Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

[TheHellSite]

First off, thank you TheHellSite for this amazing tutorial. I highly appreciate your level of attention to detail and the  after post support.

The purpose of my design is to expose my Jellyfin Server for remote access from a 2nd home, but hopefully in a secure fashion. As far as I can tell, I'm trying to match your network diagram from the first post aside from JF vs Plex.

I almost feel bad asking for help today because I sense it's something stone deaf obvious I've missed. I even slept on it and went back through each step from the very start and I can't see any fat finger errors.

So with apologies in advance, I'm hoping you can offer some troubleshooting for instances where the SSL Server Test comes back as T / Certificate name mismatch. I've made it to the end of Step 5.

Protocol Support, Key Exchange, and Cipher Strength are all top marks, but SSL Test is marking me T because of the invalid cert.

Here's a link to my HAProxy Config - https://pastebin.com/P5QtYPUt

My ACME Client log looks identical to your screenshot in the tutorial. I have redone the issue/renew procedure and the log comes back looking happy again.

I'm happy to post screenshots that would help diagnose. Appreciate any redirect on where to start looking.

The error pretty much says it all. I really don't know why you have to ask for help. I wonder if people nowadays are just too lazy to simply google such easy errors themselve?

Actually you shouldn't even need to google it. I might start taking money for giving lazy support...
https://www.globalsign.com/en/blog/what-is-common-name-mismatch-error

[coreyinoz]

So with apologies in advance, I'm hoping you can offer some troubleshooting for instances where the SSL Server Test comes back as T / Certificate name mismatch. I've made it to the end of Step 5.

The error pretty much says it all. I really don't know why you have to ask for help. I wonder if people nowadays are just too lazy to simply google such easy errors themselves?

Actually you shouldn't even need to google it. I might start taking money for giving lazy support...
https://www.globalsign.com/en/blog/what-is-common-name-mismatch-error

Yikes. I'm sorry to have put you out. I guess one of the risks of having a clear tutorial is that people like me can get in beyond their expertise.

I didn't realize that inserting 'www' in front of my domain on the SSL test was the difference between a pass or fail. I get an A when testing www.mydomain.dedyn.io

Thanks for the help.

[otherego]

Thank you fir this nice guide i followed to replace nginx reverse proxy. i left my
 nexcloud server untouched.
After following the guide, i've got "too many redirects" error.
i've looking around for a possible solution... but i don't understand what is wrong
i'm using cloudflare and this it's apache configuration

Code: [Select]

<VirtualHost *:80>
    DocumentRoot "/usr/local/www/nextcloud"
    ServerName nextcloud.mysite.com
<FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    DirectoryIndex /index.php index.php
</VirtualHost>

config.php

Code: [Select]


{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "10.0.0.48",
            "nextcloud.mysite.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "25.0.4.1",
        "overwrite.cli.url": "https:\/\/nextcloud.mysite.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "nextcloud.mysite.com",
        "overwriteprotocol": "https",
        "overwritecondaddr": "^10\\.0\\.0\\.1$",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "updater.release.channel": "stable",
        "default_phone_region": "IT",
        "app_install_overwrite": [],
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "data-fingerprint": "d1c023081e0c9b662bc8049cf295c443"
    }
}



 haproxy.conf

Code: [Select]


global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (listening on 0.0.0.0:80. 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_64188d5dce2390.01132494 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_64188d5dce2390.01132494

# Frontend: 1_HTTPS_frontend (Lisening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64189270e357f4.63771565.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64188dd26c8986.37023969.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: Nextcloud_backend ()
backend Nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nextcloud_server 10.0.0.48:80 ssl verify none





[sapphire]

With a "wrong" MTU, shouldn't the VPN connection be shaky with every device from every "outside" network? It's working 100% all the time on my mobile internet (and my girlfriend's as well), and it's working 100% all the time for ssllabs but only some "Is it down or just me"-kinda sites. But for at least 2 friends (one using the newest Opera Browser on Windows), there are timeouts while trying to connect to my websites. Same for a Windows VPS hosted on AWS - can't get a handshake there either (using newest Chrome browser).

I got no problems with my mailserver/proxmox mail gateway at home. I got no hickups with SSH via NAT. I got no issues with gaming servers at home (friends can connect to it). So I think, something isn't working correctly with my haproxy, sadly

That depends on PMTU discovery, so not every connection has to fail. Try reducing MTU/MSS just for the wireguard interface group like so:

OMG, this fixed it! Now I can reach my addresses even with before problematic peers. Thank you so much @thehellsite and @meyergru!

