 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_629f48c6073c95.86527303
# logging options
# ACL: NoSSL_condition
- acl acl_629f48c6073c95.86527303 req.ssl_ver gt 0
+ acl acl_629f48c6073c95.86527303 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_629f48c6073c95.86527303
The issue seems to be the NoSSL_condition. The suggested solution is to replace the condition type from Traffic is SSL (TCP request content inspection) to Traffic is SSL (locally deciphered):
# logging options
# ACL: NoSSL_condition
- acl acl_629f48c6073c95.86527303 req.ssl_ver gt 0
+ acl acl_629f48c6073c95.86527303 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_629f48c6073c95.86527303
When doing so, the warning is gone. However, this is the first time I'm using HAProxy and I don't really know what I'm doing, so I wanted to check-in with you guys to ensure my solution is correct?
If so, I'd appreciate if you updated the screenshot in step 5.7 @TheHellSite
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_62a76f360f0732.68695084 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_62a76f360f0732.68695084
# Frontend: 2_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 2_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets no-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62a772caaae308.49400660.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62a76fbf29df39.71162057.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: Nextcloud_backend ()
backend Nextcloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Nextcloud 192.168.10.40:443 ssl verify none
#public access subdomains
nextcloud NEXTCLOUD_backend
Informational haproxy 192.168.10.101:4054 [14/Jun/2022:11:11:05.082] 2_HTTPS_frontend/127.4.4.3:443: SSL handshake failure
Hello,
I just recently upgraded my home network with an opnsense and want to reconfigure some stuff in the same run.
Luckily I found this tutorial which was really easy to follow through, especally because of the screenshots :-)
Sadly I must have done something wrong but I can't put my finger on it.
When I try to access from internal LAN (IP address or Name), I get the following error:
- Firefox: SSL_ERROR_RX_RECORD_TOO_LONG
- Edge: ERR_SSL_PROTOCOL_ERROR
From external (via mobile data):
503 Service Unavailable
If I enter http://IP_ADRESS then it opens the Nextcloud Login page but after entering the login data, it switches to https:// and the error appears.
HAProxy config:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_62a76f360f0732.68695084 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_62a76f360f0732.68695084
# Frontend: 2_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 2_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets no-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62a772caaae308.49400660.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62a76fbf29df39.71162057.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: Nextcloud_backend ()
backend Nextcloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Nextcloud 192.168.10.40:443 ssl verify none
Map files:
#public access subdomains
nextcloud NEXTCLOUD_backend
Log files:
Informational haproxy 192.168.10.101:4054 [14/Jun/2022:11:11:05.082] 2_HTTPS_frontend/127.4.4.3:443: SSL handshake failure
My Network:
ISP --> Modem --> OPNSense --> Proxmox --> Server 1 Nextcloud
Maybe you can push me in the right direction :-)
A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see Appendix B.4).
Firefox does not trust this website because the certificate used by the website is not valid for DOMAIN.dedyn.io. The certificate is only valid for *.DOMAIN.dedyn.io.
I can accept the risk but this is something I need to do on all devices...
SSL_ERROR_BAD_CERT_DOMAIN
When I try to access from internal LAN (IP address or Name), I get the following error:
- Firefox:SSL_ERROR_RX_RECORD_TOO_LONG
- Edge:ERR_SSL_PROTOCOL_ERROR
internal LAN (IP address or Name)
What do you mean by that? You should use the FQDN and not the local hostname / IP in order to use the reverse proxy (HAProxy).
If I enter http://IP_ADRESS then it opens the Nextcloud Login page but after entering the login data, it switches to https:// and the error appears.
Again, which IP are you entering? The nextcloud local IP or your public IP?
My Network:
ISP --> Modem --> OPNSense --> Proxmox --> Server 1 Nextcloud
Is the firewall in your modem disabled or is it still doing NAT?
Thanks for your input. I changed the cipher accordingly to https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1d&guideline=5.6 (https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1d&guideline=5.6) and also applied your rule but still no success.
I am just curious because in the main post the value TLS_AES_128_GCM_SHA256 is also left out ???
Out of curiosity I tried to enter only the main domain DOMAIN.dedyn.io and not SUBDOMAIN.DOMAIN.dedyn.io. Then I get a different error:
Firefox does not trust this website because the certificate used by the website is not valid for DOMAIN.dedyn.io. The certificate is only valid for *.DOMAIN.dedyn.io.
I can accept the risk but this is something I need to do on all devices...
SSL_ERROR_BAD_CERT_DOMAIN
Could the problem be that I already had DynDNS by another provider and LE certificate? If yes how can I revoke it?
# currently configured
Common Name = *.DOMAIN.dedyn.io
# what you MIGHT want
Common Name = DOMAIN.dedyn.io
Alt Names = *.DOMAIN.dedyn.io
Since you are forcing HAProxy to use TLS 1.3 (as you use no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets no-tlsv12), there might be an issue with taking out TLS_AES_128_GCM_SHA256.
According to RFC 8446, S9.1 (https://www.rfc-editor.org/rfc/rfc8446#section-9.1):
A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see Appendix B.4).
Does this mean I need an additional vhost config for the Nextcloud? One for :80 and one for :443? But the certificate lies on a different machine (opnsense). How can I point it there? Or am I missing something?
When I try to access from internal LAN (IP address or Name), I get the following error:
- Firefox:SSL_ERROR_RX_RECORD_TOO_LONG
- Edge:ERR_SSL_PROTOCOL_ERROR
This error usually means that you tried to access a service using HTTPS that only supports HTTP.
It was the IP address of the Nextcloud machine. But if it doesn't work that way that is new for me, but thanks for pointing it out.
internal LAN (IP address or Name)
What do you mean by that? You should use the FQDN and not the local hostname / IP in order to use the reverse proxy (HAProxy).
I entered the local IP address of the nextcloud machine. But this also happens when I enter the FQDN.
If I enter http://IP_ADRESS then it opens the Nextcloud Login page but after entering the login data, it switches to https:// and the error appears.
Again, which IP are you entering? The nextcloud local IP or your public IP?
Your public IP should ALWAYS forward HTTP to HTTPS and not display any webpages via HTTP whatsoever! (HTTPtoHTTPS_rule)
It is a dumb modem (TC-4400), therefore it should not have NAT. It only provides the connection to my ISP (Vodafone Cable).
My Network:
ISP --> Modem --> OPNSense --> Proxmox --> Server 1 Nextcloud
Is the firewall in your modem disabled or is it still doing NAT?
OK
Thanks for your input. I changed the cipher accordingly to https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1d&guideline=5.6 (https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1d&guideline=5.6) and also applied your rule but still no success.
I am just curious because in the main post the value TLS_AES_128_GCM_SHA256 is also left out ???
You won't need any 128 bit ciphers unless you are using very very old devices to access your services which I highly doubt since you only want to enable TLS v1.3 anyway.
So you can safely use the cipher suites in my first post which are identical to the ones from the Mozilla SSL configurator but have the "insecure / weak" 128 bit ciphers removed.
I don't need the coverage of "domain.dedyn.io". So this should be fine.
Out of curiosity I tried to enter only the main domain DOMAIN.dedyn.io and not SUBDOMAIN.DOMAIN.dedyn.io. Then I get a different error:
Firefox does not trust this website because the certificate used by the website is not valid for DOMAIN.dedyn.io. The certificate is only valid for *.DOMAIN.dedyn.io.
I can accept the risk but this is something I need to do on all devices...
SSL_ERROR_BAD_CERT_DOMAIN
Could the problem be that I already had DynDNS by another provider and LE certificate? If yes how can I revoke it?
Well, the error is pretty much self-explanatory isn't it?
In my tutorial the wildcard certificate is only valid for the 2nd-level subdomains "*.DOMAIN.dedyn.io" but not for the 1st-level subdomain "DOMAIN.dedyn.io" itself.
If you want the certificate to also cover for "domain.dedyn.io" then you will have to change the certificate in the ACME client to match that. See Part 3 - Step 6.
You will however only need this if you are serving a website in the domain root without "www" in front of it.
# currently configured
Common Name = *.DOMAIN.dedyn.io
# what you MIGHT want
Common Name = DOMAIN.dedyn.io
Alt Names = *.DOMAIN.dedyn.io
This will cover the 1st-level subdomain including all 2nd-level subdomains.
Don't forget to reissue the certificate.
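How a browser decides whether the wildcard covers a name, as an added example that is not part of the tutorial: a small RFC 6125-style matcher run against both certificate layouts shown above (the names are the placeholders from the post; the matching logic is written here for illustration and is not the ACME client's code).

```python
"""Added example (not from the thread): RFC 6125-style hostname matching,
showing why a certificate for *.DOMAIN.dedyn.io does not cover DOMAIN.dedyn.io."""


def label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label against one pattern label; '*' matches a whole label only."""
    if pattern == "*":
        return True
    return pattern == label


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a single certificate name (CN or SAN entry) covers hostname.

    Rules browsers apply:
      * comparison is case-insensitive,
      * a wildcard is only allowed as the entire left-most label,
      * it matches exactly one label, never zero and never several,
      * a wildcard needs at least two labels to its right (no "*.io").
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" in cert_name:
        if cert_labels[0] != "*" or "*" in cert_labels[1:] or len(cert_labels) < 3:
            return False  # reject partial or misplaced wildcards like f*.example
    if len(cert_labels) != len(host_labels):
        return False  # the wildcard cannot absorb a missing or an extra label
    return all(label_matches(p, l) for p, l in zip(cert_labels, host_labels))


def certificate_covers(names: list, hostname: str) -> bool:
    """True if any of the certificate's names (CN plus Subject Alt Names) match."""
    return any(hostname_matches(n, hostname) for n in names)


# Constructed sample certificates mirroring the two layouts from the post above.
CURRENT_CERT = ["*.DOMAIN.dedyn.io"]                       # Common Name only
SUGGESTED_CERT = ["DOMAIN.dedyn.io", "*.DOMAIN.dedyn.io"]  # Common Name plus Alt Name


def explain(names: list, hostname: str) -> str:
    """Render the verdict the way Firefox reports it."""
    verdict = "OK" if certificate_covers(names, hostname) else "SSL_ERROR_BAD_CERT_DOMAIN"
    return f"{hostname:28s} vs {names}: {verdict}"


if __name__ == "__main__":
    for host in ["nextcloud.DOMAIN.dedyn.io", "DOMAIN.dedyn.io", "a.b.DOMAIN.dedyn.io"]:
        print(explain(CURRENT_CERT, host))
        print(explain(SUGGESTED_CERT, host))
```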
Does this mean I need an additional vhost config for the Nextcloud? One for :80 and one for :443? But the certificate lies on a different machine (opnsense). How can I point it there? Or am I missing something?
When I try to access from internal LAN (IP address or name), I get the following error:
- Firefox: SSL_ERROR_RX_RECORD_TOO_LONG
- Edge: ERR_SSL_PROTOCOL_ERROR
This error usually means that you tried to access a service using HTTPS that only supports HTTP.
By deleting the "overwrite" entries in the Nextcloud config I at least got access in my internal LAN. I assume the HAProxy config is correct and I need to make corrections in the Nextcloud config.
server Nextcloud 192.168.10.40:443 ssl verify none
This line in your HAProxy config indicates that you are accessing your Nextcloud web interface from your local network using "https://192.168.10.40".
Hi! First off, I want to thank you for the detailed guide you posted. I am new to HAProxy and have some questions regarding some configs, do you still reply to this post? Or should I ask or open another thread somewhere? Thanks!
I've followed the article and am able to set up a few subdomains to internal machines in my network.
I have dumb questions... when I created a new real server and backend server for one of my Synology packages, I initially used the HTTPS port and received a 400 Bad Request error: "The plain HTTP request was sent to HTTPS port".
When I changed the port in the real server settings to the HTTP port, everything worked fine and I am able to access the internal server with the SSL certificate.
Why?
Here's an output of my config file, I have some disabled stuff in the config file since I turn stuff on and off for testing. Also renamed some stuff, truenas is just the physical server with the IP. (myloopbackip) is the virtual address.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
#
# NOTE: HAProxy is currently DISABLED
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr libc,last
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: SNI_frontend (Listening on ip:80 / ip:443)
frontend SNI_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
bind :::80 name :::80
bind :::443 name :::443
mode tcp
default_backend SSL_Backend
# tuning options
timeout client 30s
# logging options
# Frontend: HTTP_frontend (Listening on 127.10.20.5)
frontend HTTP_frontend
bind (myloopbackip):80 name (myloopbackip):80 accept-proxy
bind :::80 name :::80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_Condition
acl acl_62aa8dcf894a87.42381056 ssl_fc
# ACTION: HTTPtoHTTPS
http-request redirect scheme https code 301 if !acl_62aa8dcf894a87.42381056
# Frontend: HTTPS_frontend (Listening on (myloopbackip))
frontend HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind (myloopbackip):443 name (myloopbackip):443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62aad04a028639.71957640.certlist
bind :::443 name :::443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62aad04a028639.71957640.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACTION: Public_subdomains_map_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62aa8e31993357.88056717.txt)]
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
# Backend: SSL_Backend ()
backend SSL_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_Server (myloopbackip) send-proxy-v2 check-send-proxy
# Backend (DISABLED): router_Backend (router Backend)
# Backend: truenas_Backend (truenas Backend)
backend truenas_Backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-reuse safe
server truenas truenasip:443 ssl sni str(truenas) verify none send-proxy-v2 check-send-proxy
# Backend: plex_backend (plex Backend)
backend plex_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Plex truenasip:32400 send-proxy-v2 check-send-proxy
This is my map file:
# public access domains
truenas truenas_backend
plex plex_backend
server truenas truenasip:443 ssl sni str(truenas) verify none send-proxy-v2 check-send-proxy
1. The map file is case sensitive. Fix it.
2. Remove the "send-proxy-v2 check-send-proxy" directives from the backends of your actual services. These two options are only necessary on the "SSL_backend".
4. Your "HTTP_frontend" and "HTTPS_frontend" should ONLY be listening to your SSL_server IP address. Not to "0.0.0.0:0" or "::::0". Just think about it and take a look at my diagram in the first post... You should quickly figure that this doesn't make any sense.
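To see why point 1 bites, here is an added example (not the tutorial's or the OPNsense plugin's code) that emulates the `map_dom` lookup behind the `use_backend` line and then checks, case-sensitively, that every backend named in the map file actually exists in the configuration; the map file and the trimmed config are constructed from the post above.

```python
"""Added example (not part of the tutorial or the OPNsense HAProxy plugin):
reproduce how req.hdr(host),lower,map_dom(<file>) resolves a Host header, and
lint the resulting backend names against the configuration, which is where a
case mismatch such as truenas_backend vs truenas_Backend surfaces."""
import re

# Constructed sample: the map file and a trimmed config in the layout of the post above.
MAP_FILE = """\
# public access domains
truenas truenas_backend
plex plex_backend
"""
HAPROXY_CFG = """\
backend SSL_Backend
    mode tcp
backend truenas_Backend
    mode http
backend plex_backend
    mode http
"""


def parse_map(text: str) -> list:
    """Map file syntax: one 'key value' pair per line, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        entries.append((key, value.strip()))
    return entries


def dom_match(pattern: str, subject: str) -> bool:
    """HAProxy 'dom' matching: the pattern must occur in the subject as a run of
    whole dot-delimited labels, so 'plex' matches 'plex.example.tld' but not
    'myplex.example.tld'."""
    p, s = pattern.split("."), subject.split(".")
    return any(s[i:i + len(p)] == p for i in range(len(s) - len(p) + 1))


def map_dom(host_header: str, entries: list):
    """Emulate req.hdr(host),lower,map_dom(file): lower-case the host, first match wins.
    Returns None when nothing matches; use_backend then does nothing and, with no
    default_backend in that frontend, HAProxy answers 503."""
    host = host_header.lower()
    for key, value in entries:
        if dom_match(key, host):
            return value
    return None


def backend_names(cfg_text: str) -> set:
    """Collect the names declared with 'backend <name>' in a configuration."""
    return set(re.findall(r"^backend\s+(\S+)", cfg_text, flags=re.M))


def lint_map(entries: list, cfg_text: str) -> list:
    """Return map values that name no backend. The comparison is case-sensitive,
    exactly as HAProxy's backend lookup is."""
    known = backend_names(cfg_text)
    return [value for _, value in entries if value not in known]


if __name__ == "__main__":
    entries = parse_map(MAP_FILE)
    for host in ["truenas.example.tld", "PLEX.example.tld", "jellyfin.example.tld"]:
        print(f"{host:24s} -> {map_dom(host, entries)}")
    print("map values with no matching backend:", lint_map(entries, HAPROXY_CFG))
```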
local loca_backend
plex plex_backend
I could just call up everything by subdomain.domain.com locally.
This is because your domains resolve to Cloudflare's IP and not your own public IP.
Also with regards to the map file for the local subdomains. The format should look like this? https://www.haproxy.com/documentation/hapee/latest/configuration/map-files/syntax/
local loca_backend
plex plex_backend
Should there be a space in between?
Last questions. Is it possible to use the generated cert for both truenas and opnsense instead of the self-signed one? Would it break the config? Also, is there a specific HAP sub, or should I just post in the General section?
Shouldn't break anything but isn't necessary.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_Frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_Frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_Frontend (Listening on 127.0.0.1:80)
frontend 1_HTTP_Frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: No_SSL_Condition
acl acl_629b7d353dc6e8.95969175 ssl_fc
# ACTION: HTTP_to_HTTPS
http-request redirect scheme https code 301 if !acl_629b7d353dc6e8.95969175
# Frontend: 1_HTTPS_Frontend (Listening on 127.0.0.1:443)
frontend 1_HTTPS_Frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/629b82033c9ac6.13569566.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACTION: PUBLIC_Subdomains_Map_Rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/629b7dc0816c90.87321785.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend (DISABLED): PLEX_backend (PLEX Backend)
# Backend: BLOB_backend (BLOB Webserver Backend)
backend BLOB_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server BLOB_server 192.168.10.3 ssl sni str(ssl.xyz.de) verify none resolve-prefer ipv4
ssl.xyz.de BLOB_backend
So, I conclude that the certificate is O.K., I get through to 1_HTTP_Frontend (otherwise there would be no 503 when I use an unmapped URL). It seems like most of the time the frontend does not connect to the backend (server); it does sometimes, however.
I am at a loss what causes this because I also verified that OpnSense can reach BLOB server at 192.168.10.3. It also has a Let's Encrypt certificate on ssl.xyz.de, because before, I just port-forwarded port 443. I can get data via 'curl --connect-to 192.168.10.3:443 https://ssl.xyz.de' from it.
server BLOB_server 192.168.10.3 ssl sni str(ssl.xyz.de) verify none resolve-prefer ipv4
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_Frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_Frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_Frontend (Listening on 127.0.0.1:80)
frontend 1_HTTP_Frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: No_SSL_Condition
acl acl_629b7d353dc6e8.95969175 ssl_fc
# ACTION: HTTP_to_HTTPS
http-request redirect scheme https code 301 if !acl_629b7d353dc6e8.95969175
# Frontend: 1_HTTPS_Frontend (Listening on 127.0.0.1:443)
frontend 1_HTTPS_Frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/629b82033c9ac6.13569566.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACTION: PUBLIC_Subdomains_Map_Rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/629b7dc0816c90.87321785.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend (DISABLED): PLEX_backend (PLEX Backend)
# Backend: BLOB_backend (BLOB Webserver Backend)
backend BLOB_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server BLOB_server blob.xyz:80
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/60a6828680bca8.63910725.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/60bdf8931a97c9.33132019.txt)]
# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_607ae66cdeaed1.61504267 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_607ae66cdeaed1.61504267
# Backend: PLEX_backend ()
backend PLEX_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 1h
http-reuse safe
server PLEX_server 192.168.215.60:32400 ssl verify none
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy
Here is the OpenVPN config:
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 192.168.110.1
client-disconnect "/usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh server1"
tls-server
server 10.10.1.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Local Database' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'vpn.shuvit.space' 1"
lport 1195
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "route 192.168.110.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.4096.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
I hope that someone could help! Thanks in advance.
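The 0_SNI_frontend in this poster's HAProxy config uses `req_ssl_hello_type 1` to decide whether the first bytes on port 443 are a TLS ClientHello, and the same first-packet check is what lies behind the earlier "SSL_ERROR_RX_RECORD_TOO_LONG" (HTTPS sent to a plain HTTP port) and "The plain HTTP request was sent to HTTPS port" errors. This added example, not code from the thread or the OPNsense plugin, classifies a first packet the way such a listener does; the hostnames, the ClientHello and the OpenVPN-style packet are constructed.

```python
"""Added example (not from the thread): classify the first bytes a TCP listener
receives, as HAProxy's req_ssl_hello_type / req.ssl_sni fetches do, to show why
a non-TLS first packet (plain HTTP, or an OpenVPN TCP control packet) can never
satisfy an SNI-based routing rule."""
import os
import struct


def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS 1.3-style ClientHello offering the two ciphersuites from the
    tutorial (TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256) plus an SNI extension."""
    suites = bytes.fromhex("1302") + bytes.fromhex("1303")
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name            # name_type host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                     # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                                # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake


def extract_sni(data: bytes):
    """Walk a ClientHello to its server_name extension; None if absent or truncated."""
    try:
        pos = 5 + 4 + 2 + 32                                          # record hdr, hs hdr, version, random
        pos += 1 + data[pos]                                          # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]          # cipher suites
        pos += 1 + data[pos]                                          # compression methods
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type == 0:                                         # server_name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def classify_first_packet(data: bytes):
    """Return ('tls', sni_or_None), ('http', None) or ('other', None).
    req_ssl_hello_type 1 is true only for the first case: a TLS handshake record
    (0x16) whose first handshake message is a ClientHello (0x01)."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return ("tls", extract_sni(data))
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"):
        return ("http", None)
    return ("other", None)


# Constructed samples. The OpenVPN one follows the TCP framing of an OpenVPN control
# channel: a 2-byte length, then opcode P_CONTROL_HARD_RESET_CLIENT_V2 (7) in the high
# five bits with the key id below it, then an 8-byte session id; with tls-auth an HMAC
# and replay fields follow. The TLS handshake only starts inside later control packets,
# so a listener looking for a bare TLS record never sees one.
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: nextcloud.example.tld\r\n\r\n"
OPENVPN_TCP = struct.pack("!H", 42) + bytes([7 << 3]) + os.urandom(8) + os.urandom(33)
TLS_HELLO = build_client_hello("nextcloud.example.tld")


if __name__ == "__main__":
    for label, pkt in [("https", TLS_HELLO), ("http", PLAIN_HTTP), ("openvpn", OPENVPN_TCP)]:
        print(f"{label:8s} -> {classify_first_packet(pkt)}")
```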
Hello,
first I have to say thank you for this perfect tutorial. I have set up my haproxy for my webservers and everything works fine for internal and external use. Now I've tried to implement OpenVPN on port 443 in TCP mode. I added the configuration parts as mentioned in Reply #171. The config of haproxy seems to be correct, but I can't connect via VPN. I've tried to set up a second VPN server on port 1194 with UDP and it works straight away. Only the VPN in TCP mode on port 443 refuses to work. Here is my haproxy config:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 40s
timeout server 40s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# ACL: SSL_hello
acl acl_62c874b4f2fdc4.23213917 req_ssl_hello_type 1
# ACTION: tcp_request_inspect_delay
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: tcp_request_content_accept_ssl
tcp-request content accept if acl_62c874b4f2fdc4.23213917
# ACTION: VPN_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62c87ba1538c16.11776198.txt)]
# Frontend: 1_HTTP_frontend (Listening on 192.168.161.1:80)
frontend 1_HTTP_frontend
bind 192.168.161.1:80 name 192.168.161.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_62360185bf9055.41837138 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_62360185bf9055.41837138
# Frontend: 1_HTTPS_frontend (Listening on 192.168.161.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.161.1:443 name 192.168.161.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62360bcec06250.52672470.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACL: LOCAL_SUBDOMAINS_FQDN_condition
acl acl_62361ba046b312.42897137 src darkstar.example.xyz
# ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
acl acl_62361a89a23796.93721092 src 192.168.110.0/24
# ACTION: LOCAL_SUBDOMAINS_map-rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/623619b6c7da11.06632077.txt)] if acl_62361ba046b312.42897137 || acl_62361a89a23796.93721092
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/623607a0728a46.68273508.txt)]
# Backend: nextcloud_backend (Nextcloud Backend)
backend nextcloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 40s
timeout server 40s
# ACL: nextcloud-caldav
acl acl_6236326bbeed09.73911658 path_beg -i /.well-known/caldav
# ACL: nextcloud-carddav
acl acl_6236329a31b372.83647612 path_beg -i /.well-known/carddav
# ACTION: nextcloud-caldav-carddav
http-request set-path /remote.php/dav if acl_6236326bbeed09.73911658 || acl_6236329a31b372.83647612
http-reuse safe
server nextcloud_host 192.168.160.10:443 ssl verify none
# Backend: SSL_backend (SSL Backend TCP)
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 40s
timeout server 40s
server SSL_Server 192.168.161.1 send-proxy-v2 check-send-proxy
# Backend: bitwarden_backend (Bitwarden Backend)
backend bitwarden_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 40s
timeout server 40s
# ACL: bitwarden-admin
acl acl_62362f799a0826.60491269 path_beg -i /admin
# ACTION: bitwarden-admin_block
http-request deny if acl_62362f799a0826.60491269
http-reuse safe
server bitwarden_host 192.168.160.20:80
# Backend: zyxel-1_backend (Zyxel-1 Backend)
backend zyxel-1_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 40s
timeout server 40s
http-reuse safe
server zyxel-1 192.168.150.8:443 ssl verify none
# Backend: zyxel-2_backend (Zyxel-2 Backend)
backend zyxel-2_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 40s
timeout server 40s
http-reuse safe
server zyxel-2 192.168.150.9:443 ssl verify none
# Backend: checkmk_backend (CheckMK Backend)
backend checkmk_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 40s
timeout server 40s
http-reuse safe
server checkmk_host 192.168.150.21:8080
# Backend: ampache_backend (Ampache Backend)
backend ampache_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 40s
timeout server 40s
http-reuse safe
server ampache_host 192.168.160.15:443 ssl verify none
# Backend: jellyfin_backend (Jellyfin Backend)
backend jellyfin_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 40s
timeout server 40s
http-reuse safe
server jellyfin_host 192.168.160.16:8096
# Backend: guacamole_backend (Guacamole Backend)
backend guacamole_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 40s
timeout server 40s
http-reuse safe
server guacamole_host 192.168.150.22:8080
# Backend: vpn_backend (OpenVPN Backend)
backend vpn_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 40s
timeout server 40s
server vpn_host 192.168.110.1:1195
I hope that someone could help! Thanks in advance.
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 192.168.110.1
client-disconnect "/usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh server1"
tls-server
server 10.10.1.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Local Database' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'vpn.shuvit.space' 1"
lport 1195
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "route 192.168.110.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.4096.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
I have just tried TCP mode with a map file; there are a few more steps to achieve the goal instead of placing the map rule directly in 0_SNI
(I checked the packet and found the SNI inside; however, HAProxy doesn't recognize it in TCP mode, which is why we need to force it to recognize the SNI)
1. Create a "Condition" to request client hello
Name: SSL_Hello
Condition type: Custom condition (option pass-through)
Option pass-through: req_ssl_hello_type 1
(https://i.postimg.cc/rD89fwvk/cond-hello.jpg) (https://postimg.cc/rD89fwvk)
2. Create a "Rule" to accept the SSL hello
Name: tcp_request_content_accept_ssl
Select conditions: SSL_Hello
Execute function: tcp-request-content-accept
(https://i.postimg.cc/mcnNZNhL/rule-ssl.jpg) (https://postimg.cc/mcnNZNhL)
3. Create a "Rule" to wait for inspection
Name: tcp_request_inspect_delay
Optional condition: none
Execute function: tcp-request-inspect-delay
TCP inspection delay: 5s
(https://i.postimg.cc/gX6yxX6v/rule-delay.jpg) (https://postimg.cc/gX6yxX6v)
4. Place the Rules in 0_SNI_frontend in the following order
tcp_request_inspect_delay
tcp_request_content_accept_ssl
map
(https://i.postimg.cc/sBx4R0jH/rule-order.jpg) (https://postimg.cc/sBx4R0jH)
(hmdir_ru is my map rule)
Update according to findings in #183 (https://forum.opnsense.org/index.php?topic=23339.msg131582#msg131582)
5. Change the no_SSL condition to Traffic is SSL (locally deciphered)
(https://i.postimg.cc/Cng6Mdtn/nossl.jpg) (https://postimg.cc/Cng6Mdtn)
*Remark
It is advised to use another map file for 1_HTTPS_frontend if necessary
If you really don't want to create another map file, use "SNI TLS extension matches (locally deciphered)" instead
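As an added illustration (not the poster's code and not part of the OPNsense HAProxy plugin), the Python below does by hand what the rule chain above asks HAProxy to do in TCP mode: buffer the client's first bytes, recognise a TLS ClientHello (the `req_ssl_hello_type 1` test), read the SNI, and pick a backend through a HAProxy-style domain map. The map file, hostnames and backend names are constructed for the example, and `map_dom` implements my reading of HAProxy's dot-delimited `dom` match.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake type 1, what `req_ssl_hello_type 1` tests
EXT_SERVER_NAME = 0x0000  # server_name (SNI) extension


def parse_client_hello_sni(data: bytes):
    """Inspect buffered client bytes like the TCP frontend does.
    None -> record incomplete, keep inspecting (bounded by inspect-delay);
    (None, None) -> not a TLS handshake record; (type, sni) -> full message."""
    if not data:
        return None
    if data[0] != TLS_HANDSHAKE:
        return (None, None)
    if len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
        return None                       # ClientHello not fully buffered yet
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(hs) < 4:
        return (None, None)
    hello_type = hs[0]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if hello_type != CLIENT_HELLO:
        return (hello_type, None)
    try:
        pos = 2 + 32                      # client_version + random
        pos += 1 + body[pos]              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]              # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            # server_name list: u16 list_len, u8 name_type (0 = host_name), u16 len, name
            if ext_type == EXT_SERVER_NAME and len(ext) >= 5 and ext[2] == 0:
                name_len = struct.unpack("!H", ext[3:5])[0]
                return (hello_type, ext[5:5 + name_len].decode("ascii").lower())
    except (struct.error, IndexError, UnicodeDecodeError):
        pass                              # no or malformed extensions: no SNI
    return (hello_type, None)


def map_dom(sample: str, mapping):
    """HAProxy-style `dom` match (my reading of the docs): the pattern must
    appear as whole dot-delimited labels, so 'example.test' matches
    'vpn.example.test' but not 'notexample.test'; the first file entry wins."""
    labels = sample.lower().split(".")
    for pattern, backend in mapping:
        p = pattern.lower().split(".")
        if any(labels[i:i + len(p)] == p for i in range(len(labels) - len(p) + 1)):
            return backend
    return None


# Constructed map file ("<domain> <backend>" per line, as under Advanced -> Map files)
MAP_FILE = """\
# more specific names first: dom matching stops at the first hit
vpn.example.test   OPENVPN_backend
example.test       SSL_backend
"""


def load_map(text: str):
    """Parse '<domain> <backend>' lines, ignoring comments and blank lines."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [(r[0], r[1]) for r in rows if len(r) >= 2]


def choose_backend(buffered: bytes, mapping, default="SSL_backend"):
    """Emulate the 0_SNI_frontend rule chain: ('wait', None) while the hello is
    incomplete, otherwise ('accept', <map hit or default_backend>)."""
    parsed = parse_client_hello_sni(buffered)
    if parsed is None:
        return ("wait", None)
    hello_type, sni = parsed
    if hello_type != CLIENT_HELLO or not sni:
        return ("accept", default)        # non-TLS or no SNI: default_backend
    return ("accept", map_dom(sni, mapping) or default)


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal ClientHello carrying one server_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)               # version + zeroed random
            + b"\x00"                             # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                         # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs
```

Feeding `choose_backend` only the first 20 bytes of a hello returns `('wait', None)`, which is the situation the `tcp-request inspect-delay` rule exists for: without it HAProxy would route on an empty buffer and every connection would land on `default_backend`.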
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 debug
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
option log-separate-errors
option tcplog
# ACL: OPENVPN_condition
acl acl_6143a3ff7e6bf2.30491250 req_ssl_hello_type 1
# ACTION: OPENVPN_rule
use_backend OPENVPN_backend if !acl_6143a3ff7e6bf2.30491250
# WARNING: pass through options below this line
tcp-request inspect-delay 5s
tcp-request content accept if !{ req_ssl_hello_type 1 }
# Frontend: 1_HTTP_frontend (Listening on 0.0.0.0:80)
frontend 1_HTTP_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
option httplog
# ACL: NoSSL_condition
acl acl_6138b110159553.96461818 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_6138b110159553.96461818
# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6138b32401a006.77997133.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
option httplog
# ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
acl acl_6141ef8f0a8841.88130105 src 192.168.0.0/16
# ACTION: LOCAL_SUBDOMAINS_map-rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6141ef3275d630.55285385.txt)] if acl_6141ef8f0a8841.88130105
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6138b15d48a964.28077676.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: OPENVPN_backend ()
backend OPENVPN_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server OPENVPN_server 127.0.0.1:1194
Lovely, thanks for the hard work!
Question: is it possible to somehow cover a multi-domain wildcard (for www.firewall.network.com)?
I have a problem with these settings: they cover the subdomains but not www.
Common Name: *.network.com
Multidomain name: network.com
Any idea how to issue one cert for all services with subdomains, the 1st-level domain and www?
Or what is the right way to do this, or maybe redirect www -> *.network.com without it?
** So far I issued a new cert and added it in HAProxy and it's working, so I guess this is the way
www.dev.network.com
Then I understand about the public and local domains: if I put my map in my local domain, then I can only access it via the local network; if I put it in the public map file, then I can access it from the external network and the local network. Do I understand it correctly?
However, I have this one last problem I hope you can help me point out. I have AdGuard installed on the same IP as my OPNsense. I changed the HTTPS port of my OPNsense according to your guide, and the port AdGuard's web UI listens on is also different. However, when I add them in the Real server according to the port they currently listen on, I cannot get them working. It is still happening that when my external network connects to it, I get the 503 error, which makes sense since I only allow local. But when I access them locally I hit the ISP main router log-in page.
Thanks for this guide, it saved me after 2 days. The next bit is passing remote desktop through; I saw this Reddit post but I am not sure how I add it to your setup, or do I need to create a new one?
https://www.reddit.com/r/OPNsenseFirewall/comments/l2usx5/opnsense_haproxy_remote_desktop_gateway/
Currently there is no service running on the domain name. However, when I now try to access my web server via both lan and wan I kept getting error 503 service not available.
# Backend: cloud_backend ()
backend cloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server cloud_server 192.168.7.5:80 ssl verify required ca-file /etc/ssl/cert.pem
server cloud_server 192.168.7.5:80 ssl verify required ca-file /etc/ssl/cert.pem
Are you really uploading the self-signed cert of the service to the OPNsense and checking it with HAProxy?
A second question I have: in a post above you talk about "You have to put the OPNsense LAN IP in the DNS override. Not the IP of the service." I am confused about this piece; is it possible to explain a little more about this?
Thank you very much for this amazing tutorial. I have referred a few people from Reddit to this.
Questions I hope someone can help me with: if I have xdomain.com, xczxdomain.com and ltsdomain.com;
- does this support multi-domain usage?
- can I use this tutorial to assign a particular domain to a given service?
- do I need to recreate all the entries for each, or at which point do I make the adjustment?
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 1
hard-stop-after 60s
no strict-limits
maxconn 10
tune.ssl.default-dh-param 2048
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 10
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (listens on 80, 443, 853, 5000)
frontend 0_SNI_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:853 name 0.0.0.0:853
bind 0.0.0.0:5000 name 0.0.0.0:5000
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (listening on 192.168.5.100:80 i.e. http only)
frontend 1_HTTP_frontend
bind 192.168.5.100:80 name 192.168.5.100:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_Condition
acl acl_619439805021f2.97978352 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_619439805021f2.97978352
# Frontend: 1_HTTPS_frontend (Listening on 192.168.5.100:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 192.168.5.100:443 name 192.168.5.100:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61952b9d47d700.25962675.certlist
bind 192.168.5.100:5000 name 192.168.5.100:5000 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61952b9d47d700.25962675.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/619521e7265391.88020289.txt)]
# Frontend: 1_TCP_frontend (Listening on 192.168.5.100:853)
frontend 1_TCP_frontend
bind 192.168.5.100:853 name 192.168.5.100:853 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61dc51606078d9.11258474.certlist
mode tcp
default_backend nginx_backend-tcp
# tuning options
timeout client 15m
# logging options
option tcplog
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/619521e7265391.88020289.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 192.168.5.100 send-proxy-v2 check-send-proxy
# Backend: nginx_backend-tcp ()
backend nginx_backend-tcp
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server nginx_2 192.168.5.1:8054 resolve-prefer ipv4 send-proxy check-send-proxy
# Backend: bastion_backend (bastion_backend)
backend bastion_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server bastion-1 192.168.5.157:5000
root@OPNsense:~ # sockstat -4 -l | grep lighttpd
root lighttpd 28364 6 tcp4 192.168.1.65:443 *:*
root lighttpd 28364 8 tcp4 192.168.1.1:443 *:*
root lighttpd 28364 10 tcp4 192.168.1.65:80 *:*
root lighttpd 28364 12 tcp4 192.168.1.1:80 *:*
root sshd 84263 5 tcp4 192.168.1.1:22 *:*
root@OPNsense:~ # /usr/local/etc/rc.d/haproxy start
Starting haproxy.
[ALERT] (2036) : Starting frontend 1_HTTP_frontend: cannot bind socket (Can't assign requested address) [192.168.1.65:80]
[ALERT] (2036) : Starting frontend 1_HTTPS_frontend: cannot bind socket (Can't assign requested address) [192.168.1.65:443]
[ALERT] (2036) : [/usr/local/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
/usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy
root@OPNsense:~ # /usr/local/etc/rc.restart_webgui
Starting web GUI...done.
Generating RRD graphs...done.
root@OPNsense:~ # sockstat -4 -l | grep lighttpd
root lighttpd 64654 6 tcp4 192.168.10.65:443 *:*
root lighttpd 64654 8 tcp4 192.168.1.1:443 *:*
root lighttpd 64654 10 tcp4 192.168.10.65:80 *:*
root lighttpd 64654 12 tcp4 192.168.1.1:80 *:*
root sshd 84263 5 tcp4 192.168.1.1:22 *:*
root@OPNsense:~ # /usr/local/etc/rc.d/haproxy start
Starting haproxy.
[ALERT] (18033) : Starting frontend 1_HTTP_frontend: cannot bind socket (Address already in use) [192.168.10.65:80]
[ALERT] (18033) : Starting frontend 1_HTTPS_frontend: cannot bind socket (Address already in use) [192.168.10.65:443]
[ALERT] (18033) : [/usr/local/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
I am trying to follow the instructions to enable HAProxy for internal domains. However, I can't seem to get the frontend listener for the virtual ip to work. Service binding is disabled for the virtual ip.
When the frontend listener for the virtual ip is enabled:
1. haproxy cannot start (when webgui is running).
2. webgui cannot start (when haproxy is running).
Then I tried the rule on the SNI frontend, the HTTP frontend and the HTTPS frontend, essentially trying to make the exception on all frontends, but in all cases after the SNI the HTTP-to-HTTPS rule gets evaluated first, defeating any exception I've tried.
If it's not too much of a deviation, could I have a suggestion on how to approach it? In sum, I'm looking for a way to route my http custom port to a back end as an exception in this Tutorial setup.
However, there is an instance where it would be very nice to be able to white-list one (or a couple) of specific IPs, so that I could access my services at home from my office. I am not able to install software at the office, and there are other restrictions preventing me from using a VPN.
Thank you. Unfortunately I haven't been able to do this. The exact warning is:
Then I tried the rule on the SNI frontend, the HTTP frontend and the HTTPS frontend, essentially trying to make the exception on all frontends, but in all cases after the SNI the HTTP-to-HTTPS rule gets evaluated first, defeating any exception I've tried.
If it's not too much of a deviation, could I have a suggestion on how to approach it? In sum, I'm looking for a way to route my http custom port to a back end as an exception in this Tutorial setup.
The order of the rules is important! Make sure that all "http-redirect-to-backend" rules are placed BEFORE the HTTPtoHTTPS rule on the HTTP_frontend.
[WARNING] (96704) : parsing [/usr/local/etc/haproxy.conf.staging:74] : a 'http-request' rule placed after a 'use_backend' rule will still be processed before.
Warnings were found.
Configuration file is valid
Any other ideas are welcome :)
I've found what I think is a workaround with the service in question, leaving the haproxy setup still as per this tutorial's. Thanks for the earlier suggestion.
Thank you. Unfortunately I haven't been able to do this. The exact warning is:
Then I tried the rule on the SNI frontend, the HTTP frontend and the HTTPS frontend, essentially trying to make the exception on all frontends, but in all cases after the SNI the HTTP-to-HTTPS rule gets evaluated first, defeating any exception I've tried.
If it's not too much of a deviation, could I have a suggestion on how to approach it? In sum, I'm looking for a way to route my http custom port to a back end as an exception in this Tutorial setup.
The order of the rules is important! Make sure that all "http-redirect-to-backend" rules are placed BEFORE the HTTPtoHTTPS rule on the HTTP_frontend.
[WARNING] (96704) : parsing [/usr/local/etc/haproxy.conf.staging:74] : a 'http-request' rule placed after a 'use_backend' rule will still be processed before.
Warnings were found.
Configuration file is valid
Any other ideas are welcome :)
I've been following this wonderfully crafted tutorial, so "THANK YOU" to the op for this.
Question (I know this might be outside the scope of this tutorial):
- If I want HAProxy to handle *.my1stdomain.xyz, which would be for specific services (I already have this working flawlessly),
but I would like to forward *.my2nddomain.xyz to nginx proxy manager running on docker so that nginx proxy manager will be used to manage that.
Is that something this setting can help to implement?
Great tutorial!
I'm running into a problem accessing the sites within the network after following this tutorial and enabling Cloudflare proxy. Without the Cloudflare proxy I can access the sites both externally and internally but when I enable the Cloudflare proxy I'm unable to access the sites from the internal network.
This post, https://vitobotta.com/2019/12/23/real-ip-haproxy-ingress-behind-cloudflare/ (https://vitobotta.com/2019/12/23/real-ip-haproxy-ingress-behind-cloudflare/), explains how to get the correct IP but I'm not clear on how to implement that in the OPNsense HAProxy implementation. I found a similar question on the forums, https://forum.opnsense.org/index.php?topic=26419.msg127542#msg127542 (https://forum.opnsense.org/index.php?topic=26419.msg127542#msg127542), but there wasn't any answer.
I created a condition with the Cloudflare IPs but I don't know where to go from there, any suggestions?
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 2
hard-stop-after 60s
no strict-limits
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# ACL: SSL_hello
acl acl_632625326b34a3.00256787 req_ssl_hello_type 1
# ACTION: tcp_request_inspect_delay
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: tcp_request_content_accept_ssl
tcp-request content accept if acl_632625326b34a3.00256787
# ACTION: Openvpn_map-rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6329deb37cfb97.45093681.txt)] if acl_632625326b34a3.00256787
# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_632463bc8a4e03.38927091 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_632463bc8a4e03.38927091
# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 crt-list /tmp/haproxy/ssl/632498ac5e6503.54058036.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6324642dba2f56.47189800.txt)]
# Backend: wiki ()
backend wiki
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server apache03 192.168.254.4:80
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: Zoneminder_backend ()
backend Zoneminder_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server ZoneMinder 192.168.254.22:80 source 192.168.254.2
# Backend: Nextcloud_Backend ()
backend Nextcloud_Backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server owncloud 192.168.254.23:443 ssl verify none
# Backend: KH_backend ()
backend KH_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server kh 192.168.10.50:80
# Backend: HA_backend ()
backend HA_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server ha 192.168.0.51:80
# Backend: HASS_backend ()
backend HASS_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server hass 192.168.254.13:8123
# Backend: BITWARDEN_backend ()
backend BITWARDEN_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server bitwarden 192.168.254.4:81
# Backend: Webmin_Backend ()
backend Webmin_Backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server sshgateway 192.168.254.34:10000 ssl verify none
# Backend: OPENVPN_backend ()
backend OPENVPN_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server OPENVPN_server 127.4.4.3:10194
2022-09-23T13:16:23 Informational haproxy 1.2.3.4:43265 [23/Sep/2022:13:16:23.981] 1_HTTPS_frontend/127.4.4.3:443: SSL handshake failure
2022-09-23T13:16:23 Informational haproxy Connect from 1.2.3.4:43265 to 4.3.2.1:443 (0_SNI_frontend/TCP)
2022-09-23T13:16:19 Informational haproxy 1.2.3.4:43264 [23/Sep/2022:13:16:19.866] 1_HTTPS_frontend/127.4.4.3:443: SSL handshake failure
2022-09-23T13:16:19 Informational haproxy Connect from 1.2.3.4:43264 to 4.3.2.1:443 (0_SNI_frontend/TCP)
I followed the tutorial and added the necessary config to enable OpenVPN on port 443 but somehow it always keeps sending everything to the SSL_Backend.
Any ideas?
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
option log-separate-errors
option tcplog
# ACL: OPENVPN_condition
acl acl_6143a3ff7e6bf2.30491250 req_ssl_hello_type 1
# ACTION: OPENVPN_rule
use_backend OPENVPN_backend if !acl_6143a3ff7e6bf2.30491250
# WARNING: pass through options below this line
tcp-request inspect-delay 5s
tcp-request content accept if !{ req_ssl_hello_type 1 }
# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# ACL: SSL_hello
acl acl_632625326b34a3.00256787 req_ssl_hello_type 1
# ACTION: Openvpn_map-rule
use_backend OPENVPN_backend if acl_632625326b34a3.00256787
# ACTION: tcp_request_inspect_delay
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: tcp_request_content_accept_ssl
# NOTE: actions with no ACLs/conditions will always match
tcp-request content accept if !{ req_ssl_hello_type 1 }
2022-09-23T14:52:32 Informational haproxy 1.2.3.4:42250 [23/Sep/2022:14:52:32.904] 1_HTTPS_frontend/127.4.4.3:443: SSL handshake failure
2022-09-23T14:52:32 Informational haproxy Connect from 1.2.3.4:42250 to 4.3.2.1:443 (0_SNI_frontend/TCP)
2022-09-23T14:52:31 Informational haproxy Connect from 192.168.254.13:52460 to 192.168.254.1:443 (0_SNI_frontend/TCP)
2022-09-24 13:40:25,284 ERROR [org.keycloak.services] (executor-thread-39) KC-SERVICES0055: Error when connecting to LDAP: ldap.mydomain.com:389: javax.naming.CommunicationException: ldap.mydomain.com:389 [Root exception is java.net.SocketTimeoutException: connect timed out]
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 100000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_62bbec3b1189e7.31090598 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_62bbec3b1189e7.31090598
# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62bbef8e4ab6b5.77631912.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62bbecc24b7a71.66647551.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: PRISM_backend ()
backend PRISM_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server PRISM_server 192.168.1.103:2342
# Backend: REQUEST_backend ()
backend REQUEST_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server REQUEST_server 192.168.1.104:5055
# Backend: LDAP_backend ()
backend LDAP_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server LDAP_server 192.168.1.104:1636 ssl verify none
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 1000s
timeout connect 1000s
timeout server 1000s
retries 3
default-server init-addr libc,last
default-server maxconn 5000
# autogenerated entries for ACLs
# userlists generated from groups
userlist Allowedusers
user joel insecure-password XXX
user mopidy insecure-password XXX
# NOTE: UserlistAddUsers called with empty group data
# autogenerated entries for config in backends/frontends
userlist list_6245eeb66d3ab2.08976803
# Origin: MOPIDY_backend
user mopidy insecure-password XXX
user joel insecure-password XXX
# WARNING: skipping duplicate username (mopidy)
# autogenerated entries for stats
# Frontend: SNI_frontend (Listening on http&https)
frontend SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
bind :::80 name :::80
bind :::443 name :::443
mode tcp
default_backend SSL_backend
# tuning options
timeout client 1000s
# logging options
# Frontend: HTTP_frontend (Listening 127.0.0.1:80)
frontend HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
bind [::1]:80 name [::1]:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 1000s
# logging options
# ACL: NoSSL_condition
acl acl_621d0b77c74989.24704837 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_621d0b77c74989.24704837
# Frontend: HTTPS_frontend (Listinging on 127.0.0.1:443)
frontend HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/621d11c7cad951.61400293.certlist
bind [::1]:443 name [::1]:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/621d11c7cad951.61400293.certlist
mode http
option http-keep-alive
default_backend WEBSERVER_backend
option forwardfor
# tuning options
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/621d0c7054ddb7.46420139.txt)]
# WARNING: pass through options below this line
# Matrix client traffic
acl matrix-host hdr(host) -i chat.XXX.ch chat.XXX.ch:443
acl matrix-path path_beg /_matrix
acl matrix-path path_beg /_synapse/client
use_backend MATRIX_backend if matrix-host matrix-path
# Frontend: MATRIX_frontend (Listining * Port 8448)
frontend MATRIX_frontend
bind *:8448 name *:8448 alpn h2,http/1.1 ssl crt-list /tmp/haproxy/ssl/6256daae2378c2.17892750.certlist
bind [::]:8448 name [::]:8448 alpn h2,http/1.1 ssl crt-list /tmp/haproxy/ssl/6256daae2378c2.17892750.certlist
mode http
option http-keep-alive
default_backend MATRIX_backend
# tuning options
timeout client 1000s
# logging options
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-For %[src]
# Frontend: SSH_frontend (Listining * Port 22)
frontend SSH_frontend
bind *:22 name *:22 alpn h2,http/1.1
bind [::]:22 name [::]:22 alpn h2,http/1.1
mode tcp
# tuning options
timeout client 1000s
# logging options
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: WEBSERVER_backend ()
backend WEBSERVER_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
acl restricted_page path_beg /wp-admin
acl auth_ok http_auth(Allowedusers)
http-request auth if restricted_page !auth_ok
http-reuse safe
server WEBSERVER_server 192.168.1.100:80 send-proxy-v2 check-send-proxy
server WEBSERVER_server_ipv6 XXX:168:a774::2000:80 send-proxy-v2 check-send-proxy
# Backend: NAS_backend ()
backend NAS_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-reuse safe
server NAS_server 192.168.1.118:80
server NAS_server_ipv6 XXX:168:a774::1000:80
# Backend: WEBSERVER_SSL_backend ()
backend WEBSERVER_SSL_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-reuse safe
server WEBSERVER_server_ssl 192.168.1.100:443
server WEBSERVER_server_ssl_ipv6 XXX:168:a774::2000:443
# Backend: MOPIDY_backend ()
backend MOPIDY_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
acl auth_ok http_auth(list_6245eeb66d3ab2.08976803)
http-request auth if !auth_ok
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
acl is_root path -i /
redirect code 301 location /iris if is_root
http-reuse safe
server MOPIDY_server 192.168.1.100:6680
# Backend: MATRIX_backend ()
backend MATRIX_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-For %[src]
http-reuse safe
server MATRIX_server 192.168.1.100:8008
server MATRIX_server_ipv6 XXX:168:a774::2000:8008
# Backend: KVM_backend ()
backend KVM_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-reuse safe
server KVM_server 192.168.1.105:80
# Backend: SYNC_backend ()
backend SYNC_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
# WARNING: pass through options below this line
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-For %[src]
http-reuse safe
server SYNC_server 192.168.1.100:5050
# Backend: ROUTER_SSH_backend ()
backend ROUTER_SSH_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
server ROUTER_SSH_Server 192.168.1.1:22
server ROUTER_SSH_Server_ipv6 XXX:168:a774::1000:22
# Backend: NAS_SSH_backend ()
backend NAS_SSH_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
server NAS_server_ipv6 XXX:168:a774::1000:80
server NAS_SSH_server 192.168.1.118:22
# Backend: KVM_SSH_backend ()
backend KVM_SSH_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
server KVM_SSH_server 192.168.1.105:22
# Backend: SERVER_SSH_backend ()
backend SERVER_SSH_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 1000s
timeout server 1000s
server SERVER_SSH_server 192.168.1.100:22
server SERVER_SSH_server_ipv6 XXX:168:a774::2000:22
#public access subdomains
flood WEBSERVER_backend
kvm KVM_backend
nas WEBSERVER_backend
grafana WEBSERVER_backend
phpmyadmin WEBSERVER_backend
speedtestserver WEBERSERVER_backend
cloud NAS_backend
dav NAS_backend
stefan NAS_backend
mopidy MOPIDY_backend
git WEBSERVER_backend
chat MATRIX_backend
admin WEBSERVER_backend
sync SYNC_backend
ssh.nas NAS_SSH_backend
ssh.server SERVER_SSH_backend
ssh ROUTER_SSH_backend
ssh.kvm KVM_SSH_backend
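The `use_backend %[req.hdr(host),lower,map_dom(...)]` rule in the HTTPS frontend above resolves the backend through a domain match over the map file, and the order of the map lines matters. The following Python model, an added example that is not code from the thread, HAProxy or the OPNsense plugin, replays that lookup over a constructed map with the same shape and ordering as the one posted above; the delimiter set, the first-match-wins order and the fallback to `default_backend` for a name that is not a defined backend are my reading of HAProxy's behaviour, and the set of defined backends is constructed.

```python
"""Model of the HAProxy map lookup behind
   use_backend %[req.hdr(host),lower,map_dom(<mapfile>)]
Added example for this thread; not code from HAProxy or the OPNsense plugin."""

# Constructed map file mirroring the shape and ordering of the posted one
# ("<key> <backend>" per line, '#' comments).
MAP_FILE = """\
#public access subdomains
kvm KVM_backend
nas WEBSERVER_backend
speedtestserver WEBERSERVER_backend
chat MATRIX_backend
ssh.nas NAS_SSH_backend
ssh ROUTER_SSH_backend
ssh.kvm KVM_SSH_backend
"""

# Backend sections that exist in the constructed configuration.
KNOWN_BACKENDS = {"KVM_backend", "WEBSERVER_backend", "MATRIX_backend",
                  "NAS_SSH_backend", "ROUTER_SSH_backend", "KVM_SSH_backend"}

# Characters that delimit a domain label for HAProxy's "dom" match.
# Assumption: this is the delimiter set HAProxy uses ('/', '?', '.', ':').
DOM_DELIMS = "/?.:"


def parse_map(text):
    """Return the map as an ordered list of (key, value); a line carrying
    only a key yields an empty value."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def dom_match(pattern, subject):
    """Domain match: the pattern must start at the beginning of subject or
    right after a delimiter, and end at the end of subject or right before
    a delimiter. Delimiters at either end of the pattern are ignored, so a
    key written as "hass." behaves like "hass"."""
    pattern = pattern.strip(DOM_DELIMS)
    if not pattern or len(pattern) > len(subject):
        return False
    end = len(subject) - len(pattern)
    may_match = True
    for i in range(end + 1):
        ch = subject[i]
        if ch in DOM_DELIMS:
            may_match = True
            continue
        if not may_match:
            continue
        if subject.startswith(pattern, i) and (
                i == end or subject[i + len(pattern)] in DOM_DELIMS):
            return True
        may_match = False
    return False


def map_dom(entries, subject):
    """First matching line wins (assumption: HAProxy walks list-based
    pattern types such as dom in file order). Returns '' on a miss, as the
    converter does when no default value is given."""
    for key, value in entries:
        if dom_match(key, subject):
            return value
    return ""


def choose_backend(host_header, default=None, entries=None):
    """Model the frontend rule: lowercase the Host header (the 'lower'
    converter; map_dom itself is case-sensitive), look it up, and fall back
    to default_backend when the result names no defined backend (assumption:
    HAProxy skips a use_backend rule whose resolved name does not exist)."""
    entries = parse_map(MAP_FILE) if entries is None else entries
    name = map_dom(entries, host_header.lower())
    return name if name in KNOWN_BACKENDS else default
```

Because "nas" and "kvm" precede the "ssh.nas" and "ssh.kvm" lines and both match as a label in the middle of the host, a Host of ssh.kvm.example.com resolves to KVM_backend, and a backend name with a typo resolves to nothing and falls through to the default.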
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.0.0.1:80)
frontend 1_HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_636976fd9d4d71.97561865 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_636976fd9d4d71.97561865
# Frontend: 1_HTTPS_frontend (Listening on 127.0.0.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/636aad8d3cbe18.58884679.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: nc_carddav
acl acl_636ba4e5b6aa82.28881573 path_end -i /.well-known/carddav
# ACL: nc_caldav
acl acl_636ba2d9f14933.27250118 path_end -i /.well-known/caldav
# ACL: vw_ws_acl01_condition
acl acl_636c2f2b5accd9.55827620 path_beg -i /notifications/hub
# ACL: vw_ws_acl02_condition
acl acl_636cc909734817.72974823 path_beg -i /notifications/hub/negotiate
# ACL: vw_ws_acl03_condition
acl acl_636ccac64fcd74.27409543 path_beg -i /notifications/hub
# ACL: vw_ws_acl04_condition
acl acl_636ccae443ca48.73072029 path_beg -i /notifications/hub/negotiate
# ACTION: nc_carddav_rule
http-request redirect code 301 location /remote.php/dav if acl_636ba4e5b6aa82.28881573
# ACTION: nc_caldav_rule
http-request redirect code 301 location /remote.php/dav if acl_636ba2d9f14933.27250118
# ACTION: PUBLIC_SUBDOMAINS-map_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63653d33935cd3.47503593.txt)]
# ACTION: vw_ws_acl01_rule
use_backend vw_backend if !acl_636c2f2b5accd9.55827620
# ACTION: vw_ws_acl02_rule
use_backend vw_backend if acl_636cc909734817.72974823
# ACTION: vw_ws_acl03_rule
use_backend vw_ws_backend if acl_636ccac64fcd74.27409543
# ACTION: vw_ws_acl04_rule
use_backend vw_ws_backend if !acl_636ccae443ca48.73072029
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: office_backend (Onlyoffice)
backend office_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server office_server 10.10.20.8:80
# Backend: vw_backend (Vaultwarden)
backend vw_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server vw_server 10.10.20.7:80
# Backend: mc_backend (Minecraft Server)
backend mc_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server mc_server 10.10.40.4:80
# Backend: cloud_backend (Nextcloud01)
backend cloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server cloud_server 10.10.20.5:80
# Backend: demo_backend (Nextcloud02)
backend demo_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server demo_server 10.10.20.6:80
# Backend: kunden_backend (Nextcloud03)
backend kunden_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server kunden_server 10.10.20.11:80
# Backend: vw_ws_backend (Vaultwarden Websocket)
backend vw_ws_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server vw_ws_server 10.10.20.7:3012
# statistics are DISABLED
2022-11-10T13:33:48 Informational haproxy Connect from 10.10.10.239:54010 to PUBLICIP:443 (1_HTTPS_frontend/HTTP)
2022-11-10T13:33:48 Informational haproxy Connect from 10.10.10.239:54010 to PUBLICIP:443 (1_HTTPS_frontend/HTTP)
2022-11-10T13:33:48 Informational haproxy Connect from 10.10.10.239:54010 to PUBLICIP:443 (1_HTTPS_frontend/HTTP)
2022-11-10T13:33:48 Informational haproxy Connect from 10.10.10.239:54010 to PUBLICIP:443 (0_SNI_frontend/TCP)
Hello Guys!
Today is my first post here at this forum. First, @TheHellSite, THANK YOU for your tutorial, it helps me a lot! Before I used Nginx Proxy Manager, which was a lot easier than HAProxy :)
I have one big problem and need help from you all, please. I want to configure Vaultwarden with WebSocket support in HAProxy. The normal redirect to Vaultwarden is no problem, but adding WebSocket support is still driving me crazy!
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: HTTPS_Frontend (Listening on 127.4.4.3:443)
frontend HTTPS_Frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63687fb14df779.98297035.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: Local_Only_Subnet
acl acl_63687bc7cf9331.77802781 src 192.168.5.0/24
# ACTION: Local_subdomain_map
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63687b6d92a544.19528694.txt)] if acl_63687bc7cf9331.77802781
# Frontend: SNI_Frontend (Listening to 0.0.0.0:80; 0.0.0.0:443)
frontend SNI_Frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend SSL_Backend
# tuning options
timeout client 30s
# logging options
# Frontend: HTTP_Frontend (Listening on 127.4.4.3:80)
frontend HTTP_Frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_Condition
acl acl_63687974def2f4.69235454 ssl_fc
# ACTION: HTTPtoHTTPS
http-request redirect scheme https code 301 if !acl_63687974def2f4.69235454
# Backend: SSL_Backend ()
backend SSL_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: Jellyfin_Backend ()
backend Jellyfin_Backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Jellyfin 192.168.5.88:8096 ssl verify none
# Backend: TPLink_Backend ()
backend TPLink_Backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server TPLinkSwitch 192.168.5.5:80
# Backend: Opnsense_Backend ()
backend Opnsense_Backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Opnsense 192.168.5.1:8100 ssl verify none
# Backend: Proxmox_Backend ()
backend Proxmox_Backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server Proxmox 192.168.5.201:8006 ssl verify none
# statistics are DISABLED
jellyfin Jellyfin_Backend
tplink TPLink_Backend
opnsense Opnsense_Backend
proxmox Proxmox_Backend
Alright! I'm back with a clean baseline. Let's try this again... And apologies if anything below sounds dumb, I'm still fairly new to understanding certs and how wildcard domains work. (Although I had it working in NGINX with another domain of mine, I want to upgrade from a B score to an A+ score, and part of that was moving to HAProxy.) Also, I have no interest in utilizing 2nd-level subdomains. I will only be using 1st-level subdomains for all my services.
Here's where I'm getting stuck (Part 3, Step 6): Cert Validation - fails
Since I use Cloudflare, I tried my best to adapt your DynDNS setup to Cloudflare (DynDNS confirmed working)
Good Evening,
Thank you for the excellent tutorial! I have set up HAProxy + wildcard certificates following this tutorial, but am experiencing a 503 error when trying to access jellyfin.example.com using the setup here. I do not have any of these services accessible from outside my network (i.e. no WAN 443/80 ports open) and am only interested in being able to access "jellyfin.example.com" --> 192.168.5.88:8096 with a valid Let's Encrypt cert from inside my network. Right now when I access jellyfin.example.com, my browser shows a valid cert but throws a 503 error. Double and triple checking the tutorial has left me without any further options to explore.
Does anyone have any suggestions where I can look? Thank you very much in advance!
Unbound Host Override: *.example.com --> 192.168.5.1 (OpnSense LAN IP)
Map File:
jellyfin Jellyfin_Backend
tplink TPLink_Backend
opnsense Opnsense_Backend
proxmox Proxmox_Backend
You stated:
"If you are running all of your services on your 1st level subdomain "your_subdomain.dedyn.io" then you will just need to override this one."
Since I'm utilizing a wildcard, I figured it should work this way, so that any subdomain I enter will be redirected to HAProxy's SNI_Frontend. And since it's listening on 0.0.0.0, I figured the virtual IP should work - I also tried the firewall's IP address with no luck.
(https://i.imgur.com/tU7X9xH.png)
Hello Guys!
Today is my first post here at this forum. First, @TheHellSite, THANK YOU for your tutorial, it helps me a lot! Before I used Nginx Proxy Manager, which was a lot easier than HAProxy :)
I have one big problem and need help from you all, please. I want to configure Vaultwarden with WebSocket support in HAProxy. The normal redirect to Vaultwarden is no problem, but adding WebSocket support is still driving me crazy!
Sorry, but that is out of the scope of this tutorial. Please ask in the official HAProxy forum.
Hello Guys!
Unfortunately nobody in the other forums can help me with this situation, neither in the Vaultwarden nor in the HAProxy forum. Is there nobody here who has got Vaultwarden working? :(
With best regards,
techsolo12
- But if you would like to do it my way then you will need to create a virtual IP that is in a different subnet than any of your other networks. Preferably you would choose an IP that belongs to the localhost subnet in order to avoid IP conflicts in your local network.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
#
# NOTE: HAProxy is currently DISABLED
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 2
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch 1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_Frontend ()
frontend 0_SNI_Frontend
bind 0.0.0.0:443 name 0.0.0.0:443 accept-proxy
bind 0.0.0.0:80 name 0.0.0.0:80 accept-proxy
mode tcp
default_backend SSL_backend
# tuning options
timeout client 15m
# logging options
# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_63859d8c6a7b81.10799804 ssl_fc
# ACTION: HTTP_to_HTTPS
http-request redirect scheme https code 301 if !acl_63859d8c6a7b81.10799804
# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6385a4c7e68d06.81674833.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63859df5259306.89264162.txt)]
# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server acme_challenge_host 127.0.0.1:43580
# Backend: homeassistant_backend ()
backend homeassistant_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server HomeAssistant 192.168.0.3:8123 check inter 30s port 8123
# Backend: web_backend ()
backend web_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server web 192.168.0.4:80
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: factorio_backend ()
backend factorio_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server factorio 192.168.0.17:80
# Backend: jira_backend ()
backend jira_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server jira 192.168.0.20:80
# Backend: meshcentral_backend ()
backend meshcentral_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server meshcentral 192.168.0.41:443
# Backend: nextcloud_backend ()
backend nextcloud_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server nextcloud 192.168.0.38:443 ssl alpn h2,http/1.1 verify none
# statistics are DISABLED
# public access subdomains
hass. homeassistant_backend
factorio. factorio_backend
jira. jira_backend
mesh. meshcentral_backend
nextcloud. nextcloud_backend
web_backend
Okay, I've been through the instructions at least 3 times and cannot find why it's not working. Can someone please take a look? Other than it being currently disabled, obviously.
Firewall rule is:
IPv4 TCP Src* Port* Dest WAN address Port AliasforHTTP/HTTPS Gateway* Schedule*
#
# Automatically generated configuration.
# Do not edit this file manually.
#
#
# NOTE: HAProxy is currently DISABLED
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 2
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch 1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_Frontend ()
frontend 0_SNI_Frontend
bind 0.0.0.0:443 name 0.0.0.0:443 accept-proxy
bind 0.0.0.0:80 name 0.0.0.0:80 accept-proxy
mode tcp
default_backend SSL_backend
# tuning options
timeout client 15m
# logging options
# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_63859d8c6a7b81.10799804 ssl_fc
# ACTION: HTTP_to_HTTPS
http-request redirect scheme https code 301 if !acl_63859d8c6a7b81.10799804
# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6385a4c7e68d06.81674833.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63859df5259306.89264162.txt)]
# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server acme_challenge_host 127.0.0.1:43580
# Backend: homeassistant_backend ()
backend homeassistant_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server HomeAssistant 192.168.0.3:8123 check inter 30s port 8123
# Backend: web_backend ()
backend web_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server web 192.168.0.4:80
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: factorio_backend ()
backend factorio_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server factorio 192.168.0.17:80
# Backend: jira_backend ()
backend jira_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server jira 192.168.0.20:80
# Backend: meshcentral_backend ()
backend meshcentral_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server meshcentral 192.168.0.41:443
# Backend: nextcloud_backend ()
backend nextcloud_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server nextcloud 192.168.0.38:443 ssl alpn h2,http/1.1 verify none
# statistics are DISABLED
And the mapping file, which I have tried with the full FQDN and without the periods as well.
# public access subdomains
hass. homeassistant_backend
factorio. factorio_backend
jira. jira_backend
mesh. meshcentral_backend
nextcloud. nextcloud_backend
web_backend
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 2
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch 1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_Frontend ()
frontend 0_SNI_Frontend
bind 0.0.0.0:443 name 0.0.0.0:443 accept-proxy
bind 0.0.0.0:80 name 0.0.0.0:80 accept-proxy
mode tcp
default_backend SSL_backend
# tuning options
timeout client 15m
# logging options
# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_63859d8c6a7b81.10799804 ssl_fc
# ACTION: HTTP_to_HTTPS
http-request redirect scheme https code 301 if !acl_63859d8c6a7b81.10799804
# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6385a4c7e68d06.81674833.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63859df5259306.89264162.txt,web_backend)]
# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server acme_challenge_host 127.0.0.1:43580
# Backend: homeassistant_backend ()
backend homeassistant_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server HomeAssistant 192.168.0.3:8123
# Backend: web_backend ()
backend web_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server web 192.168.0.4:80
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: factorio_backend ()
backend factorio_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server factorio 192.168.0.17:80
# Backend: jira_backend ()
backend jira_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server jira 192.168.0.20:80
# Backend: meshcentral_backend ()
backend meshcentral_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server meshcentral 192.168.0.41:443
# Backend: nextcloud_backend ()
backend nextcloud_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server nextcloud 192.168.0.38:443 ssl alpn h2,http/1.1 verify none
# Backend: gallery_backend ()
backend gallery_backend
# health checking is DISABLED
mode http
balance source
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server gallery 192.168.0.12:80
# statistics are DISABLED
# public access subdomains
hass homeassistant_backend
factorio factorio_backend
jira jira_backend
mesh meshcentral_backend
nextcloud nextcloud_backend
gallery gallery_backend
If I attempt to browse to my IP from outside my network, http shows ERR_EMPTY_RESPONSE in Chrome, https shows ERR_CONNECTION_CLOSED.
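The map files above are looked up with map_dom, whose matching is broader than an exact hostname compare, which is why the keys with and without trailing periods behave the same. The following Python is an added illustration, not HAProxy's code and not from the tutorial: it re-implements the documented domain-match rule (pattern bounded by '/', '?', '.' or ':' or the string ends, with leading/trailing delimiters of the key ignored) and runs the thread's three map-file variants against constructed host headers; example.com and the map contents are constructed.

```python
"""Re-implementation of HAProxy's domain matching (-m dom / map_dom) as
documented, used here to show which host headers the thread's map files
select. Added illustration only; the matcher approximates HAProxy's
behaviour and the map files / hostnames are constructed."""

# Delimiters HAProxy treats as word boundaries for domain matching.
DELIMITERS = set("/?.:")


def parse_map_file(text: str) -> list:
    """Parse a HAProxy map file: '#' comments and blank lines are skipped,
    each remaining line is 'key value' (value = rest of the line).
    A line with a single token, like the bare 'web_backend' line in the
    first map file of the thread, becomes a key with an empty value."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0], value))
    return entries


def dom_match(sample: str, pattern: str) -> bool:
    """True when `pattern` occurs in `sample` bounded by delimiters (or by
    the start/end of the string). Leading and trailing delimiters of the
    pattern are stripped first, so 'hass.' and 'hass' are the same key."""
    pat = pattern.strip("".join(DELIMITERS))
    if not pat:
        return False
    n = len(pat)
    for i in range(len(sample) - n + 1):
        if i > 0 and sample[i - 1] not in DELIMITERS:
            continue  # not at a word boundary
        if sample[i:i + n] != pat:
            continue
        if i + n == len(sample) or sample[i + n] in DELIMITERS:
            return True
    return False


def map_dom(sample: str, entries, default=None):
    """First matching entry wins, in file order; `default` plays the role
    of the optional second argument of map_dom(<file>,<default>)."""
    for key, value in entries:
        if dom_match(sample, key):
            return value
    return default


def select_backend(host_header: str, map_text: str, default=None):
    """Mirror 'req.hdr(host),lower,map_dom(...)': lowercase the Host
    header, then look it up. None means no backend was chosen, so HAProxy
    falls through to default_backend or, without one, answers 503
    (the '<NOSRV>' entries in the thread's log)."""
    return map_dom(host_header.lower(), parse_map_file(map_text), default)


# Constructed map files modelled on the three variants tried in the thread.
MAP_WITH_DOTS = """# public access subdomains
hass. homeassistant_backend
mesh. meshcentral_backend
web_backend
"""
MAP_WITHOUT_DOTS = """# public access subdomains
hass homeassistant_backend
mesh meshcentral_backend
"""
MAP_FQDN = """hass.example.com homeassistant_backend
mesh.example.com meshcentral_backend
"""

if __name__ == "__main__":
    # Constructed Host headers; note the port suffix and mixed case.
    for host in ("hass.example.com", "Mesh.example.com:443",
                 "hass.someotherdomain.tld", "example.com"):
        print(host,
              select_backend(host, MAP_WITH_DOTS),
              select_backend(host, MAP_WITHOUT_DOTS),
              select_backend(host, MAP_FQDN, "web_backend"))
```

The run shows the practical caveat: with short keys such as hass or hass., any hostname containing a label hass is routed to that backend, while full FQDN keys only match that name (or a subdomain of it).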
If you don't even get any 503s with a blank white Page and the HAProxy Log is not indicating any traffic, then your firewall rule is configured wrong.
Also if you are not willing to share the HAProxy log then I am unable to help. You have to set it to "Informational" in the top right corner!
root@OPNsense:~ # sockstat -l | grep '443\|80'
www haproxy 3539 4 tcp4 *:443 *:*
www haproxy 3539 5 tcp4 *:80 *:*
www haproxy 3539 6 tcp4 127.4.4.3:80 *:*
www haproxy 3539 7 tcp4 127.4.4.3:443 *:*
10:15:09.123024 IP PHONE.25700 > ROUTER.443: Flags [SEW], seq 642215500, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 2478600365 ecr 0], length 0
10:15:09.123057 IP ROUTER.443 > PHONE.25700: Flags [S.E], seq 639098840, ack 642215501, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 3059434307 ecr 2478600365], length 0
10:15:09.141384 IP PHONE.25700 > ROUTER.443: Flags [.], ack 1, win 256, options [nop,nop,TS val 2478600384 ecr 3059434307], length 0
10:15:09.142758 IP PHONE.25700 > ROUTER.443: Flags [P.], seq 1:518, ack 1, win 256, options [nop,nop,TS val 2478600384 ecr 3059434307], length 517
10:15:09.142790 IP ROUTER.443 > PHONE.25700: Flags [.], ack 518, win 510, options [nop,nop,TS val 3059434328 ecr 2478600384], length 0
10:15:09.142818 IP ROUTER.443 > PHONE.25700: Flags [F.], seq 1, ack 518, win 514, options [nop,nop,TS val 3059434328 ecr 2478600384], length 0
10:15:09.161122 IP PHONE.25700 > ROUTER.443: Flags [.], ack 2, win 256, options [nop,nop,TS val 2478600404 ecr 3059434328], length 0
10:15:09.161149 IP PHONE.25700 > ROUTER.443: Flags [F.], seq 518, ack 2, win 256, options [nop,nop,TS val 2478600404 ecr 3059434328], length 0
10:15:09.161163 IP ROUTER.443 > PHONE.25700: Flags [.], ack 519, win 513, options [nop,nop,TS val 3059434346 ecr 2478600404], length 0
10:15:15.141831 IP PHONE.26438 > ROUTER.443: Flags [SEW], seq 3285634286, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 4185299120 ecr 0], length 0
10:15:15.141883 IP ROUTER.443 > PHONE.26438: Flags [S.E], seq 4283526657, ack 3285634287, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 95186048 ecr 4185299120], length 0
10:15:15.160570 IP PHONE.26438 > ROUTER.443: Flags [.], ack 1, win 256, options [nop,nop,TS val 4185299139 ecr 95186048], length 0
10:15:15.161943 IP PHONE.26438 > ROUTER.443: Flags [P.], seq 1:518, ack 1, win 256, options [nop,nop,TS val 4185299139 ecr 95186048], length 517
10:15:15.161977 IP ROUTER.443 > PHONE.26438: Flags [.], ack 518, win 510, options [nop,nop,TS val 95186067 ecr 4185299139], length 0
10:15:15.162008 IP ROUTER.443 > PHONE.26438: Flags [F.], seq 1, ack 518, win 514, options [nop,nop,TS val 95186067 ecr 4185299139], length 0
10:15:15.181057 IP PHONE.26438 > ROUTER.443: Flags [.], ack 2, win 256, options [nop,nop,TS val 4185299159 ecr 95186067], length 0
10:15:15.181181 IP PHONE.26438 > ROUTER.443: Flags [F.], seq 518, ack 2, win 256, options [nop,nop,TS val 4185299159 ecr 95186067], length 0
10:15:15.181199 IP ROUTER.443 > PHONE.26438: Flags [.], ack 519, win 513, options [nop,nop,TS val 95186086 ecr 4185299159], length 0
Shouldn't the HAProxy log show startups as well? This is fresh after a reboot (empty log), restarting the HAProxy service from System, Diagnostics, Services (still empty), then unchecking Enable HAProxy and applying (Stop messages appear), then rechecking Enable HAProxy and applying (nothing new added).
2022-12-06T00:23:39 Informational haproxy Connect from REMOTE_CLIENT_PUBLIC_IP:34677 to OPNSENSE_WAN_IP:443 (1_HTTPS_frontend/HTTP)
2022-12-06T00:23:39 Informational haproxy Connect from REMOTE_CLIENT_PUBLIC_IP:34677 to OPNSENSE_WAN_IP:443 (0_SNI_frontend/TCP)
2022-12-06T00:23:39 Informational haproxy Connect from REMOTE_CLIENT_PUBLIC_IP:9659 to OPNSENSE_WAN_IP:443 (1_HTTPS_frontend/HTTP)
2022-12-06T00:23:39 Informational haproxy Connect from REMOTE_CLIENT_PUBLIC_IP:9659 to OPNSENSE_WAN_IP:443 (0_SNI_frontend/TCP)
2022-12-06T00:23:03 Informational haproxy Connect from REMOTE_CLIENT_PUBLIC_IP:62798 to OPNSENSE_WAN_IP:443 (1_HTTPS_frontend/HTTP)
2022-12-06T00:23:03 Informational haproxy Connect from REMOTE_CLIENT_PUBLIC_IP:62798 to OPNSENSE_WAN_IP:443 (0_SNI_frontend/TCP)
2022-12-06T00:23:01 Informational haproxy Connect from REMOTE_CLIENT_PUBLIC_IP:62797 to OPNSENSE_WAN_IP:443 (1_HTTPS_frontend/HTTP)
2022-12-06T00:23:01 Informational haproxy Connect from REMOTE_CLIENT_PUBLIC_IP:62797 to OPNSENSE_WAN_IP:443 (0_SNI_frontend/TCP)
I have tried adding a user and password to 'User management' & ticking the box for Basic auth in the backend and selecting my user, no luck sadly. I'm pretty sure I just have to add an option somewhere to pass the auth header, however, I can't figure it out. Googling for the problem just leads to info on how to setup HAproxy to do basic auth, which I don't need... The logs also don't seem to show anything useful.
Anyone has any ideas? Thanks in advance.
The user management in HAProxy has nothing to do at all with any login forms of services that are behind HAProxy! You can use this to add a login form that pops up before the client can even connect to the service that is behind HAProxy. So unrelated to your issue.
Apart from that please ask in the official HAProxy forums about your issue since it is not related to my tutorial.
I assume the HAProxy is also listening on the LAN interface?
Thank you for your help!
In the DSM control panel, go to security, at the bottom is "trusted proxies". Add the HAProxy IP address, and boom! The correct external IP address is logged at a connection attempt and you will get notified about new login behavior if you have that turned on, and IP address blocking should now work if you have that turned on.
user@OPNsense:~ $ wget --save-headers http://nas.mydomain.com:8080
--2023-01-08 12:47:22-- http://nas.mydomain.com:8080/
Resolving nas.mydomain.com (nas.mydomain.com)... 192.168.5.60
Connecting to nas.mydomain.com (nas.mydomain.com)|192.168.5.60|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 580 [text/html]
Saving to: 'index.html'
index.html 100%[=====================================================================================>] 580 --.-KB/s in 0s
2023-01-08 12:47:22 (139 MB/s) - 'index.html' saved [580/580]
user@OPNsense:~ $ wget --save-headers https://nas.mydomain.com
--2023-01-08 13:01:21-- https://nas.mydomain.com/
Resolving nas.mydomain.com (nas.mydomain.com)... 192.168.5.60
Connecting to nas.mydomain.com (nas.mydomain.com)|192.168.5.60|:443... connected.
ERROR: cannot verify nas.mydomain.com's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
Unable to locally verify the issuer's authority.
To connect to nas.mydomain.com insecurely, use `--no-check-certificate'.
user@OPNsense:~ $ wget --save-headers https://mydomain.com
--2023-01-08 13:13:59-- https://mydomain.com/
Resolving mydomain.com (mydomain.com)... 185.176.xxx.xxx [WAN IP]
Connecting to mydomain.com (mydomain.com)|185.176.xxx.xxx [WAN IP]|:443... connected.
HTTP request sent, awaiting response... 503 Service Unavailable
2023-01-08 13:13:59 ERROR 503: Service Unavailable.
My default LAN interface has "192.168.10.1/24" so I created a host override, e.g. "mynas.mydomain.com", pointing to 192.168.10.1.
Yes, your OPNsense LAN IP is the correct DNS Override target, as explained in the tutorial.
I assume the HAProxy is also listening on the LAN interface?
Hi, attached you can find my haproxy.conf and map file.
I replicated your tutorial 1:1
The OPNsense firewall LAN IP is 192.168.10.1
For the 2 items in the map file I created a DNS override for those FQDNs pointing to 192.168.10.1.
Access from the internet works fine. The wildcard SSL cert is being used and the port redirection works and is not visible (e.g. :55443 for the firewall interface and :5000 for the NAS).
Internally the browser says "ERR_CONNECTION_TIMED_OUT" and nothing is displayed.
If you need more info or details I'll be happy to provide them to you.
Thank you for your help!
TheHellSite, thanks a lot for all the work that you've put into this tutorial. I have followed every step of it and almost everything is working well.
One issue I am facing is that when I ping a local domain (e.g. opnsense.mydomain.com (router/fw box), nas.mydomain.com (qnap nas)) the IP gets resolved as my external WAN IP address.
@TheHellSite
First thank you for this wonderful guide. I learned a lot of and it helps to understand everything a little bit better.
At the moment I play around with these features to understand it even better.
My setup is a bit different so I need to play around with it and see what happens.
At the moment lets encrypt is working and HAProxy is configured. And here I have some questions in general:
1. Why do I have to open port 80 and 443 when using the DNS-01 challenge? I thought that is NOT needed and that was the reason why I chose DNS-01.
2. I DIDN'T do the internal procedure BUT I can access the configured backend internally without any problems via the name!!! BUT
a. in Safari I get an SSL certificate (it is a self-signed SSL certificate from my router)
b. in Firefox it is still unsecured
Why is that? If I have to send you some information please let me know, but I think these are general questions and no files / screenshots are needed, or?
host: feniks.domain.net
server: 192.168.10.1
response: A feniks.domain.net. 3600 IN A 192.168.10.200 192.168.10.1 0 msec
# /usr/sbin/traceroute -w 2 -n -m '18' 'feniks.domain.net'
traceroute to feniks.domain.net (192.168.10.200), 18 hops max, 40 byte packets
1 192.168.10.200 0.787 ms 0.462 ms 0.475 ms
Pinging feniks.domain.net [192.168.10.200] with 32 bytes of data:
Reply from 192.168.10.200: bytes=32 time<1ms TTL=64
Tracing route to feniks.domain.net [192.168.10.200]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms FENIKS.domain.net [192.168.10.200]
Trace complete.
Some extra troubleshooting.
Interfaces: Diagnostics: DNS Lookup
host: feniks.domain.net
server: 192.168.10.1
response: A feniks.domain.net. 3600 IN A 192.168.10.200 192.168.10.1 0 msec
So now I'm lost ???
I'll try to find/set up another internal website to test with.
I am unable to help here. Please ask the people that already did the things you mentioned.
How can we load balance TCP traffic that we don't want to get SSL offloaded, f.e. OpenVPN over TCP?
In my tutorial I only explain how to "redirect+load balance SSL offloaded traffic".
This is because I myself don't have (yet) the need to actually load balance any non SSL traffic.
However balancing non SSL traffic is pretty much the same as balancing SSL traffic.
You only have to make sure that your "NOSSLservice_rule" or "NOSSLservices_map-file_rule" is placed on the "SNI_frontend" instead of the "HTTPS_frontend" and that the backend that belongs to your
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 1_HTTP_Frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_Frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_63de5470175f22.54470191 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_63de5470175f22.54470191
# Frontend: 0_SNI_Frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_Frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_Backend
# logging options
# Frontend: 1_HTTPS_Frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_Frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63de597c094f01.72503480.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63de5520a92049.75714996.txt)]
# Backend: SSL_Backend ()
backend SSL_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: BITWARDEN_backend ()
backend BITWARDEN_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server BITWARDEN 192.168.2.55:80 ssl verify none
# Backend: CALIBRE_backend ()
backend CALIBRE_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server CALIBRE 192.168.2.40:8083 ssl verify none
# statistics are DISABLED
Thx you @TheHellSite for this tutorial. Unfortunately I cannot get it to work. I always get a "503 service unavailable" status.
If I use the internal addresses of the websites (192.168.2.40:8083 for example) I can login. But using the website.domain.com I get a 503 error. In the logs I see that the client is accessing the public Ip on port 443.
Please give further details on what is and what is not working.
Are you able to access your services via their domain name from a device outside of your local network?
Did you configure the DNS overrides for the local clients?
Also, your Bitwarden server seems to be misconfigured. Are you sure it is serving SSL on the HTTP port? Also verify this for your other service.
I do not understand what you mean by serving SSL on the HTTP port. I think I followed your tutorial to the letter (except for using a Let's encrypt certificate by using cloudflare API from my domain)
It is dangerous to do things like exposing services to the internet when you don't even understand this simple question from me! :-\
Read step 9 of my FAQ. You should also really read the explanation of the "SSL checkbox" in the server setup page!
I bet you are not accessing your services by their local IP using HTTPS; you are likely accessing them using HTTP.
OPNsense 23.1_6-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022
HAProxy version 2.6.7-c55bfdb 2022/12/02 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-2.6.7.html
Running on: FreeBSD 13.1-RELEASE-p5 FreeBSD 13.1-RELEASE-p5 stable/23.1-n250372-c4ad069e50a SMP amd64
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:443 and 0.0.0.0:80)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
option log-separate-errors
option tcplog
# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
option log-separate-errors
option httplog
# ACL: NoSSL_condition
acl acl_63dea06740dee5.93056632 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_63dea06740dee5.93056632
# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63dea303583a84.37941891.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
option log-separate-errors
option httplog
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63dea0bbafdf17.31648976.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: XKP_backend ()
backend XKP_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server XKP_server 192.168.1.104:80 ssl verify none
# statistics are DISABLED
2023-02-05T10:45:38 Error haproxy ********:31073 [05/Feb/2023:10:45:38.668] 1_HTTPS_frontend~ 1_HTTPS_frontend/<NOSRV> -1/-1/-1/-1/0 503 217 - - SC-- 2/1/0/0/0 0/0 "GET https://[********:/favicon.ico HTTP/2.0"
root@firewall:~ # haproxy -f /usr/local/etc/haproxy.conf -d
Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use kqueue.
Available filters :
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
Using kqueue() as the polling mechanism.
00000000:0_SNI_frontend.accept(0004)=0014 from [********:31207] ALPN=<none>
00000001:1_HTTPS_frontend.accept(0007)=0017 from [********:31207] ALPN=h2
00000001:1_HTTPS_frontend.clireq[0017:ffffffff]: GET https://********/ HTTP/2.0
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: host: ********
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: cache-control: max-age=0
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua-mobile: ?1
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua-platform: "Android"
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: save-data: on
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: dnt: 1
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: upgrade-insecure-requests: 1
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: user-agent: Mozilla/5.0 (Linux; Android 13; Mi 9T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Mobile Safari/537.36
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-site: cross-site
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-mode: navigate
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-user: ?1
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-dest: document
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept-encoding: gzip, deflate, br
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept-language: en-US,en;q=0.9
00000001:1_HTTPS_frontend.clicls[0017:ffff]
00000001:1_HTTPS_frontend.closed[0017:ffff]
00000002:1_HTTPS_frontend.accept(0007)=0017 from [********:31207] ALPN=h2
00000002:1_HTTPS_frontend.clireq[0017:ffffffff]: GET https://********/favicon.ico HTTP/2.0
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: host: ********
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: dnt: 1
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua-mobile: ?1
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: save-data: on
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: user-agent: Mozilla/5.0 (Linux; Android 13; Mi 9T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Mobile Safari/537.36
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua-platform: "Android"
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-site: same-origin
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-mode: no-cors
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-dest: image
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: referer: https://********/
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept-encoding: gzip, deflate, br
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept-language: en-US,en;q=0.9
00000002:1_HTTPS_frontend.clicls[0017:ffff]
00000002:1_HTTPS_frontend.closed[0017:ffff]
00000000:SSL_backend.srvcls[0014:ffff]
00000000:SSL_backend.clicls[ffff:ffff]
00000000:SSL_backend.closed[ffff:ffff]
Interesting is that from the OPNsense SSH shell via wget I managed to download from the server, and from Windows too..
wget --save-headers http://ccc.network.ccc
This was with the DNS override, but still not accessible by browser.
image - https://i.ibb.co/bL8Wgbj/34.png
Strange but 503 error appear to me as well.
I tested with Apache, Node.js, WAMP, nothing worked. Then I tried to redirect to my switch to see if my Windows box is not the problem... but nope.
DynamicDNS is configured and working fine,
All gui redirections disabled and opnsense gui port changed.
Added a firewall rule to WAN, and no additional LAN rules added (it's an almost fresh install).
Acme - generated fine cert via dns. ( 2/4/2023, 7:23:39 PM OK 2/4/2023, 7:23:40 PM )
Tested from external network via smartphone on cellular data.
One thing is that i am using proxmox to virtualize opnsense as "routerOnStick/Forbidden Router" and i pass two ports from quad NIC on promox-server as LAN/WAN for opnsense , and lan is going to dumb switch that transfer vlans/lan to rest of my house , so far not a single problem with that but maybe just maybe..Code: [Select]OPNsense 23.1_6-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022
HAProxy version 2.6.7-c55bfdb 2022/12/02 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-2.6.7.html
Running on: FreeBSD 13.1-RELEASE-p5 FreeBSD 13.1-RELEASE-p5 stable/23.1-n250372-c4ad069e50a SMP amd64
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:443 and 0.0.0.0:80)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
option log-separate-errors
option tcplog
# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
option log-separate-errors
option httplog
# ACL: NoSSL_condition
acl acl_63dea06740dee5.93056632 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_63dea06740dee5.93056632
# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63dea303583a84.37941891.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
option log-separate-errors
option httplog
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63dea0bbafdf17.31648976.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: XKP_backend ()
backend XKP_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server XKP_server 192.168.1.104:80 ssl verify none
# statistics are DISABLED
2023-02-05T10:45:38 Error haproxy ********:31073 [05/Feb/2023:10:45:38.668] 1_HTTPS_frontend~ 1_HTTPS_frontend/<NOSRV> -1/-1/-1/-1/0 503 217 - - SC-- 2/1/0/0/0 0/0 "GET https://[********:/favicon.ico HTTP/2.0"
root@firewall:~ # haproxy -f /usr/local/etc/haproxy.conf -d
Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use kqueue.
Available filters :
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
Using kqueue() as the polling mechanism.
00000000:0_SNI_frontend.accept(0004)=0014 from [********:31207] ALPN=<none>
00000001:1_HTTPS_frontend.accept(0007)=0017 from [********:31207] ALPN=h2
00000001:1_HTTPS_frontend.clireq[0017:ffffffff]: GET https://********/ HTTP/2.0
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: host: ********
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: cache-control: max-age=0
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua-mobile: ?1
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua-platform: "Android"
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: save-data: on
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: dnt: 1
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: upgrade-insecure-requests: 1
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: user-agent: Mozilla/5.0 (Linux; Android 13; Mi 9T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Mobile Safari/537.36
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-site: cross-site
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-mode: navigate
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-user: ?1
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-dest: document
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept-encoding: gzip, deflate, br
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept-language: en-US,en;q=0.9
00000001:1_HTTPS_frontend.clicls[0017:ffff]
00000001:1_HTTPS_frontend.closed[0017:ffff]
00000002:1_HTTPS_frontend.accept(0007)=0017 from [********:31207] ALPN=h2
00000002:1_HTTPS_frontend.clireq[0017:ffffffff]: GET https://********/favicon.ico HTTP/2.0
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: host: ********
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: dnt: 1
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua-mobile: ?1
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: save-data: on
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: user-agent: Mozilla/5.0 (Linux; Android 13; Mi 9T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Mobile Safari/537.36
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua-platform: "Android"
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-site: same-origin
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-mode: no-cors
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-dest: image
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: referer: https://********/
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept-encoding: gzip, deflate, br
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept-language: en-US,en;q=0.9
00000002:1_HTTPS_frontend.clicls[0017:ffff]
00000002:1_HTTPS_frontend.closed[0017:ffff]
00000000:SSL_backend.srvcls[0014:ffff]
00000000:SSL_backend.clicls[ffff:ffff]
00000000:SSL_backend.closed[ffff:ffff]
Please refer to this post about it. Be warned, I cannot provide help for this since I am not using such a setup.
https://forum.opnsense.org/index.php?topic=18538.msg84958#msg84958
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 1
hard-stop-after 60s
no strict-limits
maxconn 128
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 100
timeout client 30s
timeout connect 4s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 100
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_Frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_Frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_Backend
# logging options
option tcplog
# Frontend: 1_HTTP_Frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_Frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
option httplog
# ACL: NoSSL_Condition
acl acl_6241c8286b2146.46286925 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_6241c8286b2146.46286925
# Frontend: 1_HTTPS_Frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_Frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6241cc05878570.68121182.certlist
mode http
option http-keep-alive
option forwardfor
# logging options
option httplog
# ACL: LOCAL_SUBDOMAINS_map_conditions
acl acl_63f758e46145e5.66171870 src 192.168.1.0/26
# ACTION: LOCAL_SUBDOMAINS_map-rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63f7583a8314e2.36363887.txt)] if acl_63f758e46145e5.66171870
# ACTION: PUBLIC_SUBDOMAINS_map_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6241c892a54f84.31767078.txt)]
# Backend: SSL_Backend (SSL_Backend)
backend SSL_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: Unifi_backend (Unifi_Backend)
backend Unifi_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Unifi 172.1.1.2:8443 ssl alpn h2,http/1.1 verify none source 192.168.1.1
# Backend: Homeassistant_backend (Homeassistant_Backend)
backend Homeassistant_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Homeassistant 192.168.1.3:8123
# Backend: Docker_OCI_backend (Docker_OCI_Backend)
backend Docker_OCI_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server docker 172.1.1.2:9443 ssl alpn h2,http/1.1 verify none source 192.168.1.1
# statistics are DISABLED
Hello,
Decided to post the issue I'm having here, since for the love of god I can't find what's wrong 😊
I implemented the guide to the letter using a virtual IP. I set up 1 public service accessible from the internet and a few local accessible only (I separate this in my DNS settings for the domain; I only pointed xyz.mydomain.net to my public IP (static)). Everything is working as expected.
Now I want to open the full domain to my public IP and implement step 7 of this guide to make only public services available over the internet and limit the local services to LAN access only.
I added the local subdomains rule and map file as described in the guide, but for some reason it doesn't work... services are always available even if accessed from the internet... as if the LOCAL_SUBDOMAINS_map_conditions did not apply... but if I remove the PUBLIC_SUBDOMAINS-map-rule from HTTPS_frontend it is working, but only from the local LAN, as it should, since it's limiting access to LAN only.... when I put both rules in my HTTPS_frontend the rule for local LAN access only is not sticking, and websites are accessible from LAN and internet.
Did I miss something obvious? Or, as it looks to me, are the 2 rules not handled in parallel, since with only one rule (either) it's working?
Call me stupid, but I don't see the error in the config :). My map files, public and local, have all backends (subdomains defined as internet accessible and local accessible); also the HTTPS frontend has the LOCAL_SUBDOMAINS_map-rule in first place and PUBLIC in second place.
Will read it a few more times :)
I get that 21116 is UDP and maybe it will not be possible to reverse proxy this, but I need to ask: is there a way to get it working?
Another question: is there a way to make a range of ports like 21115-21117, because adding some services may make the UI a little overcrowded in time?
I wonder if this has been asked before: is it possible to have HAProxy not expose a certificate in case no correct Host: header has been supplied?
Currently, if somebody scans my IP with just "openssl s_client <myip>:443", the default certificate(s) will be exposed. Going from there, one could enumerate every (sub-)domain that is presented with that certificate in order to find vulnerabilities.
If the certificate was instead withheld, one would have to know at least one valid name in order to do that.
I imagine that e.g. with Cloudflare tunnels, a small range of IPs is used to terminate all tunnel connections, but only after the Host: header has been presented will a specific customer certificate be chosen and presented, so that there is no possibility for a "scan". I would like to do something similar with HAProxy on my OPNsense.
Hi,
I followed this tutorial and my services now work as intended by typing https://[service].[hostname] for each web service I have (in Docker containers). Now I have a Docker called Organizr installed which I want to act as a 'homepage' that displays links to those services, and I want this to be accessible by just typing https://[hostname] and still use the same Let's Encrypt certificate to secure it.
How can I do this within the framework of this setup?
Yes sure this is possible. In fact I am doing this for a long time already. Just didn't bother adding it to the guide.
I will add it as part 8 to the guide. Just give me a little time!
EDIT: Added this as Part 8.
2023-03-07T20:39:05 Error haproxy 192.168.1.102:47192 [07/Mar/2023:20:39:05.886] 1_HTTPS_frontend~ ADGUARD_backend/ADGUARD_server 0/-1/-1/-1/0 -1 0 - - CR-- 2/1/0/0/0 0/0 "GET https://adguard.xxx.yyy/assets/favicon.png HTTP/2.0"
2023-03-07T20:35:04 Error haproxy 3.252.130.46:37184 [07/Mar/2023:20:35:04.759] 1_HTTPS_frontend~ 1_HTTPS_frontend/<NOSRV> -1/-1/-1/-1/0 503 217 - - SC-- 4/2/0/0/0 0/0 "GET / HTTP/1.0"
2023-03-07T20:31:32 Error haproxy 192.168.1.102:47192 [07/Mar/2023:20:31:32.228] 1_HTTPS_frontend~ PROXMOX_backend/PROXMOX_server 0/0/0/-1/2 -1 0 - - CD-- 2/1/0/0/0 0/0 "GET https://proxmox.xxx.yyy/pve2/ext6/theme-crisp/resources/images/grid/hd-pop.png HTTP/2.0"
2023-03-07T20:31:03 Error haproxy 192.168.1.102:47192 [07/Mar/2023:20:31:03.640] 1_HTTPS_frontend~ PROXMOX_backend/PROXMOX_server 0/0/0/3/3 501 197 - - ---- 2/1/0/0/0 0/0 "GET https://proxmox.xxx.yyy/images/logo-ceph.png HTTP/2.0"
2023-03-07T20:31:00 Error haproxy 192.168.1.102:47212 [07/Mar/2023:20:31:00.634] 1_HTTPS_frontend/127.4.4.3:443: SSL handshake failure
2023-03-07T20:31:00 Error haproxy 192.168.1.102:47217 [07/Mar/2023:20:31:00.659] 1_HTTPS_frontend/127.4.4.3:443: SSL handshake failure
2023-03-07T20:31:00 Error haproxy 192.168.1.102:47214 [07/Mar/2023:20:31:00.649] 1_HTTPS_frontend/127.4.4.3:443: SSL handshake failure
Everything works for me, but I tried to check some logs and saw something. Is this normal output when enabling detailed logging in 1_HTTPS_frontend? Also, if this is expected, is there a way to keep the logging and disable this output somehow?
And can someone post some implementation screenshots of NOSSLservice_rule?
First of all, thanks for an awesome guide!
In 5.8 you refer to a "FAQ about Map Files". Could you please link me to this FAQ? Perhaps it could be added as a link in the post so people can find it more easily.
Second comes my question.
I've finished the setup. I sorted out a *.-certificate for mydomain.com and added an A-record in the DNS for the domain with homeassistant.mydomain.com that points to my public IP.
In HAProxy I've added a real server HA_server which points to the IP of my HA server with port 8123. SSL checked.
I've added a backend pool HA_backend that points to my HA_server.
I've added a host override for host homeassistant, domain mydomain.com, with the internal IP of my HA server.
My Local MAP-file: https://ibb.co/D8xwgH5
My Public MAP-file: https://ibb.co/D8xwgH5
When browsing to homeassistant.mydomain.com I get an "Unable to connect" message.
What did I do wrong? Any tips on where I should start looking?
You didn't read the tutorial properly. Read it again from the very top to the very bottom. Everything you just asked is answered there. Also if you would have followed the tutorial correctly you wouldn't see any errors now.
Ah, I misunderstood the text regarding the map FAQ. Now I understand what you referred to.
Regarding my setup: before I asked for help I had already gone through it twice. I've now been through it twice again and I can't find anything wrong. I haven't used a virtual IP and instead am using 127.0.0.1 as the IP in the cases where you use your virtual IP.
Perhaps it's working and Home Assistant is the problem? I found some threads regarding adding trusted proxies there. Has anyone had the same problem and knows what to configure in HA?
If you really did the guide four times now then I am surprised that you still don't know how to ask for help. ???
Hint: I describe it in the first post.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
# Frontend: 1_HTTP_frontend (Listening to localhost)
frontend 1_HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_64025b0cc7a716.63164065 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_64025b0cc7a716.63164065
# Frontend: 1_HTTPS_frontend (Listening on 127.0.0.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64025f85730fc6.50514236.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64025bea0b8443.12301363.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: BITWARDEN_backend ()
backend BITWARDEN_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server BITWARDEN_server 192.168.100.161:443 ssl verify none
# Backend: HA_backend ()
backend HA_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server HA_server 192.168.1.106:8123
# statistics are DISABLED
2023-03-08T09:49:15 Informational haproxy Connect from -external ip-:8335 to -public ip:443 (1_HTTPS_frontend/HTTP)
2023-03-08T09:49:13 Informational haproxy Connect from -external ip-:8335 to -public ip-:443 (1_HTTPS_frontend/HTTP)
2023-03-08T09:49:11 Informational haproxy Connect from -external ip-8335 to -public ip-:443 (1_HTTPS_frontend/HTTP)
2023-03-08T09:49:10 Informational haproxy Connect from -external ip-:8335 to -public ip-:443 (1_HTTPS_frontend/HTTP)
2023-03-08T09:49:10 Informational haproxy Connect from -external ip-:8335 to -public ip-:443 (0_SNI_frontend/TCP)
2023-03-08T09:49:10 Informational haproxy Connect from -external ip-:8438 to -public ip-:443 (1_HTTPS_frontend/HTTP)
2023-03-08T09:49:09 Informational haproxy Connect from -external ip-:8438 to -public ip8:443 (0_SNI_frontend/TCP)
2023-03-08T09:49:09 Informational haproxy Connect from -external ip-:8430 to -public ip:443 (1_HTTPS_frontend/HTTP)
2023-03-08T09:49:09 Informational haproxy Connect from -external ip-:8430 to -public ip:443 (0_SNI_frontend/TCP)
Did you read and understand what I wrote in part 6 - option a - step 3 of my tutorial? Or did you also not bother reading? Please explain to me what I am saying there and then explain what you did there... Maybe you will spot your error.
Also post the content (in a code box) of your public and local subdomains map file.
# public access subdomains
bit BITWARDEN_backend
home HA_backend
No, it has to be the interface IP of your OPNsense that is reachable by the clients that want to use HAProxy... The guide is VERY clear about that. You can't just use any IP!? Stick to the guide!! :-\
Please post your interface overview...
And as I already told you before and in the guide!!!
The gateway of the service does not matter at all!? Why is that so hard to understand?
The client DNS request needs to be overwritten, not the DNS requests of any service!!! So guess what: if the client is in subnet A and wants to access ANY service in ANY subnet, then what IP will the client use to connect to the service? It obviously has to be the subnet A gateway address, since the client is in subnet A.
If the client is in subnet B you will have to create the same override but with subnet B gateway as target.
And so on.
All of the above is however only relevant for local access from within your network.
Now answer this
Is bitwarden working from external networks (mobile data,...)?
Is bitwarden now working from internal network?
Which URL do you use to access them from inside?
How do you access them directly (ip:port) full URL?
use_x_forwarded_for boolean (optional, default: false)
Enable parsing of the X-Forwarded-For header, passing on the client’s correct IP address in proxied setups. You must also whitelist trusted proxies using the trusted_proxies setting for this to work. Non-whitelisted requests with this header will be considered IP spoofing attacks, and the header will, therefore, be ignored.
trusted_proxies string | list (optional)
List of trusted proxies, consisting of IP addresses or networks, that are allowed to set the X-Forwarded-For header. This is required when using use_x_forwarded_for because all requests to Home Assistant, regardless of source, will arrive from the reverse proxy IP address. Therefore in a reverse proxy scenario, this option should be set with extreme care. If the immediate upstream proxy is not in the list, the request will be rejected. If any other intermediate proxy is not in the list, the first untrusted proxy will be considered the client.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.0.0.1:80)
frontend 1_HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_Condition
acl acl_6293a5ef2e36e8.09400894 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_6293a5ef2e36e8.09400894
# Frontend: 1_HTTPS_frontend (Listening on 127.0.0.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets prefer-client-ciphers ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6293aa32edc294.46241266.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
option httplog
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6293a65a1027d4.72742608.txt)]
# WARNING: pass through options below this line
# add X-Forwarded-Proto
http-request set-header X-Forwarded-Proto https if { ssl_fc }
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: nextcloud-mf_backend ()
backend nextcloud-mf_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server nextcloud-mf nextcloud-mf.fuchsbau.local:443 ssl verify none
# Backend: survey_backend ()
backend survey_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server adv-survey 10.0.110.5:80
listen local_statistics
bind 127.0.0.1:8822
mode http
stats uri /haproxy?stats
stats realm HAProxy\ statistics
stats admin if TRUE
# remote statistics are DISABLED
Which URL do you use to access them from inside?
How do you access them directly (ip:port) full URL?
Bitwarden is accessed via Bitwarden.mydomain.com for internal (it works) and external (can't reach server).
HA is accessed internally from 192.168.1.106:8123 (works) and externally via homeassistant.mydomain.com (can't reach server).
There are some settings for HA to configure a proxy that I think I need to set up, but since Bitwarden doesn't work, it's not the complete solution to my problem.
From https://www.home-assistant.io/integrations/http/ (quoted above).
I’m using suricata IPS/IDS and tried disabling these, but no change. Using blocklists in Unbound DNS but that should not interfere.
I’m out of ideas. I will review everything again when I get home later today.
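The X-Forwarded-For rule quoted above (only a trusted immediate proxy may set the header; reading the chain from the right, the first hop that is not in trusted_proxies is the client) is the same check any application behind HAProxy's `option forwardfor` has to make, so here it is as an added example in Python. This is not Home Assistant's code and not part of the thread; every address in the sample calls is constructed. Two details are this example's own choices rather than something the quoted text states: a request whose immediate peer is not a trusted proxy is rejected (the stricter of the two behaviours the documentation describes), and a header whose every entry is a trusted proxy is attributed to the leftmost entry.

```python
import ipaddress
from typing import Iterable, Optional

# Added example, not Home Assistant's or HAProxy's code: the trusted_proxies /
# use_x_forwarded_for rule from the quoted documentation, applied to sample
# requests. All addresses used in the calls below are constructed.


def _networks(trusted_proxies: Iterable[str]):
    # Accept single addresses ("192.168.1.1") as well as CIDR ranges ("10.0.0.0/8").
    return [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]


def _is_trusted(addr: str, networks) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal at all
    return any(ip in net for net in networks)


def client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: Iterable[str],
              use_x_forwarded_for: bool = True) -> Optional[str]:
    """Return the address the application should attribute the request to.

    remote_addr     -- peer address of the TCP connection (normally the reverse proxy)
    xff             -- value of the X-Forwarded-For header, or None if absent
    trusted_proxies -- addresses/networks allowed to set X-Forwarded-For

    Returns None when the request should be rejected: the immediate peer sent
    X-Forwarded-For without being a trusted proxy, or the header is malformed.
    """
    if not use_x_forwarded_for or xff is None:
        # Header parsing disabled or no header: the peer address is all we have.
        return remote_addr
    networks = _networks(trusted_proxies)
    if not _is_trusted(remote_addr, networks):
        # Anyone can send this header; only a trusted upstream may be believed.
        return None
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return remote_addr  # empty header from a trusted proxy: nothing to believe
    # Each proxy appends the peer it saw, so the chain is read right to left:
    # skip every trusted proxy and stop at the first address that is not one.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the chain: treat as a spoofing attempt
        if not _is_trusted(hop, networks):
            return hop
    # Every entry was a trusted proxy. Assumption of this example: use the
    # leftmost one rather than reject (the quoted text does not cover this case).
    return hops[0]


def demo():
    """Sample calls with constructed addresses; the reverse proxy is 192.168.1.1."""
    trusted = ["192.168.1.1", "10.0.0.0/8"]
    return {
        "direct_lan_client": client_ip("192.168.1.50", None, trusted),
        "via_proxy": client_ip("192.168.1.1", "203.0.113.7", trusted),
        "spoof_from_internet": client_ip("203.0.113.9", "10.0.0.1", trusted),
        "two_trusted_hops": client_ip("192.168.1.1", "203.0.113.7, 10.0.3.4", trusted),
        "untrusted_intermediate": client_ip("192.168.1.1", "203.0.113.7, 198.51.100.2", trusted),
        "parsing_disabled": client_ip("192.168.1.1", "203.0.113.7", trusted, use_x_forwarded_for=False),
    }
```

The "spoof_from_internet" case is the one the documentation warns about: a client on the internet sending its own X-Forwarded-For: 10.0.0.1 is refused because 203.0.113.9 is not a trusted proxy, while the same header arriving from 192.168.1.1 would be honoured. If the list only names the HAProxy address but a second proxy (Cloudflare, a second OPNsense) sits in front of it, the "untrusted_intermediate" case shows what happens: that proxy's address becomes the client.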
From the map file you provided, you should be accessing your Bitwarden with bit.mydomain.com on your local network:
# public access subdomains
bit BITWARDEN_backend
home HA_backend
Hey everyone! Hey TheHellSite!
First of all, I'm really thankful for your effort to write this really good guide and give support to date! That's awesome and should be honoured.
A bit of a backstory before I dive into the problem.
I'm a system engineer working with Sophos Products for years at enterprises. Because of that, I was using Sophos UTM Home Editions for years for my own private servers as well - but wanted to make the switch to OPNsense long ago. Some months ago, I finally decided to work on the switch. Your guide supported me so hard to make this switch from Sophos UTM to OPNsense.
Fast forward
I was thinking my haproxy on my OPNsense was working completely. I had some issues before, where I could render websites from my local network (although not using Split DNS or similar - just public IPs), but not from the internet (tested this with my 5G connection from my phone). After some tinkering, I got it even working on my phone with 5G and thought everything should be okay now.
My Setup
I'm using 2 OPNsense, one at home and one in a datacenter on a VPS. I have these 2 connected to each other via a Wireguard Tunnel (OPNsense plugin) using this guide (sorry, it's German: https://www.busche.org/index.php/2021/03/21/ipv4-ueber-wireguard-von-opnsense-zu-opnsense-routen-cgnat-umgehen/). And I'm using exactly your guide, with the only difference being that I use my wireguard interface instead of WAN for firewall rules.
Wireguard is working awesome, leads all traffic via Proxy ARP virtual IP (2nd public IP on VPS) on the VPS OPNsense to my home OPNsense.
Now the problem
More often than not, it seems that my websites aren't reachable from the internet. It's working from my 5G Internet Connection, it's working for a web developer who was assisting me with a web project from Hungary. But when friends test it or when I test it from my AWS Windows Machine, it runs into a timeout. Same for multiple status checking sites like https://isitdownorjust.me/. https://www.ssllabs.com/ssltest/ on the other hand is able to reach and check my websites.
I checked the haproxy logs and in those cases where it doesn't work, I get [09/Mar/2023:09:50:14.471] 1_HTTPS_frontend/127.0.0.1:443: SSL handshake failure
I checked your tutorial like 100 times. Checked my config side by side. It doesn't make any sense in my mind, that it works in some cases, and in some other cases it doesn't. And it drives me crazy. I was trying to fix this issue myself for weeks before I decided to write a comment and ask for help here.
With a "wrong" MTU, shouldn't the VPN connection be shaky with every device from every "outside" network? It's working 100% all the time on my mobile internet (and my girlfriend's as well), and it's working 100% all the time for ssllabs but only some "Is it down or just me"-kinda sites. But for at least 2 friends (one using the newest Opera Browser on Windows), there are timeouts while trying to connect to my websites. Same for a Windows VPS hosted on AWS - can't get a handshake there either (using newest Chrome browser).
I got no problems with my mailserver/proxmox mail gateway at home. I got no hiccups with SSH via NAT. I got no issues with gaming servers at home (friends can connect to them). So I think something isn't working correctly with my haproxy, sadly :(
First off, thank you TheHellSite for this amazing tutorial. I highly appreciate your level of attention to detail and the after post support.
The purpose of my design is to expose my Jellyfin Server for remote access from a 2nd home, but hopefully in a secure fashion. As far as I can tell, I'm trying to match your network diagram from the first post aside from JF vs Plex.
I almost feel bad asking for help today because I sense it's something stone deaf obvious I've missed. I even slept on it and went back through each step from the very start and I can't see any fat finger errors.
So with apologies in advance, I'm hoping you can offer some troubleshooting for instances where the SSL Server Test comes back as T / Certificate name mismatch. I've made it to the end of Step 5.
Protocol Support, Key Exchange, and Cipher Strength are all top marks, but SSL Test is marking me T because of the invalid cert.
Here's a link to my HAProxy Config - https://pastebin.com/P5QtYPUt
My ACME Client log looks identical to your screenshot in the tutorial. I have redone the issue/renew procedure and the log comes back looking happy again.
I'm happy to post screenshots that would help diagnose. Appreciate any redirect on where to start looking.
So with apologies in advance, I'm hoping you can offer some troubleshooting for instances where the SSL Server Test comes back as T / Certificate name mismatch. I've made it to the end of Step 5.
The error pretty much says it all. I really don't know why you have to ask for help. I wonder if people nowadays are just too lazy to simply google such easy errors themselves?
Actually you shouldn't even need to google it. I might start taking money for giving lazy support...
https://www.globalsign.com/en/blog/what-is-common-name-mismatch-error
With a "wrong" MTU, shouldn't the VPN connection be shaky with every device from every "outside" network? It's working 100% all the time on my mobile internet (and my girlfriend's as well), and it's working 100% all the time for ssllabs but only some "Is it down or just me"-kinda sites. But for at least 2 friends (one using the newest Opera Browser on Windows), there are timeouts while trying to connect to my websites. Same for a Windows VPS hosted on AWS - can't get a handshake there either (using newest Chrome browser).
I got no problems with my mailserver/proxmox mail gateway at home. I got no hiccups with SSH via NAT. I got no issues with gaming servers at home (friends can connect to them). So I think something isn't working correctly with my haproxy, sadly :(
That depends on PMTU discovery, so not every connection has to fail. Try reducing MTU/MSS just for the wireguard interface group like so:
(https://gcdnb.pbrd.co/images/E2FzctSpuJlY.png)
OMG, this fixed it! Now I can reach my addresses even with before problematic peers. Thank you so much @thehellsite and @meyergru!
Root Domains
Now I got another question. Did I understand it right that the tutorial only works with subdomains, not with root domains? I think I would have to set up rules to achieve redirects from example.com to www.example.com, right?
Thank you for this nice guide, which I followed to replace my nginx reverse proxy. I left my
Nextcloud server untouched.
After following the guide, I've got a "too many redirects" error.
I've been looking around for a possible solution... but I don't understand what is wrong.
I'm using Cloudflare and this is its Apache configuration:
<VirtualHost *:80>
DocumentRoot "/usr/local/www/nextcloud"
ServerName nextcloud.mysite.com
<FilesMatch \.php$>
SetHandler "proxy:fcgi://127.0.0.1:9000/"
</FilesMatch>
DirectoryIndex /index.php index.php
</VirtualHost>
config.php:
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"10.0.0.48",
"nextcloud.mysite.com"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "25.0.4.1",
"overwrite.cli.url": "https:\/\/nextcloud.mysite.com",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"overwritehost": "nextcloud.mysite.com",
"overwriteprotocol": "https",
"overwritecondaddr": "^10\\.0\\.0\\.1$",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 0
},
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.locking": "\\OC\\Memcache\\Redis",
"maintenance": false,
"theme": "",
"loglevel": 2,
"updater.release.channel": "stable",
"default_phone_region": "IT",
"app_install_overwrite": [],
"ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
"twofactor_enforced": "true",
"twofactor_enforced_groups": [
"admin"
],
"twofactor_enforced_excluded_groups": [],
"data-fingerprint": "d1c023081e0c9b662bc8049cf295c443"
}
}
haproxy.conf:
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (listening on 0.0.0.0:80. 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_64188d5dce2390.01132494 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_64188d5dce2390.01132494
# Frontend: 1_HTTPS_frontend (Lisening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64189270e357f4.63771565.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64188dd26c8986.37023969.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: Nextcloud_backend ()
backend Nextcloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Nextcloud_server 10.0.0.48:80 ssl verify none
I need some help with ciphers and understanding the part in HTTPS_frontend and what I can change.
I'm trying to set up a webhook to integrate SmartThings with my Home Assistant, and get an error when trying to validate it.
According to the troubleshooting guide at https://www.home-assistant.io/integrations/smartthings/#troubleshooting there are some problems doing this with a reverse proxy, and it suggests that the cipher suite is too restricted:
Some reverse proxy configuration settings can interfere with communication from SmartThings. For example, TLSv1.3 is not supported. Setting the supported cipher suite too restrictly will prevent handshaking. The following NGINX SSL configuration is known to work:
# cert.crt also contains intermediate certificates
ssl_certificate /path/to/cert.crt;
ssl_certificate_key /path/to/cert.key;
ssl_dhparam /path/to/dhparam.pem;
ssl_protocols TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
Could someone help me with the current string and how I can edit it with the suggestion from the troubleshooting guide above? Is it enough to add EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH to the current one, or do I need to edit something out as well?
Current:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384
Thanks in advance,
My provided ciphers are fine! Also TLS_v1.2 is available with my config. If TLS_v1.3 is not available on the client side it will (try) to use TLS_v1.2 instead.
Don't weaken the ciphers there is likely another configuration problem on your side.
If there are no errors in the haproxy log upon connection of the SmartThings client then there is nothing wrong with the haproxy cipher settings.
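The question is whether appending the nginx cipher string from the Home Assistant docs to the HAProxy one is needed, and the reply says the existing list already overlaps. That overlap can be checked rather than guessed. The Python below is an added example, not from the thread: it hands both strings to the OpenSSL that Python is linked against, expands them to suite names and reports what the two sides have in common and what "just adding" the nginx string would newly switch on. The two strings are copied verbatim from the posts above; the exact expansion depends on the local OpenSSL build and its security level.

```python
import ssl

# Added example, not from the thread: expand two OpenSSL cipher strings with the
# OpenSSL that Python is linked against and compare them. The strings are the
# HAProxy "ciphers" value and the nginx "ssl_ciphers" value quoted in the posts above.

HAPROXY_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES256-GCM-SHA384"
)
SMARTTHINGS_NGINX_CIPHERS = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"


def expand(cipher_string: str) -> list:
    """Pre-TLS-1.3 suites an OpenSSL cipher string selects, as dicts, in preference order.

    TLS 1.3 suites are governed by a separate setting (HAProxy "ciphersuites") and
    always show up in get_ciphers(), so they are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches at all
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def names(cipher_string: str) -> list:
    """Suite names only, in preference order."""
    return [c["name"] for c in expand(cipher_string)]


def common_suites(server_string: str, client_string: str) -> list:
    """Suites both sides accept, ordered by the server's preference."""
    client = set(names(client_string))
    return [n for n in names(server_string) if n in client]


def newly_enabled(server_string: str, extra_string: str) -> list:
    """Suites that appending extra_string to the server list would switch on."""
    current = set(names(server_string))
    return [n for n in names(extra_string) if n not in current]


def non_aead(cipher_string: str) -> list:
    """Non-AEAD (CBC + HMAC) suites in a list; the ones not worth re-enabling."""
    return [c["name"] for c in expand(cipher_string) if not c["aead"]]


if __name__ == "__main__":
    print("common:", common_suites(HAPROXY_CIPHERS, SMARTTHINGS_NGINX_CIPHERS))
    print("would be added:", newly_enabled(HAPROXY_CIPHERS, SMARTTHINGS_NGINX_CIPHERS))
    print("non-AEAD in nginx list:", non_aead(SMARTTHINGS_NGINX_CIPHERS))
```

On a default OpenSSL build the common list holds the ECDHE AES-256-GCM suites (plus DHE-RSA-AES256-GCM-SHA384), so a TLS 1.2 client that honours the nginx list has something to agree on with the HAProxy bind line as posted. The "would be added" list is what appending the nginx string really does: it brings in AES-128-GCM and, because `AES256+EECDH` and `AES256+EDH` match every AES-256 mode, the CBC/SHA-1 suites too, which is the weakening the reply warns against. The check covers suites only; the bind line's version and curve restrictions (`no-tlsv10 no-tlsv11`, `curves secp384r1`) need their own comparison against the client.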
52.213.77.15:56225 [24/Mar/2023:07:34:18.143] 1_HTTPS_frontend/127.0.0.1:443: SSL handshake failure
2023-03-24T16:58:08 Informational haproxy 10.0.1.100:65204 [24/Mar/2023:16:58:08.850] 0_SNI_frontend SSL_backend/SSL_server 1/0/11 506 -- 1/1/4/0/0 0/0
2023-03-24T16:58:08 Informational haproxy 10.0.1.100:65204 [24/Mar/2023:16:58:08.856] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/5/0/0 0/0 "GET / HTTP/1.1"
2023-03-24T16:59:29 Informational haproxy 10.0.1.100:65272 [24/Mar/2023:16:59:29.608] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/10/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"
2023-03-24T16:59:29 Informational haproxy 10.0.1.100:65272 [24/Mar/2023:16:59:29.604] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/9/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"
2023-03-24T16:59:29 Informational haproxy 10.0.1.100:65272 [24/Mar/2023:16:59:29.602] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/8/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
cache opnsense-haproxy-cache
total-max-size 4
max-age 60
process-vary off
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
option tcplog
# Frontend: 1_HTTP_frontend (Listening on 10.0.1.15:80)
frontend 1_HTTP_frontend
bind 10.0.1.15:80 name 10.0.1.15:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_6418a05ee27409.36162049 ssl_fc
# ACTION: HTTP_to_HTTPS_rule
http-request redirect scheme https code 301 if !acl_6418a05ee27409.36162049
# Frontend: 1_HTTPS_frontend (Listening on 10.0.1.15:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 10.0.1.15:443 name 10.0.1.15:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets strict-sni ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6418a3dac5bd67.76211333.certlist
mode http
option http-keep-alive
option forwardfor
# logging options
option httplog
# ACL: LOCAL_SUBDOMAINS_SUBNET_conditions
acl acl_6418cb7541c572.65233357 src 10.0.1.0/24 10.0.3.0/24 10.0.4.0/24
# ACTION: LOCAL_SUBDOMAINS_rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6418cadaadbdd1.17042036.txt,SSL_backend)] if acl_6418cb7541c572.65233357
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6418a10a9104c5.33815067.txt,SSL_backend)]
# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server acme_challenge_host 127.0.0.1:43580
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 10.0.1.15 send-proxy-v2 check-send-proxy
# Backend: Dashboard_backend ()
backend Dashboard_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Dashboard_server 10.0.3.4:3000
# Backend: Radarr_backend ()
backend Radarr_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Radarr_server 10.0.3.6:7878
# Backend: Router_backend ()
backend Router_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Router_server 10.0.1.1:8443
# Backend: Nzbget_backend ()
backend Nzbget_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Nzbget_server 10.0.3.7:6789
# Backend: Nas_backend ()
backend Nas_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Nas_server 10.0.1.10:5000
# Backend: Jackett_backend ()
backend Jackett_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Jackett_server 10.0.3.8:9117
# Backend: Sonarr_backend ()
backend Sonarr_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Sonarr_server 10.0.3.5:8989
# Backend: Portainer_backend ()
backend Portainer_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Portainer_server 10.0.3.3:9000 send-proxy-v2 check-send-proxy
# Backend: Plex_backend ()
backend Plex_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Plex_server 10.0.1.10:32400
# Backend: Overseerr_backend ()
backend Overseerr_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Overseerr_server 10.0.3.10:5055
# Backend: Tautulli_backend ()
backend Tautulli_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Tautulli_server 10.0.3.9:8181
# Backend: Download_backend ()
backend Download_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Download_server 10.0.1.10:8000
# Backend: Nzb_backend ()
backend Nzb_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Nzb_server 10.0.3.11:8080
listen local_statistics
bind 127.0.0.1:8822
mode http
stats uri /haproxy?stats
stats realm HAProxy\ statistics
stats admin if TRUE
# remote statistics are DISABLED
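Reading HAProxy's own log lines is the quickest way to separate a TLS problem from a routing problem in this setup: the termination-state flags (IR--, CC--, ...) say what ended the session and in which phase, and "SSL_backend/&lt;NOSRV&gt;" says no server was ever selected. As an added example, not from the thread or the HAProxy project, the Python below parses the httplog, tcplog and "SSL handshake failure" line shapes that appear in this thread and decodes the first two flag characters using the meanings from section 8.5 of the HAProxy configuration manual. The sample lines are constructed copies of the ones posted above with client addresses moved to documentation ranges; the leading "&lt;timestamp&gt; &lt;severity&gt; haproxy " prefix is assumed to be what the OPNsense log view exports.

```python
import re
from collections import Counter

# Added example, not from the thread or the HAProxy project: parse the log line
# shapes posted above and decode the termination-state flags with the meanings
# from section 8.5 of the HAProxy configuration manual.

SESSION_STATE = {  # first flag: what ended the session
    "C": "client aborted the TCP session",
    "S": "server aborted or refused the TCP session",
    "P": "proxy aborted the session (security check, limit or invalid response)",
    "L": "handled locally by HAProxy (redirect, deny, stats...)",
    "R": "resource exhaustion on the proxy",
    "I": "internal error detected by the proxy",
    "D": "session killed because the server was detected as down",
    "U": "session killed when switching back from a backup server",
    "K": "session actively killed by an administrator",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
    "-": "normal session completion",
}
SESSION_PHASE = {  # second flag: what the proxy was doing at that moment
    "R": "waiting for a complete, valid REQUEST from the client",
    "Q": "waiting in the QUEUE for a server connection slot",
    "C": "waiting for the CONNECTION to the server to establish",
    "H": "waiting for the response HEADERS from the server",
    "D": "in the DATA transfer phase",
    "L": "sending the LAST data to the client after the server finished",
    "T": "request was tarpitted",
    "-": "normal completion after the end of the data transfer",
}
# Flags 3 and 4 (httplog only) describe persistence-cookie handling; "-" means not applicable.

# Assumed prefix of lines copied from the OPNsense log view: "<timestamp> <severity> haproxy ".
_SYSLOG_PREFIX = re.compile(r"^\S+ \S+ haproxy ")
_HEAD = r"(?P<client>\S+):(?P<client_port>\d+) \[(?P<accept_date>[^\]]+)\] (?P<frontend>\S+) "
_CONNS = r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\d+) (?P<srv_queue>\d+)/(?P<backend_queue>\d+)"
HTTPLOG = re.compile(  # "option httplog": TR/Tw/Tc/Tr/Ta status bytes cookies flags conns queues "request"
    _HEAD + r"(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+) "
    r"(?P<status>-?\d+) (?P<bytes>\d+) \S+ \S+ (?P<termination>\S{4}) " + _CONNS + r' (?:\{[^}]*\} )*"(?P<request>[^"]*)"$'
)
TCPLOG = re.compile(  # "option tcplog": Tw/Tc/Tt bytes flags conns queues
    _HEAD + r"(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tt>-?\d+) "
    r"(?P<bytes>\d+) (?P<termination>\S{2}) " + _CONNS + r"$"
)
SSL_ERROR = re.compile(  # "1_HTTPS_frontend/127.0.0.1:443: SSL handshake failure"
    r"(?P<client>\S+):(?P<client_port>\d+) \[(?P<accept_date>[^\]]+)\] (?P<frontend>[^/\s]+)/(?P<bind>\S+): (?P<message>.+)$"
)


def explain_termination(flags: str) -> str:
    """Readable meaning of the first two termination-state characters, e.g. 'IR--'."""
    state = SESSION_STATE.get(flags[0], "unknown state " + flags[0])
    phase = SESSION_PHASE.get(flags[1], "unknown phase " + flags[1])
    return f"{state}, while {phase}"


def parse_line(line: str):
    """Return a dict for an httplog, tcplog or SSL-error line, or None if unrecognised."""
    line = _SYSLOG_PREFIX.sub("", line.strip(), count=1)
    for kind, rx in (("http", HTTPLOG), ("tcp", TCPLOG), ("ssl_error", SSL_ERROR)):
        m = rx.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["kind"] = kind
        # HAProxy appends "~" to the frontend name when the client connection used TLS.
        rec["tls"] = rec["frontend"].endswith("~")
        rec["frontend"] = rec["frontend"].rstrip("~")
        if "termination" in rec:
            rec["explanation"] = explain_termination(rec["termination"])
        return rec
    return None


def summarize(lines) -> Counter:
    """Count repeated failure signatures: (frontend, backend or bind, status, flags or message)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "ssl_error":
            counts[(rec["frontend"], rec["bind"], "-", rec["message"])] += 1
        else:
            counts[(rec["frontend"], rec["backend"], rec.get("status", "-"), rec["termination"])] += 1
    return counts


# Constructed sample: the line shapes posted above, client addresses replaced with documentation ranges.
SAMPLE_LOG = """\
2023-03-24T16:58:08 Informational haproxy 10.0.1.100:65204 [24/Mar/2023:16:58:08.850] 0_SNI_frontend SSL_backend/SSL_server 1/0/11 506 -- 1/1/4/0/0 0/0
2023-03-24T16:58:08 Informational haproxy 10.0.1.100:65204 [24/Mar/2023:16:58:08.856] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/5/0/0 0/0 "GET / HTTP/1.1"
2023-03-24T16:59:29 Informational haproxy 10.0.1.100:65272 [24/Mar/2023:16:59:29.608] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/10/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"
203.0.113.15:56225 [24/Mar/2023:07:34:18.143] 1_HTTPS_frontend/127.0.0.1:443: SSL handshake failure
2023-03-28T07:32:59 Error haproxy 203.0.113.15:9644 [28/Mar/2023:07:31:49.814] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69396 -1 0 - - CC-- 2/1/0/0/2 0/0 "GET https://jellyfin.example.org/Users/0d64/Items/Resume?Limit=12 HTTP/2.0"
"""
```

Applied to the posted lines this reads IR-- with status 500 and SSL_backend/&lt;NOSRV&gt; as an internal error raised while HAProxy was still waiting for the request, with no server ever chosen, so the first thing to compare is the map file contents against the backend named as the default in the use_backend rule. The Jellyfin lines decode CC-- as the client closing while HAProxy was still waiting for the server connection (Tc is -1 and Ta is about 69 seconds), which points at the path from the firewall to 10.0.0.2:8096 rather than at TLS. A bare "SSL handshake failure" line carries no flags at all; only the client address and the bind are known, which is why MTU or client-side cipher problems look identical in this log.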
#
Thank you for this nice guide, which I followed to replace my nginx reverse proxy. I left my
Nextcloud server untouched.
After following the guide, I've got a "too many redirects" error.
I've been looking around for a possible solution... but I don't understand what is wrong.
I'm using Cloudflare and this is its Apache configuration:
<VirtualHost *:80>
DocumentRoot "/usr/local/www/nextcloud"
ServerName nextcloud.mysite.com
<FilesMatch \.php$>
SetHandler "proxy:fcgi://127.0.0.1:9000/"
</FilesMatch>
DirectoryIndex /index.php index.php
</VirtualHost>
config.php:
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"10.0.0.48",
"nextcloud.mysite.com"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "25.0.4.1",
"overwrite.cli.url": "https:\/\/nextcloud.mysite.com",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"overwritehost": "nextcloud.mysite.com",
"overwriteprotocol": "https",
"overwritecondaddr": "^10\\.0\\.0\\.1$",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 0
},
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.locking": "\\OC\\Memcache\\Redis",
"maintenance": false,
"theme": "",
"loglevel": 2,
"updater.release.channel": "stable",
"default_phone_region": "IT",
"app_install_overwrite": [],
"ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
"twofactor_enforced": "true",
"twofactor_enforced_groups": [
"admin"
],
"twofactor_enforced_excluded_groups": [],
"data-fingerprint": "d1c023081e0c9b662bc8049cf295c443"
}
}
haproxy.conf:
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (listening on 0.0.0.0:80. 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_64188d5dce2390.01132494 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_64188d5dce2390.01132494
# Frontend: 1_HTTPS_frontend (Lisening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64189270e357f4.63771565.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64188dd26c8986.37023969.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: Nextcloud_backend ()
backend Nextcloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Nextcloud_server 10.0.0.48:80 ssl verify none
Your Nextcloud server is misconfigured in HAProxy; I highly doubt your Nextcloud needs SSL ticked. But this might not be the only issue, and I won't give support for services I am not using.
I have followed the guide, and I think to the letter. Everything works on absolutely all services I added, except Portainer. I see on other forums that Portainer is a bit choosy when it comes to proxies, but there is no real solution out there to fix it.
The target of this is to proxy portainer.domain.tld to ip-of-portainer:9000 (Portainer docs say to route the proxy to 9000, the non-SSL port, not 9443, the SSL port), but I have tried both. Same result.
The error is: ERR_HTTP2_SERVER_REFUSED_STREAM. I was thinking it could be the HTTP2 option in 1_HTTPS_frontend, so I tried unchecking it. It then gives the error: ERR_EMPTY_RESPONSE
This is the corresponding log in debug mode:
With HTTP2 unchecked:
2023-03-24T16:58:08 Informational haproxy 10.0.1.100:65204 [24/Mar/2023:16:58:08.850] 0_SNI_frontend SSL_backend/SSL_server 1/0/11 506 -- 1/1/4/0/0 0/0
2023-03-24T16:58:08 Informational haproxy 10.0.1.100:65204 [24/Mar/2023:16:58:08.856] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/5/0/0 0/0 "GET / HTTP/1.1"
With HTTP2 checked:
2023-03-24T16:59:29 Informational haproxy 10.0.1.100:65272 [24/Mar/2023:16:59:29.608] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/10/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"
2023-03-24T16:59:29 Informational haproxy 10.0.1.100:65272 [24/Mar/2023:16:59:29.604] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/9/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"
2023-03-24T16:59:29 Informational haproxy 10.0.1.100:65272 [24/Mar/2023:16:59:29.602] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/8/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"
Here is the full config export:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
cache opnsense-haproxy-cache
total-max-size 4
max-age 60
process-vary off
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
option tcplog
# Frontend: 1_HTTP_frontend (Listening on 10.0.1.15:80)
frontend 1_HTTP_frontend
bind 10.0.1.15:80 name 10.0.1.15:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_6418a05ee27409.36162049 ssl_fc
# ACTION: HTTP_to_HTTPS_rule
http-request redirect scheme https code 301 if !acl_6418a05ee27409.36162049
# Frontend: 1_HTTPS_frontend (Listening on 10.0.1.15:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 10.0.1.15:443 name 10.0.1.15:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets strict-sni ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6418a3dac5bd67.76211333.certlist
mode http
option http-keep-alive
option forwardfor
# logging options
option httplog
# ACL: LOCAL_SUBDOMAINS_SUBNET_conditions
acl acl_6418cb7541c572.65233357 src 10.0.1.0/24 10.0.3.0/24 10.0.4.0/24
# ACTION: LOCAL_SUBDOMAINS_rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6418cadaadbdd1.17042036.txt,SSL_backend)] if acl_6418cb7541c572.65233357
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6418a10a9104c5.33815067.txt,SSL_backend)]
# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server acme_challenge_host 127.0.0.1:43580
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 10.0.1.15 send-proxy-v2 check-send-proxy
# Backend: Dashboard_backend ()
backend Dashboard_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Dashboard_server 10.0.3.4:3000
# Backend: Radarr_backend ()
backend Radarr_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Radarr_server 10.0.3.6:7878
# Backend: Router_backend ()
backend Router_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Router_server 10.0.1.1:8443
# Backend: Nzbget_backend ()
backend Nzbget_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Nzbget_server 10.0.3.7:6789
# Backend: Nas_backend ()
backend Nas_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Nas_server 10.0.1.10:5000
# Backend: Jackett_backend ()
backend Jackett_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Jackett_server 10.0.3.8:9117
# Backend: Sonarr_backend ()
backend Sonarr_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Sonarr_server 10.0.3.5:8989
# Backend: Portainer_backend ()
backend Portainer_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Portainer_server 10.0.3.3:9000 send-proxy-v2 check-send-proxy
# Backend: Plex_backend ()
backend Plex_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Plex_server 10.0.1.10:32400
# Backend: Overseerr_backend ()
backend Overseerr_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Overseerr_server 10.0.3.10:5055
# Backend: Tautulli_backend ()
backend Tautulli_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Tautulli_server 10.0.3.9:8181
# Backend: Download_backend ()
backend Download_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Download_server 10.0.1.10:8000
# Backend: Nzb_backend ()
backend Nzb_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Nzb_server 10.0.3.11:8080
listen local_statistics
bind 127.0.0.1:8822
mode http
stats uri /haproxy?stats
stats realm HAProxy\ statistics
stats admin if TRUE
# remote statistics are DISABLED
Hello,
thanks for this great guide. I am trying to get a connection to a Jellyfin server working, and at first glance the proxy works, but for whatever reason it loads extremely slowly or does not load at all (probably due to a timeout). In the firewall logs I can see that the ports are not being blocked and Jellyfin is being accessed on the correct port, coming from the interface gateway. Is this correct behaviour, or should it come from the proxy server IP?
Here is my full HAProxy config. I have checked it multiple times and I think it is set up correctly. The only difference is that I haven't checked the SSL mark for the real server Jellyfin, since I have not set up a certificate on it yet, but maybe I have just overlooked something.
The server is on its own VLAN; maybe this causes issues too.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend SSL_Backend
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
bind 127.1.0.1:80 name 127.1.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
maxconn 10
# logging options
# ACL: NoSSL_condition
acl acl_641d7e3e6bda64.61444458 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_641d7e3e6bda64.61444458
# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
bind 127.1.0.1:443 name 127.1.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/641d813861abd5.14037775.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
option log-separate-errors
option httplog
option socket-stats
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/641d81c0801b87.43530099.txt)]
# Backend: SSL_Backend ()
backend SSL_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_Server 127.1.0.1 send-proxy-v2 check-send-proxy
# Backend: Jellyfin_Backend ()
backend Jellyfin_Backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Jellyfin_Server 10.0.0.2:8096
# statistics are DISABLED
In the logs I see some errors when trying to access Jellyfin:
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.814] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69396 -1 0 - - CC-- 2/1/0/0/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Resume?Limit=12&Recursive=true&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&EnableTotalRecordCount=false&MediaTypes=Book HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69386 -1 0 - - CC-- 2/1/1/1/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=2c29078a81f6a6f262bb18c85a177434 HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69386 -1 0 - - CC-- 2/1/2/2/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=7a2175bccb1f1a94152cbd2b2bae8f6d HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69386 -1 0 - - CC-- 2/1/3/3/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=c5b5a7b14778a8f0c4eb996823229f65 HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69380 -1 0 - - CC-- 2/1/4/4/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=0c41907140d802bb58430fed7e2cd79e HTTP/2.0"
2023-03-28T07:32:35 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:32:05.583] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/4/30007 200 245 - - ---- 2/1/5/5/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/System/Endpoint HTTP/2.0"
2023-03-28T07:32:29 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:29.401] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/5/60069 101 392 - - sD-- 2/1/6/6/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/socket?api_key=67299c39e6ab4eb084116da10f7866b9&deviceId=TW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDEyOyBYUS1BUzUyKSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTEwLjAuNTQ4MS4xOTIgTW9iaWxlIFNhZmFyaS81MzcuMzYgT1BSLzc0LjEuMzkyMi43MTE5OXwxNjc5ODA2ODI4MzI2 HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30000/8/30008 200 1154 - - ---- 2/1/7/7/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=3a6e3078ba2b0ad4408f206c9abe65a4 HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.811] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30011/9/30020 200 256 - - ---- 2/1/8/8/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Resume?Limit=12&Recursive=true&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&EnableTotalRecordCount=false&MediaTypes=Audio HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.528] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/2/30005 200 1095 - - ---- 2/1/9/9/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.493] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30011/2/30013 200 1095 - - ---- 2/1/10/10/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:31:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:29.401] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/4/30007 200 1097 - - ---- 2/1/10/10/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/0/4/8566 101 392 - - CD-- 2/1/0/0/0 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/socket?api_key=67299c39e6ab4eb084116da10f7866b9&deviceId=TW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDEyOyBYUS1BUzUyKSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTEwLjAuNTQ4MS4xOTIgTW9iaWxlIFNhZmFyaS81MzcuMzYgT1BSLzc0LjEuMzkyMi43MTE5OXwxNjc5ODA2ODI4MzI2 HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8566 -1 0 - - CC-- 2/1/1/1/0 0/0 "POST https://jellyfin.MYDOMAIN.dedyn.io/Sessions/Capabilities/Full HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8566 -1 0 - - CC-- 2/1/2/2/0 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8558 -1 0 - - CC-- 2/1/3/3/0 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/DisplayPreferences/usersettings?userId=0d64d22975ba4cd6a57253d0e138c432&client=emby HTTP/2.0"
2023-03-28T07:30:35 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:05.079] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30011/3/30014 302 121 - - ---- 2/1/0/0/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/ HTTP/2.0"
2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:31.309] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/60030 -1 0 - - CC-- 1/1/0/0/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=7a2175bccb1f1a94152cbd2b2bae8f6d HTTP/2.0"
2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:30.979] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/60361 -1 0 - - CC-- 1/1/1/1/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:31.309] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/60021/-1/60030 -1 1220 - - CD-- 1/1/2/2/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=2c29078a81f6a6f262bb18c85a177434 HTTP/2.0"
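The log lines quoted in the Jellyfin post above and in the Portainer post earlier are HAProxy httplog records, and the timer fields and four-letter termination state say what went wrong before any config is touched. The decoder below is an added example, not part of the thread or of the OPNsense HAProxy plugin; its sample lines are constructed after the ones quoted (IP and domain already masked there) and the 30 s threshold assumes the `timeout connect 30s` from the posted config.

```python
"""Decode HAProxy 'option httplog' lines as OPNsense writes them and flag
connection-establishment trouble (added example; only httplog lines are
handled, tcplog lines such as those from 0_SNI_frontend come back unparsed)."""
import re
from collections import Counter

# Field order is HAProxy's default httplog format:
#   %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc
#   %ac/%fc/%bc/%sc/%rc %sq/%bq %{+Q}r
# preceded by the OPNsense syslog prefix "<timestamp> <severity> haproxy".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<severity>\S+)\s+haproxy\s+"
    r"(?P<client>\S+?):(?P<cport>\d+)\s+\[(?P<accept>[^\]]+)\]\s+"
    r"(?P<frontend>\S+)\s+(?P<backend>[^/\s]+)/(?P<server>\S+)\s+"
    r"(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+)\s+"
    r"(?P<status>-?\d+)\s+(?P<bytes>\d+)\s+\S+\s+\S+\s+"  # %B, then %CC %CS
    r"(?P<term>\S{4})\s+"
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\d+)\s+"
    r"(?P<srvq>\d+)/(?P<beq>\d+)\s+"
    r'"(?P<request>[^"]*)"$'
)

# %tsc decoding, from the HAProxy manual ("Session state at disconnection").
TERM_CAUSE = {  # first char: who or what ended the session
    "-": "normal", "C": "client aborted", "S": "server aborted or refused",
    "P": "proxy aborted", "L": "local proxy error", "R": "resource exhausted",
    "I": "internal error", "D": "server marked DOWN", "U": "server marked UP",
    "K": "killed by admin", "c": "client-side timeout", "s": "server-side timeout",
}
TERM_PHASE = {  # second char: phase the session was in when it ended
    "-": "normal", "R": "waiting for request", "Q": "queued",
    "C": "connecting to server", "H": "waiting for response headers",
    "D": "transferring data", "L": "sending last data", "T": "tarpit",
}


def parse_line(line):
    """Return the named fields (timers and counters as int), or None if the
    line is not an httplog record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("TR", "Tw", "Tc", "Tr", "Ta", "status", "bytes", "retries"):
        rec[key] = int(rec[key])
    rec["cause"] = TERM_CAUSE.get(rec["term"][0], "unknown")
    rec["phase"] = TERM_PHASE.get(rec["term"][1], "unknown")
    return rec


def classify(rec, timeout_connect_ms=30000):
    """Label one record; the first three labels are what the quoted lines show."""
    who, phase = rec["term"][0], rec["term"][1]
    if who == "-" and rec["Tc"] >= timeout_connect_ms:
        # Served, but only after a connect attempt hit 'timeout connect' and was
        # retried (%rc > 0): the first SYN towards the server went unanswered.
        return "slow: connect retried after timeout"
    if who == "C" and phase == "C":
        # Client gave up while HAProxy was still trying to reach the server.
        return "failed: client aborted during server connect"
    if who == "s":
        return "failed: server-side timeout"
    if who == "-":
        return "ok"
    if who == "C":
        return "closed by client while " + rec["phase"]
    # e.g. "IR--" with <NOSRV>: no server was ever selected for the request.
    return "failed: " + rec["cause"] + " while " + rec["phase"]


def summarize(lines, timeout_connect_ms=30000):
    """Count lines per label so a batch of log lines can be read at a glance."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        counts["unparsed" if rec is None else classify(rec, timeout_connect_ms)] += 1
    return counts


# Constructed sample lines, modelled on the ones quoted in the thread.
SAMPLE_LINES = [
    '2023-03-28T07:32:35 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:32:05.583] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/4/30007 200 245 - - ---- 2/1/5/5/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/System/Endpoint HTTP/2.0"',
    '2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8566 -1 0 - - CC-- 2/1/1/1/0 0/0 "POST https://jellyfin.MYDOMAIN.dedyn.io/Sessions/Capabilities/Full HTTP/2.0"',
    '2023-03-28T07:32:29 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:29.401] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/5/60069 101 392 - - sD-- 2/1/6/6/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/socket HTTP/2.0"',
    '2023-03-24T16:59:29 Informational haproxy 10.0.1.100:65272 [24/Mar/2023:16:59:29.608] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/10/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"',
    '2023-03-28T07:33:10 Informational haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:33:10.101] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/1/12/13 200 1095 - - ---- 2/1/0/0/0 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/ HTTP/2.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(f'{rec["term"]} Tc={rec["Tc"]:>6} retries={rec["retries"]} '
              f'status={rec["status"]:>4} {rec["backend"]}/{rec["server"]}: '
              f'{classify(rec)}')
    print(dict(summarize(SAMPLE_LINES)))
```

A Tc of 30003 with `retries` of 1 on a 200 response means the first connection attempt to 10.0.0.2:8096 ran for the full `timeout connect` before the retry succeeded, which is the "loads extremely slow" symptom in the post; the `CC--` lines with Tc of -1 are the same condition after the client stopped waiting.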
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on port 80, 443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
# Frontend: 1_HTTPS_frontend (Listening on localhost:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64401520bca808.51986799.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/644012fb3e50a8.19725727.txt)]
# Frontend: 1_HTTP_frontend (Listening on localhost:80)
frontend 1_HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL
acl acl_64401278359449.48644659 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_64401278359449.48644659
# Backend: PLEX_backend (For Plex Remote Play)
backend PLEX_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server PLEX_server 192.168.0.197:32400 ssl verify none
# Backend: VTT_backend (Foundry VTT)
backend VTT_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Foundry_VTT 192.168.0.197:30000 ssl verify none
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_Server 127.0.0.1 send-proxy-v2 check-send-proxy
# statistics are DISABLED
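The log lines at the top of this post are dense, so here is an added Python helper (not part of the tutorial, of OPNsense or of HAProxy) that parses exactly that log layout, decodes the termination-state flags such as CC-- and CD--, and reads the timer and retry counters. The sample lines are copied from the post above; the field names, the diagnose() heuristic and its 30 s threshold (mirroring `timeout connect 30s` in the exported config) are my own choices.

```python
"""Decode HAProxy HTTP log lines as shown by the OPNsense HAProxy log viewer:
timers, termination state and retry counters."""
import re
from collections import Counter

# Log lines copied from the post above (client IP and domain already redacted
# by the poster); the parser itself is an added tool, not part of the tutorial.
SAMPLE_LINES = [
    '2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] '
    '1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8558 -1 0 - - CC-- 2/1/3/3/0 0/0 '
    '"GET https://jellyfin.MYDOMAIN.dedyn.io/DisplayPreferences/usersettings?userId=0d64d22975ba4cd6a57253d0e138c432&client=emby HTTP/2.0"',
    '2023-03-28T07:30:35 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:05.079] '
    '1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30011/3/30014 302 121 - - ---- 2/1/0/0/1 0/0 '
    '"GET https://jellyfin.MYDOMAIN.dedyn.io/ HTTP/2.0"',
    '2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:30.979] '
    '1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/60361 -1 0 - - CC-- 1/1/1/1/2 0/0 '
    '"GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"',
    '2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:31.309] '
    '1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/60021/-1/60030 -1 1220 - - CD-- 1/1/2/2/2 0/0 '
    '"GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=2c29078a81f6a6f262bb18c85a177434 HTTP/2.0"',
]

# <viewer timestamp> <level> haproxy <client> [<accept date>] <frontend> <backend>/<server>
# <TR>/<Tw>/<Tc>/<Tr>/<Ta> <status> <bytes> <req cookie> <resp cookie> <term state>
# <actconn>/<feconn>/<beconn>/<srv_conn>/<retries> <srv_queue>/<backend_queue> "<request>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<level>\S+) haproxy (?P<client>\S+) \[(?P<accept>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<term>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\d+) '
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) "(?P<request>[^"]*)"$'
)
INT_FIELDS = ("TR", "Tw", "Tc", "Tr", "Ta", "status", "bytes", "actconn", "feconn",
              "beconn", "srv_conn", "retries", "srv_queue", "backend_queue")

# First character of the termination state: who ended the session and why.
TERM_FIRST = {
    "-": "normal", "C": "client-side abort", "S": "server-side abort or error",
    "P": "proxy-side abort (policy or error)", "R": "resource exhaustion on the proxy",
    "I": "internal error", "D": "killed because the server went DOWN",
    "U": "killed because a server came UP", "K": "killed by the admin",
    "c": "client-side timeout", "s": "server-side timeout", "L": "handled locally by HAProxy",
}
# Second character: in which phase of the session that happened.
TERM_SECOND = {
    "-": "normal", "R": "waiting for the client request", "Q": "queued in the server queue",
    "C": "waiting for connection to server", "H": "waiting for response headers",
    "D": "during data transfer", "L": "while sending the last data", "T": "tarpitted",
    "I": "internal error",
}


def parse_line(line):
    """Return a dict of the log fields (numbers as ints), or None if the line does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in INT_FIELDS:
        entry[key] = int(entry[key])
    entry["tls"] = entry["frontend"].endswith("~")      # '~' marks a TLS-terminating frontend
    entry["term_reason"] = TERM_FIRST.get(entry["term"][0], "unknown")
    entry["term_phase"] = TERM_SECOND.get(entry["term"][1], "unknown")
    return entry


def diagnose(entry, timeout_connect_ms=30000):
    """Heuristic one-line verdict from timers and flags (an added aid, not an HAProxy feature)."""
    notes = []
    first, second = entry["term"][0], entry["term"][1]
    if first == "C" and second == "C":
        notes.append("client aborted while HAProxy was still connecting to the server")
    elif first == "C" and second == "D":
        notes.append("client aborted during data transfer")
    if entry["Tc"] == -1:
        notes.append("no server connection was ever established")
    if entry["retries"] > 0:
        notes.append(f"{entry['retries']} connect retry(ies); Tc includes the failed attempt(s)")
    if entry["Tc"] >= timeout_connect_ms:
        notes.append("at least one connect attempt hit 'timeout connect'")
    return "; ".join(notes) if notes else "normal session"


def summarize(lines):
    """Count termination states over many lines: a quick way to see whether
    a problem is client aborts, server timeouts or something else."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry:
            counts[entry["term"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        e = parse_line(raw)
        print(f"{e['term']} Tc={e['Tc']:>6} retries={e['retries']} -> {diagnose(e)}")
    print(summarize(SAMPLE_LINES))
```

Reading the four lines this way: two are CC-- with Tc=-1 (the client gave up before a backend connection existed), one succeeded only after a retry whose first attempt consumed the full 30 s connect timeout, and one is CD-- after two retries. A cluster of such entries for one client points at the path between HAProxy and the server (the MTU/MSS issue discussed in the replies) rather than at the backend application itself.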
OMG, this fixed it! Now I can reach my addresses even with before problematic peers. Thank you so much @thehellsite and @meyergru!
Root Domains
Now I got another question. Did I understand it right, that the tutorial is only working with subdomains, not with root domains? I think, I would have to setup rules to achieve redirects from example.com to www.example.com right?
You are welcome. Like I (we) said, most of the time when there are intermittent issues with VPN tunnels it is because of MTU/MSS being too high, resulting in packet fragmentation.
You can also make it work for root domains. Either set the backend you want to be served on the root domain as default backend in the HTTPS_frontend or change your mapfile and write the full FQDN before the backend (so not just the subdomain). The first method works for sure, the latter I am not entirely sure. But you can also create a redirect condition and rule set and place it before the map file rule.
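To make the map-file behaviour concrete (the reply above is unsure about the full-FQDN variant), here is an added Python model of the map_dom() lookup behind the `use_backend %[req.hdr(host),lower,map_dom(...)]` rule; it is my own illustration, not HAProxy's code. It assumes that HAProxy's `dom` match treats `.`, `:`, `/` and `?` as delimiters and that map entries are scanned in file order, first match wins; the map file and backend names are constructed for the example.

```python
"""Model of the HAProxy map_dom() lookup used by the tutorial's
use_backend %[req.hdr(host),lower,map_dom(<mapfile>)] rule."""

# Constructed map file (not the tutorial's own). Format: "<key> <backend>".
MAPFILE = """
# subdomain keys, as in the tutorial
plex PLEX_backend
vtt VTT_backend
# full-FQDN keys: the more specific entry must come first (see the note below)
www.example.com WWW_backend
example.com ROOT_backend
"""

# Assumption: characters HAProxy's 'dom' match accepts around a pattern.
DOM_DELIMITERS = ".:/?"


def dom_match(sample, pattern):
    """'dom' matching: the pattern must occur in the sample as a whole run,
    bounded by a delimiter or the string boundary on both sides (case-insensitive)."""
    s, p = sample.lower(), pattern.lower()
    if not p:
        return False
    start = 0
    while (i := s.find(p, start)) >= 0:
        j = i + len(p)
        before_ok = i == 0 or s[i - 1] in DOM_DELIMITERS
        after_ok = j == len(s) or s[j] in DOM_DELIMITERS
        if before_ok and after_ok:
            return True
        start = i + 1
    return False


def parse_mapfile(text):
    """Map file lines are '<key> <value>'; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        entries.append((key, value.strip()))
    return entries


def map_dom(sample, entries):
    """First entry (file order) whose key dom-matches the sample wins; None = no match."""
    for key, backend in entries:
        if dom_match(sample, key):
            return backend
    return None


def choose_backend(host_header, entries):
    """Model of the whole rule: lowercase the Host header, then look it up.
    With no match the use_backend rule does nothing, so no backend is chosen."""
    return map_dom(host_header.lower(), entries)


ENTRIES = parse_mapfile(MAPFILE)
```

Two consequences worth knowing before adding a root-domain entry: any subdomain of `example.com` that has no entry of its own now silently lands on ROOT_backend instead of being dropped (a typo in a hostname no longer fails closed), and a full-FQDN entry must be listed above the root-domain entry, otherwise the root entry matches `www.example.com` first.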
Very detailed guide, but I've gone sideways somewhere.
I have two different wildcard certs, and that may be the cause of issues, but here's how I'm set up:
Attempting to browse to vtt.domain.tld just times out. The odd thing is I'm not getting anything in the haproxy logs.
However, now I need another server to have open access to port 80,443 just like the swag server. However, this seems easier said than done. So I am trying HAproxy to accomplish this.
[...]
I hope I am not overcomplicating my setup here. If I could simply forward the ports to multiple places without HAproxy, I would do that instead. This is a lot of configuring for what I am trying to do. But if this is the proper way, I will go through with it. Thanks.
I hope I am not overcomplicating my setup here.
[...]
But if this is the proper way, I will go through with it.
The guide below lists only those options that need to be changed, all other options need to be left untouched in their default state.
1. Create the real servers
1.1 TCP_SERVICE1_server: IP, Port, SSL unticked
1.2 TCP_SERVICE2_server: IP, Port, SSL unticked
2. Create the backends
2.1 TCP_SERVICE1_backend
Mode: TCP
Servers: TCP_SERVICE1_server
2.2 TCP_SERVICE2_backend
Mode: TCP
Servers: TCP_SERVICE2_server
3. Create the conditions
3.1 TCP_SSL_condition
Condition type: SSL Hello Type
SSL Hello Type: 1 - client hello
3.2 TCP_SERVICE1_condition
Condition type: SNI TLS extension matches (TCP request content inspection)
SNI Matches: service1.domain.tld
3.3 TCP_SERVICE2_condition
Condition type: SNI TLS extension matches (TCP request content inspection)
SNI Matches: service2.domain.tld
4. Create the rules
4.1 TCP_RequestInspectDelay_rule
Select conditions: Nothing selected
Execute function: tcp-request inspect delay
TCP inspection delay: 5s
4.2 TCP_RequestContentAccept_rule
Select conditions: TCP_SSL_condition
Logical operator for conditions: none
Execute function: tcp-request content accept
4.3 TCP_SERVICE1_rule
Select conditions: TCP_SERVICE1_condition
Logical operator for conditions: none
Execute function: Use specified Backend Pool
Use backend pool: TCP_SERVICE1_backend
4.4 TCP_SERVICE2_rule
Select conditions: TCP_SERVICE2_condition
Logical operator for conditions: none
Execute function: Use specified Backend Pool
Use backend pool: TCP_SERVICE2_backend
5. Edit the SNI_frontend
Note: This step assumes that you are not following my whole tutorial.
However you have to at least finish the following steps of my tutorial:
- Part 4: everything
- Part 5: step 1-3 and step 10 (only create the SNI_frontend but without a Default Backend Pool)
The exact order of the rules below is very important here!
The "TCP_RequestInspectDelay_rule" always has to be the first rule.
The "TCP_RequestContentAccept_rule" always has to be the second rule.
5.1 Add the rules to the SNI_frontend in the following order:
Select Rules: 1. TCP_RequestInspectDelay_rule
2. TCP_RequestContentAccept_rule
3. TCP_SERVICE1_rule
4. TCP_SERVICE2_rule
Oh man, thank you for this. Thanks for confirming I am on the right track, that is comforting loll.
My reason for doing this is mainly because I tinker around with a lot of selfhosted type services. And I spend way too much time getting all the network particulars to work. And it's always for the same reason, for one reason or another, I just need a server that has free and open access to port 80 and 443. Every time. Now, I usually work around it. But now I just want to be able to do it once and for all. It's been bugging me for like 10 years, my inability to accomplish this.
So that's why lol.
Ok, I will post more later after I study your tips. One thing I noticed, I did much of this already but I notice you created more rules than I would have ever thought of, like those "nothing selected" rules. Anyway, I think the rest made sense but I'll be back.
If you want to set and forget it, then go with one reverse proxy handling port 80+443.
My choice would be HAProxy (or NGINX) on OPNsense directly.
Quick Update, I am following everything and it makes sense. Except for this part where you say I only have to do steps 1-3 and 10 of part 5. In the picture of the global preferences, you show using a rule to redirect HTTP to HTTPS. That was created in earlier steps. I'm guessing I need to create that rule, is that correct?
Another thing, I am actually trying to do your other steps because I like your idea of the A+ rating. It seems everything goes well, but when I check the ACME log it is empty. But if I go next to it for the system log, it says the cert was issued/renewed successfully and all the other things were successful.
Does it necessarily have to show up in the ACME log? I double checked my configuration and see no differences from yours.
- Part 5: step 1-3 and step 10 (only create the SNI_frontend but without a Default Backend Pool)
only create the SNI_frontend
Another thing, I am actually trying to do your other steps because I like your idea of the A+ rating. It seems everything goes well, but when I check the ACME log it is empty. But if I go next to it for the system log, it says the cert was issued/renewed successfully and all the other things were successful.
Does it necessarily have to show up in the ACME log? I double checked my configuration and see no differences from yours.
If you want the A+ rating you will have to use HAProxy for SSL offloading. But you told me twice now that you don't want to do this but rather keep using your other proxies.
No! You are absolutely right, I meant what I said initially. I just got sidetracked. Forget all that, I am still trying to do it the original way with the instructions you posted yesterday.
Therefore you will have to configure this in them. --> No help from me here!
If you changed your opinion about that... Then please do me a favour and just follow my tutorial one-by-one.
You will save yourself a lot of trouble.
Here are the requirements for the app with that install script. Again, I tried on several servers and the only one it worked smoothly was the oracle cloud with ports 80 443 open and free.
If I am not mistaken, this is the reason for needing port 80 open:
To install the service, you first download some files. Then you need to build it out. Once it is built, then you go to the website on port 80. Here there is a button to run an installation script. Once that is finished, now the website is secured on an nginx reverse proxy. So port 80 is initially needed to install. You can do without, but then you can't use the handy script.
If you now need to install another app using some install script (that for whatever reason needs port 80 during install)....
You just configure the app/service in haproxy on port 80, so you can access the install script.
After the installation is complete you simply change the port of the service in the haproxy server settings to the port the app has after installation.
Dead simple.
Isn't this what I've been trying to do? What do you mean by configure the app in haproxy on port 80? In order for it to work, the domain needs to already be pointing to this app and accessible already from the outside on port 80. I can't do it internally. It's a web install script.
Warning
If you configure a port that is already in use, the configuration test will be successful but the start of HAProxy will fail silently. Please ensure that the used port is free - especially if the number conflicts with the web configuration of OPNsense.
No matter what I do, I can't seem to get activity into HAproxy. I think I might be having this issue:
Warning
If you configure a port that is already in use, the configuration test will be successful but the start of HAProxy will fail silently. Please ensure that the used port is free - especially if the number conflicts with the web configuration of OPNsense.
But I disconnected the camera that was intercepting port 80, and it still won't work. I must have 10-20 servers on the LAN that use port 80 443. What am I supposed to do? Shut them all down, and then enable haproxy?
A reverse proxy is a type of server that sits between a client and one or more servers, forwarding client requests to those servers. When a client makes a request to a website, for example, the request is first sent to the reverse proxy server, which then forwards the request on to the appropriate web server.... from chatgpt.
The main difference between a reverse proxy and a basic port forward is that a basic port forward simply forwards traffic from one IP address and port number to another IP address and port number. A reverse proxy, on the other hand, can act as an intermediary, providing additional services such as load balancing, caching, SSL termination, and more.
A reverse proxy can serve as a single point of contact for several different servers, distributing client requests across those servers and allowing them to work together to handle the load. In contrast, a basic port forward simply redirects traffic from one destination to another, without providing any additional functionality or benefits.
Overall, a reverse proxy is a more advanced and flexible solution for managing connections between clients and servers, particularly in situations where a large number of servers need to be balanced and coordinated to handle incoming traffic efficiently.
I made the change I was suggesting above for the service1 condition. I changed it from SNI matches to "contains" and used "domain1.com" rather than *.domain1.com.
Now the counter shows activity in both servers as requested, and it is routing correctly from the right place.
However, it still doesn't totally work, and for the server1 subdomains, I am getting a 526 error for invalid SSL certificate. So I believe the traffic is going to the right place, but something is missing.
Should I have two SNI frontends? One for port 80 and another for 443?
I made a diagram first to help. Following your instructions, wouldn't I also have to create additional backends, rules, and servers since I am processing 80 and 443 separately? I included my attempt in the picture.
Not necessary, just leave the port in the server settings blank.
Holy moly! I just blanked the port on the real servers of the previous configuration you helped me with and now things work quite well!!
Thank you. Yes, it is confusing due to my lack of knowledge. I'm going to redo the diagram and post it again based on these latest comments.
Yes, I do not intend to load balance. You already understand that better than I do.
I didn't realize I could keep using my previous setup you helped me with. I will continue with that. I was about to go through your whole tutorial from scratch, and just remove that redirect rule.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log 0.0.0.0 local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: SNI_frontend ()
frontend SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
# logging options
option tcplog
# ACL: TCP_SSL_condition
acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
# ACL: NoSSL_condition
acl acl_644d62959d73a1.59974462 ssl_fc
# ACL: server1_condition
acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1.com
# ACL: server2_condition
acl acl_644c5719768e71.87060950 req.ssl_sni -i domain2.com
# ACTION: TCP_RequestInspectDelay_rule
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: TCP_RequestContentAccept_rule
tcp-request content accept if acl_644c56b6785678.47181279
# ACTION: server1_rule
use_backend server1_backend if !acl_644d62959d73a1.59974462 acl_644c5700ee7657.09485748
# ACTION: server2_rule
use_backend server2_backend if !acl_644d62959d73a1.59974462 acl_644c5719768e71.87060950
# Frontend: HTTP_frontend ()
frontend HTTP_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
# logging options
option tcplog
# ACL: NoSSL_condition
acl acl_644d62959d73a1.59974462 ssl_fc
# ACL: server2_condition
acl acl_644c5719768e71.87060950 req.ssl_sni -i domain2.com
# ACL: server1_condition
acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1.com
acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
# ACTION: server2_rule
use_backend server2_backend if !acl_644d62959d73a1.59974462 acl_644c5719768e71.87060950
# ACTION: server1_rule
use_backend server1_backend if !acl_644d62959d73a1.59974462 acl_644c5700ee7657.09485748
# ACTION: TCP_RequestInspectDelay_rule
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: TCP_RequestContentAccept_rule
tcp-request content accept if acl_644c56b6785678.47181279
# Backend: server1_backend ()
backend server1_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server server1_server 192.168.1.234
# Backend: server2_backend ()
backend server2_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server server2_server 192.168.1.231
# statistics are DISABLED
I was reading this link:
https://blog.entrostat.com/routing-multiple-domains-using-haproxy-http-and-https-ssl/
And it says:
"What you'll notice here is that I bind to port 80 using mode http but I bind to port 443 using mode tcp. This is to avoid the need for certificates on the 443 bind. Basically, what I'm doing here is routing 443 to a host and I expect that host to have the certificate set up."
Which makes me wonder: do I need separate servers per port? So 4 total, so that I can use different modes for each port?
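The guide's conditions (SSL Hello Type 1, SNI TLS extension matches) and the port-80 HTTP_frontend in the exported config above both rely on HAProxy's req.ssl_hello_type and req.ssl_sni fetches. The following added Python example (mine, not code from the tutorial or from HAProxy) builds a minimal TLS ClientHello, extracts the SNI from it the way those fetches do, and applies the guide's use_backend rules in order, exact match as in step 3 of the guide and the `-m sub` "contains" variant used in the exported config. It also runs a plain HTTP request through the same logic: a port-80 connection carries no ClientHello, so the content-accept rule and the SNI conditions can never match there. Rule patterns and backend names are the guide's; the ClientHello and the plain request are constructed.

```python
"""What the guide's 'SSL Hello Type' and 'SNI TLS extension matches' conditions
inspect: a minimal TLS ClientHello parser modelling req.ssl_hello_type and req.ssl_sni."""
import struct

TLS_HANDSHAKE = 0x16        # TLS record content type "handshake"
CLIENT_HELLO = 0x01         # handshake message type 1 = client hello
EXT_SERVER_NAME = 0x0000    # the SNI extension

# Rules as in the guide's step 4: (pattern, match mode, backend), evaluated in order.
RULES = [
    ("service1.domain.tld", "exact", "TCP_SERVICE1_backend"),
    ("service2.domain.tld", "exact", "TCP_SERVICE2_backend"),
]

# Constructed plaintext request, the kind of bytes a port-80 frontend sees first.
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: service1.domain.tld\r\n\r\n"


def build_client_hello(server_name):
    """Constructed sample input: a minimal TLS ClientHello with one server_name extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + b"\x11" * 32                   # random (fixed, for reproducibility)
        + b"\x00"                        # session_id length 0
        + b"\x00\x02\x13\x01"            # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                    # compression_methods: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def ssl_hello_type(data):
    """Like req.ssl_hello_type: handshake type of the first record, None if not a TLS handshake."""
    if len(data) < 6 or data[0] != TLS_HANDSHAKE:
        return None
    return data[5]


def ssl_sni(data):
    """Like req.ssl_sni: host_name from the server_name extension, None if absent or truncated."""
    if ssl_hello_type(data) != CLIENT_HELLO:
        return None
    try:
        hs = data[5:5 + _u16(data, 3)]
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len or len(body) < 35:
            return None                  # incomplete: HAProxy keeps waiting until inspect-delay expires
        pos = 34                         # client_version (2) + random (32)
        pos += 1 + body[pos]             # session_id
        pos += 2 + _u16(body, pos)       # cipher_suites
        pos += 1 + body[pos]             # compression_methods
        end = pos + 2 + _u16(body, pos)  # end of the extensions block
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            lpos = 2                     # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype, nlen = edata[lpos], _u16(edata, lpos + 1)
                name = edata[lpos + 3:lpos + 3 + nlen]
                lpos += 3 + nlen
                if ntype == 0:
                    return name.decode("ascii", "replace")
    except (IndexError, struct.error):
        return None                      # malformed hello: treat as "no SNI"
    return None


def sni_matches(sni, pattern, mode):
    """'SNI TLS extension matches' (exact, case-insensitive) vs 'contains' (-m sub -i)."""
    if sni is None:
        return False
    s, p = sni.lower(), pattern.lower()
    return s == p if mode == "exact" else p in s


def choose_backend(first_bytes, rules=RULES):
    """Model of the SNI_frontend: the content-accept rule only fires on a ClientHello,
    then the use_backend rules run in order. None means no backend was chosen."""
    if ssl_hello_type(first_bytes) != CLIENT_HELLO:
        return None                      # plaintext HTTP never reaches the SNI rules
    sni = ssl_sni(first_bytes)
    for pattern, mode, backend in rules:
        if sni_matches(sni, pattern, mode):
            return backend
    return None
```

The "contains" mode is convenient for wildcard-style routing (`domain1.com` catches every subdomain), but it also matches hostnames such as `domain1.com.attacker-controlled.tld`, so when the backends behind one frontend belong to different trust levels, an exact match per hostname is the safer choice.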
When you are done post the haproxy config export.
But please in a codebox, no need to upload the file.
And don't forget to remove sensitive info.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log 0.0.0.0 local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: SNI_frontend ()
frontend SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
# logging options
option tcplog
# ACL: TCP_SSL_condition
acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
# ACL: TCP_server1_condition
acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1.com
# ACL: TCP_server2_condition
acl acl_644c5719768e71.87060950 req.ssl_sni -i domain2.com
# ACTION: TCP_RequestInspectDelay_rule
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: TCP_RequestContentAccept_rule
tcp-request content accept if acl_644c56b6785678.47181279
# ACTION: TCP_SERVICE1_rule
use_backend TCP_SERVICE1_backend if acl_644c5700ee7657.09485748
# ACTION: TCP_SERVICE2_rule
use_backend TCP_SERVICE2_backend if acl_644c5719768e71.87060950
# Frontend: HTTP_frontend ()
frontend HTTP_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
# logging options
option tcplog
# ACL: http_server1_condition
acl acl_6457247ca14984.71641345 hdr_sub(host) -i domain1.com
# ACL: NoSSL_condition
acl acl_644d62959d73a1.59974462 ssl_fc
# ACL: http_server2_condition
acl acl_64572496aeac32.73416688 hdr_sub(host) -i domain2.com
# ACTION: http_server1_rule
use_backend TCP_SERVICE1_backend if acl_6457247ca14984.71641345 !acl_644d62959d73a1.59974462
# ACTION: http_server2_rule
use_backend TCP_SERVICE2_backend if acl_64572496aeac32.73416688 !acl_644d62959d73a1.59974462
# Backend: TCP_SERVICE1_backend ()
backend TCP_SERVICE1_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server TCP_SERVICE1_server 192.168.1.234
# Backend: TCP_SERVICE2_backend ()
backend TCP_SERVICE2_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server TCP_SERVICE2_server 192.168.1.231
# statistics are DISABLED
Hello sir,
I followed your guide and everything worked for the past year. However, today for some reason, my server doesn't respond to my domain anymore. I have adguard and truenas set up, so when I use those, e.g. ad.xxxx.xxxx, it resolves. However, if I just run mydomain.xxx then it doesn't resolve to my public IP address anymore.
May I ask what may be the problem?
Thank you so much for your time sir.
Hello sir,
Thank you for getting back to me.
Attached is my HAProxy config:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 6
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_630c2xxx9944 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_630c25xxx249944
# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/630c280xxx7137226.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
# ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
acl acl_630c2982907624.21524463 src 20.xxx.0/24 20xxx0/24 20xxx.0/24
# ACTION: LOCAL_SUBDOMAINS_map-rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/630c2909dfxxx.10265915.txt)] if acl_630c2xxx7624.21524463
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/630c262xxx9c50.82551607.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: opnsense_backend ()
backend opnsense_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server opnsense_server 20.14.0.1:55443 ssl verify none
# Backend: truenas_backend ()
backend truenas_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server truenas_server 20.xxx.4 ssl verify none
# Backend: proxmox_backend ()
backend proxmox_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server proxmox_server 20.xxx47:8xxx6 ssl verify none
# Backend: ad_backend ()
backend ad_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server ad_server 20.xxx.1:56xxx43 ssl verify none
# Backend (DISABLED): proxmox_backend_1 ()
# Backend (DISABLED): truenas_backend_1 ()
# statistics are DISABLED
As for my domain for the certificate I followed your guide and have it at:
Common name *.xxxan.to
As for the DNS Zone I'm using your guide https://desec.io
CNAME is *.mydomainname.to
I don't have A record (I didn't see it in your guide)
I checked and my dynamic DNS client still updates my IP address at desec. Also when I tried to restart my authentication service, I see my token on desec being renewed. So I think that aspect works.
I can access my domain if I have that server running, i.e. adguard, plex. However, if I just type in my domain name it doesn't resolve to my public IP anymore. I think it is at desec's end, but I've tried to add and delete my domain and nothing seemed to work.
OK, I gave it a shot. Not sure if my http config is correct. Servers seem to be working except for the one that needs http, I am currently checking it out.
But here is my config.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log 0.0.0.0 local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: SNI_frontend ()
frontend SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
# logging options
option tcplog
# ACL: TCP_SSL_condition
acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
# ACL: NoSSL_condition
acl acl_644d62959d73a1.59974462 ssl_fc
# ACL: server1_condition
acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1.com
# ACL: server2_condition
acl acl_644c5719768e71.87060950 req.ssl_sni -i domain2.com
# ACTION: TCP_RequestInspectDelay_rule
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: TCP_RequestContentAccept_rule
tcp-request content accept if acl_644c56b6785678.47181279
# ACTION: server1_rule
use_backend server1_backend if !acl_644d62959d73a1.59974462 acl_644c5700ee7657.09485748
# ACTION: server2_rule
use_backend server2_backend if !acl_644d62959d73a1.59974462 acl_644c5719768e71.87060950
# Frontend: HTTP_frontend ()
frontend HTTP_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
# logging options
option tcplog
# ACL: NoSSL_condition
acl acl_644d62959d73a1.59974462 ssl_fc
# ACL: server2_condition
acl acl_644c5719768e71.87060950 req.ssl_sni -i domain2.com
# ACL: server1_condition
acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1.com
acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
# ACTION: server2_rule
use_backend server2_backend if !acl_644d62959d73a1.59974462 acl_644c5719768e71.87060950
# ACTION: server1_rule
use_backend server1_backend if !acl_644d62959d73a1.59974462 acl_644c5700ee7657.09485748
# ACTION: TCP_RequestInspectDelay_rule
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: TCP_RequestContentAccept_rule
tcp-request content accept if acl_644c56b6785678.47181279
# Backend: server1_backend ()
backend server1_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server server1_server 192.168.1.234
# Backend: server2_backend ()
backend server2_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server server2_server 192.168.1.231
# statistics are DISABLED
Hello,
I read your suggestion and just blindly tried to add the A record in my desec, with my public IP address, and voila, I was able to access my public IP. May I ask what happened or changed? I apologize if my question is not very smart. If I add my A record like this, will I be able to have my IP address automatically updated? I know with your guide, through the token management, it receives IP updates from my OPNsense dynamic DNS. However, if my record is using an A record, I have to manually enter the IP myself.
Thank you so much for your time.
Yes, this shows me your haproxy export, but it doesn't tell me whether this is working for you like intended or not.
Thank you. I removed the NoSSL condition.
Also why do you have a "NoSSL_condition" and why did you link it to the serviceX_rules of the HTTP_frontend?
Remove it, this is totally unnecessary and I never said that you need this.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log 0.0.0.0 local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: SNI_frontend ()
frontend SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
# logging options
option tcplog
# ACL: TCP_SSL_condition
acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
# ACL: TCP_server1_condition
acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1.com
# ACL: TCP_server2_condition
acl acl_644c5719768e71.87060950 req.ssl_sni -i domain2.com
# ACTION: TCP_RequestInspectDelay_rule
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: TCP_RequestContentAccept_rule
tcp-request content accept if acl_644c56b6785678.47181279
# ACTION: TCP_SERVICE1_rule
use_backend TCP_SERVICE1_backend if acl_644c5700ee7657.09485748
# ACTION: TCP_SERVICE2_rule
use_backend TCP_SERVICE2_backend if acl_644c5719768e71.87060950
# Frontend: HTTP_frontend ()
frontend HTTP_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
# logging options
option tcplog
# ACL: http_server1_condition
acl acl_6457247ca14984.71641345 hdr_sub(host) -i domain1.com
# ACL: http_server2_condition
acl acl_64572496aeac32.73416688 hdr_sub(host) -i domain2.com
# ACTION: http_server1_rule
use_backend TCP_SERVICE1_backend if acl_6457247ca14984.71641345
# ACTION: http_server2_rule
use_backend TCP_SERVICE2_backend if acl_64572496aeac32.73416688
# Backend: TCP_SERVICE1_backend ()
backend TCP_SERVICE1_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server TCP_SERVICE1_server 192.168.1.234
# Backend: TCP_SERVICE2_backend ()
backend TCP_SERVICE2_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server TCP_SERVICE2_server 192.168.1.231
# statistics are DISABLED
Hello sir,
Attached is my DDNS configuration.
I think I understand what you are saying a little bit. So what I configured is right, but you are afraid my DDNS doesn't push the right update to my desec domain, correct? I think I did it right since my username is my domain name, i.e. "example.com", the password is my token, and the hostname is just my domain name, which is "example.com", correct? Or do you want me to have it at *.example.com?
The weird thing is everything was working well. It just suddenly doesn't resolve if I just type in example.com. I have to use mysubdomain.example.com to get it working.
Is the Http frontend working? I believe so, but it's hard for me to confirm. Nothing is really using the http traffic (don't get mad, yes I requested it, hear me out). So I used it very briefly to set up that website that uses the install script on port 80 initially. And during the setup, I saw in the Counters area of HAproxy that traffic went through the http frontend. So that confirms that port 80 is working, I think, and the site got successfully set up.
I still stand by my opinion that port 80 is not necessary at all. But since you never posted/linked that super duper script that would require port 80 this will forever be a myth to me.
I did link it!
I stand corrected in terms of not providing the script.
here it is:
https://v4-docs.chevereto.com/guides/docker/#create-https-proxy
That's the page with the installation instructions. Port 80 is used at the place where I linked or the next command after. I think it is used where I linked, which sets up nginx.
but for another domain2.com, I'd like to use traefik as the reverse proxy. So then, again, I'd need ports 80 and 443 for both servers. Some reverse proxy software works better with certain apps.
This is a pretty strong statement without any proof!
Dear all,
at the moment I have my webserver online with port forwarding, and before moving on with HAProxy I'm thinking of testing it by setting it up locally. To also keep the setup simple and possibly easier, I'm considering a reverse proxy of port 80 only for test.example.com.
In other terms (IP as reference):
LAN (192.168.1.0/24, LAN Address 192.168.1.1)--> |HAProxy| --> DMZ (webserver 192.168.2.0/24, server, 192.168.2.2)
The only achievement I reached so far when I try to browse test.example.com is
503 Service Unavailable
No server is available to handle this request
This is the haproxy setup:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 2
hard-stop-after 60s
no strict-limits
maxconn 100
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# Frontend: test_http (Test http)
frontend test_http
bind 192.168.1.1:80 name 192.168.1.1:80
mode http
option http-keep-alive
default_backend example_backend
# logging options
# ACL: kanboard_c
acl acl_6452ce5a700492.11355253 hdr(host) -i test.example.com
# ACTION: kanboard_r
use_backend test_backend if acl_6452ce5a700492.11355253
# Backend: test_backend (example pool)
backend example_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server s1_server 192.168.2.1:80 proto h2
# statistics are DISABLED
Any hint?
Next step will be using SSL. The web application has an individual SSL certificate which I think I can import in opnsense to set up HTTPS redirection. This will be the next gig :)
I've flattened HAProxy a few times and reset, but I always end up with error 503 :(
I checked the firewall LAN -> DMZ and I don't see anything blocking the connection.
Thanks and please let me know if I can provide more information
cheers
I hope you don't take any offense from my writing, I don't mean to judge how you do your things.
No problem at all, I take it as you are trying to give helpful advice.
I just think your current setup is... a bit clumsy.
Nonetheless I am glad that everything is working now how you wanted it to.
I had this working before, but I accidentally hosed the install and didn't have my config backed up. (Lesson learned.)
Now the issue I'm having is getting a 503 no matter what I've tried so far. Not sure where the issue is.
For example, trying to hit my domain vtt.*.com I get the correct cert in the browser, but still a 503, and here's all I see in the haproxy log.
2023-05-08T23:00:55-05:00 Informational haproxy 192.168.0.198:60994 [08/May/2023:23:00:52.860] 1_HTTPS_frontend~ VTT_backend/FoundryVTT_server 0/3032/-1/-1/3035 503 217 - - SC-- 2/1/0/0/3 0/0 "GET https://vtt.*.com/favicon.ico HTTP/2.0"
2023-05-08T23:00:52-05:00 Informational haproxy 192.168.0.198:60994 [08/May/2023:23:00:49.702] 1_HTTPS_frontend~ VTT_backend/FoundryVTT_server 0/3045/-1/-1/3048 503 217 - - SC-- 2/1/0/0/3 0/0 "GET https://vtt.*.com/ HTTP/2.0"
Here's the haproxy config. I hope you can help me see what I'm not seeing.
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on port 80, 443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
option tcplog
# Frontend: 1_HTTP_frontend (Listening on :80)
frontend 1_HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
option httplog
# ACL: NoSSL_condition
acl acl_645996ff1a8d85.67011734 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_645996ff1a8d85.67011734
# Frontend: 1_HTTPS_frontend (Listening on localhost:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64599b1898e146.09447169.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
option httplog
# ACTION: PUBLIC_DOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/645997471e1f42.25745091.txt)]
# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server acme_challenge_host 127.0.0.1:43580
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: PLEX_backend ()
backend PLEX_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server PLEX_server 192.168.0.197:32400 ssl verify none
# Backend: VTT_backend ()
backend VTT_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server FoundryVTT_server 192.168.0.197:30000 ssl verify none
# Backend: Homeassistant_backend ()
backend Homeassistant_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Homeassistant_server 192.168.0.196:8123 ssl verify none
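The 503 lines above carry a termination state (SC--) and five timers that say where each request died. The decoder below is an added example, not code from this thread or from HAProxy: it parses the default httplog and tcplog formats, and its sample lines are constructed after the ones posted here (the poster's redacted domain is kept as-is).

```python
"""Decode HAProxy httplog / tcplog lines to see where a 503 was produced.
Added example for this thread, not HAProxy code."""
import re

# Constructed after the log lines posted in the thread (httplog lines come
# from the HTTPS frontend, the tcplog line from the SNI frontend).
SAMPLE_LOGS = [
    'haproxy 192.168.0.198:60994 [08/May/2023:23:00:52.860] 1_HTTPS_frontend~ '
    'VTT_backend/FoundryVTT_server 0/3032/-1/-1/3035 503 217 - - SC-- 2/1/0/0/3 0/0 '
    '"GET https://vtt.*.com/favicon.ico HTTP/2.0"',
    'haproxy 10.1.1.103:46386 [19/May/2023:16:34:37.775] 1_HTTPS_frontend~ '
    '1_HTTPS_frontend/<NOSRV> -1/-1/-1/-1/30003 0 0 - - PR-- 2/2/0/0/0 0/0 "<BADREQ>"',
    'haproxy 10.1.1.103:46386 [19/May/2023:16:34:37.761] 0_SNI_frontend '
    'SSL_backend/SSL_server 1/0/30017 5134 cD 2/2/1/1/0 0/0',
]

# "option httplog": client:port [date] frontend backend/server TR/Tw/Tc/Tr/Ta
#   status bytes req-cookie resp-cookie termination-state conn-counters queues "request"
HTTPLOG = re.compile(
    r'(?P<client>[\d.]+):(?P<cport>\d+) \[(?P<ts>[^\]]+)\] (?P<fe>\S+) '
    r'(?P<be>[^/\s]+)/(?P<srv>\S+) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+) '
    r'(?P<status>\d+) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) (?P<conns>\S+) \S+ "(?P<req>[^"]*)"')
# "option tcplog": client:port [date] frontend backend/server Tw/Tc/Tt bytes termination-state ...
TCPLOG = re.compile(
    r'(?P<client>[\d.]+):(?P<cport>\d+) \[(?P<ts>[^\]]+)\] (?P<fe>\S+) '
    r'(?P<be>[^/\s]+)/(?P<srv>\S+) '
    r'(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tt>-?\d+) (?P<bytes>\d+) (?P<term>\S{2}) (?P<conns>\S+) \S+')

# First termination character: who or what ended the session.
WHO = {
    "C": "the client aborted", "c": "a client-side timeout expired",
    "S": "the server aborted or refused the connection", "s": "a server-side timeout expired",
    "P": "HAProxy itself aborted (deny rule, limit or invalid request/response)",
    "R": "HAProxy ran out of resources", "I": "an internal HAProxy error occurred",
    "-": "the session ended normally",
}
# Second termination character: the phase the session was in at that moment.
PHASE = {
    "R": "waiting for a complete request from the client", "Q": "queued for a server slot",
    "C": "connecting to the server", "H": "waiting for response headers from the server",
    "D": "transferring data", "L": "sending the last data to the client",
    "T": "tarpitting the request", "-": "normal",
}


def parse_line(line):
    """Return a dict for one httplog or tcplog line, or None if the format is not recognised."""
    m = HTTPLOG.search(line)
    mode = "http"
    if not m:
        m = TCPLOG.search(line)
        mode = "tcp"
    if not m:
        return None
    rec = m.groupdict()
    rec["mode"] = mode
    for key in ("TR", "Tw", "Tc", "Tr", "Ta", "Tt", "bytes"):
        if key in rec:
            rec[key] = int(rec[key])
    rec["retries"] = int(rec["conns"].split("/")[-1])  # last connection counter is the retry count
    return rec


def diagnose(line):
    """Decode the termination state and timers of one line into a plain-language reading."""
    rec = parse_line(line)
    if rec is None:
        return None
    who, phase = rec["term"][0], rec["term"][1]
    reading = f"{WHO.get(who, 'unknown cause')} while {PHASE.get(phase, 'in an unknown phase')}"
    # Tc is -1 when no connection to the chosen server was ever established.
    server_connected = rec["Tc"] >= 0
    if who == "S" and phase == "C":
        reading += (f"; {rec['be']}/{rec['srv']} never accepted the connection "
                    f"(Tc=-1 after {rec['retries']} retries), so the "
                    f"{rec.get('status') or 'error'} was generated by HAProxy itself: "
                    "check the real server's address, port and SSL setting")
    return {"mode": rec["mode"], "frontend": rec["fe"], "status": rec.get("status"),
            "term": rec["term"], "server_connected": server_connected, "reading": reading}


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        d = diagnose(sample)
        print(f"[{d['mode']}] {d['frontend']} {d['term']} status={d['status']}: {d['reading']}")
```

Run against the first sample it reports that the request reached HAProxy and was routed, but the connection to FoundryVTT_server failed during the connect phase, which is the situation the replies below attribute to the real server's SSL setting.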
Honestly please just follow my tutorial. I will not provide support for something else here.
If you want to do it your way then just ask in the appropriate forum.
But I will say if you keep on testing your way you will need much more time.
If it is not working with my way you can simply disable the WAN firewall rule and re-enable the NAT portforward.
This way you can also test this.
Hi there, I followed the suggestion and at the end of the process I have these 2 issues which I can't figure out:
1) Certificate is not valid. I also ran the SSL Labs test and I received the same answer (rating T) showing certificate not trusted
2) again error 503 Service unavailable
Checking the HAProxy log, it shows:
Informational haproxy public_IP:9911 [09/May/2023:17:25:07.299] 2_HTTPS_frontend/127.4.4.3:443: SSL handshake failure
which I think I solved by removing the SSL tick on the real server setup. I have the apache virtual server only listening on port 80
#1: is it possible it is because at the moment I'm using a staging cert?
#2: this is the issue I've been investigating now for a few days without any luck. I'll go over your tutorial but hints are welcome
cheers
Your HAProxy config looks good.
And since you get the 503 error this means connections are getting to HAProxy.
Your issue is most likely the SSL (yes or no) checkbox in the Real Server settings. Verify which service needs SSL and which doesn't for the local access between HAProxy and the local service.
Also, unless you get your certificates using the HTTP-01 method, which I doubt since there is no rule for it on the HTTP_frontend, do the following:
in the HAProxy plugin: delete the acme_challenge_backend and acme_challenge_host and all other haproxy entries auto generated by the ACME plugin.
in the ACME plugin: Go to the settings and disable the "HAProxy Integration", hit Apply.
That got it, thanks! So the SSL check on the real server setting would only be if that server was serving its own cert?
503 Service Unavailable
No server is available to handle this request.
@mauroRoger, @TheHellSite
HAProxy config export and a basic network diagram. That is what you will have to provide now, not just error codes.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 warning
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_Frontend (listening on LAN address port 80/443)
frontend 0_SNI_Frontend
bind lan_ip:80 name lan_ip:80
bind lan_ip:443 name lan_ip:443
mode tcp
default_backend SSL_Backend
# logging options
# Frontend: 1_HTTP_frontend (Listening on lo_ip:80)
frontend 1_HTTP_frontend
bind lo_ip:80 name lo_ip:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
option dontlognull
option log-separate-errors
option httplog
# ACL: NoSSL_condition
acl acl_6462b25dd3fc08.98092716 ssl_fc
# ACTION: HTTP2HTTPS_r
http-request redirect scheme https code 301 if !acl_6462b25dd3fc08.98092716
# Frontend: 2_HTTPS_frontend (Listening on lo_ip:443)
frontend 2_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind lo_ip:443 name lo_ip:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6463bbbf543239.59805119.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
option dontlognull
option log-separate-errors
option httplog
# ACTION: PUBLIC_SUBDOMAINS_r
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/645151c9cb3ae5.07476878.txt)]
# Backend: s1_backend (s1 server backend)
backend s1_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server s1_server server_ip
# Backend: SSL_Backend (SNI backend)
backend SSL_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_Server lo_ip send-proxy-v2 check-send-proxy
# statistics are DISABLED
To keep the webapp available from the outside world I have the SNI Frontend based on the LAN address, port 80,443. I'm doing it this way because I already tried following your tutorial using the WAN address on the SNI frontend with the same result plus server unreachable.
I created a Firewall rule for LAN to accept incoming requests on port 80,443
Shouldn't even be necessary on a fresh install since it allows anything from LAN to anything by default.
1. Your apache is listening on port 80 (no ssl) and 443 (probably with ssl).
correct, 443 with SSL
2. My tutorial assumes that the user wants all connections to be upgraded from port 80 to 443, which you also configured by using the HTTP_frontend on port 80 with the HTTPtoHTTPS_rule.
This is also what apache does for my application: redirect any call on port 80 to port 443 and use encrypted communication, therefore so far your setup fits the requirements.
3. The HTTPS_frontend has SSL offloading enabled, so it decrypts any connection and then forwards it to the real server based on the real server connection configuration.
Reading your tutorial #9 about the SSL connection with the back end I thought your setup should work because you use an SSL connection to the plex server.
4. However, in your scenario you didn't configure your apache real server correctly since you left the port blank and didn't tell haproxy if the real server expects SSL or not.
I set up the webserver as you did for the SSL_backend, both listening on port 80,443 and both using SSL on port 443. If the webserver backend should be different, can you please guide me how to adjust?
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (listening on 80 and 443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
option tcplog
# Frontend: 1_HTTP_frontend (listening on localhost:80)
frontend 1_HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
option httplog
# ACL: NoSSL_condition
acl acl_6451d6d41f14e3.72189927 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_6451d6d41f14e3.72189927
# Frontend: 1_HTTPS_frontend (listening on localhost:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=15768000"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6451dd0fe21db7.63563341.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
option httplog
# ACL: cardav-endpoint
acl acl_6461de0380c7b3.75062629 path_end -i /.well-known/carddav
# ACL: caldav-endpoint
acl acl_6461dde5d15634.54704624 path_end -i /.well-known/caldav
# ACL: nc_nodeinfo
acl acl_6466fe1b2e8ff2.47035478 path /.well-known/nodeinfo
# ACL: nc_webfinger
acl acl_6466fe303acb97.89104263 path /.well-known/webfinger
# ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
acl acl_6451d1c3d510f5.88841915 src 10.1.1.0/24 192.168.0.0/24
# ACTION: cardav-endpoint
http-request redirect code 301 location /remote.php/dav if acl_6461de0380c7b3.75062629
# ACTION: caldav-endpoint
http-request redirect code 301 location /remote.php/dav if acl_6461dde5d15634.54704624
# ACTION: nc_nodeinfo
http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_6466fe1b2e8ff2.47035478
# ACTION: nc_webfinger
http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_6466fe303acb97.89104263
# ACTION: LOCAL_SUBDOMAINS_rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6451d0414cb7f2.59080919.txt)] if acl_6451d1c3d510f5.88841915
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6451d7a6418a58.11785496.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: portainer_backend (portainer backend)
backend portainer_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# WARNING: pass through options below this line
timeout tunnel 3600s
http-reuse safe
server portainer 10.1.1.59:9443
# Backend: nextcloud_backend (nextcloud_backend)
backend nextcloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server nextcloud 10.1.1.59:11000
# statistics are DISABLED
2023-05-19T16:35:18 Informational haproxy 10.1.1.59:58792 [19/May/2023:16:35:18.215] 0_SNI_frontend SSL_backend/SSL_server 1/-1/0 0 CC 2/2/1/1/0 0/0
2023-05-19T16:35:07 Informational haproxy 10.1.1.103:46386 [19/May/2023:16:34:37.775] 1_HTTPS_frontend~ 1_HTTPS_frontend/<NOSRV> -1/-1/-1/-1/30003 0 0 - - PR-- 2/2/0/0/0 0/0 "<BADREQ>"
2023-05-19T16:35:07 Informational haproxy 10.1.1.103:46386 [19/May/2023:16:34:37.761] 0_SNI_frontend SSL_backend/SSL_server 1/0/30017 5134 cD 2/2/1/1/0 0/0
2023-05-19T16:34:48 Informational haproxy 10.1.1.59:45564 [19/May/2023:16:34:48.055] 0_SNI_frontend SSL_backend/SSL_server 1/0/1 0 -- 3/3/2/2/0 0/0
2023-05-19T16:34:48 Informational haproxy 10.1.1.59:45564 [19/May/2023:16:34:48.055] 1_HTTPS_frontend/127.0.0.1:443: Connection closed during SSL handshake
smoked-proposal would you mind posting your HAproxy config? To my knowledge everything I've set is as per the tutorial but I'd like to see your config for Nextcloud if you have it working (I don't have SSL verify either). I've asked over in the Nextcloud forums and they do believe HAproxy is dropping something in the redirect considering hitting nextcloud directly works correctly.
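The log lines in the post above mix three record shapes: the TCP-mode line written by 0_SNI_frontend (three timers, two-letter termination state such as CC or cD), the HTTP-mode line written by 1_HTTPS_frontend (five timers, status code, four-letter state such as PR-- with "<BADREQ>") and the per-connection TLS error "Connection closed during SSL handshake", which the bind line logs before any HTTP request exists, so for such a connection no use_backend rule ever ran. The following Python is an added example, not code from the poster or from OPNsense: it classifies each shape and decodes the termination state so a CC or cD can be read without the manual. The sample lines are the ones quoted above with the OPNsense syslog prefix removed; the field order follows HAProxy's default tcplog/httplog formats and the state-letter meanings are paraphrased from the HAProxy configuration manual.

```python
"""Classify the HAProxy log lines quoted in this thread and decode their
termination state. Added example, not code from the original post."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the quoted lines with the OPNsense syslog prefix
# ("2023-05-19T16:35:18 | Informational | haproxy |") removed.
SAMPLE_LOG = """\
10.1.1.59:58792 [19/May/2023:16:35:18.215] 0_SNI_frontend SSL_backend/SSL_server 1/-1/0 0 CC 2/2/1/1/0 0/0
10.1.1.103:46386 [19/May/2023:16:34:37.775] 1_HTTPS_frontend~ 1_HTTPS_frontend/<NOSRV> -1/-1/-1/-1/30003 0 0 - - PR-- 2/2/0/0/0 0/0 "<BADREQ>"
10.1.1.103:46386 [19/May/2023:16:34:37.761] 0_SNI_frontend SSL_backend/SSL_server 1/0/30017 5134 cD 2/2/1/1/0 0/0
10.1.1.59:45564 [19/May/2023:16:34:48.055] 0_SNI_frontend SSL_backend/SSL_server 1/0/1 0 -- 3/3/2/2/0 0/0
10.1.1.59:45564 [19/May/2023:16:34:48.055] 1_HTTPS_frontend/127.0.0.1:443: Connection closed during SSL handshake
10.1.1.59:46936 [23/May/2023:12:47:05.740] 1_HTTPS_frontend~ nextcloud_backend/nextcloud 0/0/1/229/230 304 1194 - - ---- 4/2/0/0/0 0/0 "GET /apps/richdocuments/settings/fonts.json HTTP/1.1"
"""

_HEAD = r"^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "
# httplog: fe be/srv TR/Tw/Tc/Tr/Ta status bytes creq cres term conns queues "request"
HTTP_RE = re.compile(
    _HEAD + r"(?P<fe>\S+) (?P<be>[^/\s]+)/(?P<srv>\S+) "
    r"(?P<timers>-?\d+(?:/-?\d+){4}) (?P<status>-?\d+) (?P<bytes>\d+) \S+ \S+ "
    r'(?P<term>\S{4}) \S+ \S+ "(?P<req>.*)"$')
# tcplog: fe be/srv Tw/Tc/Tt bytes term conns queues
TCP_RE = re.compile(
    _HEAD + r"(?P<fe>\S+) (?P<be>[^/\s]+)/(?P<srv>\S+) "
    r"(?P<timers>-?\d+(?:/-?\d+){2}) (?P<bytes>\d+) (?P<term>\S{2}) \S+ \S+$")
# per-connection TLS error written by the bind line, before any HTTP request exists
ERROR_RE = re.compile(_HEAD + r"(?P<fe>[^/\s]+)/(?P<bind>\S+): (?P<msg>.+)$")

# Termination state: first letter = what ended the session, second = phase it was in.
CAUSE = {"-": "normal completion", "C": "client-side abort", "c": "client-side timeout",
         "S": "server-side abort or refusal", "s": "server-side timeout",
         "P": "blocked or rejected by HAProxy (invalid request, deny rule)",
         "L": "handled locally by HAProxy (redirect, stats, errorfile)",
         "R": "proxy resource exhausted", "I": "HAProxy internal error",
         "D": "killed because the server went down",
         "U": "killed when a preferred server came back up", "K": "killed by an administrator"}
PHASE = {"-": "normal end", "R": "waiting for a complete client request",
         "Q": "queued for a server slot", "C": "waiting for the server connection",
         "H": "waiting for server response headers", "D": "transferring data",
         "L": "sending the last data to the client", "T": "tarpitted"}


@dataclass
class Record:
    kind: str                    # "tcp", "http" or "error"
    client: str
    frontend: str
    backend: Optional[str] = None
    server: Optional[str] = None
    term: Optional[str] = None   # termination state, e.g. "CC", "cD", "PR--"
    status: Optional[int] = None
    request: Optional[str] = None
    message: Optional[str] = None


def parse_line(line: str) -> Optional[Record]:
    """Classify one log line; None for a line in none of the three shapes."""
    line = line.strip()
    m = HTTP_RE.match(line)
    if m:
        return Record("http", m["client"], m["fe"], m["be"], m["srv"], m["term"],
                      int(m["status"]), m["req"])
    m = TCP_RE.match(line)
    if m:
        return Record("tcp", m["client"], m["fe"], m["be"], m["srv"], m["term"])
    m = ERROR_RE.match(line)
    if m:
        return Record("error", m["client"], m["fe"], message=m["msg"])
    return None


def explain_termination(term: str) -> str:
    """Decode the first two termination-state letters (cause, phase)."""
    if term[:2] == "--":
        return "normal completion"
    cause = CAUSE.get(term[0], f"unknown cause {term[0]!r}")
    phase = PHASE.get(term[1], f"unknown phase {term[1]!r}")
    return f"{cause} while {phase}"


def triage(log_text: str) -> List[str]:
    """One finding per line that did not complete normally."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings.append(f"unparsed: {line[:60]}")
        elif rec.kind == "error":
            # No Host header was ever read, so no use_backend rule ran for this connection.
            findings.append(f"{rec.frontend} {rec.client}: {rec.message}; no backend was chosen")
        elif rec.term[:2] != "--":
            detail = explain_termination(rec.term)
            if rec.request == "<BADREQ>":
                detail += " (request could not be parsed as HTTP)"
            findings.append(f"{rec.frontend} -> {rec.backend}/{rec.server} {rec.client}: "
                            f"{rec.term} = {detail}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run as a script it prints one explanation per abnormal line; the two lines with "--" and "----" states are the only normal completions in the sample. To use it on a live OPNsense box, strip the syslog prefix from the exported HAProxy log first, as the constants above assume.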
... they do believe HAproxy is dropping something in the redirect considering hitting nextcloud directly works correctly.
Thank you, I did manage to resolve part of the issue from your help with clearing my browser cache. I had been testing via incognito mode often but had forgotten the last few changes. Locally I can now access Nextcloud via domain name as expected.
Externally however, no joy.
Good morning,
I am having some challenge with getting HAproxy to handle internal requests. I am not using unbound for DNS since I have active directory deployed. I did try using unbound with overrides. Externally, HAproxy is working, can access plex from the office and able to access a web page.
I've gone through the tutorial a few times and am assuming that something is missed.
The goal is to use HAProxy internally and externally to encrypt traffic with a real cert. I'd appreciate any help or shove back to what was missed in the tutorial.
Config:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 1000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 1000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
default_backend SSL_backend
# logging options
# Frontend: 1_HTTP_frontend (Listenting on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# Frontend: 1_HTTPS_frontend (Listenting on 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6467f8cd2c0025.92252317.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
# ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
acl acl_6468020a093145.77501579 src 192.168.1.0/24
# ACTION: LOCAL_SUBDOMAINS_rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/646801b883fa30.90520723.txt)] if acl_6468020a093145.77501579
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6467f584ef9e54.41997502.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: PLEX_backend ()
backend PLEX_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server PLEX_server 192.168.1.62:32400 ssl verify none
# Backend: remote_dc02_backend (remote dc02)
backend remote_dc02_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server remote_dc02_server 192.168.1.6:443 ssl verify none
# Backend: BMC_backend (bmc test)
backend BMC_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server BMC_server 192.168.1.35 ssl verify none
listen local_statistics
bind 127.0.0.1:8822
mode http
stats uri /haproxy?stats
stats realm HAProxy\ statistics
stats admin if TRUE
# remote statistics are DISABLED
Nextcloud was the only service I was making publicly available. I moved one of my internal services out from local subdomain to public and now I cannot reach it externally. Map files:

# local access only subdomains
iprox iprox_backend
autgtp autgtp_backend
portainer portainer_backend
#public access subdomains
nextcloud nextcloud_backend
truenas truenas_backend

#public access subdomains
nextcloud nextcloud_backend
truenas truenas_backend

Logs from HAproxy when trying an external connection for nextcloud:
2023-05-23T12:47:05 Informational haproxy 10.1.1.59:46936 [23/May/2023:12:47:05.718] 0_SNI_frontend SSL_backend/SSL_server 1/0/254 5920 -- 3/2/1/1/0 0/0
2023-05-23T12:47:05 Informational haproxy 10.1.1.59:46936 [23/May/2023:12:47:05.740] 1_HTTPS_frontend~ nextcloud_backend/nextcloud 0/0/1/229/230 304 1194 - - ---- 4/2/0/0/0 0/0 "GET /apps/richdocuments/settings/fonts.json HTTP/1.1"
2023-05-23T12:47:31 Informational haproxy 10.1.1.59:46236 [23/May/2023:12:47:31.646] 0_SNI_frontend SSL_backend/SSL_server 1/0/0 0 -- 3/2/1/1/0 0/0
2023-05-23T12:47:31 Informational haproxy 10.1.1.59:46236 [23/May/2023:12:47:31.646] 1_HTTPS_frontend/127.0.0.1:443: Connection closed during SSL handshake

Logs from HAproxy when trying an external connection for truenas:
2023-05-23T12:47:31 Informational haproxy 10.1.1.59:46236 [23/May/2023:12:47:31.646] 0_SNI_frontend SSL_backend/SSL_server 1/0/0 0 -- 3/2/1/1/0 0/0
2023-05-23T12:47:31 Informational haproxy 10.1.1.59:46236 [23/May/2023:12:47:31.646] 1_HTTPS_frontend/127.0.0.1:443: Connection closed during SSL handshake
2023-05-23T12:47:05 Informational haproxy 10.1.1.59:46936 [23/May/2023:12:47:05.718] 0_SNI_frontend SSL_backend/SSL_server 1/0/254 5920 -- 3/2/1/1/0 0/0
2023-05-23T12:47:05 Informational haproxy 10.1.1.59:46936 [23/May/2023:12:47:05.740] 1_HTTPS_frontend~ nextcloud_backend/nextcloud 0/0/1/229/230 304 1194 - - ---- 4/2/0/0/0 0/0 "GET /apps/richdocuments/settings/fonts.json HTTP/1.1"

Interesting that the Truenas call seems to be going to nextcloud?
Unbound DNS: Overrides
truenas.mydomain dedyn.io A (IPv4 address) 10.1.1.1
nextcloud.mydomain dedyn.io A (IPv4 address) 10.1.1.1
Firewall rules:
HAProxy_ports (80, 443) allowed to WAN address
I don't see any deny results in firewall log. Let me know what other logs or config would be useful. Thank you
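The post above hinges on how 1_HTTPS_frontend turns a Host header into a backend: the LOCAL_SUBDOMAINS rule runs map_dom over the "local" map file only when the client address matches the src ACL, and the PUBLIC_SUBDOMAINS rule runs it over the "public" map file for everyone. The Python below is an added example, not code from the poster or from OPNsense. It reproduces HAProxy's map_dom semantics (a key matches when it equals a whole, dot-delimited run of labels in the lower-cased Host value; entries are tried in file order and the first hit wins) and the rule order, so the effect of moving a host between the two files can be predicted without a reload. The hostnames under mydomain.dedyn.io and the external address 203.0.113.7 are constructed for the demonstration; the map contents, backend names and subnets are the ones posted in this thread. One caveat the config itself supports: the src ACL sees the real client address only because SSL_backend uses send-proxy-v2 and the 127.4.4.3:443 bind uses accept-proxy; without that pair every request would arrive as 127.x and the local rule would match nobody.

```python
"""Emulate the two use_backend rules of 1_HTTPS_frontend over the posted map files.

Added example, not part of the original post. Reproduces HAProxy's map_dom
lookup and the LOCAL_SUBDOMAINS -> PUBLIC_SUBDOMAINS rule order.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Map file contents exactly as posted: the "local" file lists every host, the
# "public" file only the two meant to be reachable from the internet.
LOCAL_MAP_FILE = """\
# local access only subdomains
iprox iprox_backend
autgtp autgtp_backend
portainer portainer_backend
#public access subdomains
nextcloud nextcloud_backend
truenas truenas_backend
"""
PUBLIC_MAP_FILE = """\
#public access subdomains
nextcloud nextcloud_backend
truenas truenas_backend
"""

# Backend names defined in the posted configuration. A use_backend rule whose
# evaluated name is not a configured backend is ignored and the next rule runs.
BACKENDS = {"truenas_backend", "iprox_backend", "mbfirewall_backend",
            "autgtp_backend", "portainer_backend", "nextcloud_backend",
            "idrac_backend", "testssl"}

# LOCAL_SUBDOMAINS_SUBNETS_condition:  acl ... src 10.1.1.0/24 192.168.0.0/24
# (src is the real client only because of send-proxy-v2 / accept-proxy)
LOCAL_NETS = [ip_network("10.1.1.0/24"), ip_network("192.168.0.0/24")]


def parse_map(text: str) -> List[Tuple[str, str]]:
    """Read an HAProxy map file: 'key value' per line, blank and '#' lines ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        entries.append((key.lower(), value.strip()))
    return entries


LOCAL_MAP = parse_map(LOCAL_MAP_FILE)
PUBLIC_MAP = parse_map(PUBLIC_MAP_FILE)


def map_dom(entries: List[Tuple[str, str]], sample: str) -> Optional[str]:
    """HAProxy 'dom' match: the key equals a contiguous run of the sample's labels.

    'truenas' matches 'truenas.mydomain.dedyn.io' but not 'notruenas.mydomain.dedyn.io'
    (that would need map_sub). Entries are checked in file order; first hit wins.
    """
    labels = sample.split(".")
    for key, value in entries:
        klabels = key.split(".")
        n = len(klabels)
        if any(labels[i:i + n] == klabels for i in range(len(labels) - n + 1)):
            return value
    return None


def route(src: str, host: str) -> Optional[str]:
    """Backend 1_HTTPS_frontend would select; None means no rule matched and,
    with no default_backend on that frontend, HAProxy answers 503."""
    sample = host.lower()                     # req.hdr(host),lower
    # use_backend %[...map_dom(LOCAL)] if LOCAL_SUBDOMAINS_SUBNETS_condition
    if any(ip_address(src) in net for net in LOCAL_NETS):
        chosen = map_dom(LOCAL_MAP, sample)
        if chosen in BACKENDS:
            return chosen
    # use_backend %[...map_dom(PUBLIC)]  -- no condition, always evaluated
    chosen = map_dom(PUBLIC_MAP, sample)
    return chosen if chosen in BACKENDS else None


if __name__ == "__main__":
    for src, host in [("10.1.1.50", "portainer.mydomain.dedyn.io"),
                      ("203.0.113.7", "portainer.mydomain.dedyn.io"),
                      ("203.0.113.7", "truenas.mydomain.dedyn.io"),
                      ("10.1.1.50", "notruenas.mydomain.dedyn.io")]:
        print(f"{src:>12} {host:<32} -> {route(src, host)}")
```

The second case is the access control the two-file layout is meant to give: portainer is only in the local map, so an internet client asking for it gets no backend and a 503 rather than the service. The last case shows why the tutorial uses map_dom rather than a substring match: a label that merely contains a key is not routed.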
Good morning,
I am having some challenge with getting HAproxy to handle internal requests. I am not using unbound for DNS since I have active directory deployed. I did try using unbound with overrides. Externally, HAproxy is working, can access plex from the office and able to access a web page.
I've gone through the tutorial a few times and am assuming that something is missed.
The goal is to use HAProxy internally and externally to encrypt traffic with a real cert. I'd appreciate any help or shove back to what was missed in the tutorial.
First off, you did not provide any sort of error code or error description. Just some "it is not working, help help"...
Sorry, but this is also out of scope of this tutorial.
The DNS override is most likely your issue! Since you are not using Unbound, you are on your own here.
Nextcloud was the only service I was making publicly available. I moved one of my internal services out from local subdomain to public and now I cannot reach it externally.
Please also provide the complete current haproxy config.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 debug
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (listening on 80 and 443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend testssl
# logging options
# Frontend: 1_HTTP_frontend (listening on localhost:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_6451d6d41f14e3.72189927 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_6451d6d41f14e3.72189927
# Frontend: 1_HTTPS_frontend (listening on localhost:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6451dd0fe21db7.63563341.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
option httplog
# ACL: cardav-endpoint
acl acl_6461de0380c7b3.75062629 path /.well-known/carddav
# ACL: caldav-endpoint
acl acl_6461dde5d15634.54704624 path /.well-known/caldav
# ACL: nc_nodeinfo
acl acl_6466fe1b2e8ff2.47035478 path /.well-known/nodeinfo
# ACL: nc_webfinger
acl acl_6466fe303acb97.89104263 path /.well-known/webfinger
# ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
acl acl_6451d1c3d510f5.88841915 src 10.1.1.0/24 192.168.0.0/24
# ACTION: cardav-endpoint
http-request redirect code 301 location /remote.php/dav if acl_6461de0380c7b3.75062629
# ACTION: caldav-endpoint
http-request redirect code 301 location /remote.php/dav if acl_6461dde5d15634.54704624
# ACTION: nc_nodeinfo
http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_6466fe1b2e8ff2.47035478
# ACTION: nc_webfinger
http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_6466fe303acb97.89104263
# ACTION: LOCAL_SUBDOMAINS_rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6451d0414cb7f2.59080919.txt)] if acl_6451d1c3d510f5.88841915
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6451d7a6418a58.11785496.txt)]
# Backend: truenas_backend (NAS backend)
backend truenas_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# WARNING: pass through options below this line
timeout tunnel 3600s
http-reuse safe
server truenas 10.1.1.73 ssl verify none
# Backend: iprox_backend ()
backend iprox_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server iprox 10.1.1.101:8006 ssl verify none
# Backend: mbfirewall_backend ()
backend mbfirewall_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# WARNING: pass through options below this line
timeout tunnel 3600s
http-reuse safe
server mbfirewall 127.0.0.1:55443 ssl verify none
# Backend: autgtp_backend ()
backend autgtp_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server autgtp 10.1.1.113:7070
# Backend: portainer_backend (portainer backend)
backend portainer_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# WARNING: pass through options below this line
timeout tunnel 3600s
http-reuse safe
server portainer 10.1.1.59:9443 ssl alpn h2,http/1.1 verify none
# Backend: nextcloud_backend (nextcloud_backend)
backend nextcloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server nextcloud 10.1.1.59:11000
# Backend: idrac_backend ()
backend idrac_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# WARNING: pass through options below this line
timeout tunnel 3600s
http-reuse safe
server idrac 192.168.0.120 ssl verify none
# Backend: testssl (test1)
backend testssl
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server testSSL 127.4.4.3 send-proxy-v2 check-send-proxy
# statistics are DISABLED
Shoot. I thought I put a note in there about logs... :-[
Outside of the informational log, there is nothing logged. In the informational, I see connections originating from the outside. Nothing for hitting this particular internal IP/host, no error. Logs accessed from Services/HAProxy/Logs, enabled all. Nothing here is pertinent near as I can tell. When this internal (BMC) resource loads, I see an unsigned cert which tells me it is not hitting haproxy.
When I access plex, it originates from lan IP then hits the public IP and I can see this logging client IP, it loads. This works from inside/outside. My other external service also works inside/outside. An override with plex
I created a backend, server, and map file for internal services.
I've tried with and without Unbound, with and without overrides. Right now I am using Unbound; OPNsense is my DNS. It loads... I attempt to access the web service... I get a self-signed cert. This is the head scratcher: same result whether I use AD or Unbound DNS, so I am assuming something I've missed.
What I am really after is 'what did I miss in the configuration' because I'll be setting up another HAproxy box targeted at internal only resources as well.
So, AD DNS is not in the picture, in this context, I am in the same spot.
I'll take another stroll through the tutorial.
I created a backend, server, and map file for internal services.
I've tried with and without unbound. With and without overrides. Right now I am using unbound, opnsense is my DNS. It loads...attempt to access the web service...I get a self signed cert. This is the head scratcher, same result whether I use AD or Unbound DNS so assuming something I've missed.
What I am really after is 'what did I miss in the configuration' because I'll be setting up another HAproxy box targeted at internal only resources as well.
So, AD DNS is not in the picture, in this context, I am in the same spot.
I'll take another stroll through the tutorial.
Sorry I still don't know what your issue is exactly now?
Your text is very confusing to read.
What I took from it is that the internal and external accesses are working but it is not presenting a trusted cert?
External works perfect inside and outside. Get a lets encrypt cert. We're happy, nothing to do.
Internally? I get a self signed cert, nothing is logged in HAProxy.
I went through the tutorial again last night. Step 7.2 for the FQDN rule...I see you have a domain value, but I am unable to save this condition because my domain is not a valid ipv4 address?
I can plug in 'my.test.com', it will accept and tests out OK. If I use 'lan.scobar.pw', it will not accept the value, gives error below. Outside of informational log, nothing is recorded.
[NOTICE] (67194) : haproxy version is 2.6.13-234aa6d
[NOTICE] (67194) : path to executable is /usr/local/sbin/haproxy
[ALERT] (67194) : config : parsing [/usr/local/etc/haproxy.conf.staging:73] : error detected while parsing ACL 'acl_64685bef85c4e2.08714329' : 'lan.scobar.pw' is not a valid IPv4 or IPv6 address.
[ALERT] (67194) : config : parsing [/usr/local/etc/haproxy.conf.staging:78] : error detected while parsing switching rule : no such ACL : 'acl_64685bef85c4e2.08714329'.
[ALERT] (67194) : config : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] (67194) : config : Fatal errors found in configuration.
This is the solution.
Quote: 4. However, in your scenario you didn't configure your apache real server correctly since you left the port blank and didn't tell haproxy if the real server expects SSL or not.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log 0.0.0.0 local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: SNI_frontend ()
frontend SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
# logging options
option tcplog
# ACL: TCP_SSL_condition
acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
# ACL: TCP_server1_condition
acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1
# ACL: TCP_server2_condition
acl acl_644c5719768e71.87060950 req.ssl_sni -m sub -i domain2
# ACTION: TCP_RequestInspectDelay_rule
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5s
# ACTION: TCP_RequestContentAccept_rule
tcp-request content accept if acl_644c56b6785678.47181279
# ACTION: TCP_SERVER1_rule
use_backend TCP_SERVER1_backend if acl_644c5700ee7657.09485748
# ACTION: TCP_SERVER2_rule
use_backend TCP_SERVER2_backend if acl_644c5719768e71.87060950
# Frontend: HTTP_frontend ()
frontend HTTP_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
# logging options
option tcplog
# ACL: http_server1_condition
acl acl_6457247ca14984.71641345 hdr_sub(host) -i domain1
# ACL: http_server2_condition
acl acl_64572496aeac32.73416688 hdr_sub(host) -i domain2
# ACTION: http_server1_rule
use_backend TCP_SERVER1_backend if acl_6457247ca14984.71641345
# ACTION: http_server2_rule
use_backend TCP_SERVER2_backend if acl_64572496aeac32.73416688
# Backend: TCP_SERVER1_backend ()
backend TCP_SERVER1_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server server1_server 192.168.1.234
# Backend: TCP_SERVER2_backend ()
backend TCP_SERVER2_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server server2_server 192.168.1.217
# Backend (DISABLED): TCP_SERVER3_backend ()
# statistics are DISABLED
No More Free Support
Due to the increasing number of support requests I've been receiving, both directly in the topic and via DM, I regret to inform that I can no longer provide free assistance. Balancing my real job and personal life has become extremely challenging. While I genuinely want to help everyone resolve their issues to get things up and running smoothly, I find it difficult to allocate the necessary time without sacrificing my personal commitments.
In addition, it has come to my attention that some individuals seeking help are not thoroughly reading the provided tutorial or lack the fundamental knowledge of networking. This has been a recurring issue and has made the support process increasingly frustrating.
I sincerely appreciate your interest in my expertise and if you would like to receive my assistance, I am more than happy to provide you with the details via DM.
Thank you for your understanding in this matter,
TheHellSite
I'm having problems with my certificate not renewing, automatically and manually. I get the error 'domain validation failed (dns01)' in the 'System log' tab under ACME. I haven't changed my DNS hostname and it can still be accessed from the web (albeit with the 'NET::ERR_CERT_DATE_INVALID' error), including from the SSL Labs server certificate test website. I haven't made any recent changes to my HAProxy config either.
I thought maybe my internal DNS was a problem since I have query forwarding enabled in Unbound that redirects to the DNSCrypt-Proxy app in OPNsense, so I tried disabling it so that my ISP's DNS is used instead and the same thing happened. I also tried resetting the ACME client under Settings and again the same thing happened when I tried to manually renew.
What else should I try, or what other info do I need to give for troubleshooting?
TheHellSite has provided a great, extremely handy tutorial here, so thank you for that. Very much appreciated.
He does get annoyed when people don't know what they are talking about. But at the same time, if someone knows all these things they wouldn't be here for help. So I don't get that. But it does suck up your time, so either way I get it.
Not trying to speak for the man but my humble view is different. That is that he doesn't get annoyed when people don't know what they're talking about or ask for assistance except when they think they can just do their own setup, different to his tutorial and asking why is not working. As if it was generic haproxy help thread.
He has made the point several times that he'd help to get it working _as per tutorial_, and people have continued deviating from it and coming to this thread for help.
I'd call it fair. According to the header, the thread has been read 171056 times as of now. 37 pages of assistance.
Totally fair, and above and beyond. Helped me solve a long-standing goal of mine. I was thinking of starting a similar thread, but maybe not a good idea if I do not even know the basics.
Thank you.
Is it possible to use 1 public IP for the Public Service that will be used by different subdomains with port 80 as their port?
sub1.domain.com Real Server 172.16.100.20 Port 80
sub2.domain.com Real Server 172.16.100.21 Port 80
sub3.domain.com Real Server 172.16.100.22 Port 80
with the condition prefix base on the subdomain
Public Service has the public IP 443 and 80
I was actually trying this setup but it end up loading the same content on all subs.
Just a heads-up for everyone posting here. The author updated the post with the following:
Quote: No More Free Support
Due to the increasing number of support requests I've been receiving, both directly in the topic and via DM, I regret to inform that I can no longer provide free assistance. Balancing my real job and personal life has become extremely challenging. While I genuinely want to help everyone resolve their issues to get things up and running smoothly, I find it difficult to allocate the necessary time without sacrificing my personal commitments.
In addition, it has come to my attention that some individuals seeking help are not thoroughly reading the provided tutorial or lack the fundamental knowledge of networking. This has been a recurring issue and has made the support process increasingly frustrating.
I sincerely appreciate your interest in my expertise and if you would like to receive my assistance, I am more than happy to provide you with the details via DM.
Thank you for your understanding in this matter,
TheHellSite
But perhaps someone else has a solution to my problem. I have had HAProxy up and running for a few months, and it was working fine. In May I added a local domains map file for a site. Now I have deleted the map file and removed all the local domain map file rules etc. But now my public domains aren't available from my internal network anymore (they work from external access).
I've gone through the setup and everything seems fine, and I haven't changed anything in the domain override in Unbound.
https://ibb.co/vkGLPGF (https://ibb.co/vkGLPGF)
Any suggestions where the conflict might be located? What else blocks internal access to my public domains?
Is it possible to use 1 public IP for the Public Service that will be used by different subdomains with port 80 as their port?
sub1.domain.com Real Server 172.16.100.20 Port 80
sub2.domain.com Real Server 172.16.100.21 Port 80
sub3.domain.com Real Server 172.16.100.22 Port 80
with the condition prefix base on the subdomain
Public Service has the public IP 443 and 80
I was actually trying this setup but it end up loading the same content on all subs.
Yes it is possible.
I would love to learn how to do it, because I've been stuck with the content of my other VM, which should be on another subdomain, showing up on the other subdomain.
You can of course also use the predefined "Source IP is local" condition.
Part 7 - Advanced Configuration: local-access-only subdomains
Imagine you have a service that you would like to access / protect using your brand new reverse proxy without making it available on the internet?
Well, HAProxy has got you covered!
- In your OPNsense go to: Services --> HAProxy --> Settings --> Advanced --> Map Files
Here you need to clone the "PUBLIC_SUBDOMAINS_mapfile", rename it to f.e. "LOCAL_SUBDOMAINS_mapfile" and add all your local-access-only subdomains along with their corresponding backends.
Keep in mind that the content of your "PUBLIC_SUBDOMAINS_mapfile" also has to be put in the "LOCAL_SUBDOMAINS_mapfile"! I will explain why later.
(https://i.postimg.cc/hJvmymwR/P007-001-HAProxy-Map-Files-Local-Subdomains.png) (https://postimg.cc/hJvmymwR)
- Next go to: Services --> HAProxy --> Settings --> Rules & Checks --> Conditions
Now you need a condition that detects if the source of the request is a local IP or a FQDN.
You can of course also use the predefined "Source IP is local" condition.
I am however using only specific subnets since the predefined condition is using the entire RFC1918 IP range, which I don't need!
(https://i.postimg.cc/PPMcSxX5/P007-002-HAProxy-Conditions-Local-Subdomains-Subnets.png) (https://postimg.cc/PPMcSxX5)
As I just said you can also check for a FQDN.
But please keep in mind that HAProxy resolves those hostnames to their IPs and then checks them. But the resolving is only done once during the start / restart of HAProxy.
So if the IP of your FQDN is changing regularly this won't work very well, except if you restart your HAProxy using a cron job like every 24 hours or so.
(https://i.postimg.cc/3dhVjpHq/P007-003-HAProxy-Conditions-Local-Subdomains-FQDN.png) (https://postimg.cc/3dhVjpHq)
- Next go to: Services --> HAProxy --> Settings --> Rules & Checks --> Rules
Here you need to clone the "PUBLIC_SUBDOMAINS_rule", rename it to f.e. "LOCAL_SUBDOMAINS_rule", select your "LOCAL_SUBDOMAINS_SUBNETS_condition" and select your "LOCAL_SUBDOMAINS_mapfile".
If you are also using a FQDN condition, like I do, you will need to select both your FQDN and your subnet condition together with the logical "or" operator!
(https://i.postimg.cc/64JGpmQB/P007-004-HAProxy-Rules-Local-Subdomains.png) (https://postimg.cc/64JGpmQB)
- Next go to: Services --> HAProxy --> Settings --> Virtual Services --> Public Services
The last thing left to do is to place the "LOCAL_SUBDOMAINS_rule" before your in your "HTTPS_frontend".
Attention!
Remember that I told you to also put the content of your "PUBLIC_SUBDOMAINS_mapfile" in the "LOCAL_SUBDOMAINS_mapfile"?
This is because HAProxy is processing the rules in the frontends based on the order they appear!
So if you place your "PUBLIC_SUBDOMAINS_rule" before your "LOCAL_SUBDOMAINS_rule" in the frontend configuration, you won't get access to your local-access-only subdomains.
Vice versa this will also happen and you will no longer have access to your public subdomains.
To avoid this you have to also put the content of your "PUBLIC_SUBDOMAINS_mapfile" in the "LOCAL_SUBDOMAINS_mapfile" and place their rules in the correct order.
The correct way of placing both rules is like this.
(https://i.postimg.cc/4KMmdS3m/P007-005-HAProxy-Frontends-HTTPS-Rule-Order.png) (https://postimg.cc/4KMmdS3m)
- Done!
You should now still have access to your public subdomains from any network and also have access to your local-access-only subdomains from the locations you defined.
First of all...thank you so so much for this extensive guide! It was awesome and extremely helpful. I got everything working first time without a hitch! I sent ya *some* beer just now! Whatever you can buy with what I sent :)
I am writing because I saw a typo in section 4 of Part 7 I quoted above.
You wrote:
The last thing left to do is to place the "LOCAL_SUBDOMAINS_rule" before your in your "HTTPS_frontend"
And I think you meant to write:
The last thing left to do is to place the "LOCAL_SUBDOMAINS_rule" before your "PUBLIC_SUBDOMAINS_rule" in your "HTTPS_frontend"
Thanks again for everything!
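The Part 7 map-file setup written out by hand, added here as an illustration; it is neither the tutorial author's configuration nor the plugin's generated output. The hostnames, backend names, map-file paths, subnets and certificate list are placeholders, and the HTTPS frontend is shown in the tutorial's two-frontend shape, listening on the loopback address behind the SNI frontend with PROXY protocol.

```haproxy
# --- LOCAL_SUBDOMAINS_mapfile (placeholder path /tmp/haproxy/mapfiles/local.txt) ---
# One "<hostname> <backend>" pair per line. map_dom() matches whole dot-delimited
# domain components, so list full hostnames: a line for the bare "example.com"
# would also match every *.example.com request.
# The public entries are repeated here on purpose, as the Attention box requires.
cloud.example.com   nextcloud_backend
plex.example.com    plex_backend
idrac.example.com   idrac_backend
truenas.example.com truenas_backend

# --- PUBLIC_SUBDOMAINS_mapfile (placeholder path /tmp/haproxy/mapfiles/public.txt) ---
cloud.example.com   nextcloud_backend
plex.example.com    plex_backend

frontend 1_HTTPS_frontend
    # 0_SNI_frontend forwards here with send-proxy-v2; accept-proxy restores the
    # real client address, so "src" below sees the LAN client and not 127.x.
    bind 127.4.4.3:443 accept-proxy ssl crt-list /tmp/haproxy/ssl/example.certlist alpn h2,http/1.1
    mode http
    option forwardfor

    # Only these subnets are treated as local (placeholder values).
    acl LOCAL_SUBDOMAINS_SUBNETS_condition src 10.1.1.0/24 192.168.0.0/24

    # Rule order as the tutorial prescribes: the conditional local rule first,
    # the unconditional public rule second.
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/local.txt)] if LOCAL_SUBDOMAINS_SUBNETS_condition
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/public.txt)]

backend idrac_backend
    mode http
    timeout tunnel 3600s
    # "verify none" skips validation of the BMC's certificate, which is how the
    # configs in this thread handle self-signed backends. Prefer "ca-file" with
    # "verify required" wherever the backend has a certificate you can pin.
    server idrac 192.168.0.120 ssl verify none
```

Checked from a LAN client, idrac.example.com is resolved through the local map. The same name requested from the internet only reaches the public rule, which has no entry for it; with no default_backend configured HAProxy answers 503, which is the intended outcome for a local-only name.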
Error configd.py [85b23125-6c10-4561-81f5-f28b4ca64c4e] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py actions --output bootgrid --page-rows '10' --page '1' --search '' --sort-col '' --sort-dir ''' returned non-zero exit status 1. at
Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/actions/script_output.py", line 44, in execute
    subprocess.check_call(script_command, env=self.config_environment, shell=True,
  File "/usr/local/lib/python3.9/subprocess.py", line 373, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py actions --output bootgrid --page-rows '10' --page '1' --search '' --sort-col '' --sort-dir ''' returned non-zero exit status 1.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_64b0212a904331.12997942 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_64b0212a904331.12997942
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: Cloud_backend ()
backend Cloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Cloud 10.7.0.206:80
# Backend: Webserver_backend ()
backend Webserver_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server webserver 10.7.0.204:80
# statistics are DISABLED
@TheHellSite
Maybe you would also like to know how to enable WebSockets on your frontend(s) if your incoming clients are looking for them. WebSockets are basically used, for example, for streaming services over the web. I was looking for so long for how to resolve my problem of making HAProxy work with Synology's DS Cam Android app, which tries to connect remotely to the Synology Surveillance Station NAS behind HAProxy, and I finally found out. You have to insert the following on your frontend (where you have to replace <myBackend(Pool)> with your corresponding backend, of course):
Code:
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
use_backend <myBackend(Pool)> if is_websocket
Here's the link to my original and solved issue:
https://www.synoforum.com/threads/connecting-synology-ds-cam-android-app-to-synology-surveillance-station-through-opnsense-haproxy-plugin.7969/ (https://www.synoforum.com/threads/connecting-synology-ds-cam-android-app-to-synology-surveillance-station-through-opnsense-haproxy-plugin.7969/)
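A host-scoped variant of that rule, added as an example and not taken from the poster's or the tutorial's configuration (the host name, backend name, address, map-file path and certificate list are placeholders): the Upgrade check is tied to the one host that needs it, the rule sits before the map-file rule, and the backend gets a tunnel timeout for the long-lived connection.

```haproxy
frontend 1_HTTPS_frontend
    bind 127.4.4.3:443 accept-proxy ssl crt-list /tmp/haproxy/ssl/example.certlist alpn h2,http/1.1
    mode http
    option forwardfor

    acl is_websocket hdr(Upgrade) -i websocket
    acl is_cam       hdr(host)    -i cam.example.com

    # Scoped to the camera host. An unscoped "use_backend X if is_websocket"
    # placed above the map rule would send every WebSocket upgrade from every
    # subdomain (Home Assistant, Emby, ...) to the camera backend.
    use_backend cam_backend if is_websocket is_cam
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/public.txt)]

backend cam_backend
    mode http
    # After the 101 Switching Protocols reply the connection is a tunnel;
    # "timeout tunnel" governs it instead of the 30s client/server timeouts
    # from the defaults section, which would otherwise cut the stream.
    timeout tunnel 3600s
    # Surveillance Station on its HTTPS port (placeholder). "verify none"
    # skips validation of its certificate, as elsewhere in this thread.
    server cam 10.1.1.80:5001 ssl verify none
```

If cam.example.com already points at cam_backend in the map file, the extra use_backend rule is redundant: HAProxy passes the Upgrade handshake through in http mode on its own, and the tunnel timeout is the part that matters for a stream that must stay open.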
Hi all,
I'm curious if I can use this method for internal running services (jails on freenas) without exposing them outside.
I can force the DNS override so I resolve them with fqdn from LAN but I can't make HAproxy work and serve the Certificate for them. I already got certificates for all instances in acme (jail1.domain.x, jail2.domain.x)
thank you in advance
1. You dont need to use virtual IP's.
2. Use map files {Advanced --> Map files}
1. You dont need to use virtual IP's.
I totally get your point! This makes indeed sense but I think only if you have a static WAN IP.
As it would break the access from internal networks to the external URLs "service.subdomain.mydomain.tld" if one enabled that access using DNS rewrite rules. I am not aware of a way to rewrite DNS entries in Unbound to the WAN interface address.
With NAT reflection your way of setting this up can of course work.
2. Use map files {Advanced --> Map files}
I haven't used those yet but looks very promising!
This really makes sense in a big environment with lots of subdomains.
Thank you for pointing this out! I will add it to the FAQ. :)
Hey there and thank you so, so much for this great tutorial! It gave me exactly what I needed!
Yet there is a reason why I'm quoting this particular post.
Configuration made basing on your tutorial was working flawlessly on version 23.7.1 (os-haproxy 4.0, haproxy26 2.6.14), but after update to 23.7.2 and haproxy26 2.6.15 HAProxy service was failing to start.
I followed sorano's suggestion to not use virtual ip and bingo! That was it (it took me hours to find out where the issue is, as there were no message in logs - just a startup failure of HAProxy).
Maybe it would be good to add an annotation or a second way to configure HTTPS_frontend?
I can confirm that it works flawlessly with dynamic WAN ip.
Once again thank you very much and @sorano too :)
Cheers
Paweł
Could you tell us how to enable websocket on HAProxy?
Emby and Home Assistant don't work completely without them.
Since last week I've been getting this: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING when trying to log into my opnsense server, any quick fix for this? Thanks
Since last week I've been getting this: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING when trying to log into my opnsense server, any quick fix for this? Thanks
User specific issue.
Working fine here on more than 6 different instances of OPNsense + HAProxy configured as per tutorial.
And, as always, not even a HAProxy config export included, must be hard to read the first post...
Since last week I've been getting this: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING when trying to log into my opnsense server, any quick fix for this? Thanks
My guess is this is somehow related to Firefox. Could be a coincidence, but I did a fresh configuration of HAProxy following the guide today and had the same error on Firefox initially when loading the pages. When using Chromium, everything works as expected (except random 503 errors, but this is another topic ...). Nothing in the error / log files.
Maybe this helps for troubleshooting. For completeness, I have attached my config file.
BTW, @TheHellSite: Do you have another way of giving beers other than buymeacoffee? It uses stripe which some of us (including me) might not have. I would like to sponsor the effort! :)
Hello TheHellSite,
I have recently switched back to using OPNsense and HAProxy and again used your tutorial.
As I mainly use IPv6 today, I had to slightly modify two steps to make it work with my setup:
Part 4 - System preparation
Step 4: To allow IPv4 and IPv6 with the same firewall rule, all I had to do was change "TCP/IP Version" from "IPv4" to "IPv4+IPv6":
(https://i.postimg.cc/gn71c4T2/OPNsense-Firewall-rule.png) (https://postimg.cc/gn71c4T2)
Part 5 - HAProxy configuration
Step 10: To make HAProxy listen on ports 80 and 443 on its IPv6 as well as IPv4 addresses, all I had to add here was "[::]:80" and "[::]:443":
(https://i.postimg.cc/hX0NBgTV/HAPRoxy-SNI-Frontend.png) (https://postimg.cc/hX0NBgTV)
After applying these changes, I can now securely access my services behind HAproxy from IPv4 and IPv6 networks.
Do you think you could add these changes to your tutorial? Anyway, thanks for all your work :)
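The dual-stack listener in configuration form, added here as an example rather than copied from the poster's screenshots: the SNI frontend accepts both address families and hands everything to the loopback frontends as the tutorial does, and the local-subnet ACL gains an IPv6 prefix. The subnets, the ULA prefix, the map-file paths and the certificate list are placeholders.

```haproxy
frontend 0_SNI_frontend
    # Four sockets: IPv4 and IPv6 on each port. On systems that allow
    # dual-stack sockets, "bind :::443 v4v6" would take both families on one
    # socket, but explicit binds are easier to audit.
    bind 0.0.0.0:80
    bind 0.0.0.0:443
    bind [::]:80
    bind [::]:443
    mode tcp
    default_backend SSL_backend

backend SSL_backend
    mode tcp
    # No port on the server line: the port the client connected to (80 or 443)
    # is reused, so the loopback HTTP and HTTPS frontends each get their own
    # traffic. PROXY v2 carries the original source, IPv4 or IPv6, along.
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy

frontend 1_HTTPS_frontend
    bind 127.4.4.3:443 accept-proxy ssl crt-list /tmp/haproxy/ssl/example.certlist alpn h2,http/1.1
    mode http
    option forwardfor
    # "src" is now the real client's address, which may be IPv6. An IPv4-only
    # subnet list never matches such clients, so a local-only rule would
    # silently fail for them: add the LAN's IPv6 prefix (placeholder ULA here).
    acl LOCAL_SUBDOMAINS_SUBNETS_condition src 10.1.1.0/24 192.168.0.0/24 fd12:3456:789a::/48
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/local.txt)] if LOCAL_SUBDOMAINS_SUBNETS_condition
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/public.txt)]
```

The firewall rule from Part 4 must allow both families as well (the "IPv4+IPv6" setting the poster describes), otherwise the [::] binds sit behind a closed door.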
was wondering if anyone can lend a hand.
I am trying to get the Collabora CODE server running behind HAProxy. I followed the guide and got Nextcloud up. But I am unsure how to translate the Apache proxy pass rules from the link below into the GUI form of HAProxy.
https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html#id1
thanks all
Please read the first post. This isn't a thread for HAProxy support.
curl -vvvv http://test.thisismydomain.com
* Trying 10.0.1.1:80...
* Connected to test.thisismydomain.com (10.0.1.1) port 80 (#0)
> GET / HTTP/1.1
> Host: test.thisismydomain.com
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< content-length: 0
< location: https://test.thisismydomain.com/
<
* Connection #0 to host test.thisismydomain.com left intact
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62741 to 10.0.1.1:443 (1_HTTPS_frontend/HTTP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62741 to 10.0.1.1:443 (1_HTTPS_frontend/HTTP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62742 to 10.0.1.1:80 (0_SNI_frontend/TCP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62741 to 10.0.1.1:443 (0_SNI_frontend/TCP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62740 to 10.0.1.1:80 (0_SNI_frontend/TCP)
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_64f0ce32710c92.22370601 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_64f0ce32710c92.22370601
# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64f0da0792f405.45981915.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
# ACL: LOCAL_SUBNETS_condition
acl acl_64f0df6633f1c3.71515106 src_is_local
# ACTION: LOCAL_SUBDOMAINS_rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64f0ded2f1b488.73578425.txt)] if acl_64f0df6633f1c3.71515106
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_SERVER 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: test_backend ()
backend test_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server test 10.0.1.110:49005
# statistics are DISABLED
Not really asking for help so much that I'm curious if anyone else has had to recently turn off OCSP stapling in order to get their services not to error in Firefox? This was working fine for a year and I've not changed a single setting in HAProxy or ACME, but all of a sudden now it doesn't work properly and I've since had to disable it to get my services accessible in Firefox again. I've dug around and cannot find a clear answer as to why.
Am I the only one ?
Thank you so much for this tutorial.
I do have (hopefully) a quick question and went through 20-some pages to see if it's been asked.
I have all my subdomains working perfectly, however how do I set my example.com domain?
I have all my services under service.example.com and want a website at example.com.
I'm sure it's something I am overlooking. Like do I put something in my Map file?
Thank you again
Hello... another pfsense refugee here.
Still working on getting everything working how I want and tonight's project was wrangling haproxy. I am having a problem with https redirect so I followed the tutorial in this thread with no success.
When an https client hits haproxy, it works as expected.
When an http client hits haproxy, I get the following error in the haproxy log:
ssl_redirect/[::]:80: Received something which does not look like a PROXY protocol header
This is my present config export:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 1
hard-stop-after 60s
no strict-limits
tune.ssl.default-dh-param 2048
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: https ()
frontend https
bind 0.0.0.0:443 name 0.0.0.0:443 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6554226ca7c6c4.56456894.certlist
bind [::]:443 name [::]:443 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6554226ca7c6c4.56456894.certlist
mode http
option http-keep-alive
option forwardfor
# logging options
# ACTION: sni_translation
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/65542596a04585.83628685.txt)]
# Frontend: ssl_redirect ()
frontend ssl_redirect
bind 0.0.0.0:80 name 0.0.0.0:80 accept-proxy
bind [::]:80 name [::]:80 accept-proxy
mode http
option http-keep-alive
# logging options
# ACTION: ssl_redirect
# NOTE: actions with no ACLs/conditions will always match
http-request redirect scheme https code 301
# Backend: x_openvpn_as ()
backend x_openvpn_as
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server x_openvpn_as 10.11.23.2:443 ssl verify none
# Backend: webui ()
backend webui
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server webui 127.0.0.1:1443 ssl verify none
# statistics are DISABLED
Any ideas or guidance are welcome and appreciated. Thank you.
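The error quoted in the post above is HAProxy's complaint that an `accept-proxy` bind read something other than a PROXY protocol header as the first bytes of the connection. The following is an added example (not HAProxy code and not part of the OPNsense plugin) that builds and decodes the v2 header a `send-proxy-v2` server line emits, and classifies the first bytes of a connection so the log line can be traced to its cause: a browser or TLS client that reached the `accept-proxy` listener directly instead of through the relaying frontend. Wire layout follows HAProxy's proxy-protocol.txt; the sample connections are constructed, not captured; all function names are this example's own.

```python
"""PROXY protocol v2 on the wire.

Added example for the error quoted in the post above; this is not HAProxy's
code and not part of the OPNsense plugin. It follows the v2 wire format from
HAProxy's proxy-protocol.txt (12-byte signature, version/command byte,
family/protocol byte, 16-bit length, then the addresses). The sample
connections at the bottom are constructed, not captured.
"""
import socket
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # 12 bytes; nothing a browser sends starts like this


def build_proxy_v2(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Header that a `server ... send-proxy-v2` line emits for a TCP/IPv4 client."""
    ver_cmd = 0x21      # high nibble: version 2, low nibble: command PROXY
    fam_proto = 0x11    # AF_INET (0x1x) over SOCK_STREAM (0xx1)
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    return V2_SIG + struct.pack("!BBH", ver_cmd, fam_proto, len(addrs)) + addrs


def parse_proxy_v2(data: bytes) -> dict:
    """Decode what an `accept-proxy` bind reads first (TCP/IPv4 only here)."""
    if not data.startswith(V2_SIG):
        raise ValueError("no PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or fam_proto != 0x11:
        raise ValueError("only version 2, AF_INET/STREAM is handled here")
    body = data[16:16 + length]
    src_port, dst_port = struct.unpack("!HH", body[8:12])
    return {
        "src": f"{socket.inet_ntoa(body[0:4])}:{src_port}",
        "dst": f"{socket.inet_ntoa(body[4:8])}:{dst_port}",
        "payload": data[16 + length:],   # the TLS ClientHello or HTTP request follows
    }


HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH")


def classify_first_bytes(data: bytes) -> str:
    """What the peer actually sent first. accept-proxy tolerates only the first two."""
    if data.startswith(V2_SIG):
        return "proxy-v2"
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"   # a TLS client reached the accept-proxy bind directly
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "plain-http"         # a browser reached an accept-proxy :80 bind directly
    return "unknown"


def explain(data: bytes) -> str:
    """Turn the classification into the log line's likely cause."""
    kind = classify_first_bytes(data)
    if kind in ("proxy-v2", "proxy-v1"):
        return "ok: PROXY header present, accept-proxy will take it"
    return (f"rejected ({kind}): the connection did not come through a "
            f"send-proxy-v2 server, so the accept-proxy bind sees client data first")


if __name__ == "__main__":
    # constructed sample: what the relaying frontend sends vs. what a direct client sends
    relayed = build_proxy_v2("203.0.113.7", 41647, "127.4.4.3", 443) + b"\x16\x03\x01\x02\x00"
    direct = b"GET / HTTP/1.1\r\nHost: service.example.com\r\n\r\n"
    print(parse_proxy_v2(relayed)["src"], "->", explain(relayed))
    print(explain(direct))
```

The practical consequence for the config above: the `ssl_redirect` frontend binds `0.0.0.0:80` and `[::]:80` with `accept-proxy`, so a browser's `GET / HTTP/1.1` is the first thing HAProxy reads on port 80, which is exactly the `plain-http` case. `accept-proxy` belongs only on binds that are reached through a `send-proxy-v2` server line.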
2_HTTPS_Frontend/192.168.1.43:443: Received something which does not look like a PROXY protocol header
PR_END_OF_FILE_ERROR
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 2
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_Frontend (Listening on 0.0.0.0:443 and 0.0.0.0:80)
frontend 0_SNI_Frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
option tcplog
# Frontend: 1_HTTP_Frontend (Listening on 127.0.0.1:80)
frontend 1_HTTP_Frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_655d4c7f77c559.77912446 ssl_fc
# ACTION: HTTPtoHTTPS
http-request redirect scheme https code 301 if !acl_655d4c7f77c559.77912446
# Frontend: 2_HTTPS_Frontend (Listening on WAN IP:443)
frontend 2_HTTPS_Frontend
http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
bind 192.168.1.43:443 name 192.168.1.43:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/655d518eb205a6.14872799.certlist
mode http
option http-keep-alive
option forwardfor
# logging options
option log-separate-errors
option httplog
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/655d4cef9a0796.78380664.txt)]
# Backend: SSL_backend (SSL Backend)
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: Proxmox_backend (Proxmox Backend)
backend Proxmox_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Proxmox_server 172.16.1.1:8006
# statistics are DISABLED
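In the config quoted above, `2_HTTPS_Frontend` binds `192.168.1.43:443` with `accept-proxy`, while the only `send-proxy-v2` server points at `127.0.0.1`, so HTTPS connections relayed by `0_SNI_Frontend` go to `127.0.0.1:443` where nothing listens, and LAN clients that reach `192.168.1.43:443` directly hit an `accept-proxy` bind without a PROXY header. Both mismatches are mechanical enough to check. The following is an added example (not HAProxy or OPNsense plugin code) that parses the relevant subset of a generated config and reports those pairing errors; the two embedded configs are constructed, trimmed versions of the exports in this thread, and the function names are this example's own.

```python
"""Consistency check for the two-tier layout this thread uses: a tcp-mode SNI
frontend on the public ports relays every connection, with a PROXY v2 header,
to loopback frontends that bind with accept-proxy.

Added example, not code from HAProxy or the OPNsense plugin. It reads the
subset of the generated config that matters here (frontend/backend, mode,
bind, default_backend, server) and reports the pairings that produce
"Received something which does not look like a PROXY protocol header".
"""

WILDCARD = ("0.0.0.0", "::")


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def parse(cfg: str) -> dict:
    """Return {'frontends': {name: ...}, 'backends': {name: ...}} for the subset we check."""
    out = {"frontends": {}, "backends": {}}
    cur = None
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] in ("frontend", "backend"):
            cur = {"name": tok[1], "mode": "http", "binds": [], "servers": [],
                   "default_backend": None}
            out[tok[0] + "s"][tok[1]] = cur
        elif cur is None:
            continue                      # global/defaults: nothing we need
        elif tok[0] == "mode":
            cur["mode"] = tok[1]
        elif tok[0] == "default_backend":
            cur["default_backend"] = tok[1]
        elif tok[0] == "bind":
            addr, port = tok[1].rsplit(":", 1)
            cur["binds"].append({"addr": addr.strip("[]"), "port": int(port),
                                 "accept_proxy": "accept-proxy" in tok[2:]})
        elif tok[0] == "server":
            addr, _, port = tok[2].rpartition(":")
            if not addr:                  # "server x 127.0.0.1 ..." carries no port
                addr, port = port, ""
            cur["servers"].append({"addr": addr.strip("[]"),
                                   "port": int(port) if port else None,
                                   "send_proxy": any(o.startswith("send-proxy") for o in tok[3:])})
    return out


def check(cfg: str) -> list:
    """Findings as strings; an empty list means the PROXY plumbing is paired up."""
    cfgd = parse(cfg)
    findings = []
    fed = set()   # (addr, port) pairs that will receive a PROXY header
    for fe in cfgd["frontends"].values():
        be = cfgd["backends"].get(fe["default_backend"])
        if be is None:
            continue
        for srv in be["servers"]:
            if not srv["send_proxy"]:
                continue
            # a server without a port reuses the port the client connected to,
            # so the SNI frontend's 80 and 443 both land on the loopback address
            ports = [srv["port"]] if srv["port"] else [b["port"] for b in fe["binds"]]
            fed.update((srv["addr"], p) for p in ports)
    listeners, wild_ports = set(), set()
    for fe in cfgd["frontends"].values():
        for b in fe["binds"]:
            if not b["accept_proxy"]:
                continue
            listeners.add((b["addr"], b["port"]))
            if b["addr"] in WILDCARD:
                wild_ports.add(b["port"])
            if b["addr"] in WILDCARD or not is_loopback(b["addr"]):
                findings.append(f"{fe['name']}: accept-proxy on reachable bind "
                                f"{b['addr']}:{b['port']}; any client that connects "
                                f"directly is rejected with the PROXY header error")
            paired = (any(p == b["port"] for _, p in fed) if b["addr"] in WILDCARD
                      else (b["addr"], b["port"]) in fed)
            if not paired:
                findings.append(f"{fe['name']}: accept-proxy bind {b['addr']}:{b['port']} "
                                f"is not the target of any send-proxy server")
    for addr, port in sorted(fed):
        if (addr, port) not in listeners and port not in wild_ports:
            findings.append(f"send-proxy target {addr}:{port} has no accept-proxy listener")
    return findings


# constructed: the layout from the config above (HTTPS frontend bound on a LAN address)
EXAMPLE_BROKEN = """
frontend 0_SNI_Frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend
frontend 1_HTTP_Frontend
    bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
    mode http
frontend 2_HTTPS_Frontend
    bind 192.168.1.43:443 name 192.168.1.43:443 accept-proxy ssl crt-list /tmp/example.certlist
    mode http
backend SSL_backend
    mode tcp
    server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
"""

# constructed: the tutorial layout, every HTTP frontend behind the SNI frontend on 127.4.4.3
EXAMPLE_WORKING = """
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
frontend 1_HTTPS_frontend
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl alpn h2,http/1.1 crt-list /tmp/example.certlist
    mode http
backend SSL_backend
    mode tcp
    server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy
"""

if __name__ == "__main__":
    for label, cfg in (("broken", EXAMPLE_BROKEN), ("working", EXAMPLE_WORKING)):
        print(label, check(cfg) or ["ok"])
```

Run it against your own export (Services > HAProxy > Settings > Export) before restarting; a clean result only says the PROXY plumbing is consistent, not that the firewall or NAT rules deliver traffic to the SNI frontend rather than straight to the loopback binds.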
nano /usr/local/AdGuardHome/AdGuardHome.yaml
http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:81
  session_ttl: 720h
I've been using this for months and really like it... but has anyone tried adding another domain? What steps would I need to take?
For now the PUBLIC_SUBDOMAINS_rule is used to "Map domains to backends using a map file" and
Test Type is "IF", conditions are "Nothing selected", execute function "Map domains to backend pools using a map file".
What conditions would I use to specify one or the other?
First of all, a huge thank you to TheHellSite for this detailed tutorial!
Unfortunately, I need your help. I have configured HAProxy as described in the tutorial, however with my own domain.
All services that are to be reached externally work as desired. Only the internal service does not seem to be "noticed" by HAProxy. Unfortunately, no accesses to the "node2-ipmi" service from the source IP from the "10.10.10.0/24" network appear in the log. I cannot connect to the service "node2-ipmi".
In Firefox I got this warning: "SEC_ERROR_UNKNOWN_ISSUER".
Since no log entries appear in the log, I cannot attach any.
Config export:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (listening to 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
# Frontend: 1_HTTP_frontend (listening on 127.0.0.1:80)
frontend 1_HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_65612d875c4e55.24914702 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_65612d875c4e55.24914702
# Frontend: 1_HTTPS_frontend (listening to 127.0.0.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6561dfa723cb35.23136075.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
# ACL: LOCAL_SUBDOMAINS_FQDN_condition
acl acl_6563927a593ba4.09519486 src domain.tld
# ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
acl acl_65627ea0efa5d5.95729048 src 10.10.5.0/28 10.10.10.0/24 10.10.11.0/24
# ACL: nextcloud_caldav
acl acl_65626936202592.20944712 path_beg -i /.well-known/caldav
# ACL: nextcloud_carddav
acl acl_656269439b5220.54434789 path_beg -i /.well-known/carddav
# ACTION: LOCAL_SUBDOMAINS_rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/656277f5815fc5.43737480.txt)] if acl_6563927a593ba4.09519486 || acl_65627ea0efa5d5.95729048
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/65612e0d931f69.06203948.txt)]
# ACTION: nextcloud_dav
http-request set-path /remote.php/dav if acl_65626936202592.20944712 || acl_656269439b5220.54434789
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: cloud_backend ()
backend cloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server cloud_server 10.10.20.5:80
# Backend: vw_backend ()
backend vw_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server vw_server 10.10.20.7:80
# Backend: office_backend ()
backend office_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server office_server 10.10.20.8:80
# Backend: rezepte_backend ()
backend rezepte_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server rezepte_server 10.10.20.9:3000
# Backend: cash_backend ()
backend cash_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server cash_server 10.10.20.10:5006
# Backend: node2-ipmi_backend ()
backend node2-ipmi_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server node2-ipmi_server 10.10.5.6:443 ssl verify none
# statistics are DISABLED
With best regards,
techsolo12
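Two of the questions above (a website at the bare apex next to `service.example.com`, and adding a second domain) and the local/public split in the `1_HTTPS_frontend` rules just posted all come down to how `use_backend %[req.hdr(host),lower,map_dom(...)]` picks a backend. The following is an added example, not HAProxy code and not from the OPNsense plugin, that emulates that selection: ordered `use_backend` rules, each resolving the Host header through a map file with `map_dom`, where the first rule whose condition holds and whose lookup returns a backend wins. The map contents, backend names, subnets and addresses are constructed. Two points are assumptions about HAProxy's `dom` matcher and should be verified against your version: a pattern matches when it occurs in the string bounded by `.`, `/`, `?` or a string end, and map entries are tried in file order.

```python
"""Emulation of backend selection by map_dom in ordered use_backend rules.

Added example, not HAProxy code and not from the OPNsense plugin. Map
contents, backend names and addresses are constructed. Assumed (verify
against your HAProxy version): 'dom' matching means the pattern appears in
the value bounded by '.', '/', '?' or the string ends, and map entries are
tested in file order with the first match winning.
"""
import ipaddress

# constructed map files in the "key value" format the plugin generates
LOCAL_MAP = """\
# Host header            backend
node2-ipmi.domain.tld    node2-ipmi_backend
cloud.domain.tld         cloud_backend
"""

PUBLIC_MAP = """\
cloud.domain.tld         cloud_backend
vw.domain.tld            vw_backend
# bare apex entry for the website itself; with map_dom it also catches every
# subdomain not listed above it, so it has to stay last
domain.tld               website_backend
# a second domain needs nothing beyond more lines in the same map
rezepte.other.tld        rezepte_backend
"""

DOM_DELIMS = ".?/"


def load_map(text: str) -> list:
    """Parse 'key value' lines ('#' comments allowed); keys lower-cased."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            entries.append((key.lower(), value.strip()))
    return entries


def dom_match(pattern: str, value: str) -> bool:
    """Assumed HAProxy 'dom' semantics: pattern bounded by delimiters or string ends."""
    start = 0
    while (i := value.find(pattern, start)) != -1:
        j = i + len(pattern)
        if (i == 0 or value[i - 1] in DOM_DELIMS) and (j == len(value) or value[j] in DOM_DELIMS):
            return True
        start = i + 1
    return False


def map_dom(value: str, entries: list, default=None):
    """First entry (file order) whose key dom-matches the value."""
    for key, backend in entries:
        if dom_match(key, value):
            return backend
    return default


def route(host: str, src: str, rules: list):
    """rules: [(map entries, list of ip_network or None)], evaluated in order.

    Returns the backend name, or None when no rule selects one (HAProxy then
    falls back to default_backend if one is set, otherwise answers 503).
    """
    src_ip = ipaddress.ip_address(src)
    host = host.lower()                      # same as the ",lower" converter in the rule
    for entries, networks in rules:
        if networks is not None and not any(src_ip in net for net in networks):
            continue
        backend = map_dom(host, entries)
        if backend:
            return backend
    return None


LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.10.5.0/28", "10.10.10.0/24", "10.10.11.0/24")]
RULES = [
    (load_map(LOCAL_MAP), LOCAL_NETS),    # LOCAL_SUBDOMAINS_rule: only from the listed subnets
    (load_map(PUBLIC_MAP), None),         # PUBLIC_SUBDOMAINS_rule: unconditional
]

if __name__ == "__main__":
    for host, src in (("node2-ipmi.domain.tld", "10.10.10.5"),
                      ("node2-ipmi.domain.tld", "203.0.113.9"),
                      ("domain.tld", "203.0.113.9"),
                      ("rezepte.other.tld", "203.0.113.9")):
        print(f"{src:>14} {host:<24} -> {route(host, src, RULES)}")
```

The caveat worth noticing: under `dom` matching a bare `domain.tld` line matches every `*.domain.tld` that no earlier line claimed, and also `domain.tld.anything`, so an apex entry placed above the service entries shadows them, and placed below them it becomes a catch-all for unknown subdomains of that domain. Keep it last, and do not rely on an apex line to deny anything.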
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 8
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 debug
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:443 0.0.0.0:80)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_657ed45319efa3.43352536 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_657ed45319efa3.43352536
# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/657ed88b10e6c1.81075400.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/657ed57bcfd057.79414853.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
timeout connect 30s
server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: Plex_DMZ_backend ()
backend Plex_DMZ_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
timeout connect 30s
http-reuse safe
server Plex_Server_DMZ 10.10.20.11:32400 ssl verify none resolve-prefer ipv4
# statistics are DISABLED
Since version 10.0.x, if you want to use a reverse proxy and apply for a certificate outside docker, you can use FORCE_HTTPS_IN_CONF to force writing https://<your_host> into the configuration file.
e.g.
seafile:
  ...
  environment:
    ...
    - SEAFILE_SERVER_LETSENCRYPT=false
    - SEAFILE_SERVER_HOSTNAME=seafile.example.com
    - FORCE_HTTPS_IN_CONF=true
    ...
and another victim of this error here :-\
both when trying to connect via http and https
2023-11-22T16:33:22 Informational haproxy 134.xx.xx.xx:41647 [22/Nov/2023:16:33:22.341] 1_HTTP_frontend/127.4.4.3:80: Received something which does not look like a PROXY protocol header
2023-11-22T16:33:21 Informational haproxy 134.xx.xx.xx:41645 [22/Nov/2023:16:33:21.262] 1_HTTP_frontend/127.4.4.3:80: Received something which does not look like a PROXY protocol header
2023-11-22T16:33:18 Informational haproxy 134.xx.xx.xx:41642 [22/Nov/2023:16:33:18.847] 1_HTTPS_frontend/127.4.4.3:443: Received something which does not look like a PROXY protocol header
2023-11-22T16:33:18 Informational haproxy 134.xx.xx.xx:41641 [22/Nov/2023:16:33:18.795] 1_HTTPS_frontend/127.4.4.3:443: Received something which does not look like a PROXY protocol header
Versions:
Name HAProxy
Version 2.6.15-446b02c
Release_date 2023/08/09
Versions OPNsense 23.7.8_1-amd64
FreeBSD 13.2-RELEASE-p5
OpenSSL 1.1.1w 11 Sep 2023
I ran out of ideas what to try ???
config is:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 8192
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local1 debug
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Resolver: opnsense
resolvers 64fcd546611ba3.78740961
nameserver 127.0.0.1:53 127.0.0.1:53
nameserver 192.168.178.1:53 192.168.178.1:53
nameserver 9.9.9.9:53 9.9.9.9:53
nameserver 192.168.80.2:53 192.168.80.2:53
parse-resolv-conf
resolve_retries 3
timeout resolve 1s
timeout retry 1s
# NOTE: Mailer alert bofh ignored: not configured in any backend
# Mailer: alert CB
mailers 64fcc379c27b34.94392037
timeout mail 30s
mailer blah.blubb.25
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443, )
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL-backend
# logging options
# Frontend: 1_HTTP_frontend (listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
http-request use-service prometheus-exporter if { path /metrics }
# logging options
# ACL: NoSSL_condition
acl acl_6314a0aad6d518.84034638 ssl_fc
# ACL: find_acme_challenge
acl acl_6339cb3bd963e1.30823960 path_beg -i /.well-known/acme-challenge/
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_6314a0aad6d518.84034638
# ACTION: redirect_acme_challenges
use_backend acme_challenge_backend if acl_6339cb3bd963e1.30823960
# Frontend: 1_HTTPS_frontend (listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6314a6a33cce38.68245567.certlist
mode http
option http-keep-alive
option forwardfor
http-request use-service prometheus-exporter if { path /metrics }
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_map_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6314a164535f16.33310179.txt)]
# Backend (DISABLED): SSL-backend-old ()
# Backend: HomeAssistant_Backend (Homeassistant)
backend HomeAssistant_Backend
# health checking is DISABLED
email-alert mailers 64fcc379c27b34.94392037
email-alert from a@b.c
email-alert to a@b.c
email-alert level alert
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server HomeAssistant 192.168.80.21:8123 resolve-prefer ipv4
# Backend: PhotoPrism (PhotoPrism App on TrueNAS)
backend PhotoPrism
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server PhotoPrism 192.168.80.30:2342
# Backend: Syncthing (Syncthing on TRueNAS)
backend Syncthing
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Syncthing 192.168.80.17:20910
# Backend: Paperless (paperless-ngx DMS)
backend Paperless
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server PaperLess 192.168.80.30:8000
# Backend: FileBrowser (filebrowser on TrueNAS)
backend FileBrowser
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server FileBrowser 192.168.80.17:10187
# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server acme_challenge_host 127.0.0.1:43580
# Backend: SSL-backend (SSL backend pool)
backend SSL-backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: Libre_photos_backend (LibrePhotos in VM)
backend Libre_photos_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server LibrePhotos 192.168.80.30:3000
# Backend: Nextcloud_Backend (Nextcloud Backend)
backend Nextcloud_Backend
# health checking is DISABLED
email-alert mailers 64fcc379c27b34.94392037
email-alert from a@b.c
email-alert to a@b.c
email-alert level alert
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Nextcloud 192.168.80.30:80 resolve-prefer ipv4
# Backend: Jellyfin_backend (Jellyfin in VM)
backend Jellyfin_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server Jellyfin 192.168.80.30:8096
# Backend: PaperMerge (papermerge DMS)
backend PaperMerge
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server PaperMerge 192.168.80.17:10141
listen local_statistics
bind 127.0.0.1:8822
mode http
stats uri /haproxy?stats
stats realm HAProxy\ statistics
stats admin if TRUE
# remote statistics are DISABLED
frontend prometheus_exporter
bind *:8404
mode http
http-request use-service prometheus-exporter if { path /metrics }
should I switch to nginx as reverse proxy ???
really?
Yes you were, since I was that "anyone" who fixed it for him and many others that contacted me via PM. My post was helpful to you? No, and I wasn't asking you either.
Fine with me. Feel free to click [applaud] to the left underneath my profile. Not for replies like these.
Again, fine with me. Additionally you can consider donating. Only in your dreams.
Unless you're desperate to earn something, then I can tell you these posts don't work in your advantage. I think you are pretty smart, so if you take a look at the amount of views this guide has versus the number of people that actually donated you would be able to answer this on your own.
But then I think perhaps you're not aware how some other people read your messages, so perhaps this makes you aware. If you want to take my advice, stop posting if you don't want to help (it's fine!) but don't be like this. Just so you know, your issue and the ones of many others posting here is based on the fact that (you) misread / skipped / overlooked a tiny but very important bit of the configuration.
...apologies.
1. Reinstall the HAProxy plugin.
pkg install -f os-haproxy
2. Apply the patch.
opnsense-patch -c plugins 404c19f6e
3. Restart HAProxy from the OPNsense dashboard or reboot OPNsense.
EDIT:
HAProxy refuses to start if a self-signed certificate is configured as (default) certificate under the SSL offloading section on a (HTTPS) frontend.
So for now it is best to remove the "INVALID_SNI" certificate as default from the HTTPS frontend.
@TheHellSite
I'm _not_ using your plugin, but I do use HAProxy on other systems with a crt-list, default self-signed cert and ocsp updates. So a shot in the dark, not sure if this "solves" your problem: You might want to declare your "default" certificate with "!*" in a crt-list to prevent errors:
https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#5.1-crt-list
/etc/haproxy/frontend-crt-list.conf
/path/to/default.crt.pem !*
/path/to/fqdn.crt.pem [ocsp-update on alpn h2,http/1.1] foo.bar
/path/to/wildcard.crt.pem [ocsp-update on alpn h2,http/1.1] *.foo.bar
Hello @TheHellSite
I have been using opnsense with HAProxy for > 1 year.
Thanks for offering this free tutorial, it definitely made the world better (at least for me).
The problem with opnsense 24.1 and HAProxy 4.2 hit me as well.
I will be happy when the "strict-sni" update of your guide is released.
Thank you in advance.
It just dropped.
@TheHellSite, many thanks and kudos for your tremendous effort, contribution and help!
I try to avoid seeking help and solve my problems on my own. But after upgrading to 24.1 I got stuck in the CRON configuration when it comes to the "update HAProxy OCSP Data" job you mentioned in Part 5.4: this feature has disappeared and can no longer be selected. I assume this is needed to get the OCSP must-staple extension running.
Is there an alternative way of configuring it, or what am I doing wrong or missing?
Thanks loop0
Attention!
Hey everyone,
after the upgrade to 24.1, please check your cron job for updating OCSP data.
Since that function is no longer available from the list, mine was set to "Automatic firmware update", which could potentially be *really* bad :o
@TheHellSite: Thank you for the guide and the ongoing maintenance, much appreciated! :) (beer is on the way)
As far as I know the OCSP update cron job isn't needed anymore, since the OCSP feature was completely revamped with the current version of haproxy 4.2 which is bundled in opnsense 24.1.
I had some errors with the OCSP updates so I opened an issue in the opnsense/plugins GitHub repo.
https://github.com/opnsense/plugins/issues/3755
I am not sure this was mentioned before, but https://desec.io no longer accepts new registrations for DynDNS.
For the German speaking audience I can highly recommend https://ipv64.net/
Many texts on the website are in English, but someone not speaking German might have problems understanding everything.
Just chiming in here: the main purpose of the tutorial is not to access the OPN UI, for which your method makes perfect sense, but instead to reverse proxy services that are hosted internally in a LAN.
Thanks very much for doing all the work on this How-To, OP, and for keeping it updated, etc.
I successfully implemented it in my modest OPNsense instances/networks, before realizing that for small networks where there may never be more than perhaps 1 to 3 people logging in to a given OPNsense instance, in fact it's far more secure to simply shut off all HTTP listening on external network ports, and instead use SSH tunnels / port redirects, i.e. ssh -L 9450:localhost:80 my.opnsense.host to connect directly to the OPNsense instance and access the webgui that way. Then it doesn't matter at all whether HTTPS is active, as the entire connection takes place inside the highly-secured SSH network connection. With SSH tunnels there is no need for a webgui process to be listening anywhere except localhost:80.
It avoids the major overhead and ongoing maintenance complexity of getting a public/real SSL certificate issued, emplaced, and dealing with ongoing renewals, etc.
Hi all,
I'm trying to get my internally hosted services to report the originating client IP when going through a proxy chain starting with Cloudflare and then to HAProxy. Currently the HAProxy logs show the local Cloudflare CDN address.
Cloudflare is set up to proxy and is Full (Strict), meaning I'm using the Cloudflare origin cert offloaded at HAProxy.
I've found that Cloudflare does collect the client IP within cf-connecting-ip:
https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/
And I have found this post that helps someone with pfSense do what I want:
https://forum.netgate.com/topic/176777/haproxy-cloudflare-restoring-original-ip/3
What I'm not sure about is how (if possible) to get HAProxy to reference the Cloudflare IP address list, to know for which sessions to insert the cf-connecting-ip into x-forwarded-for.
Ideally this is in the form of some alias or map that dynamically checks https://www.cloudflare.com/ips-v4.
Thanks for any help with this, also it's not urgent at all and just for my home setup and for fun really.
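One way to do what the post above asks for, as an added example (this is not the tutorial's configuration nor the poster's, and the file path, frontend and map names are assumptions): trust cf-connecting-ip only when the peer address is in Cloudflare's published ranges, and strip it otherwise so that a client reaching the origin directly cannot spoof its address. Because the SNI frontend hands the connection over with send-proxy-v2 and the HTTPS frontend uses accept-proxy, `src` here is the real TCP peer (the Cloudflare edge node), not 127.x. The list file is assumed to be kept current by a cron job outside HAProxy; if it goes stale, new Cloudflare ranges will simply fall through and be logged as the CDN address again.

```haproxy
# Added example, not part of the tutorial: restore the real visitor IP
# behind Cloudflare without trusting the header from anyone else.
#
# Assumption: /usr/local/etc/haproxy/cloudflare-ips.lst holds the contents of
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6,
# one CIDR per line, refreshed periodically by a cron job.

frontend 1_HTTPS_frontend
    bind 10.1.2.3:443 name 10.1.2.3:443 accept-proxy ssl crt-list /tmp/haproxy/ssl/example.certlist
    mode http
    option forwardfor

    # True only when the (PROXY-protocol provided) peer is a Cloudflare edge node.
    acl from_cloudflare src -f /usr/local/etc/haproxy/cloudflare-ips.lst
    acl has_cf_ip       req.hdr(cf-connecting-ip) -m found

    # Anyone who is not Cloudflare must not be able to inject a client IP.
    http-request del-header cf-connecting-ip unless from_cloudflare

    # Replace the source address HAProxy uses for logging, stick tables and
    # "option forwardfor" with the visitor IP carried by Cloudflare.
    http-request set-src req.hdr(cf-connecting-ip) if from_cloudflare has_cf_ip

    # Optional hardening if the origin should be reachable through Cloudflare only
    # (assumption about the deployment): refuse everything that bypasses the CDN.
    # http-request deny deny_status 403 unless from_cloudflare

    # Same host-based routing as in the tutorial (map file name is assumed).
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/example.txt)]
```

After `set-src`, the X-Forwarded-For header that `option forwardfor` adds towards the backend, the stick-table entries (`stick on src`) and the HAProxy log all carry the visitor address, so the backends see the real client without any change on their side.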
OPNsense is up-to-date -->
OPNsense 24.1.2_1-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13
Firefox: 121.0 (64-bit), archlinux (doesn't matter, latest update on windows brings up the same issue)
DEFAULT in FF: security.ssl.enable_ocsp_stapling = true
--> leads to no access to any pages with certs following the tutorial. At least if pages are secured to local access only; I assume the same error for public access.
Changing the default in FF to false gives access back.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 2
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.ocsp-update.mindelay 300
tune.ssl.ocsp-update.maxdelay 3600
httpclient.resolvers.prefer ipv4
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr libc,last
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (listening on 0000:443 0000:80)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend ssl_backend
# logging options
# Frontend: 1_HTTP_frontend (listen on 10.1.2.3:80)
frontend 1_HTTP_frontend
bind 10.1.2.3:80 name 10.1.2.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: no_ssl_condition
acl acl_642ff4b1bd6b30.27652312 ssl_fc
# ACTION: http_to_https_rule
http-request redirect scheme https code 301 if !acl_642ff4b1bd6b30.27652312
# Frontend: 1_HTTPS_frontend (listen on 10.1.2.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
bind 10.1.2.3:443 name 10.1.2.3:443 accept-proxy ssl curves secp384r1 strict-sni no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/642ffac3a289a1.74357812.certlist
mode http
option http-keep-alive
option forwardfor
# logging options
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/642ff59e3f1923.99537840.txt)]
# Backend (DISABLED): acme_challenge_backend (Added by ACME Client plugin)
# Backend: ssl_backend (ssl virtual ip backend)
backend ssl_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server ssl_server 10.1.2.3 send-proxy-v2 check-send-proxy
# Backend: test_backend (test backend pool)
backend test_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server test_server 10.1.1.100:81
# statistics are DISABLED
frontend prometheus_exporter
bind *:8404
mode http
http-request use-service prometheus-exporter if { path /metrics }
I have a question about HAproxy SSL performance with large downloads:
Using a NAT port forward to an internal HTTPS nginx server, I get full wire speed i.e. (45 MByte/s) from the outside, but using HAproxy following this tutorial, I am limited to download speeds of ~4-5 MByte/s.
I have tried to use HTTP instead of HTTPs for the backend server connection to no avail.
I suspected that the SSL termination would lead to an interrupt of the streaming flow in that each packet must be acknowledged over the whole chain before the next one can get requested, so I have somewhat optimized my throughput by a factor of 2 via this tuning:
tune.h2.max-frame-size 4048576
tune.pipesize 4048576
tune.h2.initial-window-size 1048576
tune.h2.be.initial-window-size 1048576
tune.h2.fe.initial-window-size 1048576
But it seems that the HTTPS termination within HAProxy itself is the culprit. I found some other source (https://forum.netgate.com/topic/152492/haproxy-slow-on-wan-jagged-throughput) that suggests there might be a problem with only some ISPs showing that behaviour when SSL traffic is terminated by HAProxy.
Does everybody else see this or may my ISP really be the culprit?
That's strange... Do you have OPNsense version 24.1.6 installed?
I also use direct peering, no tunnels or anything. FWIW, the issue does not happen when I access the port from inside, i.e. without any delays. So it is not a general bottleneck. I see it happen only when I access the service from outside, with different counterparts.
- OpenSSL: version 3.1 is now supported. It's less slow than 3.0 but still significantly slower than 1.1.1, but might be usable for most users with a low enough traffic.
Hey there and thank you so, so much for this great tutorial! It gave me exactly what I needed!
Yet there is a reason why I'm quoting this particular post.
The configuration based on your tutorial was working flawlessly on version 23.7.1 (os-haproxy 4.0, haproxy26 2.6.14), but after the update to 23.7.2 and haproxy26 2.6.15 the HAProxy service was failing to start.
I followed sorano's suggestion to not use a virtual IP and bingo! That was it (it took me hours to find out where the issue was, as there were no messages in the logs, just a startup failure of HAProxy).
Maybe it would be good to add an annotation or a second way to configure the HTTPS_frontend?
I can confirm that it works flawlessly with dynamic WAN ip.
Once again thank you very much and @sorano too :)
Cheers
Paweł
Thanks for the great tutorial.
Ping
Is there a way to exclude the HTTPS force for specific backends (based on the tutorial here)? Background: for HomeAssistant and stupid IoT devices I need to have my HA instance reachable over HTTP, too (with a different domain at least, so I can firewall it a lot :D)
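One way to carve a single hostname out of the tutorial's http_to_https_rule, as an added example (not the tutorial's own configuration and not from the post above; the hostname `ha-iot.example.tld`, the `192.168.90.0/24` IoT subnet and the ACL names are assumptions, while `1_HTTP_frontend`, the `ssl_fc` condition and `HomeAssistant_Backend` follow the configurations shown earlier in this thread). The redirect keeps applying to every other host, and the plain-HTTP exception is additionally limited to the IoT network, since Home Assistant tokens travel in clear text on that path.

```haproxy
# Added example, not part of the tutorial: keep the HTTP -> HTTPS redirect for
# everything except one host that IoT devices need to reach over plain HTTP.

frontend 1_HTTP_frontend
    bind 10.1.2.3:80 name 10.1.2.3:80 accept-proxy
    mode http
    option forwardfor

    # no_ssl_condition from the tutorial: true when the request arrived over TLS
    acl no_ssl_condition ssl_fc

    # The only host allowed to stay on plain HTTP (assumed name, exact match).
    acl ha_plain_host req.hdr(host),lower -i ha-iot.example.tld

    # Who may use that exception (assumed IoT subnet); src is the real peer
    # because the SNI frontend forwards with the PROXY protocol.
    acl iot_net src 192.168.90.0/24

    # http_to_https_rule with the exception: all other hosts are still redirected.
    http-request redirect scheme https code 301 if !no_ssl_condition !ha_plain_host

    # Plain-HTTP requests for the HA host from anywhere else are refused outright.
    http-request deny deny_status 403 if ha_plain_host !iot_net

    # Only the IoT devices reach Home Assistant over plain HTTP.
    use_backend HomeAssistant_Backend if ha_plain_host
```

In the OPNsense plugin the same thing is expressed as two conditions (host matches, source is in the IoT subnet) combined into the redirect rule with a negation and into a separate use_backend rule; the order above matters, because `http-request` rules are evaluated before `use_backend`.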
How can we load balance TCP traffic that we don't want to get SSL offloaded, e.g. OpenVPN over TCP?
In my tutorial I only explain how to "redirect+load balance SSL offloaded traffic".
This is because I myself don't (yet) have the need to actually load balance any non-SSL traffic.
However, balancing non-SSL traffic is pretty much the same as balancing SSL traffic.
You only have to make sure that your "NOSSLservice_rule" or "NOSSLservices_mapfile_rule" is placed on the "SNI_frontend" instead of the "HTTPS_frontend", and that the backend that belongs to your "NOSSLservice_server" is running in TCP mode.
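What that looks like in the generated configuration, as an added example that is not part of the tutorial (the service addresses, `vpn.example.tld`, port 1194 and the `NOSSLservice_*` / `OpenVPN_*` names are assumptions modelled on the tutorial's naming; `0_SNI_frontend` and `SSL-backend` are the objects from the configurations shown earlier in this thread). Two cases are covered: a TLS service that should be passed through untouched, selected by SNI, and OpenVPN over TCP, which does not send a plain TLS ClientHello and therefore has to be selected by destination port on an extra bind.

```haproxy
# Added example, not part of the tutorial: non-offloaded TCP traffic routed
# from the SNI frontend to TCP-mode backends.

frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    # Extra listener for OpenVPN over TCP (assumption; firewall must allow it).
    bind 0.0.0.0:1194 name 0.0.0.0:1194
    mode tcp

    # OpenVPN's TCP framing is not a TLS record, so match it by port and
    # accept it immediately instead of waiting for a ClientHello.
    acl is_openvpn_tcp dst_port 1194
    tcp-request content accept if is_openvpn_tcp

    # For everything else wait (at most 5s) for the TLS ClientHello so that
    # req.ssl_sni can be evaluated; without this the SNI is always empty.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # NOSSLservice_rule: this SNI is handed to a TCP backend and never offloaded.
    acl NOSSLservice_sni req.ssl_sni -i vpn.example.tld
    use_backend OpenVPN_backend     if is_openvpn_tcp
    use_backend NOSSLservice_backend if NOSSLservice_sni

    # Everything else goes to the HTTPS frontend for offloading, as in the tutorial.
    default_backend SSL-backend

# TCP mode: HAProxy forwards the raw bytes, so the client negotiates TLS with
# the service itself and sees the service's own certificate.
backend NOSSLservice_backend
    mode tcp
    balance source
    # No send-proxy-v2 here: the service is assumed not to speak PROXY protocol.
    server NOSSLservice_server 192.168.80.50:443 check

backend OpenVPN_backend
    mode tcp
    balance source
    server OpenVPN_server 192.168.80.60:1194 check
```

Two things worth checking after applying this: the passthrough host must not also appear in the HTTPS frontend's map file (it would never get there, but a stale entry is confusing when debugging), and since HAProxy does not terminate TLS on the passthrough path, the service behind it has to do its own certificate renewal; the ACME challenge redirect in the tutorial cannot help it.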