HAProxy access from internal network

Started by cyrus104, August 31, 2022, 07:06:16 PM

I'm using HAProxy + ACME on OPNsense to provide a reverse proxy to my internal services. After another small conditions issue, I now have it working as expected from the external internet on my phone (LTE connection).

I'm going to it using Chrome and Firefox by typing in the FQDN: https://server1.mydomain.com

However, when I turn on wifi and am on the same network as the Real Server I get an ERR_TIMED_OUT. In the HAProxy log I get a handshake failure error. I tried it using the same process with my laptop with a VPN to the internet and connecting in, and the internal site loads as expected. When I disconnect the VPN and try it on the same subnet I get the same error as my phone.

2022-08-31T12:59:21-04:00 Error haproxy 173.66.23.118:2188 [31/Aug/2022:12:59:21.223] default_443/0.0.0.0:443: SSL handshake failure

Quote: on the same network as the Real Server
as the Real Server? (with public ip *.*.*.*:2188?) or as the WAN address?

The Real Server is an internal: 10.0.0.10:5001
The Public IP is: 173.67.25.115:443
The Router Internal address: 10.0.0.1

Could this have something to do with the devices being on the same firewall interface?

Desktop -> vlan2 (firewall) -> wan (firewall) -> vlan2 (firewall) -> nas

If I do the following with my laptop and phone it works:

Laptop (wifi) -> vlan3 (firewall) -> wan (firewall) -> vlan2 (firewall) -> nas

I think it may be related to "reply-to" on WAN rules, but I don't have a chance to try to reproduce the situation right now.
can you check with "Disable reply-to" enabled in Firewall: Settings: Advanced ?

I have checked that option and then rebooted the firewall but still no change. :-(

I'm still not able to access the reverse proxied websites from the internal subnet that the real servers are on. I can access them from another subnet and from the internet but not locally.

Hi,
is there any reason why you do not access the server directly from internal?
You simply need to create a DNS zone mydomain.com on a DNS server which your internal devices are pointing to. And then just add the A record of your server with the internal IP Address.

https://itfreetraining.com/lesson/splitbrain/

cheers,
andreas

I'm using HAProxy + ACME and wanted my internal site to use the official TLS certificate instead of the self-signed ones.


Right now it's listening on 0.0.0.0:443 (and another public on 80).

My WAN changes every so often.

Then add an override from the internal IP to the LAN address :)

Happy to do that and test, where do I add the override?

It depends, which DNS server do your internal clients use?
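The suggestions in this thread (split DNS pointing the FQDN at the real server, or an override pointing it at the firewall's LAN address so HAProxy still serves the ACME certificate) can be checked from a client with a small diagnostic. This is an added example, not code from the thread or from OPNsense: it uses the addresses quoted above, assumes the real server sits in 10.0.0.0/24 (vlan2), and classifies which path a client's connection will take for a given DNS answer, then optionally tries the TLS handshake with SNI that HAProxy would see.

```python
"""Diagnose why https://server1.mydomain.com works from outside but times out
from the real server's own subnet. Addresses are the ones quoted in the thread;
the server subnet is an assumption."""
import ipaddress
import socket
import ssl

INTERNAL_SERVER = ipaddress.ip_address("10.0.0.10")   # real server (thread)
ROUTER_LAN = ipaddress.ip_address("10.0.0.1")         # firewall LAN address (thread)
PUBLIC_IP = ipaddress.ip_address("173.67.25.115")     # WAN address (thread)
SERVER_SUBNET = ipaddress.ip_network("10.0.0.0/24")   # assumed: vlan2


def classify_path(resolved_ip: str, client_ip: str) -> str:
    """Return the path a client at client_ip takes when the name resolves to resolved_ip."""
    resolved = ipaddress.ip_address(resolved_ip)
    client = ipaddress.ip_address(client_ip)
    if resolved == ROUTER_LAN:
        # DNS override to the LAN address: HAProxy on 0.0.0.0:443 answers locally
        # and still presents the ACME certificate. This is the thread's suggestion.
        return "proxy-lan"
    if resolved == INTERNAL_SERVER:
        # Plain split DNS to the real server: works, but bypasses HAProxy and its cert.
        return "direct-bypass-proxy"
    if resolved == PUBLIC_IP:
        if client in SERVER_SUBNET:
            # Client and server share an interface; the connection hairpins through
            # WAN and relies on NAT reflection. This is the failing case in the thread.
            return "hairpin-same-subnet"
        return "hairpin-other-subnet"   # routed between VLANs; works in the thread
    return "unexpected"


def tls_probe(host: str, ip: str, port: int = 443, timeout: float = 5.0) -> str:
    """Try a TLS handshake with SNI=host against ip; return 'ok: <version>' or 'fail: <error>'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok: " + str(tls.version())
    except (OSError, ssl.SSLError) as exc:
        return "fail: " + str(exc)


if __name__ == "__main__":
    host = "server1.mydomain.com"                      # FQDN from the thread
    resolved = socket.gethostbyname(host)             # what this client's DNS returns
    me = socket.gethostbyname(socket.gethostname())   # this client's own address
    print(host, "->", resolved, ":", classify_path(resolved, me))
    print("handshake:", tls_probe(host, resolved))
```

Run it once from the server's subnet and once from another VLAN: a result of `hairpin-same-subnet` with a failing handshake matches the symptom reported above, and `proxy-lan` with `ok` confirms the override is in place.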