Netgate Discussion Forum
    HAProxy proxies hosts unreachable

    Cache/Proxy

      digimd @viragomann

      @viragomann

      # Automaticaly generated, dont edit manually.
      # Generated on: 2024-09-04 07:16
      global
      	maxconn			1000
      	log			/var/run/log	local0	info
      	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
      	uid			80
      	gid			80
      	nbthread			1
      	hard-stop-after		15m
      	chroot				/tmp/haproxy_chroot
      	daemon
      	tune.ssl.default-dh-param	4096
      	server-state-file /tmp/haproxy_server_state
      
      listen HAProxyLocalStats
      	bind 127.0.0.1:2200 name localstats
      	mode http
      	stats enable
      	stats admin if TRUE
      	stats show-legends
      	stats uri /haproxy/haproxy_stats.php?haproxystats=1
      	timeout client 5000
      	timeout connect 5000
      	timeout server 5000
      
      resolvers globalresolvers
      	nameserver Cloudflare 1.1.1.1:53
      	resolve_retries 3
      	timeout retry 1s
      	timeout resolve 10s
      
      frontend Https_Frontends
      	bind			10.0.1.254:443 name 10.0.1.254:443   ssl crt-list /var/etc/haproxy/Https_Frontends.crt_list  
      	bind			10.0.2.254:443 name 10.0.2.254:443   ssl crt-list /var/etc/haproxy/Https_Frontends.crt_list  
      	mode			http
      	log			global
      	option			http-keep-alive
      	option			forwardfor
      	acl https ssl_fc
      	http-request set-header		X-Forwarded-Proto http if !https
      	http-request set-header		X-Forwarded-Proto https if https
      	maxconn			4
      	timeout client		30000
      	acl			pfsense	var(txn.txnhost) -m str -i router.home.DOMAIN.com
      	acl			mgmt_ips_only	src 10.0.1.0/24
      	acl			Truenas	var(txn.txnhost) -m str -i truenas.home.DOMAIN.com
      	acl			omada	var(txn.txnhost) -m str -i omada.home.DOMAIN.com
      	acl			HAOS	var(txn.txnhost) -m str -i haos.home.DOMAIN.com
      	acl			Kuma	var(txn.txnhost) -m str -i kuma.home.DOMAIN.com
      	acl			aclcrt_Https_Frontends	var(txn.txnhost) -m reg -i ^([^\.]*)\.home\.DOMAIN\.com(:([0-9]){1,5})?$
      	http-request set-var(txn.txnhost) hdr(host)
      	use_backend pfsense_ipvANY  if  pfsense mgmt_ips_only  aclcrt_Https_Frontends
      	use_backend truenas_ipvANY  if  Truenas aclcrt_Https_Frontends
      	use_backend Omada_ctrler_ipvANY  if  omada aclcrt_Https_Frontends
      	use_backend HAOS_ipvANY  if  HAOS aclcrt_Https_Frontends
      	use_backend UptimeKuma_ipvANY  if  Kuma aclcrt_Https_Frontends
      
      backend pfsense_ipvANY
      	mode			http
      	id			100
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	load-server-state-from-file	global
      	server			pfsense 10.0.1.254:10443 id 101 ssl check inter 1000  verify none resolvers globalresolvers 
      
      backend truenas_ipvANY
      	mode			http
      	id			102
      	log			global
      	option			log-health-checks
      	timeout connect		30000
      	timeout server		30000
      	retries			5
      	load-server-state-from-file	global
      	server			truenas 10.0.1.33:3443 id 103 ssl check inter 1000  verify none resolvers globalresolvers 
      
      backend Omada_ctrler_ipvANY
      	mode			http
      	id			104
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	load-server-state-from-file	global
      	server			Omada_ctrler 10.0.1.11:8043 id 105 ssl check inter 1000  verify none resolvers globalresolvers 
      
      backend HAOS_ipvANY
      	mode			http
      	id			106
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	load-server-state-from-file	global
      	server			Homeassistant 10.0.1.88:8123 id 107 check inter 1000  resolvers globalresolvers 
      
      backend UptimeKuma_ipvANY
      	mode			http
      	id			108
      	log			global
      	http-check		send meth OPTIONS
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	load-server-state-from-file	global
      	option			httpchk
      	server			Kuma 172.16.20.10:3001 id 109 check inter 1000  resolvers globalresolvers
      
        viragomann @digimd
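The following is an added example, not code from this thread, from pfSense or from HAProxy. It transcribes the ACLs and `use_backend` lines of the posted frontend into Python so the routing decision can be checked offline: every ACL named on a `use_backend` line must hold (they are ANDed), the first matching line wins, and with no `default_backend` an unmatched request is answered with a 503 (modelled as `None`). Two details worth seeing in code: `hdr(host)` keeps any explicit `:port` the client sends, so a `Host: truenas.home.DOMAIN.com:443` header passes the regex ACL but fails the `-m str` ACLs; and the `router` rule additionally requires a source in 10.0.1.0/24, so it is expected to fail from the 10.0.2.0/24 side. The `unverified_ssl_servers` check flags the backend `server` lines that use `ssl` with `verify none`, meaning HAProxy does not authenticate those upstream TLS connections. The hostnames and source addresses in the tests are constructed; the config excerpt repeats the posted server lines.

```python
"""Offline simulation of the use_backend routing in the HAProxy frontend posted above.

Added example (not pfSense's or HAProxy's code): the ACL predicates and rule order are
transcribed from the posted config; hostnames and source addresses used below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    host: str  # raw Host header value; hdr(host) keeps any ":port" suffix the client sent
    src: str   # client source IP as seen by the frontend


def _host_is(name):
    # 'var(txn.txnhost) -m str -i NAME': whole-string, case-insensitive comparison
    return lambda req: req.host.lower() == name.lower()


# 'aclcrt_Https_Frontends' is the only host ACL that tolerates an explicit port
HOST_PATTERN = re.compile(r"^([^\.]*)\.home\.DOMAIN\.com(:([0-9]){1,5})?$", re.IGNORECASE)

# ACL name -> predicate, one per 'acl' line in the posted frontend
ACLS = {
    "pfsense": _host_is("router.home.DOMAIN.com"),
    "mgmt_ips_only": lambda req: ipaddress.ip_address(req.src) in ipaddress.ip_network("10.0.1.0/24"),
    "Truenas": _host_is("truenas.home.DOMAIN.com"),
    "omada": _host_is("omada.home.DOMAIN.com"),
    "HAOS": _host_is("haos.home.DOMAIN.com"),
    "Kuma": _host_is("kuma.home.DOMAIN.com"),
    "aclcrt_Https_Frontends": lambda req: HOST_PATTERN.match(req.host) is not None,
}

# 'use_backend X if a b c' lines in file order; a bare list of ACL names is an AND
RULES = [
    ("pfsense_ipvANY", ["pfsense", "mgmt_ips_only", "aclcrt_Https_Frontends"]),
    ("truenas_ipvANY", ["Truenas", "aclcrt_Https_Frontends"]),
    ("Omada_ctrler_ipvANY", ["omada", "aclcrt_Https_Frontends"]),
    ("HAOS_ipvANY", ["HAOS", "aclcrt_Https_Frontends"]),
    ("UptimeKuma_ipvANY", ["Kuma", "aclcrt_Https_Frontends"]),
]


def select_backend(req, default=None):
    """Return the first backend whose ACLs all hold, else the default_backend (None = HAProxy 503).

    HAProxy evaluates ACL sample fetches when the use_backend line runs, so the
    'http-request set-var(txn.txnhost) hdr(host)' placed after the acl lines still works.
    """
    for backend, names in RULES:
        if all(ACLS[name](req) for name in names):
            return backend
    return default


def explain(req):
    """Per-rule breakdown: which ACLs failed for each use_backend line (a debugging aid)."""
    return {backend: [n for n in names if not ACLS[n](req)] for backend, names in RULES}


# 'server NAME ADDR options...' lines; options are inspected for 'ssl' and 'verify none'
SERVER_LINE = re.compile(r"^\s*server\s+(\S+)\s+(\S+)(.*)$", re.MULTILINE)


def unverified_ssl_servers(config_text):
    """Names of 'server' entries that speak TLS upstream but skip certificate verification."""
    found = []
    for m in SERVER_LINE.finditer(config_text):
        name, _addr, opts = m.groups()
        opts = opts.split()
        if "ssl" in opts and "verify" in opts and opts[opts.index("verify") + 1] == "none":
            found.append(name)
    return found


# Constructed excerpt: the server lines from the posted backends, options unchanged
SAMPLE_BACKENDS = """
server pfsense 10.0.1.254:10443 id 101 ssl check inter 1000  verify none resolvers globalresolvers
server truenas 10.0.1.33:3443 id 103 ssl check inter 1000  verify none resolvers globalresolvers
server Omada_ctrler 10.0.1.11:8043 id 105 ssl check inter 1000  verify none resolvers globalresolvers
server Homeassistant 10.0.1.88:8123 id 107 check inter 1000  resolvers globalresolvers
server Kuma 172.16.20.10:3001 id 109 check inter 1000  resolvers globalresolvers
"""

if __name__ == "__main__":
    for host, src in [("truenas.home.DOMAIN.com", "10.0.2.5"),
                      ("router.home.DOMAIN.com", "10.0.2.5"),
                      ("truenas.home.DOMAIN.com:443", "10.0.1.5")]:
        req = Request(host, src)
        print(f"{host:32} from {src:10} -> {select_backend(req)}  failed ACLs: {explain(req)}")
    print("upstream TLS without verification:", unverified_ssl_servers(SAMPLE_BACKENDS))
```

Running the script shows that a correctly resolving `truenas.home.DOMAIN.com` request is routed to `truenas_ipvANY` from either listening subnet, while `router` only routes from 10.0.1.0/24. Since the simulation always yields either a backend or a 503, a browser reporting `ERR_CONNECTION_REFUSED` means the TCP connection never reached this frontend at all, which is the point made later in the thread about name resolution and firewall rules.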

        @digimd
        You have only one frontend, which is listening on port 443.
        Maybe I'm not clear on what you intend. Accessing the same hosts with and without SSL? Or redirecting non-SSL to SSL?

          digimd @viragomann

          @viragomann I have one frontend that handles the ACLs. I am accessing backends with https with an unsigned cert, and one with http. They belong to different services. I intend to access my self-hosted services with proper ssl without opening a WAN port.

            viragomann @digimd

            @digimd
            And which host is not accessible?

              digimd @viragomann

              @viragomann All are unreachable except for router, which points to my pfSense.

                viragomann @digimd

                @digimd
                Try to remove the checks at
                "Add ACL for certificate CommonName"
                "Add ACL for certificate Subject Alternative Names"
                in the frontend settings.

                For testing the connection you can also state a default backend and see if you can access it.
                If this works, the rules are not applied.

                  digimd @viragomann

                  @viragomann I removed the checks when present and it made no difference. I set a default backend other than router, and no change either.

                  I am considering moving to a self-hosted reverse proxy and getting it done.

                    viragomann @digimd

                    @digimd
                    You said you just get a timeout when you try to access a page.
                    If the request hits HAProxy, it will give some response, however. So I suspect that there is something else wrong.

                    Ensure that the host name resolves properly to the IP which HAProxy is listening on.

                      digimd @viragomann
                      last edited by digimd

                      @viragomann I am not sure what type of error. Essentially the page is unreachable, without an error code. I am remoting now through Tailscale on pfSense and I get this, which is likely a DNS or firewall rule:

                      ERR_CONNECTION_REFUSED

                      I changed listening IPs to 0.0.0.0:443 and no change. Could this be a firewall rule issue?!

                        viragomann @digimd

                        @digimd
                        It could maybe be a reject rule giving this error. However, do you have any?

                        If I got you correctly, you want to access the sites only from inside the network?

                          digimd @viragomann

                          @viragomann Yes, I meant to keep all ssl access local. I have the listening interfaces allowed to access all target destinations. I am just throwing the idea although I don't think it's the issue. Thank you for following through.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.