OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 19.7 Legacy Series »
  • HAProxy with OPNSense and DMZ?
« previous next »
  • Print
Pages: [1]

Author Topic: HAProxy with OPNSense and DMZ?  (Read 1872 times)

white_rabbit

  • Full Member
  • ***
  • Posts: 239
  • Karma: 4
    • View Profile
HAProxy with OPNSense and DMZ?
« on: November 02, 2019, 08:45:46 am »
Hi.
I tried to install HAProxy on our OPNSense-FW and found a step-by-step-instruction…
now some things are working while others dont. I cant’ find the mistake – maybe one of the wizzzards here?

I have a DMZ with 172.17.17.0/24 and OPNSense on .254
I used two virtual devices: 172.17.17.252 and .253 and as a Test-Server 172.17.17.5 (later for nextcloud)

When I use http(s)://nextcloud2.linux.my-domain.com in my LAN everything works fine. The apache2 answers correctly for Port 80 and 443. So I guess the configuration is ok?

I also already set a CNAME to *.linux.my-domain.com on our external Server (my-domain.com) and a port forwading for 80 and 443 to the WAN-IP of the OPNSense.

So ping nextcloud2.linux.my-domain.com works everywhere.

Nevertheless I can’t access the nextcloud-Host behind the Rev.Proxy from my DMZ, WAN or from outside.
Can anyone tell me what’s wrong or missing?
DMZ: HTTP/1.1 301 Moved Permanently
WAN: No route to host.

Thanks for a hint.

Code: [Select]
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket level admin
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: http_DMZ_WAN (internal and external http)
frontend http_DMZ_WAN
    bind 172.17.17.252:80 name 172.17.17.252:80
    bind 172.17.17.253:80 name 172.17.17.253:80
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: find_acme_challenge
    acl acl_45e5bfd9525e2e7.18783878 path_beg -i /.well-known/acme-challenge/
    # ACL: Nextcloud_Bedingung
    acl acl_5ebafdd99a40d7.14505678 hdr_end(host) -i nextcloud2.linux.my-domain.com

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_45e5bfd9525e2e7.18783878
    # ACTION: Nextcloud
    use_backend Nextcloud_Backend if acl_5ebafdd99a40d7.14505678

# Frontend: https_DMZ_WAN (internal and external https)
frontend https_DMZ_WAN
    bind 172.17.17.252:443 name 172.17.17.252:443 ssl  crt-list /tmp/haproxy/ssl/4baf2ad81dea1.61416316.certlist
    bind 172.17.17.253:443 name 172.17.17.253:443 ssl  crt-list /tmp/haproxy/ssl/4baf2ad81dea1.61416316.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Nextcloud_Bedingung
    acl acl_5ebafdd99a40d7.14505678 hdr_end(host) -i nextcloud2.linux.my-domain.com

    # ACTION: Nextcloud
    use_backend Nextcloud_Backend if acl_5ebafdd99a40d7.14505678

# Frontend: https_DMZ (internal https)
frontend https_DMZ
    bind 172.17.17.253:443 name 172.17.17.253:443 ssl  crt-list /tmp/haproxy/ssl/5dbaf62c571809.61471992.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options

# Backend: Nextcloud_Backend (Nextcloud_Backend)
backend Nextcloud_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # ACL: not-SSL
    acl acl_5dbaf90c2d38c3.66671068 req.proto_http

    # ACTION: redirect_SSL
    http-request redirect scheme https code 301 if acl_5dbaf90c2d38c3.66671068

    http-reuse safe
    server nextcloud_Host 172.17.17.5:443

# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580


Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 19.7 Legacy Series »
  • HAProxy with OPNSense and DMZ?
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2