Spilt DNS to a local webserver with a port number

CloudNode

@viragomann
Thank you.. Not sure if it is correct but I created a VIP alias and then did a host override of one of my DNS names to that VIP and then in my HA Proxy, I listened for that VIP on my front end and then that translated to my web server. Sooo this works great and all but there is something about this setup that my web server is not happy about as I cannot use the fqdn in scripts as it says it cannot validate the cert and or notifications don't work.

Yet if I don't do any overrides and goes via cloud flare, then hits the same spot (ha proxy) all works ok. It's odd because via Lan ams wan I am hitting ha proxy. Just with Lan, I am first hitting the host over ride.

johnpoz

@iptvcld if your goal is to go to http or https://something.whatever.tld and get directed to some port other than 80 or 443 for http/https

That has zero to do with dns.. And setting up some vip to use for haproxy just so your not resolving something.whatever.tld to your wan is just complicating it even more..

Haproxy can for sure send your traffic to a port other than the standard 80/443 for http/https. If that is your goal. And can either offload the https or not..

There are a couple of ways to skin this cat.. The easiest is just use the port in your bookmark.. I don't grasp the issue with going to https://something.whatever.tld:8443 vs say https://something.whatever.tld - its a one time set your bookmark and be done with it..

If that is what you do, then sure something.whatever.tld, can resolve to the local IP vs public - this is where host override makes sense.

But to be honest why exactly can what your running on just no listen on 443 or 80? Using a nonstandard port for a service is a complication.. Why are you not just using standard http/https ports for what your hosting? Since its internal - you should have no issues with multiple services listening on the same port because you have the vast amount of IPs to use that is rfc1918.. If your box wants to run multiple things on the same port - just add more IPs to that box to listen on..

Other way to skin this cat while host override pointing to the local IP is listen on the standard port, and give you a redirection to the correct port with a simple meta refresh that gets served up on the standard port that directs the client to the url with the port in it.

But if your using haproxy anyway - to allow external traffic from the internet into your service. Then just hit the fqdn that resolves to your wan IP from internal box, and you will be proxied to your internal IP and port.

I do this for service I run that listens on 5055, it is just a docker - difficult to change that port or setup ssl on it.. So I just do both on haproxy where haproxy listens for the traffic on my wan - it sees the https request comes in (doesn't matter if from wan or internal IP), does the ssl offload on haproxy and send the traffic (non ssl) to my backend.

So in my browser on my network I can just https://mycustom.domain.tld that resolves to my pfsense wan IP - and get my local resource. This kills 2 birds with 1 stone sort of setup. No need for any vip here.. To be used in some host override.

I get easy use of acme certs to use for my fqdn, don't have to setup https on my service and also get redirection from standard ports to the odd port the service is using.

CloudNode

@johnpoz

Thank you for the reply! my goal is to be able to get my internal services such as home assistant, blue iris, etc but a DNS name thats on cloud flare. I know i can just bookmark the IP:port in my browsers but i am trying to make to all work via fqdn that offloads https via HA Prox. I currently have HA Prox working and yes, i have it listening on my WAN port for the dns names that come in and it hits my services ok. Issue is that my cloudfalre is routing somewhere to the USA then back to Canada to get to my services so the ping lag is large around 80ms (this shows the signs when viewing my security cams).

I then created a VIP and used host over ride to output that IP when i go to one of my FQDN (internally) and then HA Proxy looks for that VIP via the front end and is able to offload the SSL and take me to the service. This works great as when i am internal, i am hitting the server with 1ms ping and external it goes to cloudlfare. Issue is that home assistant and blueiris dont like that extra hop from the host dns then to HA prox. Not everything works.. If i just leave the host overide and allow HA proxy to resolve it from the wan, all works.. but that is slow as again cloud flare is not serving local for me.

Been trying a bunch of things to see how i can get this going while keeping the SSL offload internal.

johnpoz

@iptvcld said in Spilt DNS to a local webserver with a port number:

cloudfalre is routing somewhere to the USA then back to Canada to get to my services so the ping lag is large around 80ms (this shows the signs when viewing my security cams).

