Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

[otherego]

Thank you fir this nice guide i followed to replace nginx reverse proxy. i left my
 nexcloud server untouched.
After following the guide, i've got "too many redirects" error.
i've looking around for a possible solution... but i don't understand what is wrong
i'm using cloudflare and this it's apache configuration

Code: [Select]

<VirtualHost *:80>
    DocumentRoot "/usr/local/www/nextcloud"
    ServerName nextcloud.mysite.com
<FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    DirectoryIndex /index.php index.php
</VirtualHost>

config.php

Code: [Select]


{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "10.0.0.48",
            "nextcloud.mysite.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "25.0.4.1",
        "overwrite.cli.url": "https:\/\/nextcloud.mysite.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "nextcloud.mysite.com",
        "overwriteprotocol": "https",
        "overwritecondaddr": "^10\\.0\\.0\\.1$",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "updater.release.channel": "stable",
        "default_phone_region": "IT",
        "app_install_overwrite": [],
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "data-fingerprint": "d1c023081e0c9b662bc8049cf295c443"
    }
}



 haproxy.conf

Code: [Select]


global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (listening on 0.0.0.0:80. 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_64188d5dce2390.01132494 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_64188d5dce2390.01132494

# Frontend: 1_HTTPS_frontend (Lisening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64189270e357f4.63771565.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64188dd26c8986.37023969.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: Nextcloud_backend ()
backend Nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nextcloud_server 10.0.0.48:80 ssl verify none





Your nextcloud server is misconfigured in haproxy, I highly doubt your nextcloud needs SSL ticked. But this might not be the only issue and I won't give support for services I am not using.

after some investigations i realized (by using s simple apache server behind haproxy) that is not nextcloud that gives too many redirects error but the trouble is coming because i'm using cloudflare as dns, by switching ssl to Full (strict) instead of Flexible.

[ckocank]

Thank you. This works like a charm. I only change dns to cloudflare and uncheck SSL for real server of my docker container. Took me a week to set up everything. 

[TheHellSite]

I have followed the guide, and I think to the letter. Everything works on absolutely all services I added, except Portainer. I see on other forums Portainer is a bit choosy when it comes to proxy, but no real solution out there to fix it.

The target of this is to proxy portainer.domain.tld to ip-of-portainer:9000 (portainer docs say to route proxy to 9000, the non ssl port, not 9443, the ssl port), but I have tried both. Same result.

The error is: ERR_HTTP2_SERVER_REFUSED_STREAM - I was thinking it could e the HTTP2 option in 1_HTTPS_frontend, so I tried to uncheck it to try. It then give the error: ERR_EMPTY_RESPONSE

This is the corresponding log in debug mode:

With HTTP2 unchecked:

Code: [Select]

2023-03-24T16:58:08 Informational haproxy 10.0.1.100:65204 [24/Mar/2023:16:58:08.850] 0_SNI_frontend SSL_backend/SSL_server 1/0/11 506 -- 1/1/4/0/0 0/0
2023-03-24T16:58:08 Informational haproxy 10.0.1.100:65204 [24/Mar/2023:16:58:08.856] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/5/0/0 0/0 "GET / HTTP/1.1"
With HTTP2 checked:

2023-03-24T16:59:29   Informational   haproxy   10.0.1.100:65272 [24/Mar/2023:16:59:29.608] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/10/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"   
2023-03-24T16:59:29   Informational   haproxy   10.0.1.100:65272 [24/Mar/2023:16:59:29.604] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/9/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"   
2023-03-24T16:59:29   Informational   haproxy   10.0.1.100:65272 [24/Mar/2023:16:59:29.602] 1_HTTPS_frontend~ SSL_backend/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 2/1/8/0/0 0/0 "GET https://portainer.domain.tld/ HTTP/2.0"

Here is the full config export:

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua
cache opnsense-haproxy-cache
    total-max-size 4
    max-age 60
    process-vary off

