"
Thanks for a great tutorial! I have followed it but tried to adapt it to my use case, but I think I am missing something that someone else perhaps has run into?
Eventually, I plan to have a couple of public services but I am not really there yet :) In the meantime, I have a couple of services running on a docker host which I would like to just expose internally via a proxy with the domain name that I have purchased. These are services running without any ssl so only http but I think I might have missed something around that as I get redirected to https, or is that expected? Trying to reach any of these services I get a 503 Service Unavailable.
Perhaps worth mentioning is that I am using AdGuard with Unbound set as my Upstream DNS, and added the services as overrides in Unbound eg. test.thisismydomain.com with the internal IP of OPNsense as the target (10.0.1.1). Is that correct?
Sorry for all the questions. I could ofc run nginx or traefik on my docker host instead, just thought I would try this out first :)
Eventually, I plan to have a couple of public services but I am not really there yet :) In the meantime, I have a couple of services running on a docker host which I would like to just expose internally via a proxy with the domain name that I have purchased. These are services running without any ssl so only http but I think I might have missed something around that as I get redirected to https, or is that expected? Trying to reach any of these services I get a 503 Service Unavailable.
Perhaps worth mentioning is that I am using AdGuard with Unbound set as my Upstream DNS, and added the services as overrides in Unbound eg. test.thisismydomain.com with the internal IP of OPNsense as the target (10.0.1.1). Is that correct?
Sorry for all the questions. I could ofc run nginx or traefik on my docker host instead, just thought I would try this out first :)
Code Select
curl -vvvv http://test.thisismydomain.com
* Trying 10.0.1.1:80...
* Connected to test.thisismydomain.com (10.0.1.1) port 80 (#0)
> GET / HTTP/1.1
> Host: test.thisismydomain.com
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< content-length: 0
< location: https://test.thisismydomain.com/
<
* Connection #0 to host test.thisismydomain.com left intactCode Select
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62741 to 10.0.1.1:443 (1_HTTPS_frontend/HTTP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62741 to 10.0.1.1:443 (1_HTTPS_frontend/HTTP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62742 to 10.0.1.1:80 (0_SNI_frontend/TCP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62741 to 10.0.1.1:443 (0_SNI_frontend/TCP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62740 to 10.0.1.1:80 (0_SNI_frontend/TCP)Code Select
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_64f0ce32710c92.22370601 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_64f0ce32710c92.22370601
# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64f0da0792f405.45981915.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
# ACL: LOCAL_SUBNETS_condition
acl acl_64f0df6633f1c3.71515106 src_is_local
# ACTION: LOCAL_SUBDOMAINS_rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64f0ded2f1b488.73578425.txt)] if acl_64f0df6633f1c3.71515106
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_SERVER 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: test_backend ()
backend test_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server test 10.0.1.110:49005
# statistics are DISABLED