Root Domains
Now I got another question. Did I understand it right, that the tutorial is only working with subdomains, not with root domains? I think, I would have to setup rules to achieve redirects from example.com to www.example.com right?

[TheHellSite]

OMG, this fixed it! Now I can reach my addresses even with before problematic peers. Thank you so much @thehellsite and @meyergru!

Root Domains
Now I got another question. Did I understand it right, that the tutorial is only working with subdomains, not with root domains? I think, I would have to setup rules to achieve redirects from example.com to www.example.com right?

You are welcome. Like I (we) said most of the times when there are intermidiate issues with VPN tunnels it is because of MTU/MSS beeing to high resulting in packet fragmentation.

You can also make it work for root domains. Either set the backend you want to be served on the root domain as default backend in the HTTPS_frontend or change your mapfile and write the full FQDN before the backend (so not just the subdomain). The first method works for sure the later I am not entirely sure. But you can also create a redirect condition and rule set and place it before the map file rule.

[TheHellSite]

Thank you fir this nice guide i followed to replace nginx reverse proxy. i left my
 nexcloud server untouched.
After following the guide, i've got "too many redirects" error.
i've looking around for a possible solution... but i don't understand what is wrong
i'm using cloudflare and this it's apache configuration

Code: [Select]

<VirtualHost *:80>
    DocumentRoot "/usr/local/www/nextcloud"
    ServerName nextcloud.mysite.com
<FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    DirectoryIndex /index.php index.php
</VirtualHost>

config.php

Code: [Select]


{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "10.0.0.48",
            "nextcloud.mysite.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "25.0.4.1",
        "overwrite.cli.url": "https:\/\/nextcloud.mysite.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "nextcloud.mysite.com",
        "overwriteprotocol": "https",
        "overwritecondaddr": "^10\\.0\\.0\\.1$",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "updater.release.channel": "stable",
        "default_phone_region": "IT",
        "app_install_overwrite": [],
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "data-fingerprint": "d1c023081e0c9b662bc8049cf295c443"
    }
}



 haproxy.conf

Code: [Select]


global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (listening on 0.0.0.0:80. 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_64188d5dce2390.01132494 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_64188d5dce2390.01132494

# Frontend: 1_HTTPS_frontend (Lisening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64189270e357f4.63771565.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64188dd26c8986.37023969.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: Nextcloud_backend ()
backend Nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nextcloud_server 10.0.0.48:80 ssl verify none





Your nextcloud server is misconfigured in haproxy, I highly doubt your nextcloud needs SSL ticked. But this might not be the only issue and I won't give support for services I am not using.

[otherego]

thank you btw i've tried to remove SSL ticket too.. but unfortunately error still there..
i have no clue where i can get some help. things are mixing so need to be adviced for nextcloud, for haproxy and how to implement into opnsense...

[Bunch]

Thank you fir this nice guide i followed to replace nginx reverse proxy. i left my
 nexcloud server untouched.
After following the guide, i've got "too many redirects" error.
i've looking around for a possible solution... but i don't understand what is wrong
i'm using cloudflare and this it's apache configuration

Code: [Select]

<VirtualHost *:80>
    DocumentRoot "/usr/local/www/nextcloud"
    ServerName nextcloud.mysite.com
<FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    DirectoryIndex /index.php index.php
</VirtualHost>

config.php

Code: [Select]


{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "10.0.0.48",
            "nextcloud.mysite.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "25.0.4.1",
        "overwrite.cli.url": "https:\/\/nextcloud.mysite.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "nextcloud.mysite.com",
        "overwriteprotocol": "https",
        "overwritecondaddr": "^10\\.0\\.0\\.1$",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "updater.release.channel": "stable",
        "default_phone_region": "IT",
        "app_install_overwrite": [],
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "data-fingerprint": "d1c023081e0c9b662bc8049cf295c443"
    }
}



 haproxy.conf

Code: [Select]


global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (listening on 0.0.0.0:80. 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_64188d5dce2390.01132494 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_64188d5dce2390.01132494

# Frontend: 1_HTTPS_frontend (Lisening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64189270e357f4.63771565.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64188dd26c8986.37023969.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: Nextcloud_backend ()
backend Nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nextcloud_server 10.0.0.48:80 ssl verify none





Have you tried removing the value of the following items?
"overwrite.cli.url"
"overwritehost"
"overwriteprotocol"
"overwritecondaddr"

Since SNI is handled by HAProxy already. I don't think they are necessary.
And the issue might caused by this too.
(HAProxy tried to reach 10.0.0.48:80, nextcloud response to browser it need to "overwrite"(redirect) to https://nextcloud.mysite.com, but browser is already accessing with this path. So the browser don't know what should be redirect (or having dead loop for the worst case) and give you "too many redirects" error.