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options
    option tcplog

# Frontend: 1_HTTP_frontend (Listening on 10.0.1.15:80)
frontend 1_HTTP_frontend
    bind 10.0.1.15:80 name 10.0.1.15:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_6418a05ee27409.36162049 ssl_fc

    # ACTION: HTTP_to_HTTPS_rule
    http-request redirect scheme https code 301 if !acl_6418a05ee27409.36162049

# Frontend: 1_HTTPS_frontend (Listening on 10.0.1.15:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 10.0.1.15:443 name 10.0.1.15:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets strict-sni ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6418a3dac5bd67.76211333.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    option httplog
    # ACL: LOCAL_SUBDOMAINS_SUBNET_conditions
    acl acl_6418cb7541c572.65233357 src 10.0.1.0/24 10.0.3.0/24 10.0.4.0/24

    # ACTION: LOCAL_SUBDOMAINS_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6418cadaadbdd1.17042036.txt,SSL_backend)] if acl_6418cb7541c572.65233357
    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6418a10a9104c5.33815067.txt,SSL_backend)]

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 10.0.1.15 send-proxy-v2 check-send-proxy

# Backend: Dashboard_backend ()
backend Dashboard_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Dashboard_server 10.0.3.4:3000

# Backend: Radarr_backend ()
backend Radarr_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Radarr_server 10.0.3.6:7878

# Backend: Router_backend ()
backend Router_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Router_server 10.0.1.1:8443

# Backend: Nzbget_backend ()
backend Nzbget_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nzbget_server 10.0.3.7:6789

# Backend: Nas_backend ()
backend Nas_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nas_server 10.0.1.10:5000

# Backend: Jackett_backend ()
backend Jackett_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Jackett_server 10.0.3.8:9117

# Backend: Sonarr_backend ()
backend Sonarr_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Sonarr_server 10.0.3.5:8989

# Backend: Portainer_backend ()
backend Portainer_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Portainer_server 10.0.3.3:9000 send-proxy-v2 check-send-proxy

# Backend: Plex_backend ()
backend Plex_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Plex_server 10.0.1.10:32400

# Backend: Overseerr_backend ()
backend Overseerr_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Overseerr_server 10.0.3.10:5055

# Backend: Tautulli_backend ()
backend Tautulli_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Tautulli_server 10.0.3.9:8181

# Backend: Download_backend ()
backend Download_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Download_server 10.0.1.10:8000

# Backend: Nzb_backend ()
backend Nzb_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Nzb_server 10.0.3.11:8080



listen local_statistics
    bind            127.0.0.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    stats admin     if TRUE

# remote statistics are DISABLED


As I already said multiple times my tutorial is meant to get the overall setup running.
Your problem is basically off-topic. Since you are having trouble with a specific service you are better off asking in the respective forum/community. HAProxy isn't the issue here since all your other services are working.

Also, I would never ever expose something like Portainer using a reverse proxy, this is one of the dumbest things you could ever do!
With that beeing said, my guess would be that Portainer is simply blocking connections coming from a proxy (in this case HAProxy). If you are lucky there is an option to set a trusted proxy in Portainer, but I highly doubt this.

That is all you are going to get from me here - no support for service specific issues from my side and in this topic.

[TheHellSite]

Hello,
thanks for this great guide. I am trying to get a connection to a Jellyfin server working and at first glance the proxy works but for whatever reason it loads extremely slow or does not load at all (probably due to timeout). In the firewall logs I can see that the ports are not being blocked and Jellyfin is being accessed by the correct port coming from the interface gateway. Is this correct behaviour or should it come from the proxyserver IP?

Here is my full HAProxy config. I have checked it multiple times and I think it is set up correctly. The only difference is that I haven't checked the SSL mark for the real server Jellyfin since I have not set up a certificate on it yet but maybe I have just overlooked something.

The server is on it's own vlan maybe this causes issues too.

