Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

Started by TheHellSite, May 31, 2021, 01:06:11 PM

Quote from: TheHellSite on February 04, 2023, 09:48:07 PM
Quote from: tomdh76 on February 04, 2023, 08:19:08 PM
Thx you @TheHellSite for this tutorial. Unfortunately I cannot get it to work. I always get a "503 service unavailable" status.

If I use the internal addresses of the websites (192.168.2.40:8083 for example) I can log in. But using website.domain.com I get a 503 error. In the logs I see that the client is accessing the public IP on port 443.

Please give further details on what is and what is not working.

Are you able to access your services via their domain name from a device outside of your local network?

Did you configure the DNS overrides for the local clients?

Also, your Bitwarden server seems to be misconfigured. Are you sure it is serving SSL on the HTTP port? Also verify this for your other service.

Well, nothing is working, neither from within the local network nor from outside.

I did configure the DNS override, but I first try to access the services from my mobile device.

I do not understand what you mean by serving SSL on the HTTP port. I think I followed your tutorial to the letter (except for using a Let's Encrypt certificate by using the Cloudflare API for my domain).

Edit: I found it, I needed to uncheck the SSL tickbox in the real server settings. In your tutorial you have it checked, and I saw in this forum someone else who had the same problem...

Thx a lot!!

Quote from: tomdh76 on February 04, 2023, 11:11:11 PM
I do not understand what you mean by serving SSL on the HTTP port. I think I followed your tutorial to the letter (except for using a Let's Encrypt certificate by using the Cloudflare API for my domain).

It is dangerous to do things like exposing services to the internet when you don't even understand this simple question from me!  :-\

Read step 9 of my FAQ. You should also really read the explanation of the "SSL checkbox" on the server setup page!
I bet you are not accessing your services by their local IP using HTTPS; you are likely accessing them using HTTP.
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.
Additionally you can consider donating: https://www.buymeacoffee.com/thehellsite

Quote from: TheHellSite on February 04, 2023, 11:30:25 PM
Quote from: tomdh76 on February 04, 2023, 11:11:11 PM
I do not understand what you mean by serving SSL on the HTTP port. I think I followed your tutorial to the letter (except for using a Let's Encrypt certificate by using the Cloudflare API for my domain).

It is dangerous to do things like exposing services to the internet when you don't even understand this simple question from me!  :-\

Read step 9 of my FAQ. You should also really read the explanation of the "SSL checkbox" on the server setup page!
I bet you are not accessing your services by their local IP using HTTPS; you are likely accessing them using HTTP.

Yes that was the problem...

Strange, but the 503 error appears for me as well.
I tested with Apache, Node.js and WAMP; nothing worked. Then I tried to redirect to my switch to see if my Windows machine is not the problem... but nope.
DynamicDNS is configured and working fine.
All GUI redirections disabled and the OPNsense GUI port changed.
Added a firewall rule to WAN, and no additional LAN rules added (it's an almost fresh install).
ACME generated the cert fine via DNS. (2/4/2023, 7:23:39 PM   OK   2/4/2023, 7:23:40 PM)


Tested from an external network via smartphone on cellular data.

One thing is that I am using Proxmox to virtualize OPNsense as a "routerOnStick/Forbidden Router" and I pass two ports from the quad NIC on the Proxmox server as LAN/WAN for OPNsense, and LAN goes to a dumb switch that carries VLANs/LAN to the rest of my house; so far not a single problem with that, but maybe, just maybe..

OPNsense 23.1_6-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022


HAProxy version 2.6.7-c55bfdb 2022/12/02 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-2.6.7.html
Running on: FreeBSD 13.1-RELEASE-p5 FreeBSD 13.1-RELEASE-p5 stable/23.1-n250372-c4ad069e50a SMP amd64

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:443 and 0.0.0.0:80)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options
    option log-separate-errors
    option tcplog

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    option log-separate-errors
    option httplog
    # ACL: NoSSL_condition
    acl acl_63dea06740dee5.93056632 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_63dea06740dee5.93056632

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63dea303583a84.37941891.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    option log-separate-errors
    option httplog

    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63dea0bbafdf17.31648976.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: XKP_backend ()
backend XKP_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server XKP_server 192.168.1.104:80 ssl verify none



# statistics are DISABLED


2023-02-05T10:45:38 Error haproxy ********:31073 [05/Feb/2023:10:45:38.668] 1_HTTPS_frontend~ 1_HTTPS_frontend/<NOSRV> -1/-1/-1/-1/0 503 217 - - SC-- 2/1/0/0/0 0/0 "GET https://[********:/favicon.ico HTTP/2.0"

root@firewall:~ # haproxy -f /usr/local/etc/haproxy.conf -d
Available polling systems :
     kqueue : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result FAILED
Total: 3 (2 usable), will use kqueue.

Available filters :
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace
Using kqueue() as the polling mechanism.
00000000:0_SNI_frontend.accept(0004)=0014 from [********:31207] ALPN=<none>
00000001:1_HTTPS_frontend.accept(0007)=0017 from [********:31207] ALPN=h2
00000001:1_HTTPS_frontend.clireq[0017:ffffffff]: GET https://********/ HTTP/2.0
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: host: ********
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: cache-control: max-age=0
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua-mobile: ?1
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua-platform: "Android"
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: save-data: on
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: dnt: 1
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: upgrade-insecure-requests: 1
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: user-agent: Mozilla/5.0 (Linux; Android 13; Mi 9T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Mobile Safari/537.36
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-site: cross-site
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-mode: navigate
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-user: ?1
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-dest: document
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept-encoding: gzip, deflate, br
00000001:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept-language: en-US,en;q=0.9
00000001:1_HTTPS_frontend.clicls[0017:ffff]
00000001:1_HTTPS_frontend.closed[0017:ffff]
00000002:1_HTTPS_frontend.accept(0007)=0017 from [********:31207] ALPN=h2
00000002:1_HTTPS_frontend.clireq[0017:ffffffff]: GET https://********/favicon.ico HTTP/2.0
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: host: ********
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: dnt: 1
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua-mobile: ?1
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: save-data: on
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: user-agent: Mozilla/5.0 (Linux; Android 13; Mi 9T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Mobile Safari/537.36
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-ch-ua-platform: "Android"
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-site: same-origin
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-mode: no-cors
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: sec-fetch-dest: image
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: referer: https://********/
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept-encoding: gzip, deflate, br
00000002:1_HTTPS_frontend.clihdr[0017:ffffffff]: accept-language: en-US,en;q=0.9
00000002:1_HTTPS_frontend.clicls[0017:ffff]
00000002:1_HTTPS_frontend.closed[0017:ffff]
00000000:SSL_backend.srvcls[0014:ffff]
00000000:SSL_backend.clicls[ffff:ffff]
00000000:SSL_backend.closed[ffff:ffff]

Interestingly, from the OPNsense SSH shell via wget I managed to download from the server, and from Windows too..
wget --save-headers http://ccc.network.ccc
This was with the DNS override, but it is still not accessible by browser.

image - https://i.ibb.co/bL8Wgbj/34.png

Quote from: xkpx on February 05, 2023, 09:54:51 AM
Strange, but the 503 error appears for me as well.
I tested with Apache, Node.js and WAMP; nothing worked. Then I tried to redirect to my switch to see if my Windows machine is not the problem... but nope.
DynamicDNS is configured and working fine.
All GUI redirections disabled and the OPNsense GUI port changed.
Added a firewall rule to WAN, and no additional LAN rules added (it's an almost fresh install).
ACME generated the cert fine via DNS. (2/4/2023, 7:23:39 PM   OK   2/4/2023, 7:23:40 PM)

Tested from an external network via smartphone on cellular data.

One thing is that I am using Proxmox to virtualize OPNsense as a "routerOnStick/Forbidden Router" and I pass two ports from the quad NIC on the Proxmox server as LAN/WAN for OPNsense, and LAN goes to a dumb switch that carries VLANs/LAN to the rest of my house; so far not a single problem with that, but maybe, just maybe..


I also see that in your backend for XKP, SSL is checked. Could you try unchecking SSL?

Totally my mistake of course, I somehow managed to confuse myself and put "xkp XKP_Server" in the map file instead of "xkp XKP_backend". Damn, I did this tutorial 3 times already today before realizing it.
Also forgot in ACME: OCSP must staple.

So far everything works.


Quote from: TheHellSite on February 03, 2023, 05:06:38 PM
Please refer to this post about it. Be warned, I can not provide help for this since I am not using such a setup.

https://forum.opnsense.org/index.php?topic=18538.msg84958#msg84958

Still, thank you for posting a link to a possible solution. I have had my hunches, but at least it narrows down the area to look at. Thank you and have a nice day!


Hello,

Decided to post the issue I'm having here, since for the love of god I can't find what's wrong 😊

I implemented the guide to the letter using a virtual IP. I set up 1 public service accessible from the internet and a few accessible locally only (I separate this in my DNS settings for the domain; I only pointed xyz.mydomain.net to my public IP (static)). Everything is working as expected.

Now I want to open the full domain to my public IP, and implement step 7 of this guide to make only public services available over the internet, and limit the local services to LAN access only.

I added the local subdomains rule and map file as described in the guide, but for some reason it doesn't work... services are always available even if accessed from the internet... like the LOCAL_SUBDOMAINS_map_conditions would not apply... but if I remove the PUBLIC_SUBDOMAINS-map-rule from the HTTPS_frontend it is working, but only from the local LAN, as it should, since it's limiting access to LAN only.... When I put both rules in my HTTPS_frontend the rule for local LAN access only is not sticking, but websites are accessible from LAN and internet.

Did I miss something obvious? Or, as it looks to me, are the 2 rules not handled in parallel, since with only one rule (either) it's working?

Any help appreciated.

Posting my config:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    maxconn                     128
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 100
    timeout client 30s
    timeout connect 4s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 100

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_Frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_Frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_Backend

    # logging options
    option tcplog

# Frontend: 1_HTTP_Frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_Frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    option httplog
    # ACL: NoSSL_Condition
    acl acl_6241c8286b2146.46286925 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_6241c8286b2146.46286925

# Frontend: 1_HTTPS_Frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_Frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6241cc05878570.68121182.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    option httplog
    # ACL: LOCAL_SUBDOMAINS_map_conditions
    acl acl_63f758e46145e5.66171870 src 192.168.1.0/26

    # ACTION: LOCAL_SUBDOMAINS_map-rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63f7583a8314e2.36363887.txt)] if acl_63f758e46145e5.66171870
    # ACTION: PUBLIC_SUBDOMAINS_map_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6241c892a54f84.31767078.txt)]

# Backend: SSL_Backend (SSL_Backend)
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: Unifi_backend (Unifi_Backend)
backend Unifi_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Unifi 172.1.1.2:8443 ssl alpn h2,http/1.1 verify none source 192.168.1.1

# Backend: Homeassistant_backend (Homeassistant_Backend)
backend Homeassistant_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Homeassistant 192.168.1.3:8123

# Backend: Docker_OCI_backend (Docker_OCI_Backend)
backend Docker_OCI_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server docker 172.1.1.2:9443 ssl alpn h2,http/1.1 verify none source 192.168.1.1



# statistics are DISABLED






Quote from: Dimi3 on February 23, 2023, 03:53:58 PM
Hello,

Decided to post the issue I'm having here, since for the love of god I can't find what's wrong 😊

I implemented the guide to the letter using a virtual IP. I set up 1 public service accessible from the internet and a few accessible locally only (I separate this in my DNS settings for the domain; I only pointed xyz.mydomain.net to my public IP (static)). Everything is working as expected.

Now I want to open the full domain to my public IP, and implement step 7 of this guide to make only public services available over the internet, and limit the local services to LAN access only.

I added the local subdomains rule and map file as described in the guide, but for some reason it doesn't work... services are always available even if accessed from the internet... like the LOCAL_SUBDOMAINS_map_conditions would not apply... but if I remove the PUBLIC_SUBDOMAINS-map-rule from the HTTPS_frontend it is working, but only from the local LAN, as it should, since it's limiting access to LAN only.... When I put both rules in my HTTPS_frontend the rule for local LAN access only is not sticking, but websites are accessible from LAN and internet.

Did I miss something obvious? Or, as it looks to me, are the 2 rules not handled in parallel, since with only one rule (either) it's working?



Please post a screenshot of the rule order in the HTTPS_frontend.
Please also post your two map files (domain name redacted).


Quote from: Dimi3 on February 23, 2023, 03:53:58 PM

Part 7 - Step 4 is your solution.
A typical "I didn't read properly" mistake.

Call me stupid, but I don't see the error in the config :). My map files, public and local, have all backends (subdomains defined as internet accessible and local accessible), and the HTTPS frontend has the LOCAL_SUBDOMAINS_map-rule in first place and PUBLIC in second place.

Will read it a few more times :)

Quote from: Dimi3 on February 23, 2023, 05:45:21 PM
Call me stupid, but I don't see the error in the config :). My map files, public and local, have all backends (subdomains defined as internet accessible and local accessible), and the HTTPS frontend has the LOCAL_SUBDOMAINS_map-rule in first place and PUBLIC in second place.

Will read it a few more times :)

I updated Part 7 to make it (no offense) noob proof.
Please read ALL of it again, slowly.
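The two misconfigurations worked out in this thread (xkpx's map entry naming the server XKP_Server instead of the backend XKP_backend, which left the HTTPS frontend with no backend and produced the <NOSRV> 503, and Dimi3's LAN-only hosts staying reachable from the internet because the unconditional PUBLIC map rule still resolved them) can be reproduced with the following Python model, added here as an example and not taken from the tutorial, the OPNsense HAProxy plugin or HAProxy itself. The example.net hostnames, client addresses and map contents are constructed; the map_dom matching and the "skip a use_backend rule whose target is not a known backend" behaviour are modelled from HAProxy's documented semantics and are assumptions of the example, not something the thread states.

```python
"""Model of the map-based routing in this thread's 1_HTTPS_frontend.
Added example, not code from the tutorial, the OPNsense plugin or HAProxy.
Hostnames (example.net), client addresses and map contents are constructed."""
import ipaddress
import re

# Backend names exactly as they appear in the configs posted in the thread.
BACKENDS = {"XKP_backend", "Unifi_backend", "Homeassistant_backend",
            "Docker_OCI_backend"}

# The LAN ACL from Dimi3's config: "acl ... src 192.168.1.0/26".
LAN = ipaddress.ip_network("192.168.1.0/26")

# Constructed map files in HAProxy map format ("key value", '#' comments).
PUBLIC_MAP_TYPO = "xkp.example.net  XKP_Server\n"   # xkpx's typo: server, not backend
LOCAL_MAP = """\
unifi.example.net          Unifi_backend
homeassistant.example.net  Homeassistant_backend
"""
PUBLIC_MAP_LEAKY = """\
xkp.example.net            XKP_backend
# LAN-only host wrongly listed in the PUBLIC map as well
homeassistant.example.net  Homeassistant_backend
"""
PUBLIC_MAP_FIXED = "xkp.example.net  XKP_backend\n"

def parse_map(text):
    """Parse a map file into an ordered list of (key, backend) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            entries.append((key.lower(), value.strip()))
    return entries

def dom_match(host, key):
    """map_dom semantics (assumed): key equals the host or sits between dots/ends."""
    start = host.find(key)
    while start != -1:
        end = start + len(key)
        if (start == 0 or host[start - 1] == ".") and \
           (end == len(host) or host[end] == "."):
            return True
        start = host.find(key, start + 1)
    return False

def map_dom(entries, host):
    """First entry whose key dom-matches the lower-cased host wins (file order)."""
    host = host.lower()
    for key, value in entries:
        if dom_match(host, key):
            return value
    return None

def route(host, src, local_map, public_map):
    """Evaluate the frontend's use_backend rules in the order they are listed.

    Rule 1: LOCAL map, only if the client source is inside the LAN ACL.
    Rule 2: PUBLIC map, no condition, so it is always evaluated.
    A rule whose lookup misses or names an unknown backend is skipped; with
    no default_backend HAProxy then answers 503 (the <NOSRV> in the logs).
    """
    src_ip = ipaddress.ip_address(src)
    rules = [(src_ip in LAN, parse_map(local_map)),
             (True, parse_map(public_map))]
    for condition, entries in rules:
        if not condition:
            continue
        backend = map_dom(entries, host)
        if backend in BACKENDS:
            return backend
    return "503"

def lint_maps(local_map, public_map):
    """Flag targets that are not backends, and LOCAL hosts that also sit in PUBLIC."""
    problems = []
    local, public = parse_map(local_map), parse_map(public_map)
    for key, value in local + public:
        if value not in BACKENDS:
            problems.append(f"{key}: '{value}' is not a backend")
    local_keys = {key for key, _ in local}
    for key, _ in public:
        if key in local_keys:
            problems.append(f"{key}: in PUBLIC map, reachable from the Internet")
    return problems

def lint_servers(config_text):
    """Flag 'server' lines with ssl enabled towards port 80 (the SSL checkbox
    mistake from the start of the thread); returns the offending server names."""
    pattern = re.compile(r"\s*server\s+(\S+)\s+\S+:80\s.*\bssl\b")
    return [m.group(1) for m in map(pattern.match, config_text.splitlines()) if m]
```

Running lint_maps over the LOCAL and PUBLIC map files before pressing Apply catches both thread problems without a single test request; lint_servers over the generated haproxy.conf catches the "SSL checkbox" case from the first post.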

I saw in a few places that HAProxy is only a TCP/HTTP proxy. Today I tried to set up a RustDesk host and everything except the hbbs - RustDesk ID/Rendezvous server (https://rustdesk.com/docs/en/self-host/install/) works so far.
I get that 21116 is UDP and maybe it will not be possible to reverse proxy this, but I need to ask: is there a way to get it working?

Another question: is there a way to make a range of ports like 21115-21117, because adding some services may make the UI a little overcrowded over time?