Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

[brooklynmind]

This has been answered 12 messages back.
https://forum.opnsense.org/index.php?topic=23339.msg143886#msg143886
[/quote]

Not really, as that person's question was different from mine.

• I'm looking to forward everything related to domain *.my1stdomain.xyz to nginx proxy manager (I needed to do this as npm works well with Authentik which I use for SSO for some of my apps)
  Whereas HAProxy handles everything related to *.my1stdomain.xyz (I already have this working without issues.

[Bunch]

I've been following this wonderfully crafted tutorial, so "THANK YOU" to the op for this.
Question (I know this might outside the scope of this tutorial):

• If I want HAProxy to handle *.my1stdomain.xyz which would be for specific services (already have this working flawlessly),
  but I would like to forward *.my2nddomain.xyz to nginx proxy manager running on docker so that nginx proxy manager will be used to manage that.

Is that something this setting can help to implement?

If you want nginx to handle TLS of *.my2nddomain.xyz, then the backend of *.my2nddomain.xyz will be in TCP mode.
And you need to set SNI_FRONTEND to something like #176

If you want keeping HAPROXY to handle TLS, you need to change config of nginx to accept proxy protocol, which is really out of scope

[brooklynmind]

If you want nginx to handle TLS of *.my2nddomain.xyz, then the backend of *.my2nddomain.xyz will be in TCP mode.
And you need to set SNI_FRONTEND to something like #176

If you want keeping HAPROXY to handle TLS, you need to change config of nginx to accept proxy protocol, which is really out of scope
[/quote]

Thanks a lot for your input. I'll play around with that and look at #176 as you pointed out.

[Stevoni]

Great tutorial!

I'm running into a problem accessing the sites within the network after following this tutorial and enabling Cloudflare proxy. Without the Cloudflare proxy I can access the sites both externally and internally but when I enable the Cloudflare proxy I'm unable to access the sites from the internal network.

This post, https://vitobotta.com/2019/12/23/real-ip-haproxy-ingress-behind-cloudflare/, explains how to get the correct IP but I'm not clear on how to implement that in the OPNsense HAProxy implementation. I found a similar question on the forums, https://forum.opnsense.org/index.php?topic=26419.msg127542#msg127542, but there wasn't any answer.

I created a condition with the Cloudflare IPs but I don't know where to go from there, any suggestions?

[TheHellSite]

Great tutorial!

I'm running into a problem accessing the sites within the network after following this tutorial and enabling Cloudflare proxy. Without the Cloudflare proxy I can access the sites both externally and internally but when I enable the Cloudflare proxy I'm unable to access the sites from the internal network.

This post, https://vitobotta.com/2019/12/23/real-ip-haproxy-ingress-behind-cloudflare/, explains how to get the correct IP but I'm not clear on how to implement that in the OPNsense HAProxy implementation. I found a similar question on the forums, https://forum.opnsense.org/index.php?topic=26419.msg127542#msg127542, but there wasn't any answer.

I created a condition with the Cloudflare IPs but I don't know where to go from there, any suggestions?

Sorry, but this is out of scope of this tutorial.

[mozart]

I followed the tutorial and added the necessary config to enable OpenVPN on port 443 but somehow it always keeps sending everything to the SSL_Backend.

My config file:

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    2
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options
    # ACL: SSL_hello
    acl acl_632625326b34a3.00256787 req_ssl_hello_type 1

    # ACTION: tcp_request_inspect_delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: tcp_request_content_accept_ssl
    tcp-request content accept if acl_632625326b34a3.00256787
    # ACTION: Openvpn_map-rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6329deb37cfb97.45093681.txt)] if acl_632625326b34a3.00256787

# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    acl acl_632463bc8a4e03.38927091 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_632463bc8a4e03.38927091

# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 crt-list /tmp/haproxy/ssl/632498ac5e6503.54058036.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6324642dba2f56.47189800.txt)]

# Backend: wiki ()
backend wiki
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server apache03 192.168.254.4:80

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: Zoneminder_backend ()
backend Zoneminder_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ZoneMinder 192.168.254.22:80 source 192.168.254.2

# Backend: Nextcloud_Backend ()
backend Nextcloud_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server owncloud 192.168.254.23:443 ssl verify none