Code: [Select]

#
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_Backend
    timeout client 30s

    # logging options

# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
    bind 127.1.0.1:80 name 127.1.0.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    maxconn 10

    # logging options
    # ACL: NoSSL_condition
    acl acl_641d7e3e6bda64.61444458 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_641d7e3e6bda64.61444458

# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
    bind 127.1.0.1:443 name 127.1.0.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/641d813861abd5.14037775.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    option log-separate-errors
    option httplog
    option socket-stats

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/641d81c0801b87.43530099.txt)]

# Backend: SSL_Backend ()
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_Server 127.1.0.1 send-proxy-v2 check-send-proxy

# Backend: Jellyfin_Backend ()
backend Jellyfin_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Jellyfin_Server 10.0.0.2:8096



# statistics are DISABLED


In the logs I see some errors when trying to access Jellyfin:

Code: [Select]

2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.814] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69396 -1 0 - - CC-- 2/1/0/0/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Resume?Limit=12&Recursive=true&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&EnableTotalRecordCount=false&MediaTypes=Book HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69386 -1 0 - - CC-- 2/1/1/1/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=2c29078a81f6a6f262bb18c85a177434 HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69386 -1 0 - - CC-- 2/1/2/2/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=7a2175bccb1f1a94152cbd2b2bae8f6d HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69386 -1 0 - - CC-- 2/1/3/3/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=c5b5a7b14778a8f0c4eb996823229f65 HTTP/2.0"
2023-03-28T07:32:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/69380 -1 0 - - CC-- 2/1/4/4/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=0c41907140d802bb58430fed7e2cd79e HTTP/2.0"
2023-03-28T07:32:35 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:32:05.583] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/4/30007 200 245 - - ---- 2/1/5/5/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/System/Endpoint HTTP/2.0"
2023-03-28T07:32:29 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:29.401] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/5/60069 101 392 - - sD-- 2/1/6/6/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/socket?api_key=67299c39e6ab4eb084116da10f7866b9&deviceId=TW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDEyOyBYUS1BUzUyKSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTEwLjAuNTQ4MS4xOTIgTW9iaWxlIFNhZmFyaS81MzcuMzYgT1BSLzc0LjEuMzkyMi43MTE5OXwxNjc5ODA2ODI4MzI2 HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.823] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30000/8/30008 200 1154 - - ---- 2/1/7/7/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=3a6e3078ba2b0ad4408f206c9abe65a4 HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.811] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30011/9/30020 200 256 - - ---- 2/1/8/8/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Resume?Limit=12&Recursive=true&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&EnableTotalRecordCount=false&MediaTypes=Audio HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.528] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/2/30005 200 1095 - - ---- 2/1/9/9/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:32:19 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:49.493] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30011/2/30013 200 1095 - - ---- 2/1/10/10/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:31:59 Error haproxy xx.xxx.xx.xx:9644 [28/Mar/2023:07:31:29.401] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30003/4/30007 200 1097 - - ---- 2/1/10/10/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/0/4/8566 101 392 - - CD-- 2/1/0/0/0 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/socket?api_key=67299c39e6ab4eb084116da10f7866b9&deviceId=TW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDEyOyBYUS1BUzUyKSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTEwLjAuNTQ4MS4xOTIgTW9iaWxlIFNhZmFyaS81MzcuMzYgT1BSLzc0LjEuMzkyMi43MTE5OXwxNjc5ODA2ODI4MzI2 HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8566 -1 0 - - CC-- 2/1/1/1/0 0/0 "POST https://jellyfin.MYDOMAIN.dedyn.io/Sessions/Capabilities/Full HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8566 -1 0 - - CC-- 2/1/2/2/0 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-28T07:30:44 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:36.432] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/8558 -1 0 - - CC-- 2/1/3/3/0 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/DisplayPreferences/usersettings?userId=0d64d22975ba4cd6a57253d0e138c432&client=emby HTTP/2.0"
2023-03-28T07:30:35 Error haproxy xx.xxx.xx.xx:7837 [28/Mar/2023:07:30:05.079] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/30011/3/30014 302 121 - - ---- 2/1/0/0/1 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/ HTTP/2.0"
2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:31.309] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/60030 -1 0 - - CC-- 1/1/0/0/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=7a2175bccb1f1a94152cbd2b2bae8f6d HTTP/2.0"
2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:30.979] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/-1/-1/60361 -1 0 - - CC-- 1/1/1/1/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432 HTTP/2.0"
2023-03-27T18:30:31 Error haproxy xx.xxx.xx.xx:23349 [27/Mar/2023:18:29:31.309] 1_HTTPS_frontend~ Jellyfin_Backend/Jellyfin_Server 0/0/60021/-1/60030 -1 1220 - - CD-- 1/1/2/2/2 0/0 "GET https://jellyfin.MYDOMAIN.dedyn.io/Users/0d64d22975ba4cd6a57253d0e138c432/Items/Latest?Limit=16&Fields=PrimaryImageAspectRatio%2CBasicSyncInfo%2CPath&ImageTypeLimit=1&EnableImageTypes=Primary%2CBackdrop%2CThumb&ParentId=2c29078a81f6a6f262bb18c85a177434 HTTP/2.0"

Your HAProxy config looks fine.

I am also running Jellyfin and don't have the issues you are describing.
Either your firewall hardware just can't handle that big of a datastream with encryption or something is wrong with your Jellyfin server.

Either way your best bet is to configure and test other local services through HAProxy and see if the error is also present for them.

[brandorf]

Very detailed guide, but I've gone sideways somewhere.

I have two different wildcard certs, and that may be the cause of issues, but here's how I'm setup :

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on port 80, 443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTPS_frontend (Listening on localhost:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64401520bca808.51986799.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/644012fb3e50a8.19725727.txt)]

# Frontend: 1_HTTP_frontend (Listening on localhost:80)
frontend 1_HTTP_frontend
    bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL
    acl acl_64401278359449.48644659 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_64401278359449.48644659

# Backend: PLEX_backend (For Plex Remote Play)
backend PLEX_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server PLEX_server 192.168.0.197:32400 ssl verify none

# Backend: VTT_backend (Foundry VTT)
backend VTT_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Foundry_VTT 192.168.0.197:30000 ssl verify none

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_Server 127.0.0.1 send-proxy-v2 check-send-proxy



# statistics are DISABLED



Attempting to browse to vtt.brandorf.com just times out.  The odd thing is I'm not getting anything in the haproxy logs.

[omaha2002@gmail.com]

OMG, this fixed it! Now I can reach my addresses even with before problematic peers. Thank you so much @thehellsite and @meyergru!

Root Domains
Now I got another question. Did I understand it right, that the tutorial is only working with subdomains, not with root domains? I think, I would have to setup rules to achieve redirects from example.com to www.example.com right?

You are welcome. Like I (we) said most of the times when there are intermidiate issues with VPN tunnels it is because of MTU/MSS beeing to high resulting in packet fragmentation.

You can also make it work for root domains. Either set the backend you want to be served on the root domain as default backend in the HTTPS_frontend or change your mapfile and write the full FQDN before the backend (so not just the subdomain). The first method works for sure the later I am not entirely sure. But you can also create a redirect condition and rule set and place it before the map file rule.

The second method with adding the full FQDN before the backend to the mapfile works too, I tested it and now have two root domain services working beside all the subdomains.

Like this:
#public access subdomains
plex.xxxxxxx.nl            PLEX_backend
kuma.xxxxxxx.nl          KUMA_backend
#public access rootdomain 1
xxxxxxxxxx.nl              CYBERSAFETY_backend
#public access roodomain 2
xxxxxxxxxx.eu             EURO_backend

[TheHellSite]

Very detailed guide, but I've gone sideways somewhere.

I have two different wildcard certs, and that may be the cause of issues, but here's how I'm setup :

Attempting to browse to vtt.domain.tld just times out.  The odd thing is I'm not getting anything in the haproxy logs.

