Text only | Text with Images

OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: analog on July 21, 2021, 04:55:54 PM

Title: Not sure what I'm doing wrong HAproxy
Post by: analog on July 21, 2021, 04:55:54 PM
Hi there, some background on my setup/intentions.

I'm trying to setup a nextcloud server on my LAN, and use HAproxy running on OPNsense as a reverse proxy and ssl offload. I currently have NAT rules allowing ports 443 and 80 direct to the nextcloud host (though I don't believe this is correct for my end goal.) and the traffic flows correctly with no SSL. When I enable the HAproxy service, nothing seems to change.

Basically, I'm not sure what firewall rules/proxy config I need. If anyone has any advice, or can point me to any resources I've missed, I'd really appreciate it. Thank you!

Here is the HAproxy config:
Code Select
#
# Automatically generated configuration.
# Do not edit this file manually.
#

#
# NOTE: HAProxy is currently DISABLED
#
global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: cloud.mydomain (nextcloud)
frontend cloud.mydomain
    http-response set-header Strict-Transport-Security "max-age=15768000"
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 crt-list /tmp/haproxy/ssl/60f61d81b268b0.59299585.certlist
    bind 0.0.0.0:80 name 0.0.0.0:80 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 crt-list /tmp/haproxy/ssl/60f61d81b268b0.59299585.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: cloudmercurysh
    acl acl_60f61c51384f19.94264676 hdr(host) -i cloud.mydomain
    # ACL: nc_caldav
    acl acl_60f61f185cebf7.32684781 path_end -i /.well-known/caldav
    # ACL: nc_carddav
    acl acl_60f61f4a0bec96.53535847 path_end -i /.well-known/carddav
    # ACL: nc_nodeinfo
    acl acl_60f61f74e56445.36705108 path /.well-known/nodeinfo
    # ACL: nc_webfinger
    acl acl_60f61f9051b7f8.52959457 path /.well-known/webfinger

    # ACTION: cloudmercurysh
    use_backend cloud.mercury.sh if acl_60f61c51384f19.94264676
    # ACTION: nc_caldav
    http-request redirect code 301 location /remote.php/dav if acl_60f61c51384f19.94264676 acl_60f61f185cebf7.32684781
    # ACTION: nc_carddav
    http-request redirect code 301 location /remote.php/dav if acl_60f61c51384f19.94264676 acl_60f61f4a0bec96.53535847
    # ACTION: nc_nodeinfo
    http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_60f61c51384f19.94264676 acl_60f61f74e56445.36705108
    # ACTION: nc_webfinger
    http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_60f61c51384f19.94264676 acl_60f61f9051b7f8.52959457

# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: cloud.mydomain (nextcloud server)
backend cloud.mercury.sh
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server cloud.mydomain 192.168.42.22:80


Text only | Text with Images