Messages - cookiemonster

#346
Hi. I've not watched these but from the titles they seem to be how to set up haproxy on OPNsense.
My config is simple but to simplify it a bit more: I have a server on the LAN that hosts nextcloud. It has its own ip address in the LAN space 192.168.5.158. On it is a kind of LAMP stack yes, apache as the webserver, mysql database and redis. Nothing other than the nextcloud requirements except the data, database and configs are on zfs datasets.
The important part for your question is that on OPN's haproxy, all I do is reverse proxy the connections to that ip.

So in your case to reverse proxy from haproxy to your nextcloud installation, you create your backend and real server. Your pictures there show the backend, looks right although I have added the required:
acl carddav-endpoint path_beg /.well-known/carddav
http-request set-path /remote.php/dav if carddav-endpoint
as passthrough options. Note this is something you might want, but it is not why you would get the http 503 that you are dealing with.
You need to revise your "real server" on haproxy settings. It needs to be the ip of the webserver of nextcloud.
#347
Probe is the right word, I get what you are saying but no, OPN as in the OS does not.
These rules are the default ones to be able to manage it, so it is not that https://docs.opnsense.org/manual/firewall_settings.html#disable-anti-lockout

Do you have any port forwards on WAN ?
#348
It doesn't. The names of rules and conditions can be totally random and still be used in evaluations. They get issued an internal identifier like acl acl_67ced2068d01c7.64292703 . Useful is the "test syntax". Bad settings will be shown with an error. Warnings and notices, as long as it all ends with a "configuration is valid", will not crash it.
#349
This is only the setup of the haproxy backend so it is very hard to know where there might be a problem. Please know that I do not do docker, have no interest whatsoever in it. If anything I want to run is docker-only, I move on looking for an alternative that does have "old style" application configurations.
So now let's establish the overall setup. By the way mine is very largely based on this haproxy-on-opn-tutorial-by-thehellsite.
Take a look at the picture to figure out if you are on the same setup and if different, please explain it. But you can follow that as a basis for an uncomplicated setup: create real server (your nextcloud), create a backend containing that server, create a front end WITH A TLS CERT, create firewall rules to allow the front end to be accessed. Here your haproxy --> backend server can be http or https but if you do https, then you have to deal with those certs separately. Makes sense?
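As an added illustration of the layout described in #346 and #349 (real server, backend, front end terminating TLS, CardDAV path rewrite), here is the same thing written as a plain haproxy.cfg fragment instead of OPNsense GUI fields. This is an example added here, not cookiemonster's configuration and not what the OPNsense plugin generates; the frontend/backend names, the certificate path and port 80 on 192.168.5.158 are assumptions taken from the thread's description of Nextcloud being left on http internally.

```haproxy
# Added example: minimal haproxy.cfg equivalent of the GUI setup described in
# the thread (real server -> backend -> TLS front end). Not the original poster's
# configuration; section names, the cert path and port 80 are assumptions.

global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Front end: TLS is terminated here. The PEM path is a placeholder; on OPNsense
# the plugin manages the certificate that is selected in the front end settings.
frontend https_in
    bind :443 ssl crt /usr/local/etc/haproxy/certs/PLACEHOLDER.pem
    # Nextcloud .well-known rewrites, matched by path prefix. The carddav pair is
    # the one the post above adds as passthrough options; caldav is its twin.
    acl carddav-endpoint path_beg /.well-known/carddav
    acl caldav-endpoint  path_beg /.well-known/caldav
    http-request set-path /remote.php/dav if carddav-endpoint
    http-request set-path /remote.php/dav if caldav-endpoint
    # The hop to the backend is plain HTTP, so tell Nextcloud the client used
    # HTTPS (Nextcloud's overwriteprotocol setting must also be set to https).
    http-request set-header X-Forwarded-Proto https
    default_backend nextcloud_bk

# Back end: one "real server" = the Nextcloud host's LAN address over plain HTTP.
# The health check makes a dead or mis-addressed server show up as a proxy 503
# rather than a hanging connection.
backend nextcloud_bk
    option httpchk GET /status.php
    server nextcloud 192.168.5.158:80 check
```

The 503 mentioned in #346 is what haproxy returns when no server in the backend is usable, which is why a wrong real-server address produces exactly that symptom. Outside the GUI, `haproxy -c -f haproxy.cfg` performs the same "test syntax" check that #348 refers to.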
#350
I fail to understand. OPN does not probe. It is a routing firewall when in standard setup, so it receives traffic and routes it, like a border police. It allows or rejects the passing between two networks. The only traffic initiating from itself comes from any specific setting or service enabled by the user.
Therefore you are probably more interested in knowing what is the traffic that is going to LAN on port 22. Where is it coming from, and is it allowed.
By default SSH traffic from WAN to LAN will be blocked. So if it is coming in, someone has created a rule on the firewall to allow it. So if it is allowed, you probably don't want to be alerted every time. But if you are, then that's a conversation to have.
So back to the very start. Have you identified the originating traffic?
#351
I have re-read it and I stand corrected. Those are NVMEs not SATAs. The 1x2.5 SATA is the one I am saying is standard SATA.
#352
This is what I see when I follow the link:

Storage: 2 x M.2 2280 PCIE3.0 x1 NVME SSD and 1 x 2.5 inch SATA SSD/HDD
Network Card: Intel 2.5GbE I226-V, UDE built-in filter connector
I/O interface: Power ON/OFF, CLR CMOS, 2 x USB 3.0, Type-C for display/USB, TF, 2 x USB2.0, HDMI, DP, 4 x LAN, DC_IN.
Expansion: 1 x M.2 slot for M.2 2280 NVME SSD or M.2 WiFi 6, 2 choose 1.
#353
The linked mini pc https://amzn.eu/d/21CumzH has the spec listed as
storage: 2 x M.2 2280 PCIE3.0 x1 NVME SSD and 1 x 2.5 inch SATA SSD/HDD
So it can apparently work with M.2 SSD (SATA), NVME SSD and standard SATA interfaces. Not only NVMe. Although it might need selecting from uEFI if the M.2 is storage or Wifi module.
That said, it sounds like the SSD could be faulty. My guess is just needs creating a partition table (needs GPT because this machine apparently only does uEFI). Forget MS Windows, their tools are pants.
#354
Automate alerting to what condition, sorry? All this so far is how to use the live view.
#355
Zenarmor has the ability to block some of the social networks.
#356
Post your haproxy config here by adding the picture to the post, not as an attachment. I for one won't be clicking on it.
I have just resolved the last gnarly bit of my setup. My nextcloud is in a freebsd jail on another host to OPN. Haproxy on OPN does the reverse proxy and terminates the TLS and I am leaving nextcloud on http internally.
#357
Fair enough. I thought you had missed that message.
#358
He's already said he's not using that feature ;)
#359
Make it simple.
Firewall > Settings > Advanced > Logging: Tick to log default block, default pass and outbound NAT <=don't forget to change it all back.
Go back to Firewall > Log Files > Live View: Change the drop down for the number of entries from the default 25 to say 100.
Now stop the capture when you get the hit you're interested in but don't forget that if you still have those filters in place, you need to remove them to see the other legs of traffic.
#360
This is pretty nice work. I have no use for it but thanks for sharing @wrobelda.