If I where you, I would immidiately remove any sensitive information (domain name, ...) from your post.

1. Your HAProxy config looks fine.

2. You can have as many correct or incorrect certificates in your frontends as you like. The connection will still be established. You will just get a certificate warning or the client will refuse to connect if it is a very badly misconfigured certificate.

3. Just think about... What could be the reasons that you don't even see any connection attempts in the HAProxy logs? That is simple troubleshooting right here!

At this point there are only two possibilities:
a) the traffic is not even reaching HAProxy (firewall issue)
b) HAProxy is not running (unlikely since your config looks fine and you probably didn't get any errors while saving the configuration)

[opnuser1]

Hello, I am very happy to have found this thread as I couldn't find much about all the HAproxy options in the Opnsense gui.  I plan to study this thread and learn how it all works.  I wanted to first introduce myself and show what I am trying to do.  Previously, I spend a coupe of weeks trying to configure HAproxy with moderate success.  But stumped in a couple of important areas.

Before I enabled HAproxy, I only had one domain, which i used a wildcard cert with cloudflare to host my internal services.  I use the swag reverse proxy, and it's all very easy.  In Opnsense, I just forward port 80,443 to the swag server. 

However, now I need another server to have open access to port 80,443 just like the swag server.  However, this seems easier said than done.  So I am trying HAproxy to accomplish this. 

The attached diagram shows what I am trying to do.

I will share my export soon as I troubleshoot this.  Basically, I have set up the real servers, backend pools, public services, conditions and rules.  I am using TCP mode for everything since the servers handle all the cert stuff themselves.  As I said, this is not working perfectly, only partially now.  I can't seem to figure out how to route the ports properly to the two servers in a clean way that makes sense.  All requests seem to go to only one server, again I will share the export and be more specific soon here.

I hope I am not overcomplicating my setup here.  If I could simply forward the ports to multiple places without HAproxy, i would do that instead.  This is a lot of configuring for what I am trying to do.  But if this is the proper way, i will go through with it.  Thanks.

[TheHellSite]

However, now I need another server to have open access to port 80,443 just like the swag server.  However, this seems easier said than done.  So I am trying HAproxy to accomplish this.
[...]
I hope I am not overcomplicating my setup here.  If I could simply forward the ports to multiple places without HAproxy, i would do that instead.  This is a lot of configuring for what I am trying to do.  But if this is the proper way, i will go through with it.  Thanks.

With plain port forwards this is not possible as you can only forward a port once. So unless you have two public IPs this will not work.
You will have to use HAProxy in TCP mode to redirect to your SWAG proxy and to your NGINX proxy.

I hope I am not overcomplicating my setup here.
[...]
But if this is the proper way, i will go through with it.

In my opinion you are doing exactly this and I have to say you are doing it very good.

But if this is the proper way, i will go through with it.

Again, I really don't think this is the proper way unless you have a good reason for choosing this route.

I mean HAProxy (probably also NGINX and SWAG) support multiple domains including individual certs. Hell even subdomain specific certs.

So If I may ask: Why you don't you just use HAProxy for all this (reverse proxy, SSL, ...)? Is there any specific reason why you would want to start maintaining three reverse proxies in your network?




But to answer your question... Please try the following:
It should work for the first service but I am unsure about the second one.

You will obviously need to disable/delete your port forwarding rule and replace it with the WAN rule of part 4 of my tutorial. So just follow my guide below.

Credits: https://forum.opnsense.org/index.php?topic=18538.msg84958#msg84958
I have rewritten most of the guide by alh so it is easier to understand and can be fully configured in the HAProxy GUI.

Code: [Select]

The guide below lists only those options that need to be changed, all other options need to be left untouched in their default state.