[Grenen]

I need some help with ciphers and understanding the part in HTTPS_frontend and what i can change.

Im trying to setup a webhook to integrate SmartThings to my Homeassistant, and get a error when trying to validate it.

According to the troubleshooting-guide at https://www.home-assistant.io/integrations/smartthings/#troubleshooting there are some problems doing this with a reverse proxy, and suggest that the cipher suite is too restricted.

Some reverse proxy configuration settings can interfere with communication from SmartThings. For example, TLSv1.3 is not supported. Setting the supported cipher suite too restrictly will prevent handshaking. The following NGINX SSL configuration is known to work:

Code: [Select]

# cert.crt also contains intermediate certificates
ssl_certificate /path/to/cert.crt;
ssl_certificate_key /path/to/cert.key;
ssl_dhparam /path/to/dhparam.pem;
ssl_protocols TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

Could someone help me with the current string and how i can edit it with the suggestion the troubleshooting-guide above. Is it enought to add EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH to the current, or do i need to edit something out as well?

Current:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384


Thanks in advance,

[otherego]

i removed
"overwrite.cli.url"
"overwritehost"
"overwriteprotocol"
"overwritecondaddr"
from my php.conf, but i still have same result

[TheHellSite]

I need some help with ciphers and understanding the part in HTTPS_frontend and what i can change.

Im trying to setup a webhook to integrate SmartThings to my Homeassistant, and get a error when trying to validate it.

According to the troubleshooting-guide at https://www.home-assistant.io/integrations/smartthings/#troubleshooting there are some problems doing this with a reverse proxy, and suggest that the cipher suite is too restricted.

Some reverse proxy configuration settings can interfere with communication from SmartThings. For example, TLSv1.3 is not supported. Setting the supported cipher suite too restrictly will prevent handshaking. The following NGINX SSL configuration is known to work:

Code: [Select]

# cert.crt also contains intermediate certificates
ssl_certificate /path/to/cert.crt;
ssl_certificate_key /path/to/cert.key;
ssl_dhparam /path/to/dhparam.pem;
ssl_protocols TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

Could someone help me with the current string and how i can edit it with the suggestion the troubleshooting-guide above. Is it enought to add EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH to the current, or do i need to edit something out as well?

Current:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384


Thanks in advance,

My provided ciphers are fine! Also TLS_v1.2 is available with my config. If TLS_v1.3 is not available on the client side it will (try) to use TLS_v1.2 instead.
Don't weaken the ciphers there is likely another configuration problem on your side.

If there are no errors in the haproxy log upon connection of the SmartThings client then there is nothing wrong with the haproxy cipher settings.

[Grenen]

My provided ciphers are fine! Also TLS_v1.2 is available with my config. If TLS_v1.3 is not available on the client side it will (try) to use TLS_v1.2 instead.
Don't weaken the ciphers there is likely another configuration problem on your side.

If there are no errors in the haproxy log upon connection of the SmartThings client then there is nothing wrong with the haproxy cipher settings.

I get a handshake failure in the log when trying to establish the webhook:

52.213.77.15:56225 [24/Mar/2023:07:34:18.143] 1_HTTPS_frontend/127.0.0.1:443: SSL handshake failure

The error matches the text in the setup guide for HA+SmartThings "Setting the supported cipher suite too restrictly will prevent handshaking."

Though i dont want too weak cipher, id like to test and add the EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+ED, but i dont understand how to build them in which order.

[TheHellSite]

Just use Mozilla SSL Generator.

But the safest solution is to find out which ciphers are supported by SmartThings and then take the one with the highest cryptographic strength and add it to the end of my cipher list. Cipher suites can be left untouched since they only apply to TLS_v1.3 connections, which seem to be unsupported by SmartThings anyway.

[aleksander.lyse@gmail.com]

I have followed the guide, and I think to the letter. Everything works on absolutely all services I added, except Portainer. I see on other forums Portainer is a bit choosy when it comes to proxy, but no real solution out there to fix it.

The target of this is to proxy portainer.domain.tld to ip-of-portainer:9000 (portainer docs say to route proxy to 9000, the non ssl port, not 9443, the ssl port), but I have tried both. Same result.

