OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: cyrus104 on August 31, 2022, 07:06:16 PM

Title: HAProxy access from internal network
Post by: cyrus104 on August 31, 2022, 07:06:16 PM
I'm using HAProxy + ACME on OPNsense to provide a reverse proxy to my internal services. After another small conditions issue, I now have it working as expected from the external internet on my phone (LTE connection).

I go to it using Chrome and Firefox by typing in the FQDN: https://server1.mydomain.com

However, when I turn on wifi and am on the same network as the Real Server I get an ERR_TIMED_OUT. In the HAProxy log I get a handshake failure error. I tried it using the same process with my laptop with a VPN to the internet and connecting in, and the internal site loads as expected. When I disconnect the VPN and try it on the same subnet I get the same error as my phone.

2022-08-31T12:59:21-04:00 Error haproxy 173.66.23.118:2188 [31/Aug/2022:12:59:21.223] default_443/0.0.0.0:443: SSL handshake failure
Title: Re: HAProxy access from internal network
Post by: Fright on September 01, 2022, 02:52:25 PM
Quote: "on the same network as the Real Server"
as the Real Server? (with public ip *.*.*.*:2188?) or as the WAN address?
Title: Re: HAProxy access from internal network
Post by: cyrus104 on September 01, 2022, 07:56:00 PM
The Real Server is an internal: 10.0.0.10:5001
The Public IP is: 173.67.25.115:443
The Router Internal address: 10.0.0.1
Title: Re: HAProxy access from internal network
Post by: cyrus104 on September 01, 2022, 09:43:49 PM
Could this have something to do with the devices being on the same firewall interface?

Desktop -> vlan2 (firewall) -> wan (firewall) -> vlan2 (firewall) -> nas

If I do the following with my laptop and phone it works:

Laptop (wifi) -> vlan3 (firewall) -> wan (firewall) -> vlan2 (firewall) -> nas
Title: Re: HAProxy access from internal network
Post by: Fright on September 02, 2022, 07:01:04 PM
I think it may be related to "reply-to" on WAN rules, but I don't have a chance to try to reproduce the situation right now..
can you check with "Disable reply-to" enabled in Firewall: Settings: Advanced ?
Title: Re: HAProxy access from internal network
Post by: cyrus104 on September 03, 2022, 07:28:55 PM
I have checked that option and then rebooted the firewall but still no change. :-(
Title: Re: HAProxy access from internal network
Post by: cyrus104 on September 24, 2022, 02:27:35 AM
I'm still not able to access the reverse proxied websites from the internal subnet that the real servers are on. I can access them from another subnet and from the internet but not locally.
Title: Re: HAProxy access from internal network
Post by: amichel on September 24, 2022, 08:35:35 AM
Hi,
is there any reason why you do not access the server directly from internal?
You simply need to create a DNS zone mydomain.com on a DNS server which your internal devices are pointing to. And then just add the A record of your server with the internal IP Address.

https://itfreetraining.com/lesson/splitbrain/

cheers,
andreas
Title: Re: HAProxy access from internal network
Post by: cyrus104 on September 24, 2022, 06:18:49 PM
I'm using HAProxy + ACME and wanted my internal site to use the official TLS certificate instead of the self-signed ones.
Title: Re: HAProxy access from internal network
Post by: mimugmail on September 24, 2022, 08:41:13 PM
Let haproxy listen to LAN and set DNS to LAN IP
Title: Re: HAProxy access from internal network
Post by: cyrus104 on September 24, 2022, 09:22:50 PM
Right now it's listening on 0.0.0.0:443 (and another public on 80).

My WAN changes every so often.
Title: Re: HAProxy access from internal network
Post by: mimugmail on September 24, 2022, 09:45:24 PM
Then add an override from internal IP to LAN address :)
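The split-horizon approach described in this thread (amichel's DNS zone suggestion and mimugmail's "listen on LAN, point DNS at the LAN IP" override) can be checked from a client before and after the override is added. The script below is an added example, not code from any poster or from OPNsense: it classifies what a client's DNS answer for the FQDN will do (reach the proxy on its LAN address, or try to hairpin through the WAN address, which is the path that produced the timeouts above), emits the Unbound `local-data` line that such a host override corresponds to (this assumes Unbound is the internal resolver), and optionally performs a live TLS handshake with SNI against a chosen address so the served certificate can be inspected. The IPs and FQDN are the constructed sample values from this thread.

```python
"""Check whether a LAN client will reach the HAProxy frontend via the LAN
address (split-horizon DNS in place) or via the WAN address (hairpin path).
Added example for this thread; not OPNsense or HAProxy project code.
"""
import ipaddress
import socket
import ssl

# Constructed sample values taken from the thread (assumptions, not live hosts).
FQDN = "server1.mydomain.com"
INTERNAL_NETWORKS = ["10.0.0.0/24"]   # subnet the real server sits on (vlan2)
PROXY_LAN_IP = "10.0.0.1"             # router / HAProxy LAN-side address
PUBLIC_IP = "173.67.25.115"           # WAN address the public A record points at


def diagnose(client_ip, resolved_ips, internal_networks, proxy_lan_ip):
    """Classify how a client's DNS answer for the FQDN will route its TLS session.

    Returns one of:
      external-client             client is not on an internal subnet; public path is fine
      split-horizon-ok            internal client resolves the FQDN to the proxy's LAN IP
      internal-answer-not-proxy   internal answer, but it bypasses HAProxy (no ACME cert)
      hairpin-via-wan             internal client got the public IP; traffic must hairpin
    """
    client = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    answers = [ipaddress.ip_address(a) for a in resolved_ips]
    if not any(client in n for n in nets):
        return "external-client"
    if ipaddress.ip_address(proxy_lan_ip) in answers:
        return "split-horizon-ok"
    if any(a.is_private for a in answers):
        return "internal-answer-not-proxy"
    return "hairpin-via-wan"


def unbound_host_override(fqdn, ip):
    """Return the Unbound local-data line equivalent to a host override for fqdn."""
    return 'local-data: "%s. IN A %s"' % (fqdn.rstrip("."), ip)


def resolve(fqdn):
    """Ask the client's configured resolver for the IPv4 answers of fqdn."""
    infos = socket.getaddrinfo(fqdn, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tls_peer_cert(fqdn, ip, port=443, timeout=5.0):
    """Handshake with SNI against a specific address and return the cert's SANs.

    Connecting to the LAN address while sending the public FQDN as SNI shows
    whether HAProxy on that address serves the ACME certificate.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Live check on the machine this is run from; the test harness only uses diagnose().
    client_ip = socket.gethostbyname(socket.gethostname())
    answers = resolve(FQDN)
    verdict = diagnose(client_ip, answers, INTERNAL_NETWORKS, PROXY_LAN_IP)
    print("client %s resolves %s -> %s : %s" % (client_ip, FQDN, answers, verdict))
    if verdict == "hairpin-via-wan":
        print("add this override on the internal resolver:")
        print("  " + unbound_host_override(FQDN, PROXY_LAN_IP))
    try:
        print("SANs served on LAN address:", tls_peer_cert(FQDN, PROXY_LAN_IP))
    except (OSError, ssl.SSLError) as exc:
        print("TLS check against LAN address failed:", exc)
```

Run it from a client on the real server's subnet: a `hairpin-via-wan` verdict means the internal resolver is still handing out the public A record, which is exactly the case the override fixes; after adding the override, the verdict should change to `split-horizon-ok` and the SAN list printed by the LAN-side handshake should contain the FQDN, confirming HAProxy on the LAN address is presenting the ACME certificate. In the OPNsense GUI the same override is entered under Unbound's host overrides rather than as a raw `local-data` line.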
Title: Re: HAProxy access from internal network
Post by: cyrus104 on September 25, 2022, 08:55:33 PM
Happy to do that and test, where do I add the override?
Title: Re: HAProxy access from internal network
Post by: mimugmail on September 25, 2022, 09:19:34 PM
It depends, which DNS server do your internal clients use?