1. Create the real servers
        1.1 TCP_SERVICE1_server: IP, Port, SSL unticked
        1.2 TCP_SERVICE2_server: IP, Port, SSL unticked

2. Create the backends
        2.1 TCP_SERVICE1_backend
                Mode:    TCP
                Servers: TCP_SERVICE1_server

        2.2 TCP_SERVICE2_backend
                Mode:    TCP
                Servers: TCP_SERVICE2_server

3. Create the conditions
        3.1 TCP_SSL_condition
                Condition type: SSL Hello Type
                SSL Hello Type: 1 - client hello

        3.2 TCP_SERVICE1_condition
                Condition type: SNI TLS extension matches (TCP request content inspection)
                SNI Matches:    service1.domain.tld

        3.3 TCP_SERVICE2_condition
                Condition type: SNI TLS extension matches (TCP request content inspection)
                SNI Matches:    service2.domain.tld

4. Create the rules
        4.1 TCP_RequestInspectDelay_rule
                Select conditions:    Nothing selected
                Execute function:     tcp-request inspect delay
                TCP inspection delay: 5s

        4.2 TCP_RequestContentAccept_rule
                Select conditions:               TCP_SSL_condition
                Logical operator for conditions: none
                Execute function:                tcp-request content accept

        4.3 TCP_SERVICE1_rule
                Select conditions:               TCP_SERVICE1_condition
                Logical operator for conditions: none
                Execute function:                Use specified Backend Pool
                Use backend pool:                TCP_SERVICE1_backend

        4.4 TCP_SERVICE2_rule
                Select conditions:               TCP_SERVICE2_condition
                Logical operator for conditions: none
                Execute function:                Use specified Backend Pool
                Use backend pool:                TCP_SERVICE2_backend

5. Edit the SNI_frontend
   Note: This step assumes that you are not following my whole tutorial.
         However you have to at least finish the following steps of my tutorial:
         - Part 4: everything
         - Part 5: step 1-3 and step 10 (only create the SNI_frontend but without a Default Backend Pool)

         The exact order of the rules below is very important here!
         The "TCP_RequestInspectDelay_rule" always has to be the first rule.
         The "TCP_RequestContentAccept_rule" always has to be the second rule.

        5.1 Add the rules to the SNI_frontend in the following order:
                Select Rules: 1. TCP_RequestInspectDelay_rule
                              2. TCP_RequestContentAccept_rule
                              3. TCP_SERVICE1_rule
                              4. TCP_SERVICE2_rule


[opnuser1]

Oh man, thank you for this.  Thanks for confirming I am on the right track, that is comforting loll.

My reason for doing this is mainly because I tinker around with a lot of selfhosted type services.  And I spend way too much time getting all the network particulars work.  And it's always for the same reason, for one reason or another, I just need a server that has free and open access to port 80 and 443.  Every time.  Now, I usually work around it.  But now I just want to be able to do it once and for all.  it's been bugging me for like 10 years my inability to accomplish this.

So that's why lol.

Ok, I will post more later after I study your tips.  One thing I noticed, I did much of this already but I notice you created more rules than I would have ever thought of like those nothing selected rules.  Anyway, i think the rest made sense but I'll be back.

[TheHellSite]

Oh man, thank you for this.  Thanks for confirming I am on the right track, that is comforting loll.

My reason for doing this is mainly because I tinker around with a lot of selfhosted type services.  And I spend way too much time getting all the network particulars work.  And it's always for the same reason, for one reason or another, I just need a server that has free and open access to port 80 and 443.  Every time.  Now, I usually work around it.  But now I just want to be able to do it once and for all.  it's been bugging me for like 10 years my inability to accomplish this.

So that's why lol.

If you want to set and forget it, then go with one reverse proxy handling port 80+443.
My choice would be HAProxy (or NGINX) on OPNsense directly.

Ok, I will post more later after I study your tips.  One thing I noticed, I did much of this already but I notice you created more rules than I would have ever thought of like those nothing selected rules.  Anyway, i think the rest made sense but I'll be back.

Please report back if this worked so I can add it to the tutorial.

[opnuser1]

If you want to set and forget it, then go with one reverse proxy handling port 80+443.
My choice would be HAProxy (or NGINX) on OPNsense directly.

