Messages - TheHellSite

151
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 15, 2022, 05:37:21 pm »
This is not a question of your mother language not being English.  ;D
This is a question of you not understanding the layout of HAProxy.

It is really hard for me to help here since you don't seem to understand the basics of a reverse proxy.
A reverse proxy is not a web server to host your sites! It is meant to route traffic to a web server.

Rule 1: You need at least ONE server for each backend.
By server I mean a server created in HAProxy. A server in HAProxy represents the service (f.e. nextcloud, plex, ...) running on one of your physical servers.

Rule 2: Each backend will then present your individual services to your frontend.

HTTPS Frontend --> Mapfile --> PLEX_backend --> PLEX_server --> 192.168.2.30:32400
HTTPS Frontend --> Mapfile --> BLOG_backend --> BLOG_server --> 192.168.2.30:80
HTTPS Frontend --> Mapfile --> CLOUD_backend --> CLOUD_server --> 192.168.2.40:43569

Rule 3: A mapfile is simply mapping an access URL, f.e. www.yourdomain.com, against a backend.


To be fair it seems I misunderstood your setup/goal. But since you still didn't explain exactly what you are trying to achieve, I am assuming you are trying to do something like this.

Apache is your webserver. (www.yourdomain.com)
These vhosts seem to provide subdirectories or individual websites. (f.e. service.yourdomain.com/subdir/)

Code:
#public subdomains mapping
flood 5erver_backend
frank 5erver_backend
www 5erver_backend
torrent 5erver_backend
grafana 5erver_backend
nas 5erver_backend
kvm 5erver_backend
monitoring 5erver_backend
speedtest 5erver_backend
sync 5erver_backend
tracker 5erver_backend
cloud NAS_backend
dav NAS_backend

Let me further explain to you the map file. I mean actually my first post does it, but you don't seem to understand or didn't read...

Code:
nas 5erver_backend
nas.yourdomain.com --> NAS_backend

Code:
www 5erver_backend
www.yourdomain.com --> 5erver_backend

Code:
grafana 5erver_backend
grafana.yourdomain.com --> 5erver_backend
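As an added illustration (not from the original post, and not the configuration the OPNsense HAProxy plugin generates): a plain HAProxy config for the three-line diagram in Rule 2, with the matching map file shown as comments at the top. The frontend name, the map file and certificate paths and the NOMATCH_backend are assumed; the example terminates TLS directly instead of using the tutorial's 0_SNI_frontend + SSL_server pair, and keys the map on the full host name where the tutorial's map keys use the bare subdomain.

```haproxy
# --- /usr/local/etc/haproxy/hosts.map (assumed path) ---
# Rule 3: access URL -> backend, one line per service, "#" starts a comment
#   plex.yourdomain.com   PLEX_backend
#   www.yourdomain.com    BLOG_backend
#   cloud.yourdomain.com  CLOUD_backend

frontend HTTPS_frontend
    mode http
    bind :443 ssl crt /path/to/wildcard.pem    # assumed certificate path
    # Rule 2/3: look the lower-cased Host header up in the map file and jump
    # to the backend it names; host names that are not listed end up in
    # NOMATCH_backend instead of being handed to some arbitrary service.
    use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/hosts.map,NOMATCH_backend)]

# Rule 1: every backend carries at least one server, i.e. the service itself
# (IP:port of the service, not just the machine hosting it).
backend PLEX_backend
    mode http
    server PLEX_server 192.168.2.30:32400 check

backend BLOG_backend
    mode http
    server BLOG_server 192.168.2.30:80 check

backend CLOUD_backend
    mode http
    server CLOUD_server 192.168.2.40:43569 check

# Catch-all for unknown host names: refuse the request (HTTP 403).
backend NOMATCH_backend
    mode http
    http-request deny
```

Removing a line from the map file is all it takes to unpublish a service, since nothing reaches a backend without a matching map entry.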

152
Tutorials and FAQs / Re: Tutorial 2021/12: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 15, 2022, 03:25:08 pm »
FIRST: You should remove your personal info from your post.

SECOND: Another issue from not properly reading my guide.

Your solution is in Part 5 - Step 6.

Quote
Now we create the backend that belongs to an actual service. You will need one backend for each service.
If you have multiple servers serving the exact same content then you will want to add all servers into a single backend so HAProxy can actually balance the load between the servers.

YOU NEED: ... one backend for each service.

YOU DID: ... one backend for each server hosting individual services.

Just think about it... How should HAProxy even be able to talk to one of your services when you are only pointing him to the IP:Port of the server virtually hosting the service!? This makes no sense...
It is like telling someone "Meet me in New York in a bar." without telling him which bar.

153
Tutorials and FAQs / Re: Tutorial 2021/12: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 15, 2022, 02:46:13 pm »
Quote from: Morta on February 03, 2022, 01:37:56 pm
I have two servers with several vhosts behind an OPNsense router/firewall.

Is it also possible to have two servers which need certs? Or only one?

If it's possible, how do I have to do it?

Quote from: Morta on February 12, 2022, 09:13:03 pm
I got this error
Quote
[WARNING] (20353) : Proxy '1_HTTP_frontend': L6 sample fetches ignored on HTTP proxies (declared at /usr/local/etc/haproxy.conf.staging:70).
Warnings were found.
Configuration file is valid

What is wrong?

Never had this issue!

1. Go through my guide again. If you follow it step by step, you WILL HAVE a working setup. Otherwise you did something wrong.

2. Where is your config export? Nobody will be able to help you without a HAProxy config export!


154
Tutorials and FAQs / Re: Tutorial 2021/12: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 15, 2022, 02:38:21 pm »
Quote from: afall on January 31, 2022, 05:42:25 pm
First of all thank you for the Guide it was great and helped me out a lot.

I just have a question as I have to use a VPN adapter for work called Zscaler and it tries to make a tunnel using port 443. How do I tell HAProxy as a default to only route the things in the map file and not intercept anything else, so the VPN client can create a tunnel?

Since you provided little to no info about the setup I am not really able to help you.
Also my guide is just to show beginners how things are done.

However if I understood your issue correctly, you can try the below. If that doesn't work you are better off asking in the HAProxy forums!

Add the following in the "Option pass-through" field of your 0_SNI_frontend.
Don't forget to create the backend along with the server for Zscaler. My example uses OpenVPN.
Code:
# wait up to 5s for the first bytes so the TLS ClientHello can be inspected
tcp-request inspect-delay 5s
# a normal HTTPS client sends a ClientHello right away: let it pass on to the usual SNI/map rules
tcp-request content accept if { req_ssl_hello_type 1 }
# whatever did not send a ClientHello (the VPN handshake) is handed to the VPN backend
use_backend OPENVPN_backend if !{ req_ssl_hello_type 1 }

155
Tutorials and FAQs / Re: Tutorial 2021/12: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: January 29, 2022, 09:37:27 am »
You have to set your backends and frontends to HTTP Mode.
Also disable SSL offloading on the frontends.

But I can't guarantee for sure that it will work.
TCP Mode will never (with a few exceptions) work because there is no header in the packets that would tell HAProxy which service to send the traffic to.

HTTP Mode could work, but you might need to create some "http header contains..." conditions.

156
General Discussion / Re: WireGuard SiteToSite tunnel outbound NAT rule necessary
« on: January 24, 2022, 01:02:39 am »
So I removed the NAT outbound rule and allowed both remote networks on the wireguard interfaces firewall rules.

Still not working. Though I now have firewall logs on both sides indicating that the traffic goes from Site_B to Site_A but it is still not coming back.

EDIT: The easiest solution was to just leave "Disable Routes" unticked. One could also create a static route, but then you would also need to create a gateway.

157
General Discussion / Re: WireGuard SiteToSite tunnel outbound NAT rule necessary
« on: January 22, 2022, 10:04:51 am »
Well, I totally overlooked that firewall rule part.
Going to try this.

But why didn't the firewall live log on Site_A display any blocked/dropped traffic from the Site_B networks?
By default it is showing everything that is getting blocked.

158
General Discussion / Re: WireGuard SiteToSite tunnel outbound NAT rule necessary
« on: January 20, 2022, 10:46:03 pm »
I think you misunderstood the issue.

I already have the tunnel up and running! I was just asking why the outbound NAT rule is necessary.

159
General Discussion / WireGuard SiteToSite tunnel outbound NAT rule necessary
« on: January 20, 2022, 07:10:17 pm »
Hello,

I had my road warrior WireGuard setup running on OPNsense_A at Site_A for quite some time now.
My mobile clients have access to my LAN or can even tunnel their entire traffic through my OPNsense.

At Site_B I have my OPNsense_B and SOME clients in that network need access to the services at Site_A.

So I added the OPNsense_B "sort of" as another road warrior client to the WireGuard instance of OPNsense_A.

I didn't enable the pull routes feature of the WireGuard interface since I only want some clients to go through the tunnel. So I added the gateway IP to the wg_interface and created a gateway in the settings of OPNsense_B.
At this point the tunnel was already working and I was able to ping the WireGuard interface address at Site_A using the OPNsense diagnostics tool.

I then created a firewall rule (see attached files) that will only route selected clients to the network of Site_A and thought that would be enough. I was wrong, I also needed to add a NAT outbound rule (see attached files) that translates everything to the OPNsense_B_WG_interface address.

Can someone please explain to me why that outbound NAT rule is necessary? I know what it does but I just can't figure out why it is necessary. Without the outbound rule I can see that my OPNsense_B is routing the traffic to OPNsense_A, but in the logs of OPNsense_A there is no sign of it. The Site_B networks are listed in the Allowed IPs of the Site_B peer.

Ultimately I would like OPNsense_A and the services in that network to know the real local IP of Site_B clients that accessed them.

(I know that the firewall rule is currently giving the whole VLAN_CLIENT network access to the network of Site_A. I will change this when everything is working as expected.)

160
Tutorials and FAQs / Re: Tutorial 2021/12: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: January 10, 2022, 10:10:57 pm »
You have to create a condition and rule for that service. And then place that rule on the 0_SNI_frontend.

However you CAN NOT do url conditions, f.e. service.domain.com ....


OR

You create a new TCP frontend that listens on that port.
Then create server + backend for the service and set this backend on the new tcp frontend as default backend.

OR

you simply use a port forwarding.....

161
Tutorials and FAQs / Re: Tutorial 2021/12: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: January 05, 2022, 06:34:51 pm »
Quote from: boredpanda on January 05, 2022, 06:04:45 pm
Two of my services aren't working as expected at the moment, and that's Firefly III and Grocy. Everything else is working.

For Firefly, I came across this thread on Github discussing my exact issue. It was apparently fixed in this comment. My Docker env TRUSTED_PROXIES is set to ** already. Do I need to edit 1_HTTPS_frontend or 1_HTTP_frontend? I see that both of those have the option X-Forwarded-For header enabled in my HAProxy.

For Grocy, I'm having the issue described here, on Github. Someone using nginx mentioned they solved the issue by adding proxy_set_header X-Forwarded-Proto https; to their nginx config.

You should (but don't have to) leave the x-forwarded-for header enabled. It is very useful since the real servers (firefly, grocy, ...) will get to know the original IP of the client trying to access it.

The links you posted both imply that your issues COULD be resolved by adding the following to your "HTTPS_frontend".

HAProxy --> Virtual Services --> Public Services --> 1_HTTPS_frontend --> Edit --> Enable "advanced mode" (top left corner) --> Scroll down to "Advanced settings" --> Option pass-through --> insert the below code --> Save --> Apply

Code:
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Real-IP %[src]

You might not need both lines so play around until you find the necessary line(s) and please post the final solution!

If both of your services are working now then I suggest to remove that setting from your HTTPS_frontend and set it on the firefly and grocy backends instead!

HAProxy --> Virtual Services --> Public Services --> firefly/grocy backend --> Edit --> Enable "advanced mode" (top left corner) --> Scroll down to "Tuning options" --> Option pass-through --> insert the above code --> Save --> Apply

162
Tutorials and FAQs / Re: Tutorial 2021/12: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: January 04, 2022, 01:16:56 am »
First of all please use the correct cipher list and suites, see the beginning of my OP.
You are still using AES128 ciphers indicating you didn't read my tutorial correctly.

Next thing would be to clear your browser cache.
Is it only firefly that is not working or are others also affected?

Are you using a trusted lets encrypt cert or a selfsigned one?

163
Tutorials and FAQs / Re: Tutorial 2021/11: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: December 15, 2021, 01:02:57 am »
Quote from: evathesalmon on December 15, 2021, 12:07:26 am
Thank you for reply.

I only have map for internal network because I don't pass-through external traffic. And I also set host binding via unbound overrides all to 192.168.64.1.

Check the cipher list and cipher suites on your HTTPS frontend! They don't match the ones I provide in my first post!

One thing puzzles me and might be your issue... Why did you set the SNI_frontend to listen on the localhost address? This makes no sense at all!
You are allowing inbound traffic on your WAN address 80+443 with your firewall rule but your SNI_frontend is only listening on the localhost address. This way it will never catch any traffic at all!

I never said to do so in my guide! Apart from the SSL_server address which can safely use the localhost address.

164
Tutorials and FAQs / Re: Tutorial 2021/11: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: December 14, 2021, 01:36:46 pm »
Quote from: alexdelprete on December 14, 2021, 01:14:45 pm
I found this article from HAProxy guys:
https://www.haproxy.com/blog/websockets-load-balancing-with-haproxy/#simple-configuration

That's why I wanted to know if I can configure it via shell, working on the files directly. Do you know if that's possible?

Oh very well, of course there is!
You just need to place these settings (one per line) in the advanced settings of the frontend/backend.

Frontends --> yourfrontend --> top left, enable advanced mode --> Advanced settings --> Option pass-through

As far as I am aware, setting these options on the frontend will apply them to ALL services that are going through it.
But you should also be able to set them on the corresponding backend so that it will only apply to the specific service.

Code:
## routing based on websocket protocol header
  acl hdr_connection_upgrade hdr(Connection)  -i upgrade
  acl hdr_upgrade_websocket  hdr(Upgrade)     -i websocket
  use_backend bk_ws if hdr_connection_upgrade hdr_upgrade_websocket
  default_backend bk_web

This however is also just a combination of acl=condition and rule=use_backend.
It is basically saying: IF HTTP_header=Connection+Upgrade THEN USE_BACKEND AKUMA_ws_backend

165
Tutorials and FAQs / Re: Tutorial 2021/11: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: December 14, 2021, 11:36:16 am »
Quote from: alexdelprete on December 14, 2021, 11:16:25 am
I've already reverse-proxied a lot of services, I know how that works. The problem is how Uptime Kuma works: it uses ws:// (websockets) connections in addition to HTTP, so you connect in http first to auth, then it starts communicating through WS, through a sort of tunnel. If you check that link I provided, you will see that for many proxies there's some custom configs to support that. The only proxy that does one-line config magic is caddy...it's tempting me a lot...everybody told me that caddy is the simplest one and it simply works, without doing any hard config work. But I already have HAProxy in place, and would like to stick to it.

Did you try something like this?
https://stackoverflow.com/a/22735431/17193869
or this
https://discourse.haproxy.org/t/using-reverse-proxy-with-secured-web-sockets-wss/2917

Otherwise your best bet is to ask in the haproxy discourse forum including your config export.
Sadly, I can't help everyone to get specific services running.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved