Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

Started by TheHellSite, May 31, 2021, 01:06:11 PM

Quote from: evathesalmon on December 12, 2021, 11:41:33 PM
Quote from: dima1002 on November 28, 2021, 09:01:48 AM

In Firefox I get the following error: PR_END_OF_FILE_ERROR


Hello,

I have the same issue in Firefox and Chrome. The logs say "Received something which does not look like a PROXY protocol header".

I thought at first that it was a proxy problem and double-checked your 20210613 update, but my bind option pass-through is set to accept-proxy.

My current HAProxy version is 3.7 and OPNsense is 21.7.6.

I am running the setup with the latest OPNsense updates just fine, using Firefox (mainly), but Chrome and Edge work fine as well.
It seems you did misconfigure something!

Post your haproxy export in a code box. (redact any sensitive information, but leave in the local IPs!)
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.
Additionally you can consider donating: https://www.buymeacoffee.com/thehellsite

Quote from: alexdelprete on December 14, 2021, 09:27:56 AM
In Part 6, NAT Reflection: it applies to port forwarding rules, but in the guide you switched to a simple filter rule.

So there's only one option remaining: split DNS.

Thank you for pointing this out! I changed the guide some time ago and forgot to update that part.
Just keep in mind that there is nothing wrong with Split DNS, it is even the preferred way of doing it!

Quote from: alexdelprete on December 14, 2021, 09:27:56 AM
HAProxy has been rock solid, thanks again for your guide. I'm having a hard time only for Uptime Kuma, it uses websockets, and it's the only service that doesn't work behind HAProxy. The dev published a guide for the configuration behind several reverse proxies, unfortunately the only one missing is HAProxy: https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy#nginx

I'm sure there's a way to make it work but I can't find it...

Isn't that just a simple web service displaying uptime of servers?
How are you accessing it on your local network? e.g. http://192.168.2.55:3001/ or https://192.168.2.55:3001/
If it is http then you will need to DISABLE SSL in the real server settings for uptime kuma.
If it is https then you will need to ENABLE SSL but DISABLE SSL verification in the real server settings for uptime kuma.

Quote from: TheHellSite on December 14, 2021, 11:05:13 AM
Thank you for pointing this out! I changed the guide some time ago and forgot to update that part.
Just keep in mind that there is nothing wrong with Split DNS, it is even the preferred way of doing it!

I know, it's my preferred way too. I love DNS. Was just pointing out that there's only one option. :)

Quote
Isn't that just a simple web service displaying uptime of servers?
How are you accessing it on your local network? f.e. http://192.168.2.55:3001/ or https://192.168.2.55:3001/
If it is http then you will need to DISABLE SSL in the real server settings for uptime kuma.
If it is https then you will need to ENABLE SSL but DISABLE SSL verification in the real server settings for uptime kuma.

I've already reverse-proxied a lot of services, I know how that works. The problem is how Uptime Kuma works: it uses ws:// (websockets) connections in addition to HTTP, so you connect in http first to auth, then it starts communicating through WS, through a sort of tunnel. If you check that link I provided, you will see that for many proxies there are some custom configs to support that. The only proxy that does one-line config magic is Caddy... it's tempting me a lot. Everybody told me that Caddy is the simplest one and it simply works, without doing any hard config work. But I already have HAProxy in place, and would like to stick to it.

UPDATE: I found this article https://www.haproxy.com/blog/websockets-load-balancing-with-haproxy/#advanced-configuration

Now I have to understand where to put those things in the UI on OPNsense. Is there a way to edit the config files directly?

Quote from: alexdelprete on December 14, 2021, 11:16:25 AM
I've already reverse-proxied a lot of services, I know how that works. The problem is how Uptime Kuma works: it uses ws:// (websockets) connections in addition to HTTP, so you connect in http first to auth, then it starts communicating through WS, through a sort of tunnel. If you check that link I provided, you will see that for many proxies there are some custom configs to support that. The only proxy that does one-line config magic is Caddy... it's tempting me a lot. Everybody told me that Caddy is the simplest one and it simply works, without doing any hard config work. But I already have HAProxy in place, and would like to stick to it.

Did you try something like this?
https://stackoverflow.com/a/22735431/17193869
or this
https://discourse.haproxy.org/t/using-reverse-proxy-with-secured-web-sockets-wss/2917

Otherwise your best bet is to ask in the haproxy discourse forum including your config export.
Sadly, I can't help everyone to get specific services running.


Quote from: alexdelprete on December 14, 2021, 01:14:45 PM
I found this article from HAProxy guys:
https://www.haproxy.com/blog/websockets-load-balancing-with-haproxy/#simple-configuration

That's why I wanted to know if I can configure it via shell, working on the files directly. Do you know if that's possible?

Oh very well, of course there is!
You just need to place these settings (one per line) in the advanced settings of the frontend/backend.

Frontends --> yourfrontend --> top left, enable advanced mode --> Advanced settings --> Option pass-through

As far as I am aware, setting these options on the frontend will apply them to ALL services that are going through it.
But you should also be able to set them on the corresponding backend so that it will only apply to the specific service.

## routing based on websocket protocol header
  acl hdr_connection_upgrade hdr(Connection)  -i upgrade
  acl hdr_upgrade_websocket  hdr(Upgrade)     -i websocket
  use_backend bk_ws if hdr_connection_upgrade hdr_upgrade_websocket
  default_backend bk_web


This however is also just a combination of acl=condition and rule=use_backend.
It is basically saying: IF HTTP_header=Connection+Upgrade THEN USE_BACKEND AKUMA_ws_backend

Quote from: TheHellSite on December 14, 2021, 01:36:46 PM
As far as I am aware, setting these options on the frontend will apply them to ALL services that are going through it. But you should also be able to set them on the corresponding backend so that it will only apply to the specific service.

Not working, I don't think it's a config issue...

Seems like there were issues with websockets with older versions, newest v2.5 fixed several things regarding websockets support: https://www.haproxy.com/blog/announcing-haproxy-2-5/

Latest plugin has HAProxy v2.2.18, will have to wait for the upgrade...unless I can upgrade it manually...


Quote from: TheHellSite on December 14, 2021, 10:35:36 AM

Post your haproxy export in a code box. (redact any sensitive information, but leave in the local IPs!)


Thank you for the reply.

I only have a map for the internal network because I don't pass through external traffic. I also set the host binding via Unbound overrides, all to 192.168.64.1.



#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 127.0.0.1:80, 127.0.0.1:443)
frontend 0_SNI_frontend
    bind 127.0.0.1:443 name 127.0.0.1:443
    bind 127.0.0.1:80 name 127.0.0.1:80
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
    bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    acl acl_61a3f4fdabe975.79392880 req.ssl_ver gt 0

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_61a3f4fdabe975.79392880

# Frontend: 1_HTTPS_frontend (Listening on 192.168.64.1:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61a3f8200d98a7.85727127.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 15m

    # logging options

    # ACTION: LOCAL_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/61a3f5af2446f3.11405534.txt)]

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: unraid_backend ()
backend unraid_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server unraid_server 192.168.0.20:443 ssl verify none

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy

# Backend: opnsense_backend ()
backend opnsense_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server opnsense_server 192.168.0.1:1443 ssl verify none




Quote from: evathesalmon on December 15, 2021, 12:07:26 AM
Thank you for the reply.

I only have a map for the internal network because I don't pass through external traffic. I also set the host binding via Unbound overrides, all to 192.168.64.1.

Check the cipher list and cipher suites on your HTTPS frontend! They don't match the ones I provide in my first post!

One thing puzzles me and might be your issue... Why did you set the SNI_frontend to listen on the localhost address? This makes no sense at all!
You are allowing inbound traffic on your WAN address 80+443 with your firewall rule but your SNI_frontend is only listening on the localhost address. This way it will never catch any traffic at all!

I never said to do so in my guide! Apart from the SSL_server address which can safely use the localhost address.
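The two failures diagnosed in this thread (the SNI frontend bound only to 127.0.0.1, and the "does not look like a PROXY protocol header" log line that follows when browsers then reach the accept-proxy binds directly) plus the cipher-list complaint can be checked mechanically. The linter below is an added example, not code from the thread or the OPNsense HAProxy plugin; its sample config is a constructed, condensed copy of the first export above, and the CBC-suite check is this example's own addition to the thread's AES128 objection.

```python
"""Lint an exported haproxy config for the misconfigurations discussed in the
thread.  Only frontend/backend, mode, bind, server, default_backend and
use_backend lines are parsed; 'listen' sections are ignored (an assumption of
this example)."""
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, Optional[int]]  # (host, port); port None -> reuse client port

# Constructed sample: a condensed copy of the first export in this thread.
SAMPLE_CONF = """\
frontend 0_SNI_frontend
    bind 127.0.0.1:443 name 127.0.0.1:443
    bind 127.0.0.1:80 name 127.0.0.1:80
    mode tcp
    default_backend SSL_backend

frontend 1_HTTP_frontend
    bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
    mode http

frontend 1_HTTPS_frontend
    bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384 alpn h2,http/1.1
    mode http
    use_backend unraid_backend

backend SSL_backend
    mode tcp
    server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy

backend unraid_backend
    mode http
    server unraid_server 192.168.0.20:443 ssl verify none
"""


def parse_addr(token: str) -> Addr:
    host, sep, port = token.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (token, None)


def parse_sections(text: str) -> Dict[str, dict]:
    """Map section name -> kind, mode, binds, servers and referenced backends."""
    sections: Dict[str, dict] = {}
    cur = None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key = words[0]
        if key in ("frontend", "backend") and len(words) > 1:
            cur = sections[words[1]] = {"kind": key, "mode": "tcp", "binds": [],
                                        "servers": [], "backends": []}
        elif key in ("global", "defaults", "listen"):
            cur = None
        elif cur is None:
            continue
        elif key == "mode":
            cur["mode"] = words[1]
        elif key == "bind":
            cur["binds"].append((parse_addr(words[1]), words[2:]))
        elif key == "server" and len(words) > 2:
            cur["servers"].append((words[1], parse_addr(words[2]), words[3:]))
        elif key in ("default_backend", "use_backend"):
            cur["backends"].append(words[1])
    return sections


def weak_ciphers(opts: List[str]) -> List[str]:
    """AES128 suites (the thread's complaint) plus CBC suites (extra check)."""
    names: List[str] = []
    for i, tok in enumerate(opts[:-1]):
        if tok in ("ciphers", "ciphersuites"):
            names += opts[i + 1].split(":")
    return [n for n in names
            if "AES128" in n or "AES_128" in n or not ("GCM" in n or "POLY1305" in n)]


def lint(text: str) -> List[str]:
    sections = parse_sections(text)
    frontends = {n: s for n, s in sections.items() if s["kind"] == "frontend"}
    findings: List[str] = []

    def reachable(fe: dict) -> bool:  # at least one bind that is not loopback
        return any(not host.startswith("127.") for (host, _), _ in fe["binds"])

    # send-proxy servers that a reachable frontend actually routes traffic into
    live_senders: List[Tuple[str, Addr]] = []
    for name, sec in sections.items():
        if sec["kind"] != "backend":
            continue
        routed = any(name in fe["backends"] and reachable(fe) for fe in frontends.values())
        for sname, addr, opts in sec["servers"]:
            if routed and any(o.startswith("send-proxy") for o in opts):
                live_senders.append((f"{name}/{sname}", addr))

    for name, fe in frontends.items():
        for (host, port), opts in fe["binds"]:
            if fe["mode"] == "tcp" and host.startswith("127."):
                findings.append(f"{name}: tcp frontend bound to loopback {host}:{port}; "
                                "WAN/LAN clients can never reach it")
            fed = [s for s, (h, p) in live_senders if h == host and p in (None, port)]
            if "accept-proxy" in opts and not fed:
                findings.append(f"{name}: bind {host}:{port} has accept-proxy but no reachable "
                                "send-proxy server feeds it; direct clients will hit "
                                "'does not look like a PROXY protocol header'")
            if fed and "accept-proxy" not in opts:
                findings.append(f"{name}: bind {host}:{port} gets PROXY from {fed[0]} "
                                "but lacks accept-proxy")
            for c in weak_ciphers(opts):
                findings.append(f"{name}: weak cipher {c} on bind {host}:{port}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Rebinding the SNI frontend to 0.0.0.0 makes the SSL_backend chain reachable again, and the only remaining findings are the cipher ones.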

Quote from: TheHellSite on December 15, 2021, 01:02:57 AM

You are allowing inbound traffic on your WAN address 80+443 with your firewall rule but your SNI_frontend is only listening on the localhost address. This way it will never catch any traffic at all!



UPD: nevermind, it was my local cache and unbound cache. After purging everything it works just fine without any specific binding. Thank you for your help. 

I have amended my config and compared again with the guide but I must be missing something.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
    bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    acl acl_61a3f4fdabe975.79392880 req.ssl_ver gt 0

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_61a3f4fdabe975.79392880

# Frontend: 1_HTTPS_frontend (Listening on 192.168.64.1:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61a3f8200d98a7.85727127.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 15m

    # logging options
    # ACL: LOCAL_SUBDOMAINS_SUBNET_condition
    acl acl_61a3f9b4ed7092.44798843 src 192.168.0.0/24

    # ACTION: LOCAL_SUBDOMAINS_map-rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/61a3f5af2446f3.11405534.txt)] if acl_61a3f9b4ed7092.44798843

# Backend: unraid_backend ()
backend unraid_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server unraid_server 192.168.0.20:443 ssl verify none

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy

# Backend: opnsense_backend ()
backend opnsense_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server opnsense_server 192.168.0.1:1443 ssl verify none

# Backend: qbittorrent_backend ()
backend qbittorrent_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server qbittorrent_server 192.168.0.20:8080


The setup is working only if I bind my host->ip in Unbound overrides the way they are physically, for example unraid is bound to 192.168.0.20, opnsense is bound to 192.168.0.1 and so on (see the pic). But if the redirects are set to 192.168.54.1 just like in the guide, it is just unable to connect.

In other words, it seems like 0_SNI_frontend doesn't listen on all addresses even if it is configured to.

Also a question: should I set any WAN rules even if I am only routing the LAN traffic? Right now I didn't set any.



Quote from: TheHellSite on May 31, 2021, 01:06:11 PM
Hello,

when I started implementing HAProxy in my network I couldn't find any complete and well written guide out there. I had to puzzle everything together from various websites.
So I thought I would save many of you a lot of time and provide my ultimate HAProxy on OPNsense guide.  :)

Hello! And thank you very much for your well-written guide. It made my switch from pfSense to OPNsense far smoother! HAProxy in pfSense looks quite different from HAProxy in OPNsense.

I self-host a bunch of services on a local server, and all the services are in dockers, meaning they all have the same IP but different ports. Most of the services worked just fine following your guide, but I'm noticing a few odd things. For instance, on my Firefly III installation, I get the error in the attachment and I'm unable to log in. If I visit the IP:PORT address, it works fine. Any suggestions on changes I could maybe make to my configuration?

None of my services are publicly exposed and I'm using a FQDN just so I don't have to remember port numbers.

My config is below. Thanks! :)


#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
    bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    acl acl_61d029838380d8.68540995 req.ssl_ver gt 0

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_61d029838380d8.68540995

# Frontend: 1_HTTPS_frontend (Listening on 192.168.64.1:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61d02d156c0846.98881851.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 15m

    # logging options
    # ACL: EXTERNAL_conditions
    acl acl_61d066f2cc9639.62892989 src 193.138.218.219
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_61d05461151001.71548589 src 192.168.1.0/24 192.168.70.0/24

    # ACTION: LOCAL_SUBDOMAINS_map-rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/61d053aef188f4.27343600.txt)] if acl_61d066f2cc9639.62892989 || acl_61d05461151001.71548589
    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/61d029eb5a9da6.54806678.txt)]

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy

# Backend: nextcloud_backend ()
backend nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server nextcloud_server 192.168.1.12:444 ssl verify none

# Backend: miniflux_backend ()
backend miniflux_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server miniflux_server 192.168.1.12:5600

# Backend: joplin_backend ()
backend joplin_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server joplin_server 192.168.1.12:22300

# Backend: calibre_backend ()
backend calibre_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server calibre_server 192.168.1.12:8083

# Backend: emby_backend ()
backend emby_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server emby_server 192.168.1.12:8096

# Backend: grocy_backend ()
backend grocy_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server grocy_server 192.168.1.12:9283

# Backend: hydra_backend ()
backend hydra_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server hydra_server 192.168.1.12:5076

# Backend: piwigo_backend ()
backend piwigo_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server piwigo_server 192.168.1.12:8099

# Backend: collabora_backend ()
backend collabora_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server collabora_server 192.168.1.12:9980

# Backend: freshrss_backend ()
backend freshrss_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server freshrss_server 192.168.1.12:8066

# Backend: wallabag_backend ()
backend wallabag_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server wallabag_server 192.168.1.12:6500

# Backend: wikijs_backend ()
backend wikijs_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server wikijs_server 192.168.1.12:3000

# Backend: heimdall_backend ()
backend heimdall_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server heimdall_server 192.168.1.12:8538

# Backend: monica_backend ()
backend monica_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server monica_server 192.168.1.12:8956

# Backend: firefly_backend ()
backend firefly_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server firefly_server 192.168.1.12:8088

# Backend: paperless_1_backend ()
backend paperless_1_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server paperless_1_server 192.168.1.12:8016

# Backend: paperless_2_backend ()
backend paperless_2_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server paperless_2_server 192.168.1.12:8006

First of all please use the correct cipher list and suites, see the beginning of my OP.
You are still using AES128 ciphers indicating you didn't read my tutorial correctly.

Next thing would be to clear your browser cache.
Is it only firefly that is not working or are others also affected?

Are you using a trusted Let's Encrypt cert or a self-signed one?

Quote from: TheHellSite on January 04, 2022, 01:16:56 AM
First of all please use the correct cipher list and suites, see the beginning of my OP.
You are still using AES128 ciphers indicating you didn't read my tutorial correctly.

Next thing would be to clear your browser cache.
Is it only firefly that is not working or are others also affected?

Are you using a trusted Let's Encrypt cert or a self-signed one?

That's fair enough! I have updated my configuration with the correct cipher list and suites. My browser cache has been cleared and I've tried multiple browsers on different computers. The issue still remains. I am using a trusted let's encrypt cert (wildcard domain managed by ACME on OPNsense).

Two of my services aren't working as expected at the moment, and that's Firefly III and Grocy. Everything else is working.

For Firefly, I came across this thread on Github discussing my exact issue. It was apparently fixed in this comment. My Docker env TRUSTED_PROXIES is set to ** already. Do I need to edit 1_HTTPS_frontend or 1_HTTP_frontend? I see that both of those have the option X-Forwarded-For header enabled in my HAProxy.

For Grocy, I'm having the issue described here, on Github. Someone using nginx mentioned they solved the issue by adding proxy_set_header X-Forwarded-Proto https; to their nginx config.


Quote from: boredpanda on January 05, 2022, 06:04:45 PM
Two of my services aren't working as expected at the moment, and that's Firefly III and Grocy. Everything else is working.

For Firefly, I came across this thread on Github discussing my exact issue. It was apparently fixed in this comment. My Docker env TRUSTED_PROXIES is set to ** already. Do I need to edit 1_HTTPS_frontend or 1_HTTP_frontend? I see that both of those have the option X-Forwarded-For header enabled in my HAProxy.

For Grocy, I'm having the issue described here, on Github. Someone using nginx mentioned they solved the issue by adding proxy_set_header X-Forwarded-Proto https; to their nginx config.

You should (but don't have to) leave the x-forwarded-for header enabled. It is very useful since the real servers (firefly, grocy, ...) will get to know the original IP of the client trying to access it.

The links you posted both imply that your issues COULD be resolved by adding the following to your "HTTPS_frontend".

HAProxy --> Virtual Services --> Public Services --> 1_HTTPS_frontend --> Edit --> Enable "advanced mode" (top left corner) --> Scroll down to "Advanced settings" --> Option pass-through --> insert the below code --> Save --> Apply

http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Real-IP %[src]


You might not need both lines so play around until you find the necessary line(s) and please post the final solution!

If both of your services are working now then I suggest to remove that setting from your HTTPS_frontend and set it on the firefly and grocy backends instead!

HAProxy --> Virtual Services --> Public Services --> firefly/grocy backend --> Edit --> Enable "advanced mode" (top left corner) --> Scroll down to "Tuning options" --> Option pass-through --> insert the above code --> Save --> Apply
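To see how the rules from this thread combine on a single request (the `X-Forwarded-Proto https if { ssl_fc }` header above, `option forwardfor`, the websocket ACL pair from the earlier reply, and the `map_dom` host lookup with `default_backend` fallback from the exports), here is a small model of HAProxy's evaluation. It is an added example, not code from the thread, the HAProxy blog or the OPNsense plugin; the map file and requests are constructed, and the delimiter set used for "dom" matching ('/', '?', '.', ':') and the rule order are this example's assumptions.

```python
"""Model the request rules discussed in the thread and report which backend a
request lands on and which headers the proxy adds before forwarding."""
from typing import Dict, List, Optional, Tuple

DOM_DELIMS = set("/?.:")   # assumed word delimiters of HAProxy's "dom" match

# Constructed map file in the "<host> <backend>" form the plugin generates.
SAMPLE_MAP = """\
# host -> backend (constructed sample)
nextcloud.example.com  nextcloud_backend
firefly.example.com    firefly_backend
"""


def parse_map(text: str) -> List[Tuple[str, str]]:
    entries = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 2:
            entries.append((words[0], words[1]))
    return entries


def dom_match(value: str, pattern: str) -> bool:
    """True when pattern occurs in value bounded by start/end or a delimiter."""
    start = 0
    while True:
        idx = value.find(pattern, start)
        if idx < 0:
            return False
        end = idx + len(pattern)
        left_ok = idx == 0 or value[idx - 1] in DOM_DELIMS
        right_ok = end == len(value) or value[end] in DOM_DELIMS
        if left_ok and right_ok:
            return True
        start = idx + 1


def map_dom(entries: List[Tuple[str, str]], value: str) -> Optional[str]:
    """First entry (file order) whose key dom-matches value, else None."""
    for key, backend in entries:
        if dom_match(value, key):
            return backend
    return None


def hdr_values(headers: Dict[str, str], name: str) -> List[str]:
    """Comma-separated values of a header, lower-cased as a '-i' ACL sees them."""
    out: List[str] = []
    for k, v in headers.items():
        if k.lower() == name.lower():
            out += [part.strip().lower() for part in v.split(",")]
    return out


def route(headers: Dict[str, str], src: str, ssl_fc: bool,
          map_entries: List[Tuple[str, str]],
          default_backend: str = "bk_web") -> Tuple[str, Dict[str, str]]:
    """Return (chosen backend, headers added before forwarding)."""
    added = {"X-Forwarded-For": src}          # option forwardfor
    if ssl_fc:                                # only set on the TLS frontend
        added["X-Forwarded-Proto"] = "https"
    # acl hdr_connection_upgrade hdr(Connection) -i upgrade
    # acl hdr_upgrade_websocket  hdr(Upgrade)    -i websocket
    # use_backend bk_ws if hdr_connection_upgrade hdr_upgrade_websocket
    if ("upgrade" in hdr_values(headers, "Connection")
            and "websocket" in hdr_values(headers, "Upgrade")):
        return "bk_ws", added
    # use_backend %[req.hdr(host),lower,map_dom(<mapfile>)]: when the map yields
    # no backend, HAProxy skips the rule and default_backend applies.
    hosts = hdr_values(headers, "Host")
    backend = map_dom(map_entries, hosts[-1] if hosts else "")
    return (backend or default_backend), added


if __name__ == "__main__":
    entries = parse_map(SAMPLE_MAP)
    print(route({"Host": "Nextcloud.Example.com:443"}, "192.168.1.50", True, entries))
```

Note the last test case: a dom match is delimiter-bounded but not anchored to the whole Host value, which is one more reason to keep the source-subnet ACL in front of the LOCAL_SUBDOMAINS map rule as the exports above do.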

Quote from: TheHellSite on January 05, 2022, 06:34:51 PM
The links you posted both imply that your issues COULD be resolved by adding the following to your "HTTPS_frontend".

HAProxy --> Virtual Services --> Public Services --> 1_HTTPS_frontend --> Edit --> Enable "advanced mode" (top left corner) --> Scroll down to "Advanced settings" --> Option pass-through --> insert the below code --> Save --> Apply

http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Real-IP %[src]


You might not need both lines so play around until you find the necessary line(s) and please post the final solution!

The second line didn't work, but http-request set-header X-Forwarded-Proto https if { ssl_fc } solved the issue with both services, so I have added the line to both of the back ends. Thank you so much! ;)