I can do this yes and have considered.  but a couple of questions.  The reason i do this is because some software installers I am using expects fresh server with clear, open access to port 80 443, the way a VPS would from a paid hosting service.  And if it's not exactly like that, then it will get errors, then I have to do a lot of work solving all that.  And some software work better with different reverse proxies for whatever reason.  So if I have haproxy be the main reverse proxy, I still will want swag on a server behind it running yet another reverse proxy for a bunch of services.  This is why i concluded what I really want for ultimate flexibility is simply to forward port 80 and 443 to multiple places in environments with a single IP. 

[opnuser1]

Quick Update, I am following everything and it makes sense.  Except for this part where you say I only have to do steps 1-3 and 10 of part 5.  In the picture of the global preferences, you show using a rule to redirect HTTP to HTTPS.  That was created in earlier steps.  I'm guessing I need to create that rule, is that correct?

Another thing, I am actually trying to do your other steps because I like your idea of the A+ rating.  It seems everything goes well, but when I check the ACME log it is empty.  But if I go next to it for the system log, it says the cert was issued/renewed successfully and all the other things were successfull.

Does it necessarily have to show up in the ACME log?  I double checked my configuration and see no differences from yours.

[TheHellSite]

Quick Update, I am following everything and it makes sense.  Except for this part where you say I only have to do steps 1-3 and 10 of part 5.  In the picture of the global preferences, you show using a rule to redirect HTTP to HTTPS.  That was created in earlier steps.  I'm guessing I need to create that rule, is that correct?

Another thing, I am actually trying to do your other steps because I like your idea of the A+ rating.  It seems everything goes well, but when I check the ACME log it is empty.  But if I go next to it for the system log, it says the cert was issued/renewed successfully and all the other things were successfull.

Does it necessarily have to show up in the ACME log?  I double checked my configuration and see no differences from yours.

You should start reading properly!

Code: [Select]

         - Part 5: step 1-3 and step 10 (only create the SNI_frontend but without a Default Backend Pool)

only create the SNI_frontend

Another thing, I am actually trying to do your other steps because I like your idea of the A+ rating.  It seems everything goes well, but when I check the ACME log it is empty.  But if I go next to it for the system log, it says the cert was issued/renewed successfully and all the other things were successfull.

Does it necessarily have to show up in the ACME log?  I double checked my configuration and see no differences from yours.

If you want the A+ rating you will have to use HAProxy for SSL offloading. But you told me twice now that you don't want to do this but rather keep using your other proxies.
Therefore you will have to configure this in them. --> No help from me here!

If you changed your opinion about that... Then please do me a favour and just follow my tutorial one-by-one.
You will save yourself a lot of trouble.

Also you said earlier that you have services that need port 80... I would really like to know which service requires port 80 on WAN if you can also run it on port 443 with a reverse proxy.

[opnuser1]

If you want the A+ rating you will have to use HAProxy for SSL offloading. But you told me twice now that you don't want to do this but rather keep using your other proxies.
Therefore you will have to configure this in them. --> No help from me here!

If you changed your opinion about that... Then please do me a favour and just follow my tutorial one-by-one.
You will save yourself a lot of trouble.

No!  You are absolutely right, I meant what I said initially.  I just got sidetracked.  Forget all that, I am still trying to do it the original way with the instructions you posted yesterday.

Here are my use cases for port 80 443 on multiple servers.
i run domain1.com and subdomains on one reverse proxy
i would like to run domain2.com on a similar reverse proxy for that
some applications work better on other reverse proxies, I'd like to have that option avaiable.
Some apps, they come with installation scripts.  It assumes you have a domain already pointed to the server with port 80 443 open as it has an nginx install for the domain in the install script.  So it will give errors and PIA to fix without the ports available.  i tried on my system, and it would not work since I am running that reverse proxy on the ports.  Then I tried on a spare Oracle cloud server and it works.