# Backend: KH_backend ()
backend KH_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server kh 192.168.10.50:80

# Backend: HA_backend ()
backend HA_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ha 192.168.0.51:80

# Backend: HASS_backend ()
backend HASS_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server hass 192.168.254.13:8123

# Backend: BITWARDEN_backend ()
backend BITWARDEN_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server bitwarden 192.168.254.4:81

# Backend: Webmin_Backend ()
backend Webmin_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server sshgateway 192.168.254.34:10000 ssl verify none

# Backend: OPENVPN_backend ()
backend OPENVPN_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server OPENVPN_server 127.4.4.3:10194

When I try to connect to the OpenVPN server on port 443 I get this in the haproxy logs:

Code: [Select]

2022-09-23T13:16:23 Informational haproxy 1.2.3.4:43265 [23/Sep/2022:13:16:23.981] 1_HTTPS_frontend/127.4.4.3:443: SSL handshake failure
2022-09-23T13:16:23 Informational haproxy Connect from 1.2.3.4:43265 to 4.3.2.1:443 (0_SNI_frontend/TCP)
2022-09-23T13:16:19 Informational haproxy 1.2.3.4:43264 [23/Sep/2022:13:16:19.866] 1_HTTPS_frontend/127.4.4.3:443: SSL handshake failure
2022-09-23T13:16:19 Informational haproxy Connect from 1.2.3.4:43264 to 4.3.2.1:443 (0_SNI_frontend/TCP)

Any ideas?

[TheHellSite]

I followed the tutorial and added the necessary config to enable OpenVPN on port 443 but somehow it always keeps sending everything to the SSL_Backend.

Any ideas?

Configure your SNI_frontend like below and it should work.

Code: [Select]

frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options
    option log-separate-errors
    option tcplog
    # ACL: OPENVPN_condition
    acl acl_6143a3ff7e6bf2.30491250 req_ssl_hello_type 1

    # ACTION: OPENVPN_rule
    use_backend OPENVPN_backend if !acl_6143a3ff7e6bf2.30491250
    # WARNING: pass through options below this line
    tcp-request inspect-delay 5s
    tcp-request content accept if !{ req_ssl_hello_type 1 }


[mozart]

Thanks, I updated my frontend config:

Code: [Select]

# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options
    # ACL: SSL_hello
    acl acl_632625326b34a3.00256787 req_ssl_hello_type 1

    # ACTION: Openvpn_map-rule
    use_backend OPENVPN_backend if acl_632625326b34a3.00256787
    # ACTION: tcp_request_inspect_delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: tcp_request_content_accept_ssl
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request content accept if !{ req_ssl_hello_type 1 }


I think it matches your example but I still get errors in the haproxy log:

Code: [Select]

2022-09-23T14:52:32 Informational haproxy 1.2.3.4:42250 [23/Sep/2022:14:52:32.904] 1_HTTPS_frontend/127.4.4.3:443: SSL handshake failure
2022-09-23T14:52:32 Informational haproxy Connect from 1.2.3.4:42250 to 4.3.2.1:443 (0_SNI_frontend/TCP)
2022-09-23T14:52:31 Informational haproxy Connect from 192.168.254.13:52460 to 192.168.254.1:443 (0_SNI_frontend/TCP)

I looked a bit further and now I do see entries appearing in the OpenVPN logs so I will check those out first.

[keyboardDabbler]

hi guys,

I am trying to setup a SSO using keycloak, openLDAP and other providers. I have it all working locally but now wanting to communicate to the LDAP server via ldap://ldap.mydomain.com instead of ldap://192.168.1.104:1389.

The only difference that i have tried is changing the mode on the backend server from HTTP to TCP. I just recieve a timeout error when testing.

Code: [Select]

2022-09-24 13:40:25,284 ERROR [org.keycloak.services] (executor-thread-39) KC-SERVICES0055: Error when connecting to LDAP: ldap.mydomain.com:389: javax.naming.CommunicationException: ldap.mydomain.com:389 [Root exception is java.net.SocketTimeoutException: connect timed out]

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     100000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    acl acl_62bbec3b1189e7.31090598 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_62bbec3b1189e7.31090598

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62bbef8e4ab6b5.77631912.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62bbecc24b7a71.66647551.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: PRISM_backend ()
backend PRISM_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server PRISM_server 192.168.1.103:2342

# Backend: REQUEST_backend ()
backend REQUEST_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server REQUEST_server 192.168.1.104:5055

# Backend: LDAP_backend ()
backend LDAP_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server LDAP_server 192.168.1.104:1636 ssl verify none


[bunchofreeds]

Thanks @TheHellSite for an awesome tutorial and support to us all with OPNsense & HAproxy
I have a perfectly working HAproxy thanks to you with dynamic DNS, LetsEncrypt and multiple reverse proxied sites.

