Netgate Discussion Forum

    haproxy - not working

    • TMG @TMG

      # Automaticaly generated, dont edit manually.
      # Generated on: 2023-12-14 20:12
      global
      	maxconn			100031
      	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
      	uid			80
      	gid			80
      	nbthread			1
      	hard-stop-after		15m
      	chroot				/tmp/haproxy_chroot
      	daemon
      	server-state-file /tmp/haproxy_server_state
      
      listen HAProxyLocalStats
      	bind 127.0.0.1:2200 name localstats
      	mode http
      	stats enable
      	stats refresh 10
      	stats admin if TRUE
      	stats show-legends
      	stats uri /haproxy/haproxy_stats.php?haproxystats=1
      	timeout client 5000
      	timeout connect 5000
      	timeout server 5000
      
      frontend xxxxxx-Server
      	bind			192.168.1.1:443 name 192.168.1.1:443   ssl crt-list /var/etc/haproxy/xxxxxx-Server.crt_list  
      	mode			http
      	log			global
      	option			socket-stats
      	option			http-keep-alive
      	option			forwardfor
      	acl https ssl_fc
      	http-request set-header		X-Forwarded-Proto http if !https
      	http-request set-header		X-Forwarded-Proto https if https
      	timeout client		30000
      	acl			vaultwarden	var(txn.txnhost) -m beg -i xxxxxx.home64.de
      	acl			unifi	var(txn.txnhost) -m beg -i xxxxxx.duckdns.org
      	acl			aclcrt_xxxxxx-Server	var(txn.txnhost) -m reg -i ^xxxxxx\.home64\.de(:([0-9]){1,5})?$
      	http-request set-var(txn.txnhost) hdr(host)
      	use_backend vaultwarden_ipvANY  if  vaultwarden aclcrt_xxxxxx-Server
      	use_backend unifi_ipvANY  if  unifi aclcrt_xxxxxx-Server
      
      frontend HAProxy_stats_ssl_frontend
      	bind			192.168.1.1:444 name 192.168.1.1:444   ssl crt-list /var/etc/haproxy/HAProxy_stats_ssl_frontend.crt_list  
      	mode			http
      	log			global
      	timeout client		30000
      	default_backend HAProxy_stats_ssl_backend_ipvANY
      
      backend vaultwarden_ipvANY
      	mode			http
      	id			100
      	log			global
      	cookie  nocache
      	stats			enable
      	stats			uri /
      	stats			realm .
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	load-server-state-from-file	global
      	server			vaultwarden 192.168.1.231:8000 id 101 ssl  verify none crt /var/etc/haproxy/server_clientcert_657b0f05e4047.pem 
      
      backend unifi_ipvANY
      	mode			http
      	id			102
      	log			global
      	stats			enable
      	stats			uri /
      	stats			realm .
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	load-server-state-from-file	global
      	server			unifi 192.168.1.221:8443 id 101 ssl  verify none crt /var/etc/haproxy/server_clientcert_657b0f05e4047.pem 
      
      backend HAProxy_stats_ssl_backend_ipvANY
      	mode			http
      	id			105
      	log			global
      	stats			enable
      	stats			uri /
      	stats			realm .
      	stats			refresh 10
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	load-server-state-from-file	global
      
      tomuser@MacBook-Pro ~ % dig @8.8.8.8 xxxxxx.home64.de
      
      ; <<>> DiG 9.10.6 <<>> @8.8.8.8 xxxxxx.home64.de
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 532
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 512
      ;; QUESTION SECTION:
      ;xxxxxx.home64.de.		IN	A
      
      ;; ANSWER SECTION:
      xxxxxx.home64.de.	60	IN	A	77.23.205.1
      
      ;; Query time: 52 msec
      ;; SERVER: 8.8.8.8#53(8.8.8.8)
      ;; WHEN: Thu Dec 14 20:56:55 CET 2023
      ;; MSG SIZE  rcvd: 60
      
    • VioletDragon @TMG

        @TMG said in haproxy - not working:

        UDM

        UDM is a Dream Machine by Ubiquiti. I would suggest having pfSense handle DNS, as it will add more complexity to the solution.

        DynDNS is Dynamic DNS.

        VIP can be any IP as it's virtual.

        For SSL in Haproxy, the Certificate is mapped by the Frontend.

        • TMG @VioletDragon

          @VioletDragon

          Nothing needs to go in here?

          [screenshot]

          I still don't understand the connection between the VIP and the DynDNS domain xxxxx.home64.de. How exactly does this play together? I have been looking all day for a video or a configuration guide for my configuration.

          Do you mean these here, no??

          [screenshot]

          How and where exactly does the VIP come into play?

          • TMG @TMG

            [screenshot]

            • VioletDragon @TMG

              @TMG Create an A record that points to the WAN.

              Under DNS Resolver -> Host Overrides, create a Host & Domain Name and add the IP of the VIP.

              The HAProxy frontend needs two entries, one for port 80 and another for port 443. Both need the IP of the VIP you created, which goes under Listen address for both.

              For the SSL Certificate you specify it under Certificate. Make sure that the type is configured as http/https offloading.

              • TMG @VioletDragon

                @VioletDragon

                Port 443/80 here in the HAProxy config??

                [screenshot]

                • VioletDragon @TMG

                  @TMG No. You need two frontends, one for Port 80 & Port 443.

                  Listen address needs to be set to the VIP.

                  [three screenshots]

                  • TMG @VioletDragon

                    @VioletDragon
                    Good morning. I can only say thank you again and again for your efforts.
                    Does the created VIP also have to go in here, under DNS Resolver / Host Overrides?

                    [screenshot]

                    • VioletDragon @TMG

                      @TMG Good morning, yes the IP is the VIP.

                      Depending on your OS, you can test by using dig on Linux / macOS or nslookup on Windows.

                      Regards

                      • TMG @VioletDragon
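One way to run the dig check suggested above, as an added example that is not from the thread or from pfSense: the dig in the first post asked 8.8.8.8, which can only return the public A record, because a Host Override in the DNS Resolver is applied only by pfSense's own resolver. The script parses dig output and says whether the answer is the VIP or the WAN address; 192.168.1.1 as the pfSense resolver and 192.168.1.250 as the VIP are assumptions, and 77.23.205.1 is the address from the posted dig output.

```shell
#!/bin/sh
# Added example (not from the thread): tell whether a resolver returns the VIP
# that the HAProxy frontends listen on, or the public WAN address.
# Assumptions: 192.168.1.1 is the pfSense DNS Resolver, 192.168.1.250 is a
# constructed VIP (the thread does not show the real one), and 77.23.205.1 is
# the WAN address from the dig output posted in the first post.

# first_a_record: print the first A record in dig output read from stdin.
# Answer lines look like "name.  60  IN  A  1.2.3.4"; lines starting with ";"
# are dig's own commentary and the question section.
first_a_record() {
	awk '$1 !~ /^;/ && $4 == "A" { print $5; exit }'
}

# classify_answer NAME ANSWER VIP WAN: one verdict line for the address returned.
classify_answer() {
	case "$2" in
		"$3") echo "vip: $1 -> $2 (host override in effect; HAProxy on the VIP answers)" ;;
		"$4") echo "wan: $1 -> $2 (public record; this resolver does not apply the override)" ;;
		"")   echo "none: $1 returned no A record" ;;
		*)    echo "unexpected: $1 -> $2" ;;
	esac
}

# check_resolver RESOLVER NAME VIP WAN: live query, needs dig and network access.
check_resolver() {
	classify_answer "$2" "$(dig @"$1" "$2" A | first_a_record)" "$3" "$4"
}

# Constructed sample: the question and answer sections from the posted dig run.
SAMPLE_DIG_OUTPUT=';; QUESTION SECTION:
;xxxxxx.home64.de.		IN	A

;; ANSWER SECTION:
xxxxxx.home64.de.	60	IN	A	77.23.205.1'

if [ "${1:-}" = "--live" ]; then
	# From a LAN client the first line should say "vip", the second "wan".
	check_resolver 192.168.1.1 xxxxxx.home64.de 192.168.1.250 77.23.205.1
	check_resolver 8.8.8.8     xxxxxx.home64.de 192.168.1.250 77.23.205.1
else
	# Offline: classify the posted output (8.8.8.8 was asked, so "wan" is expected).
	classify_answer xxxxxx.home64.de \
		"$(printf '%s\n' "$SAMPLE_DIG_OUTPUT" | first_a_record)" \
		192.168.1.250 77.23.205.1
fi
```

Run it with `--live` from a LAN client to compare the pfSense resolver against a public one; without arguments it only classifies the sample output.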

                        @VioletDragon
                        It's never happened to me before that I can't solve a problem for days. I can't get it to work.
                        dig always points to the public IP address.
                        Can you do me a big favor and take a look at the PDF with the screenshots to see if you notice anything where I'm going wrong, or if something important is missing.
                        Thanks, thanks, thanks.
                        I just realized I can't attach a PDF?

                        • TMG @TMG

                          Here is a Dropbox link:
                          pfsense_screenshots

                          If you don't want that, please let me know. Maybe we can find another way.

                          • VioletDragon @TMG

                            @TMG Attach screenshots of DNS Resolver; the screenshots in the PDF are small. Also attach screenshots of System -> General Setup and System -> Advanced -> Admin Access.

                            Regards

                            • TMG @VioletDragon

                              @VioletDragon
                              I hope it's bigger and you can read it.

                              pfsense_2
