OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of aleksander.lyse@gmail.com »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - aleksander.lyse@gmail.com

Pages: [1]
1
Tutorials and FAQs / Re: Tutorial 2023/03: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: March 24, 2023, 05:00:55 pm »
I have followed the guide, and I think to the letter. Everything works on absolutely all services I added, except Portainer. I see on other forums Portainer is a bit choosy when it comes to proxy, but no real solution out there to fix it.

The target of this is to proxy portainer.domain.tld to ip-of-portainer:9000 (portainer docs say to route proxy to 9000, the non ssl port, not 9443, the ssl port), but I have tried both. Same result.

The error is: ERR_HTTP2_SERVER_REFUSED_STREAM - I was thinking it could e the HTTP2 option in 1_HTTPS_frontend, so I tried to uncheck it to try. It then give the error: ERR_EMPTY_RESPONSE

This is the corresponding log in debug mode:

With HTTP2 unchecked:
Code: [Select]
2023-03-24T16:58:08 Informational haproxy 10.0.1.100:65204 [24/Mar/2023:16:58:08.850] 0_SNI_frontend SSL_backend/SSL_server 1/0/11 506 -- 1/1/4/0/0 0/0
2023-03-24T16:58:08 Informational haproxy 10.0.1.100:65204 [24/Mar/2023:16:58:08.856] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/5/0/0 0/0 "GET / HTTP/1.1"
With HTTP2 checked:
Quote
2023-03-24T16:59:29   Informational   haproxy   10.0.1.100:65272 [24/Mar/2023:16:59:29.608] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/10/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"   
2023-03-24T16:59:29   Informational   haproxy   10.0.1.100:65272 [24/Mar/2023:16:59:29.604] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/9/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"   
2023-03-24T16:59:29   Informational   haproxy   10.0.1.100:65272 [24/Mar/2023:16:59:29.602] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/8/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"

Here is the full config export:

Code: [Select]
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua
cache opnsense-haproxy-cache
    total-max-size 4
    max-age 60
    process-vary off

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options
    option tcplog

# Frontend: 1_HTTP_frontend (Listening on 10.0.1.15:80)
frontend 1_HTTP_frontend
    bind 10.0.1.15:80 name 10.0.1.15:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_6418a05ee27409.36162049 ssl_fc

    # ACTION: HTTP_to_HTTPS_rule
    http-request redirect scheme https code 301 if !acl_6418a05ee27409.36162049

# Frontend: 1_HTTPS_frontend (Listening on 10.0.1.15:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 10.0.1.15:443 name 10.0.1.15:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets strict-sni ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6418a3dac5bd67.76211333.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    option httplog
    # ACL: LOCAL_SUBDOMAINS_SUBNET_conditions
    acl acl_6418cb7541c572.65233357 src 10.0.1.0/24 10.0.3.0/24 10.0.4.0/24

    # ACTION: LOCAL_SUBDOMAINS_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6418cadaadbdd1.17042036.txt,SSL_backend)] if acl_6418cb7541c572.65233357
    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6418a10a9104c5.33815067.txt,SSL_backend)]

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 10.0.1.15 send-proxy-v2 check-send-proxy

# Backend: Dashboard_backend ()
backend Dashboard_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Dashboard_server 10.0.3.4:3000

# Backend: Radarr_backend ()
backend Radarr_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Radarr_server 10.0.3.6:7878

# Backend: Router_backend ()
backend Router_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Router_server 10.0.1.1:8443

# Backend: Nzbget_backend ()
backend Nzbget_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nzbget_server 10.0.3.7:6789

# Backend: Nas_backend ()
backend Nas_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nas_server 10.0.1.10:5000

# Backend: Jackett_backend ()
backend Jackett_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Jackett_server 10.0.3.8:9117

# Backend: Sonarr_backend ()
backend Sonarr_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Sonarr_server 10.0.3.5:8989

# Backend: Portainer_backend ()
backend Portainer_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Portainer_server 10.0.3.3:9000 send-proxy-v2 check-send-proxy

# Backend: Plex_backend ()
backend Plex_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Plex_server 10.0.1.10:32400

# Backend: Overseerr_backend ()
backend Overseerr_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Overseerr_server 10.0.3.10:5055

# Backend: Tautulli_backend ()
backend Tautulli_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Tautulli_server 10.0.3.9:8181

# Backend: Download_backend ()
backend Download_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Download_server 10.0.1.10:8000

# Backend: Nzb_backend ()
backend Nzb_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nzb_server 10.0.3.11:8080



listen local_statistics
    bind            127.0.0.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    stats admin     if TRUE

# remote statistics are DISABLED

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2