Huh? That has nothing to do with accessing your resources that are local.. Only if cloudflare is doing the proxy aspect of the connection. Which is normally default.

So your problem is you resolve some fqdn, that actually points to cloudflare IP, which then proxies it to your pfsense wan IP.. Which you then haproxy to some internal IP..

CloudNode

@johnpoz

Correct; i have a FQDN (ha.test.ca) that is hosted on cloudflare and resolves back with a cloudflare proxied IP. This resolves ok to my server from external and also resolves internally using the same fqdn (via the VIP, host over ride and ha prox)

But wondering if there is a better way as my server is not too happy with this method for internal.

When i am internal and try to access ha.test.ca it pings back with the cloudflare IP (if i dont have a host over ride)

johnpoz

@iptvcld said in Spilt DNS to a local webserver with a port number:

When i am internal and try to access ha.test.ca it pings back with the cloudflare IP (if i dont have a host over ride)

Yeah - in such setup with that external proxy I can see wanting to use a host override when your internal. But that could/should just point to your pfsense wan IP.. And then your local HAproxy should work how it works from external access.

CloudNode

@johnpoz
When i ping my cloudflare domain dns name - goes via 11 hops before it comes back to my WAN ip. Whats why i was looking for a good way to stay internal when on my internal lan using the same fqdn

viragomann

@iptvcld said in Spilt DNS to a local webserver with a port number:

as my server is not too happy with this method for internal.

Please explain, what exactly this means.

On public DNS your FQDN resolves to your WAN VIP which HAproxy is listening on. HAproxy does TLS offloading and sends the requests to the webserver. Now you have to configure HAproxy to listen on it's internal interface as well or forward the traffic.

The webserver only listens to its internal IP and isn't aware of the public IP and should respond back to the proxy. If the server have to access himself using its host name, you have to care that he is also resolving to its internal IP.
So not clear, what's making your server unhappy here.
However, you might possibly get issues with that if HAproxy is in tranparent mode.

johnpoz

@iptvcld said in Spilt DNS to a local webserver with a port number:

When i ping my cloudflare domain dns name - goes via 11 hops before it comes back to my WAN ip. Whats why i was looking for a good way to stay internal when on my internal lan using the same fqdn

Again - this is where you have to use a host override so your cloudflare proxied fqdn resolves to a local IP (this could be your pfsense wan IP).. Which your haproxy will then forward to your internal resources if you wanting it to do the ssl offload and change in port.

CloudNode

@johnpoz
For Host Override; how can i get it to return back with the pfsense wan ip? Under IP to return for host there is just an option to key in an IP.

johnpoz

@iptvcld said in Spilt DNS to a local webserver with a port number:

Under IP to return for host there is just an option to key in an IP.

You don't know what your wan IP is? Yeah you would have to put it in for a host override..

CloudNode

@johnpoz
I have my WAN ip, but it is dynamic so i guess this wont work as well.

So I can make it work with the host override pointing back to the LAN IP (192.168.2.1) and then in HA Prox; i have it listening to that LAN IP and will reslobe back with the web service. But issue i get with this is when i try to send a curl command for my home assistant; (curl -d "" http://ha.test.ca/api/webhook/UGmwy) - i get this error curl: (60) SSL certificate problem: unable to get local issuer certificate. And if i dont use a host override, then all works but i dont want to use the external cloudflare IP to access my internal things

CloudNode

Did a deep dive into this today (haProxy) as i had a feeling i was having ssl cert offloading issues. What i did was deleted my ACME cert under cert manager and then created a new key and re-issued the cert. I then went back to haprox and selected that cert again under the frontend and everything started working!

I have a VIP which i resolve to under host override with my web servers i want to access internally via the fqdn without going cloudflare and having the extra hops while internal. That resolves the VIP and then in HA prox i am listening to my WAN address and now the new VIP address. So when it sees a request coming from internal/external it will resolve the web server..

Thank you for your help today on that..