HAProxy Vaultwarden Reverse proxy Help
-
Hi,
I've a running Vaultwarden Docker on a Proxmox VM. I used to use NGINX Reverse Proxy Manager but it was unreliable and stopped working every now and then. Now I would like to replace it with HAProxy to make my Vaultwarden available for apps and web access from WAN. I've a Cloudflare managed domain "vault.mydomain.nz" which is pointing to my IP.
I have setup the ACME cert.
My Vaultwarden installation ports are mapped like this:
3012 > 3012
7010 > 443
7011 > 80
pfSense's web admin ports are neither 80 nor 443.
I've a firewall rule forwarding 443 traffic from WAN:
I've added a DNS resolver entry to be able to access vault.mydomain.co.nz from my LAN.
Vaultwarden is running and can be reached by typing in the IP in the browser (e.g. https://192.168.1.30:7011).
I followed this guide from Dani Garcia (HAProxy inside pfSense section) but it's not working for me. No error but not loading anything in the browser. (I did not add the ACL to exclude the /admin page).
It's probably a small misconfiguration but I have no idea...
This is my haproxy.cfg:
# Automaticaly generated, dont edit manually.
# Generated on: 2024-01-26 11:44
global
    maxconn 30
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend Domain
    bind 125.236.123.123:443 name 125.236.123.123:443 ssl crt-list /var/etc/haproxy/Domain.crt_list
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl ACL00 var(txn.txnhost) -m str -i mydomain.nz
    acl ACL00 var(txn.txnpath) -m beg -i /random-unused
    acl ACL01 var(txn.txnhost) -m str -i vault.mydomain.nz
    acl aclcrt_Domain var(txn.txnhost) -m reg -i ^([^\.]*)\.mydomain\.nz(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    http-request set-var(txn.txnpath) path
    http-request allow if ACL01 aclcrt_Domain
    http-request deny if !ACL00 aclcrt_Domain

frontend Vaultwarden
    bind 125.236.123.123:3112 name 125.236.123.123:3112
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl ACL1 var(txn.txnpath) -m beg -i /notifications/hub
    acl ACL2 var(txn.txnpath) -m beg /notifications/hub/negotiate
    acl ACL3 var(txn.txnpath) -m beg -i /notifications/hub
    acl ACL4 var(txn.txnpath) -m beg -i /notifications/hub/negotiate
    http-request set-var(txn.txnpath) path
    use_backend Vaultwarden_ipvANY if !ACL1
    use_backend Vaultwarden_ipvANY if !ACL2
    use_backend Vaultwarden-Notifications_ipvANY if ACL3
    use_backend Vaultwarden-Notifications_ipvANY if !ACL4

backend Vaultwarden_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    server Vaultwarden 192.168.1.30:7011 id 101

backend Vaultwarden-Notifications_ipvANY
    mode http
    id 102
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    server Vaultwarden-Notifications 192.168.1.30:3012 id 103
-
I forgot to mention, I'm on pfSense Plus 23.09-RELEASE and haproxy 0.63_1
-
@Chrisnz said in HAProxy Vaultwarden Reverse proxy Help:
I've a firewall rule forwarding 443 traffic from WAN:
This rule allows access to pfSense from WAN on any port. So it also allows access to the webConfigurator, which is pretty dangerous.
For the HAProxy configuration, maybe you can give information about what you intend to achieve. That would be helpful for working out a proper setup.
What I noticed:
Your Domain frontend has neither a use-backend action nor a default backend.
In the Vaultwarden frontend the ACLs 1 and 3 are identical, so one is superfluous.
-
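The two structural problems pointed out above (a frontend with no use_backend or default_backend, and two ACLs that carry the same condition under different names) are easy to check mechanically before reloading HAProxy. The script below is an added example, not pfSense's or HAProxy's own tooling and not from this thread; it parses a constructed, trimmed config in the same shape as the posted one (the 203.0.113.10 address and the undefined Missing_ipvANY backend are invented for the example) and also reports use_backend targets that no backend section defines.

```python
"""Lint a few structural problems in an HAProxy config.

Added example (not pfSense's or HAProxy's own tooling). It reports:
  - frontends that never route to a backend (no use_backend/default_backend)
  - ACLs whose condition duplicates another ACL's condition in the same frontend
  - use_backend / default_backend targets that no backend or listen section defines
"""
from collections import defaultdict

SECTION_KEYWORDS = {"global", "defaults", "listen", "frontend", "backend"}

# Constructed sample in the shape of a pfSense-generated haproxy.cfg.
# The 203.0.113.10 address and the Missing_ipvANY target are invented.
SAMPLE_CFG = """\
# Constructed sample, not a real generated file
global
    maxconn 30
    daemon

frontend Domain
    bind 203.0.113.10:443 name 203.0.113.10:443 ssl crt-list /var/etc/haproxy/Domain.crt_list
    mode http
    acl ACL01 var(txn.txnhost) -m str -i vault.mydomain.nz
    http-request set-var(txn.txnhost) hdr(host)
    http-request allow if ACL01

frontend Vaultwarden
    bind 203.0.113.10:3112 name 203.0.113.10:3112
    mode http
    acl ACL1 var(txn.txnpath) -m beg -i /notifications/hub
    acl ACL3 var(txn.txnpath) -m beg -i /notifications/hub
    http-request set-var(txn.txnpath) path
    use_backend Vaultwarden_ipvANY if !ACL1
    use_backend Vaultwarden-Notifications_ipvANY if ACL3
    use_backend Missing_ipvANY if ACL3

backend Vaultwarden_ipvANY
    mode http
    server Vaultwarden 192.168.1.30:7011

backend Vaultwarden-Notifications_ipvANY
    mode http
    server Vaultwarden-Notifications 192.168.1.30:3012
"""


def parse_sections(cfg_text):
    """Split the config into sections: a list of {kind, name, lines} dicts in file order."""
    sections = []
    current = None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] in SECTION_KEYWORDS:
            current = {"kind": parts[0], "name": parts[1] if len(parts) > 1 else "", "lines": []}
            sections.append(current)
        elif current is not None:
            current["lines"].append(line)
    return sections


def lint(cfg_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    sections = parse_sections(cfg_text)
    # listen sections carry their own servers, so they are valid routing targets too
    backends = {s["name"] for s in sections if s["kind"] in ("backend", "listen")}
    findings = []
    for sec in sections:
        if sec["kind"] != "frontend":
            continue
        fe = sec["name"]
        routes = False
        names_by_condition = defaultdict(list)
        for line in sec["lines"]:
            parts = line.split()
            if parts[0] in ("use_backend", "default_backend") and len(parts) > 1:
                routes = True
                target = parts[1]
                # dynamic targets such as %[...] cannot be resolved statically
                if not target.startswith("%") and target not in backends:
                    findings.append(f"frontend {fe}: {parts[0]} {target} refers to an undefined backend")
            elif parts[0] == "acl" and len(parts) > 2:
                names_by_condition[" ".join(parts[2:])].append(parts[1])
        if not routes:
            findings.append(f"frontend {fe}: no use_backend or default_backend, requests have nowhere to go")
        for condition, names in names_by_condition.items():
            distinct = sorted(set(names))
            if len(distinct) > 1:
                findings.append(f"frontend {fe}: ACLs {', '.join(distinct)} share the condition '{condition}', one is redundant")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CFG):
        print(finding)
```

Run against the sample it prints three findings: the Domain frontend routes nowhere, the Vaultwarden frontend references an undefined backend, and ACL1/ACL3 duplicate each other. The same ACL name declared twice (as ACL00 is in the posted config) is deliberately not flagged, since HAProxy ORs repeated declarations of one name and the pfSense package relies on that.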
@viragomann Thanks for your reply. The firewall is just open for testing right now. Later it will be limited to the ports that the Vaultwarden Docker container uses (3012 for Websocket, 7010 for internal 443 and 7011 for internal 80).
The domain frontend only has actions for http requests to allow or deny. I basically followed the Dani Garcia setup linked above since it's my first time with HAProxy. The Dani Garcia setup seems to be working for others so I'm wondering what I did wrong, maybe I misunderstood the ports to be used or put the wrong IP in the wrong place...or else, I just can't figure it out...most likely because I don't know HAProxy at all.
The Vaultwarden frontend ACL1 and 3 are almost identical except the "Not option" which is yes in ACL1 and no in ACL3
The goal is to have my locally hosted Vaultwarden accessible at vault.mydomain.nz from WAN. (browser plugins, phone apps etc.)