However, I have not changed the default port for OPNsense away from 443

I have three externally accessible sites all via my single public IP, which are directed to three different backend servers using HAproxy
These public urls are specified in the 'listening addresses' of my public service using their ww.example.com:443 format. I have not specified a broad 0.0.0.0:443 for example

What's your view on this setup and its possible conflict with the OPNsesne webserver. Am I correct to specify the url's and therefore HAproxy is only listening for these and not the url or IP for OPNsense?

Thanks for any advice

[phib3r]

My config is working great thanks to this post ! I do have a quick question that you may be able to expand on - requiring client certificates from a specific sub domain. I have tried out a few things, but all that seems to happen is that all the sub domains request client certs. I have tried to create a new public https frontend and have that look up from a different mapping file - but all that seems to happen is that the original https front end just now requires client certs. I would post my config - but it is currently working and to the letter what you have posted with just some more sub domains added. Any help or pointing in the right direction would be fantastic.

M

[phib3r]

To the LDAP question above might be that LDAP is using UDP and not tcp

[phib3r]

Might be - sorry

[Morta]

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 1000s
    timeout connect 1000s
    timeout server 1000s
    retries 3
    default-server init-addr libc,last
    default-server maxconn 5000

# autogenerated entries for ACLs

# userlists generated from groups
userlist Allowedusers
    user joel insecure-password XXX
    user mopidy insecure-password XXX
    # NOTE: UserlistAddUsers called with empty group data


# autogenerated entries for config in backends/frontends
userlist list_6245eeb66d3ab2.08976803
    # Origin: MOPIDY_backend
    user mopidy insecure-password XXX
    user joel insecure-password XXX
    # WARNING: skipping duplicate username (mopidy)


# autogenerated entries for stats




# Frontend: SNI_frontend (Listening on http&https)
frontend SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind :::80 name :::80
    bind :::443 name :::443
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 1000s

    # logging options

# Frontend: HTTP_frontend (Listening 127.0.0.1:80)
frontend HTTP_frontend
    bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
    bind [::1]:80 name [::1]:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 1000s

    # logging options
    # ACL: NoSSL_condition
    acl acl_621d0b77c74989.24704837 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_621d0b77c74989.24704837

# Frontend: HTTPS_frontend (Listinging on 127.0.0.1:443)
frontend HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/621d11c7cad951.61400293.certlist
    bind [::1]:443 name [::1]:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/621d11c7cad951.61400293.certlist
    mode http
    option http-keep-alive
    default_backend WEBSERVER_backend
    option forwardfor
    # tuning options
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/621d0c7054ddb7.46420139.txt)]
    # WARNING: pass through options below this line
      # Matrix client traffic
      acl matrix-host hdr(host) -i chat.XXX.ch chat.XXX.ch:443
      acl matrix-path path_beg /_matrix
      acl matrix-path path_beg /_synapse/client
   
      use_backend MATRIX_backend if matrix-host matrix-path

# Frontend: MATRIX_frontend (Listining * Port 8448)
frontend MATRIX_frontend
    bind *:8448 name *:8448 alpn h2,http/1.1 ssl  crt-list /tmp/haproxy/ssl/6256daae2378c2.17892750.certlist
    bind [::]:8448 name [::]:8448 alpn h2,http/1.1 ssl  crt-list /tmp/haproxy/ssl/6256daae2378c2.17892750.certlist
    mode http
    option http-keep-alive
    default_backend MATRIX_backend
    # tuning options
    timeout client 1000s

    # logging options
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
      http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
      http-request set-header X-Forwarded-For %[src]

# Frontend: SSH_frontend (Listining * Port 22)
frontend SSH_frontend
    bind *:22 name *:22 alpn h2,http/1.1
    bind [::]:22 name [::]:22 alpn h2,http/1.1
    mode tcp
    # tuning options
    timeout client 1000s

