Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

Started by TheHellSite, May 31, 2021, 01:06:11 PM

Nextcloud was the only service I was making publicly available. I moved one of my internal services out from the local subdomain map to the public one and now I cannot reach it externally. Map files:

# local access only subdomains
iprox iprox_backend
autgtp autgtp_backend
portainer portainer_backend

#public access subdomains
nextcloud nextcloud_backend
truenas truenas_backend


#public access subdomains
nextcloud nextcloud_backend
truenas truenas_backend


logs from HAproxy when trying an external connection for nextcloud:

2023-05-23T12:47:05 Informational haproxy 10.1.1.59:46936 [23/May/2023:12:47:05.718] 0_SNI_frontend SSL_backend/SSL_server 1/0/254 5920 -- 3/2/1/1/0 0/0
2023-05-23T12:47:05 Informational haproxy 10.1.1.59:46936 [23/May/2023:12:47:05.740] 1_HTTPS_frontend~ nextcloud_backend/nextcloud 0/0/1/229/230 304 1194 - - ---- 4/2/0/0/0 0/0 "GET /apps/richdocuments/settings/fonts.json HTTP/1.1"
2023-05-23T12:47:31 Informational haproxy 10.1.1.59:46236 [23/May/2023:12:47:31.646] 0_SNI_frontend SSL_backend/SSL_server 1/0/0 0 -- 3/2/1/1/0 0/0
2023-05-23T12:47:31 Informational haproxy 10.1.1.59:46236 [23/May/2023:12:47:31.646] 1_HTTPS_frontend/127.0.0.1:443: Connection closed during SSL handshake


logs from HAproxy when trying an external connection for truenas:

2023-05-23T12:47:31 Informational haproxy 10.1.1.59:46236 [23/May/2023:12:47:31.646] 0_SNI_frontend SSL_backend/SSL_server 1/0/0 0 -- 3/2/1/1/0 0/0
2023-05-23T12:47:31 Informational haproxy 10.1.1.59:46236 [23/May/2023:12:47:31.646] 1_HTTPS_frontend/127.0.0.1:443: Connection closed during SSL handshake
2023-05-23T12:47:05 Informational haproxy 10.1.1.59:46936 [23/May/2023:12:47:05.718] 0_SNI_frontend SSL_backend/SSL_server 1/0/254 5920 -- 3/2/1/1/0 0/0
2023-05-23T12:47:05 Informational haproxy 10.1.1.59:46936 [23/May/2023:12:47:05.740] 1_HTTPS_frontend~ nextcloud_backend/nextcloud 0/0/1/229/230 304 1194 - - ---- 4/2/0/0/0 0/0 "GET /apps/richdocuments/settings/fonts.json HTTP/1.1"



Interesting that the Truenas call seems to be going to nextcloud?

Unbound DNS: Overrides

   truenas.mydomain     dedyn.io   A (IPv4 address)   10.1.1.1            
   nextcloud.mydomain   dedyn.io   A (IPv4 address)   10.1.1.1       

Firewall rules:

HAProxy_ports (80, 443) allowed to WAN address

I don't see any deny results in firewall log. Let me know what other logs or config would be useful. Thank you
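As an added example (my own code, not part of moophy's post, the tutorial, or the OPNsense HAProxy plugin), here is a small parser for the three log shapes quoted above: the `tcplog` record written by the mode tcp 0_SNI_frontend, the `httplog` record written by 1_HTTPS_frontend (the `~` suffix marks a TLS-terminated session), and the connection error record. Because SSL_backend forwards to 127.4.4.3 with `send-proxy-v2` and the HTTPS frontend binds with `accept-proxy`, both frontends log the original client ip:port, so the records of one connection can be paired by that key. The sample lines are constructed from the quoted entries, with the two records that ran together in the post split back onto their own lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the entries quoted above (the two records that
# ran together in the post are split back onto their own lines).
SAMPLE_LOG = """\
2023-05-23T12:47:05 Informational haproxy 10.1.1.59:46936 [23/May/2023:12:47:05.718] 0_SNI_frontend SSL_backend/SSL_server 1/0/254 5920 -- 3/2/1/1/0 0/0
2023-05-23T12:47:05 Informational haproxy 10.1.1.59:46936 [23/May/2023:12:47:05.740] 1_HTTPS_frontend~ nextcloud_backend/nextcloud 0/0/1/229/230 304 1194 - - ---- 4/2/0/0/0 0/0 "GET /apps/richdocuments/settings/fonts.json HTTP/1.1"
2023-05-23T12:47:31 Informational haproxy 10.1.1.59:46236 [23/May/2023:12:47:31.646] 0_SNI_frontend SSL_backend/SSL_server 1/0/0 0 -- 3/2/1/1/0 0/0
2023-05-23T12:47:31 Informational haproxy 10.1.1.59:46236 [23/May/2023:12:47:31.646] 1_HTTPS_frontend/127.0.0.1:443: Connection closed during SSL handshake
"""

# Common prefix: syslog date, severity, program, client ip:port, accept date.
_PREFIX = r'^\S+ \S+ haproxy (?P<client>[\d.]+):(?P<cport>\d+) \[(?P<ts>[^\]]+)\] '
# "option httplog" record: TR/Tw/Tc/Tr/Ta, status, bytes, cookies, flags, conns, queues, request.
_HTTP = re.compile(_PREFIX + r'(?P<fe>\S+) (?P<be>[^/ ]+)/(?P<srv>\S+) '
                   r'(?P<times>-?\d+(?:/-?\d+){4}) (?P<status>-?\d+) (?P<bytes>\d+) '
                   r'\S+ \S+ (?P<flags>\S+) [\d/]+ [\d/]+ "(?P<req>[^"]*)"$')
# "option tcplog" record (the mode tcp SNI frontend): Tw/Tc/Tt, bytes, flags, conns, queues.
_TCP = re.compile(_PREFIX + r'(?P<fe>\S+) (?P<be>[^/ ]+)/(?P<srv>\S+) '
                  r'(?P<times>\d+/\d+/\d+) (?P<bytes>\d+) (?P<flags>\S+) [\d/]+ [\d/]+$')
# Connection error record: frontend/bind-address: message.
_ERR = re.compile(_PREFIX + r'(?P<fe>[^/ ]+)/(?P<bind>\S+?): (?P<msg>.+)$')


@dataclass
class Event:
    kind: str                      # "http", "tcp" or "error"
    client: str
    cport: str
    frontend: str                  # name without the "~" TLS marker
    tls: bool                      # HAProxy appends "~" to the frontend name when it terminated TLS
    backend: Optional[str] = None
    server: Optional[str] = None
    status: Optional[int] = None
    flags: Optional[str] = None    # termination state, e.g. "--" / "----"
    request: Optional[str] = None
    message: Optional[str] = None


def parse_line(line: str) -> Optional[Event]:
    """Classify one log line; returns None for lines in none of the three shapes."""
    m = _HTTP.match(line)
    if m:
        return Event("http", m["client"], m["cport"], m["fe"].rstrip("~"), m["fe"].endswith("~"),
                     m["be"], m["srv"], int(m["status"]), m["flags"], m["req"])
    m = _TCP.match(line)
    if m:
        return Event("tcp", m["client"], m["cport"], m["fe"].rstrip("~"), m["fe"].endswith("~"),
                     m["be"], m["srv"], None, m["flags"])
    m = _ERR.match(line)
    if m:
        return Event("error", m["client"], m["cport"], m["fe"], False, message=m["msg"])
    return None


def parse_log(text: str):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def connections(events):
    """Group records by client ip:port. The SNI frontend hands the connection to
    127.4.4.3 with send-proxy-v2 and the HTTPS frontend binds with accept-proxy,
    so both frontends log the original client address and the records pair up."""
    groups = {}
    for e in events:
        groups.setdefault((e.client, e.cport), []).append(e)
    return groups


def summarize(events):
    """Per-backend hit counts plus every TLS-layer failure, which never reaches a backend."""
    by_backend = {}
    handshake_failures = []
    for e in events:
        if e.backend:
            by_backend[e.backend] = by_backend.get(e.backend, 0) + 1
        if e.kind == "error" and "SSL handshake" in (e.message or ""):
            handshake_failures.append((f"{e.client}:{e.cport}", e.message))
    return {"by_backend": by_backend, "handshake_failures": handshake_failures}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, group in connections(evs).items():
        print(":".join(key), "->", [(e.kind, e.backend or e.message) for e in group])
    print(summarize(evs))
```

Run over the sample, the pairing shows two distinct connections: port 46936 went SNI frontend, then HTTPS frontend, then nextcloud_backend with a 304, while port 46236 went SNI frontend and then died in the TLS handshake before any Host-based routing happened. A handshake error on the HTTPS frontend is therefore worth reading separately from backend selection when debugging which map a name is in.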

Good morning,

I am having some challenges with getting HAproxy to handle internal requests.  I am not using unbound for DNS since I have active directory deployed.  I did try using unbound with overrides.  Externally, HAproxy is working: I can access plex from the office and am able to access a web page.

I've gone through the tutorial a few times and am assuming that something is missed.

The goal is to use HAProxy internally and externally to encrypt traffic with a real cert.  I'd appreciate any help or shove back to what was missed in the tutorial.



Config:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     1000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 1000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6467f8cd2c0025.92252317.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_6468020a093145.77501579 src 192.168.1.0/24

    # ACTION: LOCAL_SUBDOMAINS_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/646801b883fa30.90520723.txt)] if acl_6468020a093145.77501579
    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6467f584ef9e54.41997502.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: PLEX_backend ()
backend PLEX_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server PLEX_server 192.168.1.62:32400 ssl verify none

# Backend: remote_dc02_backend (remote dc02)
backend remote_dc02_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server remote_dc02_server 192.168.1.6:443 ssl verify none

# Backend: BMC_backend (bmc test)
backend BMC_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server BMC_server 192.168.1.35 ssl verify none



listen local_statistics
    bind            127.0.0.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    stats admin     if TRUE

# remote statistics are DISABLED
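The config above routes on the Host header twice: `LOCAL_SUBDOMAINS_rule` looks the name up in the local map only for clients matching the `src` ACL, and `PUBLIC_SUBDOMAINS_rule` looks it up in the public map for everyone. As an added example (my own code, not the tutorial's or the OPNsense plugin's), the Python below emulates those two `use_backend` rules so the outcome for a given Host and client address can be checked offline. The map files and subnets are constructed in the layout used in this thread. Three behaviours are assumptions of the emulation rather than something the thread states: `map_dom` treats `:`, `/` and `?` as key delimiters in addition to `.` (so a Host carrying a port still matches), a `use_backend` whose dynamic name matches no defined backend is skipped and the next rule is evaluated, and a frontend with no `default_backend` answers 503 when no rule matched.

```python
import ipaddress

# Constructed map files in the layout quoted in this thread: one subdomain label
# per line followed by the backend it routes to.
LOCAL_MAP = """\
# local access only subdomains
iprox iprox_backend
autgtp autgtp_backend
portainer portainer_backend
"""
PUBLIC_MAP = """\
# public access subdomains
nextcloud nextcloud_backend
truenas truenas_backend
"""
LOCAL_SUBNETS = ["10.1.1.0/24", "192.168.0.0/24"]   # the LOCAL_SUBDOMAINS_SUBNETS ACL
BACKENDS = {"iprox_backend", "autgtp_backend", "portainer_backend",
            "nextcloud_backend", "truenas_backend"}  # backends defined in the config

# Delimiters a map_dom key must be bounded by: "." is the documented one, the
# others are an assumption of this emulation so a Host header with a port still matches.
_DOM_DELIMS = ".:/?"


def parse_map(text):
    """Parse a HAProxy map file into (key, value) pairs, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries.append((parts[0], parts[1].strip()))
    return entries


def map_dom(sample, entries):
    """Emulate map_dom: a key matches when it equals the sample or appears in it
    bounded on both sides by a delimiter. First matching entry wins."""
    s = sample.lower()
    for key, value in entries:
        k = key.lower()
        i = s.find(k)
        while i >= 0:
            end = i + len(k)
            left_ok = i == 0 or s[i - 1] in _DOM_DELIMS
            right_ok = end == len(s) or s[end] in _DOM_DELIMS
            if left_ok and right_ok:
                return value
            i = s.find(k, i + 1)
    return None


LOCAL_ENTRIES = parse_map(LOCAL_MAP)
PUBLIC_ENTRIES = parse_map(PUBLIC_MAP)


def is_local(src_ip, subnets=LOCAL_SUBNETS):
    """The src ACL: true when the client address lies in one of the local subnets."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n) for n in subnets)


def choose_backend(host, src_ip):
    """Walk the two use_backend rules of 1_HTTPS_frontend in order.
    Rule 1 (LOCAL_SUBDOMAINS) applies only to clients in LOCAL_SUBNETS; rule 2
    (PUBLIC_SUBDOMAINS) has no condition. A rule whose lookup names no existing
    backend is skipped and evaluation continues (assumed HAProxy behaviour), so a
    host absent from the local map still reaches the public map. None means no
    rule matched; with no default_backend on the frontend that is a 503."""
    if is_local(src_ip):
        be = map_dom(host, LOCAL_ENTRIES)
        if be in BACKENDS:
            return be
    be = map_dom(host, PUBLIC_ENTRIES)
    return be if be in BACKENDS else None


if __name__ == "__main__":
    for host, src in [("iprox.mydomain.dedyn.io", "10.1.1.50"),
                      ("iprox.mydomain.dedyn.io", "203.0.113.7"),
                      ("truenas.mydomain.dedyn.io", "10.1.1.50"),
                      ("truenas.mydomain.dedyn.io", "203.0.113.7")]:
        print(f"{src:>12} -> {host:<28} {choose_backend(host, src)}")
```

The two checks a defender cares about fall out directly: a name that exists only in the local map resolves to no backend for a client outside the local subnets, which is what keeps the local-only services off the internet, and a name in the public map is reachable from inside as well, because the public rule carries no condition. Moving a name from the local map to the public map therefore changes its exposure, not its internal reachability.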





Quote from: sc00by on May 23, 2023, 12:27:20 PM
Good morning,

I am having some challenge with getting HAproxy to handle internal requests.  I am not using unbound for DNS since I have active directory deployed.  I did try using unbound with overrides.  Externally, HAproxy is working, can access plex from the office and able to access a web page.


First off, you did not provide any sort of error code or error description. Just some "it is not working, help help"...

Sorry, but this is also out of scope of this tutorial.
The DNS override is most likely your issue! Since you are not using Unbound, you are on your own here.
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.
Additionally you can consider donating: https://www.buymeacoffee.com/thehellsite

Quote from: moophy on May 23, 2023, 05:09:42 AM
Nextcloud was the only service i was making publicly available. I moved one of my internal services out from local subdomain to public and no i cannot reach it externally. app files:


Please also provide the complete current haproxy config.

Quote from: TheHellSite on May 24, 2023, 11:00:06 PM
Quote from: sc00by on May 23, 2023, 12:27:20 PM
Good morning,

I am having some challenge with getting HAproxy to handle internal requests.  I am not using unbound for DNS since I have active directory deployed.  I did try using unbound with overrides.  Externally, HAproxy is working, can access plex from the office and able to access a web page.

First off, you did not provide any sort of error code or error description. Just some "it is not working, help help"...

Sorry, but this is also out of scope of this tutorial.
The DNS override is most likely your issue! Since you are not using Unbound, you are on your own here.

Shoot.  I thought I put a note in there about logs... :-[

Outside of the informational log, there is nothing logged.  In the informational log, I see connections originating from the outside.  Nothing for hitting this particular internal IP/host, no error.  Logs accessed from Services/HAProxy/Logs, enabled all.  Nothing here is pertinent, as near as I can tell.  When this internal (BMC) resource loads, I see an unsigned cert, which tells me it is not hitting haproxy.

When I access plex, it originates from lan IP then hits the public IP and I can see this logging client IP, it loads.  This works from inside/outside.  My other external service also works inside/outside.  An override with plex

I created a backend, server, and map file for internal services.

I've tried with and without unbound.  With and without overrides.  Right now I am using unbound; opnsense is my DNS. It loads... I attempt to access the web service... I get a self-signed cert.  This is the head scratcher: same result whether I use AD or Unbound DNS, so I'm assuming something I've missed.

What I am really after is 'what did I miss in the configuration' because I'll be setting up another HAproxy box targeted at internal only resources as well.

So, AD DNS is not in the picture, in this context, I am in the same spot.

I'll take another stroll through the tutorial.

Quote from: TheHellSite on May 24, 2023, 11:47:59 PM
Quote from: moophy on May 23, 2023, 05:09:42 AM
Nextcloud was the only service i was making publicly available. I moved one of my internal services out from local subdomain to public and no i cannot reach it externally. app files:


Please also provide the complete current haproxy config.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: 0_SNI_frontend (listening on 80 and 443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend testssl

    # logging options

# Frontend: 1_HTTP_frontend (listening on localhost:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_6451d6d41f14e3.72189927 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_6451d6d41f14e3.72189927

# Frontend: 1_HTTPS_frontend (listening on localhost:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6451dd0fe21db7.63563341.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    option httplog
    # ACL: cardav-endpoint
    acl acl_6461de0380c7b3.75062629 path /.well-known/carddav
    # ACL: caldav-endpoint
    acl acl_6461dde5d15634.54704624 path /.well-known/caldav
    # ACL: nc_nodeinfo
    acl acl_6466fe1b2e8ff2.47035478 path /.well-known/nodeinfo
    # ACL: nc_webfinger
    acl acl_6466fe303acb97.89104263 path /.well-known/webfinger
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_6451d1c3d510f5.88841915 src 10.1.1.0/24 192.168.0.0/24

    # ACTION: cardav-endpoint
    http-request redirect code 301 location /remote.php/dav if acl_6461de0380c7b3.75062629
    # ACTION: caldav-endpoint
    http-request redirect code 301 location /remote.php/dav if acl_6461dde5d15634.54704624
    # ACTION: nc_nodeinfo
    http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_6466fe1b2e8ff2.47035478
    # ACTION: nc_webfinger
    http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_6466fe303acb97.89104263
    # ACTION: LOCAL_SUBDOMAINS_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6451d0414cb7f2.59080919.txt)] if acl_6451d1c3d510f5.88841915
    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6451d7a6418a58.11785496.txt)]

# Backend: truenas_backend (NAS backend)
backend truenas_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # WARNING: pass through options below this line
    timeout tunnel 3600s
    http-reuse safe
    server truenas 10.1.1.73 ssl verify none

# Backend: iprox_backend ()
backend iprox_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server iprox 10.1.1.101:8006 ssl verify none

# Backend: mbfirewall_backend ()
backend mbfirewall_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # WARNING: pass through options below this line
    timeout tunnel 3600s
    http-reuse safe
    server mbfirewall 127.0.0.1:55443 ssl verify none

# Backend: autgtp_backend ()
backend autgtp_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server autgtp 10.1.1.113:7070

# Backend: portainer_backend (portainer backend)
backend portainer_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # WARNING: pass through options below this line
    timeout tunnel 3600s
    http-reuse safe
    server portainer 10.1.1.59:9443 ssl alpn h2,http/1.1 verify none

# Backend: nextcloud_backend (nextcloud_backend)
backend nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server nextcloud 10.1.1.59:11000

# Backend: idrac_backend ()
backend idrac_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # WARNING: pass through options below this line
    timeout tunnel 3600s
    http-reuse safe
    server idrac 192.168.0.120 ssl verify none

# Backend: testssl (test1)
backend testssl
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server testSSL 127.4.4.3 send-proxy-v2 check-send-proxy

# statistics are DISABLED

Quote from: sc00by on May 25, 2023, 12:40:02 AM
Shoot.  I thought I put a note in there about logs... :-[


Sorry, I still don't know what your issue is exactly now.
Your text is very confusing to read.

What I took from it is that the internal and external accesses are working but it is not presenting a trusted cert?

Quote from: moophy on May 25, 2023, 04:58:49 AM
Interesting that the Truenas call seems to be going to nextcloud?

Unbound DNS: Overrides

   truenas.mydomain     dedyn.io   A (IPv4 address)   10.1.1.1            
   nextcloud.mydomain   dedyn.io   A (IPv4 address)   10.1.1.1       

Firewall rules:

HAProxy_ports (80, 443) allowed to WAN address

I don't see any deny results in firewall log. Let me know what other logs or config would be useful. Thank you

Please also provide the complete current haproxy config.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: 0_SNI_frontend (listening on 80 and 443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend testssl

    # logging options

# Frontend: 1_HTTP_frontend (listening on localhost:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_6451d6d41f14e3.72189927 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_6451d6d41f14e3.72189927

# Frontend: 1_HTTPS_frontend (listening on localhost:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6451dd0fe21db7.63563341.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    option httplog
    # ACL: cardav-endpoint
    acl acl_6461de0380c7b3.75062629 path /.well-known/carddav
    # ACL: caldav-endpoint
    acl acl_6461dde5d15634.54704624 path /.well-known/caldav
    # ACL: nc_nodeinfo
    acl acl_6466fe1b2e8ff2.47035478 path /.well-known/nodeinfo
    # ACL: nc_webfinger
    acl acl_6466fe303acb97.89104263 path /.well-known/webfinger
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_6451d1c3d510f5.88841915 src 10.1.1.0/24 192.168.0.0/24

    # ACTION: cardav-endpoint
    http-request redirect code 301 location /remote.php/dav if acl_6461de0380c7b3.75062629
    # ACTION: caldav-endpoint
    http-request redirect code 301 location /remote.php/dav if acl_6461dde5d15634.54704624
    # ACTION: nc_nodeinfo
    http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_6466fe1b2e8ff2.47035478
    # ACTION: nc_webfinger
    http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_6466fe303acb97.89104263
    # ACTION: LOCAL_SUBDOMAINS_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6451d0414cb7f2.59080919.txt)] if acl_6451d1c3d510f5.88841915
    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6451d7a6418a58.11785496.txt)]

# Backend: truenas_backend (NAS backend)
backend truenas_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # WARNING: pass through options below this line
    timeout tunnel 3600s
    http-reuse safe
    server truenas 10.1.1.73 ssl verify none

# Backend: iprox_backend ()
backend iprox_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server iprox 10.1.1.101:8006 ssl verify none

# Backend: mbfirewall_backend ()
backend mbfirewall_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # WARNING: pass through options below this line
    timeout tunnel 3600s
    http-reuse safe
    server mbfirewall 127.0.0.1:55443 ssl verify none

# Backend: autgtp_backend ()
backend autgtp_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server autgtp 10.1.1.113:7070

# Backend: portainer_backend (portainer backend)
backend portainer_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # WARNING: pass through options below this line
    timeout tunnel 3600s
    http-reuse safe
    server portainer 10.1.1.59:9443 ssl alpn h2,http/1.1 verify none

# Backend: nextcloud_backend (nextcloud_backend)
backend nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server nextcloud 10.1.1.59:11000

# Backend: idrac_backend ()
backend idrac_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # WARNING: pass through options below this line
    timeout tunnel 3600s
    http-reuse safe
    server idrac 192.168.0.120 ssl verify none

# Backend: testssl (test1)
backend testssl
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server testSSL 127.4.4.3 send-proxy-v2 check-send-proxy

# statistics are DISABLE


What you should do first now is to remove those extra rules for nextcloud from the HTTPS_frontend. I think you also said they didn't fix anything and I already said that they shouldn't actually be necessary afaik.
Leave only the local and public subdomains mapfile rules on it, in that order!

Now reboot your OPNsense, sometimes this can also fix strange issues.

Then please tell me the URL (replace your real domain with just domain.com) on which you are trying to access nextcloud and truenas.

External Access
truenas.domain.com --> error/result: ?
nextcloud.domain.com --> error/result: ?

Internal Access
truenas.domain.com --> error/result: ?
nextcloud.domain.com --> error/result: ?

Also nslookup or ping those URLs from an internal device to verify that the DNS override is working!

Is 10.1.1.1 the OPNsense interface IP of the network the local clients are trying to access those URLs from?
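To see why the order of the two mapfile rules matters (local first, public second) and what a client gets when a hostname is missing from the map it is allowed to use, here is an added Python model of the backend selection on 1_HTTPS_frontend. It is my own illustration, not code from the tutorial or from the OPNsense HAProxy plugin. It assumes the map-file syntax shown above, HAProxy's domain-match semantics for map_dom (the key must be delimited by dots or the string ends), and that a dynamic use_backend whose expression names a backend that does not exist is skipped so the next rule is evaluated. The subnets, hostnames and backend names are constructed from the posted config; mydomain.dedyn.io and 203.0.113.7 are placeholders.

```python
import ipaddress

# Constructed map files in the "<key> <backend>" format the OPNsense HAProxy plugin writes
# (contents copied from the posted map files; the mydomain.dedyn.io names are placeholders).
LOCAL_MAP = """\
# local access only subdomains
iprox iprox_backend
autgtp autgtp_backend
portainer portainer_backend
"""
PUBLIC_MAP = """\
# public access subdomains
nextcloud nextcloud_backend
truenas truenas_backend
"""

# From the posted config: the LOCAL_SUBDOMAINS_SUBNETS_condition ACL and the backends that exist.
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in ("10.1.1.0/24", "192.168.0.0/24")]
KNOWN_BACKENDS = {"iprox_backend", "autgtp_backend", "portainer_backend",
                  "nextcloud_backend", "truenas_backend"}


def parse_map(text):
    """Parse map-file lines into (key, backend) pairs, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, backend = line.split(None, 1)
        entries.append((key.lower(), backend.strip()))
    return entries


def dom_match(value, pattern):
    """HAProxy domain match (-m dom / map_dom): the pattern must sit between dots or string
    ends, so 'nextcloud' matches 'nextcloud.example.com' but not 'mynextcloud.example.com'."""
    value, pattern = value.lower(), pattern.lower()
    start = 0
    while True:
        i = value.find(pattern, start)
        if i < 0:
            return False
        j = i + len(pattern)
        if (i == 0 or value[i - 1] == ".") and (j == len(value) or value[j] == "."):
            return True
        start = i + 1


def map_dom(host, entries):
    """First map entry whose key domain-matches the host, like map_dom(<file>) with no default."""
    for key, backend in entries:
        if dom_match(host, key):
            return backend
    return None


def choose_backend(src_ip, host_header):
    """Model of the two use_backend rules on 1_HTTPS_frontend, in their configured order.

    Rule 1 consults the local map only for clients in LOCAL_SUBNETS; rule 2 consults the
    public map for everyone. Assumption: a use_backend whose expression yields a name that
    is not a configured backend is skipped, so a local client asking for a public-only
    host falls through to rule 2. Returns the backend name, or None when no rule matched
    (that frontend has no default_backend, so HAProxy would answer 503).
    """
    src = ipaddress.ip_address(src_ip)
    host = host_header.lower()                     # req.hdr(host),lower
    maps = []
    if any(src in net for net in LOCAL_SUBNETS):   # LOCAL_SUBDOMAINS_rule condition
        maps.append(parse_map(LOCAL_MAP))
    maps.append(parse_map(PUBLIC_MAP))             # PUBLIC_SUBDOMAINS_rule always evaluated
    for entries in maps:
        backend = map_dom(host, entries)
        if backend in KNOWN_BACKENDS:
            return backend
    return None


if __name__ == "__main__":
    for src, host in [("10.1.1.50", "portainer.mydomain.dedyn.io"),
                      ("203.0.113.7", "portainer.mydomain.dedyn.io"),
                      ("10.1.1.50", "nextcloud.mydomain.dedyn.io"),
                      ("203.0.113.7", "TrueNAS.mydomain.dedyn.io")]:
        print(f"{src:>12} {host:<30} -> {choose_backend(src, host)}")
```

Two things the model makes visible: a host listed only in the local map is simply unroutable from outside (no rule matches, 503), which is the intended protection, and a local client still reaches public hosts because the first rule yields nothing and the second one runs. If the public rule were placed first, the local map would never be consulted for hosts that appear in both.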

Quote from: TheHellSite on May 25, 2023, 10:36:55 AM

Sorry I still don't know what your issue is exactly now?
Your text is very confusing to read.

What I took from it is that the internal and external accesses are working but it is not presenting a trusted cert?

External works perfectly inside and outside.  Get a Let's Encrypt cert.  We're happy, nothing to do.

Internally?  I get a self-signed cert, nothing is logged in HAProxy.

I went through the tutorial again last night.  Step 7.2 for the FQDN rule... I see you have a domain value, but I am unable to save this condition because my domain is not a valid IPv4 address?

I can plug in 'my.test.com', it will accept and tests out OK.  If I use 'lan.scobar.pw', it will not accept the value, gives the error below.  Outside of the informational log, nothing is recorded.

[NOTICE] (67194) : haproxy version is 2.6.13-234aa6d
[NOTICE] (67194) : path to executable is /usr/local/sbin/haproxy
[ALERT] (67194) : config : parsing [/usr/local/etc/haproxy.conf.staging:73] : error detected while parsing ACL 'acl_64685bef85c4e2.08714329' : 'lan.scobar.pw' is not a valid IPv4 or IPv6 address.
[ALERT] (67194) : config : parsing [/usr/local/etc/haproxy.conf.staging:78] : error detected while parsing switching rule : no such ACL : 'acl_64685bef85c4e2.08714329'.
[ALERT] (67194) : config : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] (67194) : config : Fatal errors found in configuration.

Quote from: sc00by on May 25, 2023, 01:30:14 PM
External works perfectly inside and outside.  Get a Let's Encrypt cert.  We're happy, nothing to do.

Internally?  I get a self-signed cert, nothing is logged in HAProxy.

I went through the tutorial again last night.  Step 7.2 for the FQDN rule... I see you have a domain value, but I am unable to save this condition because my domain is not a valid IPv4 address?

I can plug in 'my.test.com', it will accept and tests out OK.  If I use 'lan.scobar.pw', it will not accept the value, gives the error below.  Outside of the informational log, nothing is recorded.

[NOTICE] (67194) : haproxy version is 2.6.13-234aa6d
[NOTICE] (67194) : path to executable is /usr/local/sbin/haproxy
[ALERT] (67194) : config : parsing [/usr/local/etc/haproxy.conf.staging:73] : error detected while parsing ACL 'acl_64685bef85c4e2.08714329' : 'lan.scobar.pw' is not a valid IPv4 or IPv6 address.
[ALERT] (67194) : config : parsing [/usr/local/etc/haproxy.conf.staging:78] : error detected while parsing switching rule : no such ACL : 'acl_64685bef85c4e2.08714329'.
[ALERT] (67194) : config : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] (67194) : config : Fatal errors found in configuration.

Sorry but I still can't quite follow...
I still don't know what you are trying to achieve here.

Also how can EXTERNAL work from inside and outside?
Per definition external is outside.

Please provide a structured answer, like above: https://forum.opnsense.org/index.php?topic=23339.msg165410#msg165410

I followed this great tutorial and everything in it worked on the first hit!!
Great work, great explanation and details, thanks.

The thing that doesn't work for me is what is omitted from the latest version of this (as far as I understand).
I want to use the no SSL offloading option, and I can't make it work. I did a map file and rule to map my already SSLed services, I put the rule in the 0_SNI_frontend, but no rule I make that is not just selecting my pool catches the host name; it's like it doesn't have the URL yet to select. If I put a rule to just force my pool it works, but then all the non-SSL services do not work.

What am I missing? If I put my SSLed services as SSL in the real server and map them as regular servers everything works, but then I have double SSL which I'm trying to avoid.

Quote from: TheHellSite on May 19, 2023, 09:20:51 AM
This is the solution.
Quote
4. However, in your scenario you didn't configure your apache real server correctly since you left the port blank and didn't tell haproxy if the real server expects SSL or not.

Hi @TheHellSite,

it took me the long way to figure out my issue was the map file.
At the moment I haven't understood what is the cause but so far I created several conditions and rules working fine. The map file will be the next step but for the moment, after so many efforts, I need to get away from Haproxy a little.

Thanks for your tutorial

This tutorial works brilliantly, up until the end of Part 5.
Fully encrypted and secured access to my self hosted servers/services, from external networks.

Part 6 - Access from internal networks in the tutorial, does not work for me.
I have tried both the Split DNS method, as well as the port forwarding with NAT reflection.

If my internet is offline, then DNS resolution to the self hosted servers/services fails. I can only access them via internal IP addresses and ports.

Any pointers would be appreciated. Kind of a noob to reverse proxy setups.

Let me know if you choose not to investigate since my configuration was a modification of the tutorial here....

The setup you helped with was working well for a while.  Now, it doesn't seem to be working.  As in, the sites are not accessible externally (I use my cell phone), but they work fine internally, with both IP addresses and hostnames.  I also tried going back to port forwarding instead of using HAProxy (for ports 80, 443).  As soon as I turn on port forwarding, the sites start working externally.


So this tells me something has changed or stopped working in my HAProxy config.  But what?  I will post my config below:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         0.0.0.0 local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: SNI_frontend ()
frontend SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp

    # logging options
    option tcplog
    # ACL: TCP_SSL_condition
    acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
    # ACL: TCP_server1_condition
    acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1
    # ACL: TCP_server2_condition
    acl acl_644c5719768e71.87060950 req.ssl_sni -m sub -i domain2

    # ACTION: TCP_RequestInspectDelay_rule
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: TCP_RequestContentAccept_rule
    tcp-request content accept if acl_644c56b6785678.47181279
    # ACTION: TCP_SERVER1_rule
    use_backend TCP_SERVER1_backend if acl_644c5700ee7657.09485748
    # ACTION: TCP_SERVER2_rule
    use_backend TCP_SERVER2_backend if acl_644c5719768e71.87060950

# Frontend: HTTP_frontend ()
frontend HTTP_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp

    # logging options
    option tcplog
    # ACL: http_server1_condition
    acl acl_6457247ca14984.71641345 hdr_sub(host) -i domain1
    # ACL: http_server2_condition
    acl acl_64572496aeac32.73416688 hdr_sub(host) -i domain2

    # ACTION: http_server1_rule
    use_backend TCP_SERVER1_backend if acl_6457247ca14984.71641345
    # ACTION: http_server2_rule
    use_backend TCP_SERVER2_backend if acl_64572496aeac32.73416688

# Backend: TCP_SERVER1_backend ()
backend TCP_SERVER1_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server server1_server 192.168.1.234

# Backend: TCP_SERVER2_backend ()
backend TCP_SERVER2_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server server2_server 192.168.1.217

# Backend (DISABLED): TCP_SERVER3_backend ()



# statistics are DISABLED
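The SNI_frontend in the config above routes in TCP mode on req.ssl_sni, which HAProxy can only evaluate once the client's TLS ClientHello has been buffered; that is what the tcp-request inspect-delay and the content accept if req.ssl_hello_type 1 pair are for, and it is also why a rule on the raw port 443 listener sees nothing to match before the hello arrives (the question a few posts up). The following Python is an added example of mine, not code from the page or from HAProxy: it builds a minimal ClientHello for a constructed hostname, extracts the SNI the way that fetch must, and then applies the frontend's routing both with the substring match (-m sub) used in the posted config and with HAProxy's suffix match (-m end). The domain1/domain2 placeholders come from the posted config; app.domain1.example, domain12.example and the rule lists are constructed.

```python
import struct

# Constructed routing tables in the shape of the SNI_frontend rules: (pattern, backend).
# SUB_RULES mirrors the posted config (-m sub); END_RULES is the same routing as a suffix match.
SUB_RULES = [("domain1", "TCP_SERVER1_backend"), ("domain2", "TCP_SERVER2_backend")]
END_RULES = [(".domain1.example", "TCP_SERVER1_backend"), (".domain2.example", "TCP_SERVER2_backend")]


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS ClientHello record carrying one SNI host_name (test input only)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                    # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni               # extension type 0 = server_name
    body = (
        b"\x03\x03"                                # client_version
        + b"\x11" * 32                             # random (fixed bytes, constructed)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
        + b"\x01\x00"                              # one compression method: null
        + struct.pack("!H", len(ext)) + ext        # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # hello_type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the host_name from a complete ClientHello record, or None.

    None is also returned for a truncated record: that is the state HAProxy is in before
    the whole hello has been buffered during tcp-request inspect-delay, and for a
    non-TLS client (for example plain HTTP sent to port 443), where req.ssl_hello_type
    is not 1 and the content accept rule never fires.
    """
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                                 # record not fully received yet
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                                  # version + random
    pos += 1 + body[pos]                                          # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]          # cipher_suites
    pos += 1 + body[pos]                                          # compression_methods
    if pos + 2 > len(body):
        return None                                               # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0:
            continue
        lpos = 2                                                  # skip server_name_list length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            name = edata[lpos + 3:lpos + 3 + nlen]
            lpos += 3 + nlen
            if ntype == 0:
                return name.decode("ascii", "replace")
    return None


def route_sni(sni, rules, match="sub"):
    """Pick a backend like `use_backend X if req.ssl_sni -m <match> -i <pattern>`, first match wins.

    match="sub" is the substring match from the posted config; match="end" is HAProxy's suffix
    match, which is the tighter choice when the patterns are really domain suffixes.
    """
    if sni is None:
        return None                                 # no SNI: no rule matches, no backend
    s = sni.lower()
    for pattern, backend in rules:
        p = pattern.lower()
        if (match == "sub" and p in s) or (match == "end" and s.endswith(p)):
            return backend
    return None


if __name__ == "__main__":
    hello = build_client_hello("app.domain1.example")
    print("SNI:", extract_sni(hello))
    print("truncated:", extract_sni(hello[:20]))
    print("sub:", route_sni("domain12.example", SUB_RULES, "sub"))
    print("end:", route_sni("domain12.example", END_RULES, "end"))
```

The last two lines of the demo show the difference that matters for a passthrough frontend: with -m sub, any SNI that merely contains "domain1" (here the unrelated name domain12.example) is handed to TCP_SERVER1_backend, while a suffix match only routes names that really end in .domain1.example and leaves everything else unmatched.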




I found the issue for my post above.  I had the UPnP plugin installed and enabled.  For whatever reason that messed with my setup.  I disabled it and it works again.