[SOLVED] HAProxy works on Port 443 but not on Port 5001
Topic: [SOLVED] HAProxy works on Port 443 but not on Port 5001 (Read 1469 times)
Lowrider614
Newbie
Posts: 8
Karma: 0
[SOLVED] HAProxy works on Port 443 but not on Port 5001
«
on:
March 19, 2023, 11:27:40 am »
Hello,
I seem to be lost here.
I am running a Synology NAS whose web interface is to be reached via HTTPS on port 5001. LAN access works fine.
If I set up HAProxy Public Service to listen on port 443 with the respective certificate (SSL offloading) and forward headers, I can reach my Synology NAS.
If I change the listening port to 5001 (that is the only change in the whole setup) I get a "503 Service Unavailable No server is available to handle this request." error.
Incoming firewall rules are defined for port 443 and port 5001 respectively. I just cloned the 443 rule and changed the port.
If listening port is set to 443 and I try to access port 5001, the request times out for HTTP and HTTPS. So nothing else seems listening on that port and protocol. I tried with port 4952 (just to choose another random port) but the result stays the same.
I am missing something for sure, would you point me in the right direction please?
Thanks!
Tim
«
Last Edit: March 19, 2023, 06:16:31 pm by Lowrider614
»
Logged
meyergru
Hero Member
Posts: 1684
Karma: 165
IT Aficionado
Re: HAProxy works on Port 443 but not on Port 5001
«
Reply #1 on:
March 19, 2023, 12:15:48 pm »
Why would you change the HAProxy listening port to 5001? I understand that it is 5001 on the endpoint side, but only because Synology wanted to keep the standard port 443 available.
The whole point of HAProxy in the context of a home setup with NAT is that it can handle name-based requests for multiple endpoints over the same public IP, enabling you to expose your internal services which are likely to not have TLS and have them use a working Let's Encrypt certificate for TLS.
It is quite convenient to have these services exposed to browsers over the standard port 443, in order not to have to type the port in the URL as well.
In case you fear that someone could try to scan "standard" ports, look at the certificate and find out the names of your internal services, you can hide them by using a fake "catch-all" certificate - I just asked TheHellSite about that and he has added this to his guide as Part 8:
https://forum.opnsense.org/index.php?topic=23339.0
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+
Lowrider614
Newbie
Posts: 8
Karma: 0
Re: HAProxy works on Port 443 but not on Port 5001
«
Reply #2 on:
March 19, 2023, 02:21:10 pm »
Thanks for your reply!
I know that HAProxy can be used to separate different incoming URLs on Port 443, but the Port 5001 is just a test for others to come.
Synology Apps use different ports for different services and those ports are set up as standard in those apps. Now I could reconfigure them in my own phone, but explain that to my wife, children, housemates etc.
This is why I want other ports than 443 and 80 to work.
The reason I use HAProxy is mainly that I can maintain all the SSL certificates in one place and do not have to do this at all the different places in my network.
So is using a different port than 443 and 80 possible with HAProxy or do I need a different plugin?
Best regards
Tim
Logged
meyergru
Hero Member
Posts: 1684
Karma: 165
IT Aficionado
Re: HAProxy works on Port 443 but not on Port 5001
«
Reply #3 on:
March 19, 2023, 04:56:20 pm »
You can sure do that and I just tried for good measure. I followed TheHellSite's tutorial for HAProxy and just changed three things to my existing HAProxy setup for port 443:
1. I added "0.0.0.0:5001" to Services->HAProxy->Settings->Virtual Services->Public Services->"0_SNI_Frontend"
2. I added "127.0.0.1:5001" to Services->HAProxy->Settings->Virtual Services->Public Services->"1_HTTPS_Frontend"
3. I added port 5001 to the "HAProxy_Ports" firewall alias.
After applying all that, everything worked for both ports 443 and 5001 from the outside, as was to be expected.
«
Last Edit: March 19, 2023, 05:46:01 pm by meyergru
»
Logged
Lowrider614
Newbie
Posts: 8
Karma: 0
Re: HAProxy works on Port 443 but not on Port 5001
«
Reply #4 on:
March 19, 2023, 05:50:47 pm »
I think you have already given me a very good hint where my problem might be. But I don't see my forward, maybe you can help me again.
I guess, the problem arises from the setting "Type" that I am using on my Public Services Frontend.
First of all, I have one Public Service only, as I was just going through one of the numerous online tutorials to set up HAProxy. There SSL on port 443 is used only and one public service seems to be enough.
You seem to have two Public Services. One called 0_SNI_Frontend and one called 1_HTTPS_Frontend. Both are listening on different addresses and I assume, have different Types set as well?
Would you mind explaining that setup a little deeper? I think that is what I will need to achieve my target. Or does the link you provided earlier explain that in detail? Then I will deep dive into that long tutorial.
Thanks a lot!
Tim
Logged
meyergru
Hero Member
Posts: 1684
Karma: 165
IT Aficionado
Re: HAProxy works on Port 443 but not on Port 5001
«
Reply #5 on:
March 19, 2023, 06:11:21 pm »
The tutorial explaining all that is here:
https://forum.opnsense.org/index.php?topic=23339.0
I think it is quite nice, because it covers many aspects that you would have to handle yourself otherwise, like getting and updating Let's Encrypt certificates, allowing multiple backends, mapping using only one central map file, redirecting HTTP traffic to HTTPS (which is why there are multiple public services, apart from the name-based differentiation via SNI).
Logged
Lowrider614
Newbie
Posts: 8
Karma: 0
Re: HAProxy works on Port 443 but not on Port 5001
«
Reply #6 on:
March 19, 2023, 06:15:05 pm »
You have been a great help, thanks again!
What did the trick for me at the moment was to set a default backend. Now it works.
I will test that setup with my other services on different ports and will let you know here if I am successful or not.
That tutorial is a lot to read and a lot of things won't be necessary for me, but to understand what's possible it will be a great study.
Thanks again, I am marking this topic as solved.
Logged
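A check for the failure mode resolved in this thread, as an added example that is not part of any forum post: an HAProxy frontend with no `default_backend` answers 503 when no `use_backend` rule matches, and an exact `hdr(host)` rule stops matching on a non-standard port because the browser then sends `Host: name:port`. The sample configuration, host name, addresses and function names are constructed for illustration and are not the poster's setup.

```python
import re

# Constructed sample config (not from the thread): same bind, with and without a fallback.
SAMPLE_CFG = """\
frontend nas_5001
    bind 0.0.0.0:5001 ssl crt /path/to/cert.pem
    acl is_nas hdr(host) -i nas.example.com
    use_backend nas_backend if is_nas
frontend nas_5001_fixed
    bind 0.0.0.0:5001 ssl crt /path/to/cert.pem
    default_backend nas_backend
backend nas_backend
    server nas 192.0.2.10:5001 ssl verify required ca-file /path/to/ca.pem
"""

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def parse_sections(cfg):
    """Split haproxy.cfg text into (kind, name, [directive lines]) tuples."""
    sections = []
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        m = SECTION.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif line and sections:
            sections[-1][2].append(line)
    return sections

def lint_frontends(cfg):
    """Return {frontend name: [findings]} for frontends that can end in a 503."""
    findings, inherited = {}, False
    for kind, name, lines in parse_sections(cfg):
        has_default = any(l.split()[0] == "default_backend" for l in lines)
        if kind == "defaults":
            inherited = has_default           # later frontends inherit this setting
        if kind != "frontend":
            continue
        issues = []
        if not (has_default or inherited):
            issues.append("no default_backend: a request matching no use_backend rule gets 503")
        ports = {int(p) for l in lines if l.startswith("bind ")
                 for p in re.findall(r":(\d+)(?=,|$)", l.split()[1])}
        # hdr(host) compares the whole header value, which includes ':port' off 80/443.
        if ports - {80, 443} and any(re.search(r"\bhdr\(host\)(?!,)", l) for l in lines):
            issues.append("exact hdr(host) match on a non-standard port: Host carries ':port'")
        if issues:
            findings[name] = issues
    return findings
```

Calling `lint_frontends(SAMPLE_CFG)` reports only `nas_5001`; the second frontend passes because every unmatched request has a backend to fall through to.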