Quote from: TheHellSite on December 15, 2021, 01:02:57 AM
You are allowing inbound traffic on your WAN address on 80+443 with your firewall rule, but your SNI_frontend is only listening on the localhost address. This way it will never catch any traffic at all!
UPDATE: never mind, it was my local cache and the Unbound cache. After purging both, it works just fine without any specific binding. Thank you for your help.
I have amended my config and compared it again with the guide, but I must be missing something.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
# NOTE(review): judging by the /tmp/haproxy/... paths this dump is produced by the
# firewall's HAProxy plugin; changes belong in that UI, not in this file.
# Traffic path as visible in this file:
#   client -> 0_SNI_frontend (tcp, all addresses, :80 and :443)
#          -> SSL_backend -> 192.168.64.1 on the same port, with PROXY protocol v2
#          -> 1_HTTP_frontend (:80, redirect to https)
#             or 1_HTTPS_frontend (:443, TLS termination, Host-header map -> backend)
global
# Privileges are dropped to uid/gid 80 inside the chroot once the sockets are bound.
uid 80
gid 80
chroot /var/haproxy
daemon
# Admin-level runtime socket: every member of group "proxy" (mode 775) can change
# server state and settings while HAProxy runs; keep that group membership small.
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
maxconn 10000
# Size of the ephemeral DH parameters used by the DHE-RSA cipher listed on the
# HTTPS bind below.
tune.ssl.default-dh-param 4096
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
# 30s client/connect/server timeouts apply wherever a frontend or backend does
# not override them.
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
# 0.0.0.0 binds every interface the host has, WAN included; only the firewall
# rules decide who can reach this listener. No SNI-based routing is defined here:
# every accepted TCP connection is handed to SSL_backend.
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
# accept-proxy: only connections that start with a PROXY protocol header are
# accepted (i.e. those coming from SSL_backend); a direct plain connection to
# this port is dropped.
bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
mode http
option http-keep-alive
# Adds X-Forwarded-For with the client address HAProxy sees (the real client,
# thanks to the PROXY header).
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
# Should be true only if the raw request starts with a TLS record; plain HTTP on
# this port yields 0, so the ACL is normally false here.
acl acl_61a3f4fdabe975.79392880 req.ssl_ver gt 0
# ACTION: HTTPtoHTTPS_rule
# Plain HTTP requests are answered with a permanent redirect to https.
http-request redirect scheme https code 301 if !acl_61a3f4fdabe975.79392880
# Frontend: 1_HTTPS_frontend (Listening on 192.168.64.1:443)
frontend 1_HTTPS_frontend
# HSTS for two years (63072000 s) with includeSubDomains and preload: browsers
# will refuse plain HTTP for this host and all its subdomains, and "preload" is
# hard to revert once submitted to the preload list. Keep it only if every
# subdomain is served over TLS.
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# TLS 1.2+ only (SSLv3/TLS1.0/TLS1.1 disabled), session tickets off, forward-
# secret ECDHE/DHE ciphers, explicit TLS 1.3 suites, HTTP/2 via ALPN, and
# certificates taken from the crt-list file.
bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61a3f8200d98a7.85727127.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
# Much longer idle timeout than the 30s default, presumably for long-lived web
# UI sessions.
timeout client 15m
# logging options
# ACL: LOCAL_SUBDOMAINS_SUBNET_condition
# Because SSL_backend sends PROXY protocol v2 and this bind has accept-proxy,
# "src" is the original client address, not 192.168.64.1.
acl acl_61a3f9b4ed7092.44798843 src 192.168.0.0/24
# ACTION: LOCAL_SUBDOMAINS_map-rule
# Backend is chosen by a domain-suffix lookup of the client-supplied Host header.
# A request from outside 192.168.0.0/24, or with a Host not present in the map,
# selects no backend; as this frontend has no default_backend, HAProxy answers
# such requests with a 503.
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/61a3f5af2446f3.11405534.txt)] if acl_61a3f9b4ed7092.44798843
# Backend: unraid_backend ()
backend unraid_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
# "verify none": the hop to the server is TLS, but its certificate is not
# checked, so whatever answers on 192.168.0.20:443 is trusted blindly. "verify
# required" plus a ca-file (and sni/verifyhost) would pin the trust. The same
# applies to opnsense_backend below.
server unraid_server 192.168.0.20:443 ssl verify none
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
# No port on the server address: HAProxy reuses the port the client connected
# to, so :80 lands on 1_HTTP_frontend and :443 on 1_HTTPS_frontend.
# send-proxy-v2 forwards the real client address; check-send-proxy only matters
# with "check", which is not set here.
server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy
# Backend: opnsense_backend ()
backend opnsense_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
# Firewall web UI published through the proxy; reachable only via the LAN-subnet
# ACL in 1_HTTPS_frontend. Server certificate is not verified (see unraid_backend).
server opnsense_server 192.168.0.1:1443 ssl verify none
# Backend: qbittorrent_backend ()
backend qbittorrent_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
# Plain HTTP to the qBittorrent UI: TLS ends at HAProxy and this hop crosses the
# LAN unencrypted.
server qbittorrent_server 192.168.0.20:8080
The setup works only if I map the host->IP entries in the Unbound overrides to their physical addresses, for example unraid mapped to 192.168.0.20, opnsense mapped to 192.168.0.1 and so on (see the picture). But if the overrides point to 192.168.54.1, as in the guide, it is simply unable to connect.
In other words, it seems that 0_SNI_frontend does not listen on all addresses, even though it is configured to.
Also a question: should I set any WAN rules even if I am only routing LAN traffic? Right now I have not set any.