The error is: ERR_HTTP2_SERVER_REFUSED_STREAM - I was thinking it could e the HTTP2 option in 1_HTTPS_frontend, so I tried to uncheck it to try. It then give the error: ERR_EMPTY_RESPONSE

This is the corresponding log in debug mode:

With HTTP2 unchecked:

Code: [Select]

2023-03-24T16:58:08 Informational haproxy 10.0.1.100:65204 [24/Mar/2023:16:58:08.850] 0_SNI_frontend SSL_backend/SSL_server 1/0/11 506 -- 1/1/4/0/0 0/0
2023-03-24T16:58:08 Informational haproxy 10.0.1.100:65204 [24/Mar/2023:16:58:08.856] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/5/0/0 0/0 "GET / HTTP/1.1"
With HTTP2 checked:

2023-03-24T16:59:29   Informational   haproxy   10.0.1.100:65272 [24/Mar/2023:16:59:29.608] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/10/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"   
2023-03-24T16:59:29   Informational   haproxy   10.0.1.100:65272 [24/Mar/2023:16:59:29.604] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/9/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"   
2023-03-24T16:59:29   Informational   haproxy   10.0.1.100:65272 [24/Mar/2023:16:59:29.602] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/8/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"

Here is the full config export:

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua
cache opnsense-haproxy-cache
    total-max-size 4
    max-age 60
    process-vary off

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options
    option tcplog

# Frontend: 1_HTTP_frontend (Listening on 10.0.1.15:80)
frontend 1_HTTP_frontend
    bind 10.0.1.15:80 name 10.0.1.15:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_6418a05ee27409.36162049 ssl_fc

    # ACTION: HTTP_to_HTTPS_rule
    http-request redirect scheme https code 301 if !acl_6418a05ee27409.36162049

# Frontend: 1_HTTPS_frontend (Listening on 10.0.1.15:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 10.0.1.15:443 name 10.0.1.15:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets strict-sni ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6418a3dac5bd67.76211333.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    option httplog
    # ACL: LOCAL_SUBDOMAINS_SUBNET_conditions
    acl acl_6418cb7541c572.65233357 src 10.0.1.0/24 10.0.3.0/24 10.0.4.0/24

    # ACTION: LOCAL_SUBDOMAINS_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6418cadaadbdd1.17042036.txt,SSL_backend)] if acl_6418cb7541c572.65233357
    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6418a10a9104c5.33815067.txt,SSL_backend)]

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 10.0.1.15 send-proxy-v2 check-send-proxy

# Backend: Dashboard_backend ()
backend Dashboard_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Dashboard_server 10.0.3.4:3000

# Backend: Radarr_backend ()
backend Radarr_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Radarr_server 10.0.3.6:7878

# Backend: Router_backend ()
backend Router_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Router_server 10.0.1.1:8443

# Backend: Nzbget_backend ()
backend Nzbget_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nzbget_server 10.0.3.7:6789

# Backend: Nas_backend ()
backend Nas_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nas_server 10.0.1.10:5000

# Backend: Jackett_backend ()
backend Jackett_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Jackett_server 10.0.3.8:9117

# Backend: Sonarr_backend ()
backend Sonarr_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Sonarr_server 10.0.3.5:8989

# Backend: Portainer_backend ()
backend Portainer_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Portainer_server 10.0.3.3:9000 send-proxy-v2 check-send-proxy

# Backend: Plex_backend ()
backend Plex_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Plex_server 10.0.1.10:32400

# Backend: Overseerr_backend ()
backend Overseerr_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Overseerr_server 10.0.3.10:5055

# Backend: Tautulli_backend ()
backend Tautulli_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Tautulli_server 10.0.3.9:8181

# Backend: Download_backend ()
backend Download_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Download_server 10.0.1.10:8000

# Backend: Nzb_backend ()
backend Nzb_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nzb_server 10.0.3.11:8080



listen local_statistics
    bind            127.0.0.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    stats admin     if TRUE

# remote statistics are DISABLED


[DoomSalamander]

Hello,
thanks for this great guide. I am trying to get a connection to a Jellyfin server working and at first glance the proxy works but for whatever reason it loads extremely slow or does not load at all (probably due to timeout). In the firewall logs I can see that the ports are not being blocked and Jellyfin is being accessed by the correct port coming from the interface gateway. Is this correct behaviour or should it come from the proxyserver IP?

