Setting up HA Proxy for Internal Servers
-
I have docker/portainer installed on one of my machines at home. It currently has 4 containers: portainer itself, vaultwarden, nextcloud & docker-mailserver.
This machine will never be exposed to the internet. I'm trying to configure HA Proxy to use it locally. I have a wildcard certificate from LetsEncrypt (*.home.mydomain.com).
Nextcloud listens on port 443.
Vaultwarden listens on port 80 -- but when I try to open it, the browser refuses to load it saying it requires https.
docker-mailserver will need to listen on multiple ports. I set up 2 virtual IPs 10.10.0.12 and 10.10.0.13 for Vaultwarden and Nextcloud respectively. I haven't done anything for the mailserver yet. I added DNS Overrides pointing nc.home.mydomain.com to 10.10.0.13 and pointing vault.home.mydomain.com to 10.10.0.12.
Within the HAProxy settings, I made a backend for NC and VW both. Then I made a Frontend for each of them as well.
When I try to browse to vault.home.mydomain.com OR nc.home.mydomain.com, it tells me the connection is not secure AND won't show me anything from the respective GUIs.
I don't know if this is exclusively an HAProxy issue or also related to LetsEncrypt.
Front Ends:
Nextcloud backend (the rest of the backend is all unmodified from OOTB):
Vaultwarden backend (the rest of the backend is all unmodified from OOTB):
When I use the NSLOOKUP tool, nc.home.mydomain.com and vault.home.mydomain.com do both show the correct virtual IPs. LetsEncrypt indicated that it created the certificate with no problems. But here's the certificate parameters showing the domain entry it's for:
-
@doni49
Did you also assign the certificate to the frontends?
What does the browser show exactly, when you try to access it?
Check if you get the correct certificate. -
@viragomann said in Setting up HA Proxy for Internal Servers:
Did you also assign the certificate to the frontends?
I'll double check when I get home. While I distinctly remember assigning it to one of them (I don't remember now which one), I don't remember one way or the other for the second one.
What does the browser show exactly, when you try to access it?
Check if you get the correct certificate.
I looked but I think it said there was no certificate. Again I'll look when I get home.
-
@doni49
You have to assign the wildcard certificate to all frontends it is valid for. -
@viragomann said in Setting up HA Proxy for Internal Servers:
You have to assign the wildcard certificate to all frontends it is valid for.
I understood that. My statement was that I was sure I had done so on one but I couldn't remember either way as to whether or not I had done so on the second one. I'm home now and just checked both of them. They both are assigned to use the wildcard cert.
This is the SSL Offloading section of the Nextcloud front end. The Vaultwarden front end looks just like this. I'm pretty sure this is what you were asking about.
-
@viragomann said in Setting up HA Proxy for Internal Servers:
What does the browser show exactly, when you try to access it?
Check if you get the correct certificate.
They don't appear to have an issue with the certificate although before I posted they were both saying insecure.
Vaultwarden:
Nextcloud:
-
And if I connect directly to the Vaultwarden server (not via HAProxy), this is what I see. So the server itself is up and running.
-
This is what I see when I try to connect directly the nextcloud instance bypassing haproxy.
-
I don't understand where all the screenshots I added to my replies went -- they were there. I saw them in the thread when I came back and reviewed it. Then I came back again and noticed they were gone.
But yes, both front ends are configured to use the wildcard certificate (under the offload SSL section).
When I browse to either nc.home.mydomain.com or vault.home.mydomain.com, Edge (on Windows 11) says the site is secure -- although I'm 99% certain that they said unsecure before I posted the first message. But they both give a 503 error "No Server Available". But if I browse to the server's IP address (the one that HAProxy is pointing to) and specify ports 443 and 80 for NC and VW respectively, the pages load fine -- but NC indicates it's not secure. VW loads fine but when I attempt to login, it complains and tells me the browser requires HTTPS to use this service.
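For reference, here is an added example of what the setup described in this thread looks like as a plain haproxy.cfg. It is not the poster's pfSense-generated configuration and not from the HAProxy package; the Docker host address 192.0.2.10, the certificate path /etc/haproxy/wildcard.pem and the health-check URLs are assumptions chosen for the example. It shows the two points the symptoms above turn on: HAProxy only answers "503 No server is available" when every server in the backend is marked DOWN, which is what happens when a health check to a TLS-only service (Nextcloud on 443) is sent in plain HTTP, and a service that is reached over plain HTTP behind TLS termination (Vaultwarden on 80) only learns that the client used HTTPS if the proxy tells it via X-Forwarded-Proto.

```haproxy
# Added example: minimal haproxy.cfg for the two frontends in the thread.
# Assumed placeholders: Docker host 192.0.2.10, cert+key concatenated in
# /etc/haproxy/wildcard.pem (the *.home.mydomain.com wildcard).
global
    log stdout format raw local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend on the Nextcloud virtual IP; nc.home.mydomain.com resolves here.
frontend fe_nextcloud
    bind 10.10.0.13:443 ssl crt /etc/haproxy/wildcard.pem
    # TLS terminates here, so tell the application the client used HTTPS.
    http-request set-header X-Forwarded-Proto https
    default_backend be_nextcloud

# Frontend on the Vaultwarden virtual IP; vault.home.mydomain.com resolves here.
frontend fe_vaultwarden
    bind 10.10.0.12:443 ssl crt /etc/haproxy/wildcard.pem
    http-request set-header X-Forwarded-Proto https
    default_backend be_vaultwarden

# Nextcloud listens on 443, so the server entry needs "ssl": without it the
# health check speaks plain HTTP to a TLS port, fails, the server goes DOWN
# and the frontend returns "503 No server is available".
# "verify none" is only acceptable because the container's certificate is
# self-signed and the hop stays on the local network.
backend be_nextcloud
    option httpchk GET /status.php
    http-check expect status 200
    server nextcloud 192.0.2.10:443 ssl verify none check

# Vaultwarden listens on plain HTTP on port 80; it is reachable only through
# the TLS frontend above. The check path is an assumption; "/" also works.
backend be_vaultwarden
    option httpchk GET /alive
    http-check expect status 200
    server vaultwarden 192.0.2.10:80 check
```

In the pfSense package the same settings live in the GUI: the certificate under the frontend's SSL Offloading section (as already done here), the backend server's SSL option for the Nextcloud entry, and the health-check method per backend. Once the backend is reachable, Nextcloud itself also has to be told it sits behind a reverse proxy (its documented config.php options trusted_proxies and overwriteprotocol), otherwise it keeps generating plain-http links and the browser again reports the page as not secure.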
-
@doni49
Sadly all screenshots are lost.
If the browser doesn't show a certificate, either HAproxy does not deliver any, because it's not assigned correctly, or you are connected to the wrong host.