    # logging options

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 1000s
    timeout server 1000s
    server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy

# Backend: WEBSERVER_backend ()
backend WEBSERVER_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 1000s
    timeout server 1000s
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    acl restricted_page path_beg /wp-admin
    acl auth_ok http_auth(Allowedusers)
    http-request auth if restricted_page !auth_ok
   
    http-reuse safe
    server WEBSERVER_server 192.168.1.100:80 send-proxy-v2 check-send-proxy
    server WEBSERVER_server_ipv6 XXX:168:a774::2000:80 send-proxy-v2 check-send-proxy

# Backend: NAS_backend ()
backend NAS_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 1000s
    timeout server 1000s
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-reuse safe
    server NAS_server 192.168.1.118:80
    server NAS_server_ipv6 XXX:168:a774::1000:80

# Backend: WEBSERVER_SSL_backend ()
backend WEBSERVER_SSL_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 1000s
    timeout server 1000s
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
   
    http-reuse safe
    server WEBSERVER_server_ssl 192.168.1.100:443
    server WEBSERVER_server_ssl_ipv6 XXX:168:a774::2000:443

# Backend: MOPIDY_backend ()
backend MOPIDY_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 1000s
    timeout server 1000s
    acl auth_ok http_auth(list_6245eeb66d3ab2.08976803)
    http-request auth if !auth_ok
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    acl is_root path -i /
    redirect code 301 location /iris if is_root
    http-reuse safe
    server MOPIDY_server 192.168.1.100:6680

# Backend: MATRIX_backend ()
backend MATRIX_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 1000s
    timeout server 1000s
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
      http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
      http-request set-header X-Forwarded-For %[src]
    http-reuse safe
    server MATRIX_server 192.168.1.100:8008
    server MATRIX_server_ipv6 XXX:168:a774::2000:8008

# Backend: KVM_backend ()
backend KVM_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 1000s
    timeout server 1000s
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-reuse safe
    server KVM_server 192.168.1.105:80

# Backend: SYNC_backend ()
backend SYNC_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 1000s
    timeout server 1000s
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
      http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
      http-request set-header X-Forwarded-For %[src]
    http-reuse safe
    server SYNC_server 192.168.1.100:5050

# Backend: ROUTER_SSH_backend ()
backend ROUTER_SSH_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 1000s
    timeout server 1000s
    server ROUTER_SSH_Server 192.168.1.1:22
    server ROUTER_SSH_Server_ipv6 XXX:168:a774::1000:22

# Backend: NAS_SSH_backend ()
backend NAS_SSH_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 1000s
    timeout server 1000s
    server NAS_server_ipv6 XXX:168:a774::1000:80
    server NAS_SSH_server 192.168.1.118:22

# Backend: KVM_SSH_backend ()
backend KVM_SSH_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 1000s
    timeout server 1000s
    server KVM_SSH_server 192.168.1.105:22

# Backend: SERVER_SSH_backend ()
backend SERVER_SSH_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 1000s
    timeout server 1000s
    server SERVER_SSH_server 192.168.1.100:22
    server SERVER_SSH_server_ipv6 XXX:168:a774::2000:22

Could someone say why my SSH service points everytime to the Router and doesn't split to ssh, ssh.kvm, ssh.server, ssh.nas?

My map file looks like

Code: [Select]

#public access subdomains
flood WEBSERVER_backend
kvm KVM_backend
nas WEBSERVER_backend
grafana WEBSERVER_backend
phpmyadmin WEBSERVER_backend
speedtestserver WEBERSERVER_backend
cloud NAS_backend
dav NAS_backend
stefan NAS_backend
mopidy MOPIDY_backend
git WEBSERVER_backend
chat MATRIX_backend
admin WEBSERVER_backend
sync SYNC_backend
ssh.nas NAS_SSH_backend
ssh.server SERVER_SSH_backend
ssh ROUTER_SSH_backend
ssh.kvm KVM_SSH_backend

Is a frontend for port 22 necessary?
Thanks for advices.

[Bunch]

Just think a little bit deeper:
I'm afraid SSH_frontend will never able to bind if your router is 192.168.1.1
As it always using port 22, you will never able to take port 22 with HAProxy.
Thus, everything related to SSH_frontend will never work until you change SSH of your router to different port