Here is my full HAProxy config. I have checked it multiple times and I think it is set up correctly. The only difference is that I haven't checked the SSL mark for the real server Jellyfin since I have not set up a certificate on it yet but maybe I have just overlooked something.

The server is on it's own vlan maybe this causes issues too.

Code: [Select]

#
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_Backend
    timeout client 30s

    # logging options

# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
    bind 127.1.0.1:80 name 127.1.0.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    maxconn 10

    # logging options
    # ACL: NoSSL_condition
    acl acl_641d7e3e6bda64.61444458 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_641d7e3e6bda64.61444458

# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
    bind 127.1.0.1:443 name 127.1.0.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/641d813861abd5.14037775.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    option log-separate-errors
    option httplog
    option socket-stats

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/641d81c0801b87.43530099.txt)]

# Backend: SSL_Backend ()
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_Server 127.1.0.1 send-proxy-v2 check-send-proxy

# Backend: Jellyfin_Backend ()
backend Jellyfin_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Jellyfin_Server 10.0.0.2:8096



# statistics are DISABLED


In the logs I see some errors when trying to access Jellyfin:

Code: [Select]

2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.814] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69396 -1 0 - - CC-- 2/1/0/0/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Resume?Limit=12&Recursive=true&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&EnableTotalRecordCount=false&MediaTypes=Book HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69386 -1 0 - - CC-- 2/1/1/1/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=2c29078a81f6a6f262bb18c85a177434 HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69386 -1 0 - - CC-- 2/1/2/2/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=7a2175bccb1f1a94152cbd2b2bae8f6d HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69386 -1 0 - - CC-- 2/1/3/3/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=c5b5a7b14778a8f0c4eb996823229f65 HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69380 -1 0 - - CC-- 2/1/4/4/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=0c41907140d802bb58430fed7e2cd79e HTTP/2.0"
2023-03-28T07:32:35 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:32:05.583] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/4/30007 200 245 - - ---- 2/1/5/5/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/System/Endpoint HTTP/2.0"
2023-03-28T07:32:29 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:29.401] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/5/60069 101 392 - - sD-- 2/1/6/6/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/socket?api_key=67299c39e6ab4eb084116da10f7866b9&deviceId=TW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDEyOyBYUS1BUzUyKSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTEwLjAuNTQ4MS4xOTIgTW9iaWxlIFNhZmFyaS81MzcuMzYgT1BSLzc0LjEuMzkyMi43MTE5OXwxNjc5ODA2ODI4MzI2 HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30000/8/30008 200 1154 - - ---- 2/1/7/7/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=3a6e3078ba2b0ad4408f206c9abe65a4 HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.811] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30011/9/30020 200 256 - - ---- 2/1/8/8/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Resume?Limit=12&Recursive=true&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&EnableTotalRecordCount=false&MediaTypes=Audio HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.528] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/2/30005 200 1095 - - ---- 2/1/9/9/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.493] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30011/2/30013 200 1095 - - ---- 2/1/10/10/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:31:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:29.401] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/4/30007 200 1097 - - ---- 2/1/10/10/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/0/4/8566 101 392 - - CD-- 2/1/0/0/0 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/socket?api_key=67299c39e6ab4eb084116da10f7866b9&deviceId=TW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDEyOyBYUS1BUzUyKSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTEwLjAuNTQ4MS4xOTIgTW9iaWxlIFNhZmFyaS81MzcuMzYgT1BSLzc0LjEuMzkyMi43MTE5OXwxNjc5ODA2ODI4MzI2 HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8566 -1 0 - - CC-- 2/1/1/1/0 0/0 "POST https://jellyfin.MYDOMAIN.dedyn.io/Sessions/Capabilities/Full HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8566 -1 0 - - CC-- 2/1/2/2/0 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8558 -1 0 - - CC-- 2/1/3/3/0 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/DisplayPreferences/usersettings?userId=0d64d22975ba4cd6a57253d0e138c432&client=emby HTTP/2.0"
2023-03-28T07:30:35 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:05.079] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30011/3/30014 302 121 - - ---- 2/1/0/0/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/ HTTP/2.0"
2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:31.309] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/60030 -1 0 - - CC-- 1/1/0/0/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=7a2175bccb1f1a94152cbd2b2bae8f6d HTTP/2.0"
2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:30.979] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/60361 -1 0 - - CC-- 1/1/1/1/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:31.309] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/60021/-1/60030 -1 1220 - - CD-- 1/1/2/2/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=2c29078a81f6a6f262bb18c85a177434 HTTP/2.0"