Yes, this shows me your haproxy export, but it doesn't tell me whether this is working for you as intended or not. Also, why do you have a "NoSSL_condition" and why did you link it to the serviceX_rules of the HTTP_frontend? Remove it, this is totally unnecessary and I never said that you need this.
    #
    # Automatically generated configuration.
    # Do not edit this file manually.
    #
    global
        uid 80
        gid 80
        chroot /var/haproxy
        daemon
        stats socket /var/run/haproxy.socket group proxy mode 775 level admin
        nbthread 4
        hard-stop-after 60s
        no strict-limits
        maxconn 10000
        tune.ssl.default-dh-param 4096
        spread-checks 2
        tune.bufsize 16384
        tune.lua.maxmem 0
        log 0.0.0.0 local0 info
        lua-prepend-path /tmp/haproxy/lua/?.lua

    defaults
        log global
        option redispatch -1
        maxconn 5000
        timeout client 30s
        timeout connect 30s
        timeout server 30s
        retries 3
        default-server init-addr last,libc
        default-server maxconn 5000

    # autogenerated entries for ACLs

    # autogenerated entries for config in backends/frontends

    # autogenerated entries for stats

    # Frontend: SNI_frontend ()
    frontend SNI_frontend
        bind 0.0.0.0:443 name 0.0.0.0:443
        mode tcp
        # logging options
        option tcplog
        # ACL: TCP_SSL_condition
        acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
        # ACL: TCP_server1_condition
        acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1.com
        # ACL: TCP_server2_condition
        acl acl_644c5719768e71.87060950 req.ssl_sni -i domain2.com
        # ACTION: TCP_RequestInspectDelay_rule
        # NOTE: actions with no ACLs/conditions will always match
        tcp-request inspect-delay 5s
        # ACTION: TCP_RequestContentAccept_rule
        tcp-request content accept if acl_644c56b6785678.47181279
        # ACTION: TCP_SERVICE1_rule
        use_backend TCP_SERVICE1_backend if acl_644c5700ee7657.09485748
        # ACTION: TCP_SERVICE2_rule
        use_backend TCP_SERVICE2_backend if acl_644c5719768e71.87060950

    # Frontend: HTTP_frontend ()
    frontend HTTP_frontend
        bind 0.0.0.0:80 name 0.0.0.0:80
        mode tcp
        # logging options
        option tcplog
        # ACL: http_server1_condition
        acl acl_6457247ca14984.71641345 hdr_sub(host) -i domain1.com
        # ACL: http_server2_condition
        acl acl_64572496aeac32.73416688 hdr_sub(host) -i domain2.com
        # ACTION: http_server1_rule
        use_backend TCP_SERVICE1_backend if acl_6457247ca14984.71641345
        # ACTION: http_server2_rule
        use_backend TCP_SERVICE2_backend if acl_64572496aeac32.73416688

    # Backend: TCP_SERVICE1_backend ()
    backend TCP_SERVICE1_backend
        # health checking is DISABLED
        mode tcp
        balance source
        # stickiness
        stick-table type ip size 50k expire 30m
        stick on src
        server TCP_SERVICE1_server 192.168.1.234

    # Backend: TCP_SERVICE2_backend ()
    backend TCP_SERVICE2_backend
        # health checking is DISABLED
        mode tcp
        balance source
        # stickiness
        stick-table type ip size 50k expire 30m
        stick on src
        server TCP_SERVICE2_server 192.168.1.231

    # statistics are DISABLED
Hello sir,

Attached is my DDNS configuration. I think I understand what you are saying a little bit. So what I configured is right, but you are afraid my DDNS doesn't push the right update to my desec domain, correct? I think I did it right, since my username is my domain name, i.e. "example.com", the password is my token, and the hostname is just my domain name, which is "example.com", correct? Or do you want me to have it at *.example.com?

The weird thing is everything was working well. It just suddenly doesn't resolve if I just type in example.com. I have to use mysubdomain.example.com to get it working.
Is the HTTP frontend working? I believe so, hard for me to confirm. Nothing is really using the HTTP traffic (don't get mad, yes I requested it, hear me out). So I used it very briefly to set up that website that uses the install script on port 80 initially. And during the setup, I saw in the Counters area of HAProxy that traffic went through the HTTP frontend. So that confirms that port 80 is working, I think, and the site got successfully set up.
I still stand by my opinion that port 80 is not necessary at all. But since you never posted/linked that super duper script that would require port 80, this will forever be a myth to me.
I did link it! Here it is: https://v4-docs.chevereto.com/guides/docker/#create-https-proxy

That's the page with the installation instructions. Port 80 is used at the place I linked, or in the next command after it. I think it is used where I linked, which sets up nginx.
But for another domain, domain2.com, I'd like to use traefik as the reverse proxy. So then, again, I'd need ports 80 and 443 for both servers. Some reverse proxy software works better with certain apps.
503 Service Unavailable

Dear all,

at the moment I have my webserver online with port forwarding, and before moving on with HAProxy I'm thinking to test it by setting it up locally. To keep the setup simple and possibly easier, I'm considering reverse proxying port 80 only, for test.example.com.

In other terms (IP as reference):

LAN (192.168.1.0/24, LAN Address 192.168.1.1) --> |HAProxy| --> DMZ (webserver 192.168.2.0/24, server 192.168.2.2)

The only achievement I reached so far when I try to browse test.example.com is

    503 Service Unavailable
    No server is available to handle this request

This is the haproxy setup:

    #
    # Automatically generated configuration.
    # Do not edit this file manually.
    #
    global
        uid 80
        gid 80
        chroot /var/haproxy
        daemon
        stats socket /var/run/haproxy.socket group proxy mode 775 level admin
        nbthread 2
        hard-stop-after 60s
        no strict-limits
        maxconn 100
        tune.ssl.default-dh-param 4096
        spread-checks 2
        tune.bufsize 16384
        tune.lua.maxmem 0
        log /var/run/log local0 info
        lua-prepend-path /tmp/haproxy/lua/?.lua

    defaults
        log global
        option redispatch -1
        maxconn 5000
        timeout client 30s
        timeout connect 30s
        timeout server 30s
        retries 3
        default-server init-addr last,libc

    # Frontend: test_http (Test http)
    frontend test_http
        bind 192.168.1.1:80 name 192.168.1.1:80
        mode http
        option http-keep-alive
        default_backend example_backend
        # logging options
        # ACL: kanboard_c
        acl acl_6452ce5a700492.11355253 hdr(host) -i test.example.com
        # ACTION: kanboard_r
        use_backend test_backend if acl_6452ce5a700492.11355253

    # Backend: test_backend (example pool)
    backend example_backend
        # health checking is DISABLED
        mode http
        balance source
        # stickiness
        stick-table type ip size 50k expire 30m
        stick on src
        http-reuse safe
        server s1_server 192.168.2.1:80 proto h2

    # statistics are DISABLED

Any hint?

Next step will be using SSL. The web application has an individual SSL certificate, which I think I can import in OPNsense to set up HTTPS redirection. This will be the next gig.

I've flattened HAProxy a few times and reset, but I always end up with error 503. I checked the firewall LAN -> DMZ and I don't see anything blocking the connection.

Thanks, and please let me know if I can provide more information.

cheers
I hope you don't take any offense from my writing, I don't mean to judge how you do your things. I just think your current setup is... a bit clumsy. Nonetheless I am glad that everything is working now how you wanted it to.
I had this working before, but I accidentally hosed the install and didn't have my config backed up. (Lesson learned.)

Now the issue I'm having is getting a 503 no matter what I've tried so far. Not sure where the issue is. For example, trying to hit my domain vtt.*.com I get the correct cert to the browser, but still a 503, and here's all I see in the haproxy log.

    2023-05-08T23:00:55-05:00 Informational haproxy 192.168.0.198:60994 [08/May/2023:23:00:52.860] 1_HTTPS_frontend~ VTT_backend/FoundryVTT_server 0/3032/-1/-1/3035 503 217 - - SC-- 2/1/0/0/3 0/0 "GET https://vtt.*.com/favicon.ico HTTP/2.0"
    2023-05-08T23:00:52-05:00 Informational haproxy 192.168.0.198:60994 [08/May/2023:23:00:49.702] 1_HTTPS_frontend~ VTT_backend/FoundryVTT_server 0/3045/-1/-1/3048 503 217 - - SC-- 2/1/0/0/3 0/0 "GET https://vtt.*.com/ HTTP/2.0"

Here's the haproxy config. I hope you can help me see what I'm not seeing.

    global
        uid 80
        gid 80
        chroot /var/haproxy
        daemon
        stats socket /var/run/haproxy.socket group proxy mode 775 level admin
        nbthread 4
        hard-stop-after 60s
        no strict-limits
        maxconn 10000
        tune.ssl.default-dh-param 4096
        spread-checks 2
        tune.bufsize 16384
        tune.lua.maxmem 0
        log /var/run/log local0 info
        lua-prepend-path /tmp/haproxy/lua/?.lua

    defaults
        log global
        option redispatch -1
        maxconn 5000
        timeout client 30s
        timeout connect 30s
        timeout server 30s
        retries 3
        default-server init-addr last,libc
        default-server maxconn 5000

    # autogenerated entries for ACLs

    # autogenerated entries for config in backends/frontends

    # autogenerated entries for stats

    # Frontend: 0_SNI_frontend (Listening on port 80, 443)
    frontend 0_SNI_frontend
        bind 0.0.0.0:443 name 0.0.0.0:443
        bind 0.0.0.0:80 name 0.0.0.0:80
        mode tcp
        default_backend SSL_backend
        # logging options
        option tcplog

    # Frontend: 1_HTTP_frontend (Listening on :80)
    frontend 1_HTTP_frontend
        bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
        mode http
        option http-keep-alive
        option forwardfor
        # logging options
        option httplog
        # ACL: NoSSL_condition
        acl acl_645996ff1a8d85.67011734 ssl_fc
        # ACTION: HTTPtoHTTPS_rule
        http-request redirect scheme https code 301 if !acl_645996ff1a8d85.67011734

    # Frontend: 1_HTTPS_frontend (Listening on localhost:443)
    frontend 1_HTTPS_frontend
        http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64599b1898e146.09447169.certlist
        mode http
        option http-keep-alive
        option forwardfor
        timeout client 15m
        # logging options
        option httplog
        # ACTION: PUBLIC_DOMAINS_rule
        # NOTE: actions with no ACLs/conditions will always match
        use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/645997471e1f42.25745091.txt)]

    # Backend: acme_challenge_backend (Added by ACME Client plugin)
    backend acme_challenge_backend
        # health checking is DISABLED
        mode http
        balance source
        # stickiness
        stick-table type ip size 50k expire 30m
        stick on src
        http-reuse safe
        server acme_challenge_host 127.0.0.1:43580

    # Backend: SSL_backend ()
    backend SSL_backend
        # health checking is DISABLED
        mode tcp
        balance source
        # stickiness
        stick-table type ip size 50k expire 30m
        stick on src
        server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy

    # Backend: PLEX_backend ()
    backend PLEX_backend
        # health checking is DISABLED
        mode http
        balance source
        # stickiness
        stick-table type ip size 50k expire 30m
        stick on src
        http-reuse safe
        server PLEX_server 192.168.0.197:32400 ssl verify none

    # Backend: VTT_backend ()
    backend VTT_backend
        # health checking is DISABLED
        mode http
        balance source
        # stickiness
        stick-table type ip size 50k expire 30m
        stick on src
        http-reuse safe
        server FoundryVTT_server 192.168.0.197:30000 ssl verify none

    # Backend: Homeassistant_backend ()
    backend Homeassistant_backend
        # health checking is DISABLED
        mode http
        balance source
        # stickiness
        stick-table type ip size 50k expire 30m
        stick on src
        http-reuse safe
        server Homeassistant_server 192.168.0.196:8123 ssl verify none
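To read log lines like the two quoted in the post above, here is an added example (my own code, not from the thread or from the OPNsense HAProxy plugin) that parses HAProxy's default httplog format, decodes the termination state and timers, and counts 5xx responses per backend server. It assumes the standard `option httplog` layout shown in the post; the sample input is the two quoted lines embedded as a constructed string.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the two lines quoted in the post above (syslog prefix kept).
SAMPLE_LOG = """\
2023-05-08T23:00:55-05:00 Informational haproxy 192.168.0.198:60994 [08/May/2023:23:00:52.860] 1_HTTPS_frontend~ VTT_backend/FoundryVTT_server 0/3032/-1/-1/3035 503 217 - - SC-- 2/1/0/0/3 0/0 "GET https://vtt.*.com/favicon.ico HTTP/2.0"
2023-05-08T23:00:52-05:00 Informational haproxy 192.168.0.198:60994 [08/May/2023:23:00:49.702] 1_HTTPS_frontend~ VTT_backend/FoundryVTT_server 0/3045/-1/-1/3048 503 217 - - SC-- 2/1/0/0/3 0/0 "GET https://vtt.*.com/ HTTP/2.0"
"""

# Fields of HAProxy's default "option httplog" line; timers are TR/Tw/Tc/Tr/Ta in milliseconds,
# and the frontend name carries a trailing "~" when the request arrived over TLS.
HTTPLOG = re.compile(
    r'(?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) (?P<conn>\S+) (?P<queue>\S+) "(?P<request>[^"]*)"')

# Termination state: first char = who ended the session, second = what HAProxy was waiting for.
TERM_CAUSE = {"S": "the server refused or aborted the connection", "s": "server-side timeout",
              "C": "the client aborted", "c": "client-side timeout",
              "P": "the proxy aborted (limit, deny rule or error)", "-": "normal completion"}
TERM_PHASE = {"C": "connecting to the server", "H": "waiting for response headers",
              "R": "waiting for the client request", "Q": "queued for a server slot",
              "D": "transferring data", "-": "no particular phase"}

def parse_httplog(line: str) -> Optional[dict]:
    # Returns the httplog fields (timers as ints), or None for lines in another format.
    m = HTTPLOG.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("TR", "Tw", "Tc", "Tr", "Ta", "status", "bytes"):
        entry[key] = int(entry[key])
    return entry

def explain(entry: dict) -> str:
    cause = TERM_CAUSE.get(entry["term"][0], "unknown cause")
    phase = TERM_PHASE.get(entry["term"][1], "unknown phase")
    msg = f"{entry['status']} from {entry['backend']}/{entry['server']}: {cause} while {phase}"
    if entry["Tc"] == -1:
        # Tc=-1: no connection to the backend server ever completed, so this 503 is a server
        # reachability problem, not a map/ACL routing problem. With "ssl" on the server line,
        # one thing to verify is that the backend port actually speaks TLS rather than plain HTTP.
        msg += f"; Tc=-1, HAProxy gave up after {entry['Ta']} ms (retries included)"
    return msg

def summarize(log: str) -> Dict[Tuple[str, str, str], int]:
    # Count 5xx responses per (backend, server, termination state).
    counts: Dict[Tuple[str, str, str], int] = {}
    for line in log.splitlines():
        e = parse_httplog(line)
        if e and e["status"] >= 500:
            key = (e["backend"], e["server"], e["term"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Running `explain(parse_httplog(line))` over the sample attributes both 503s to a failed connection to FoundryVTT_server (SC--, Tc=-1), which is where to look before touching the ACLs or map file.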
Honestly, please just follow my tutorial. I will not provide support for something else here. If you want to do it your way then just ask in the appropriate forum. But I will say, if you keep on testing your way you will need much more time. If it is not working with my way you can simply disable the WAN firewall rule and re-enable the NAT port forward. This way you can also test this.
Informational haproxy public_IP:9911 [09/May/2023:17:25:07.299] 2_HTTPS_frontend/127.4.4.3:443: SSL handshake failure