Please help to configure HAProxy to serve certificate on internal LAN too
-
@ha11oga11o Your next troubleshooting step is to figure out who or what is serving the 192.168.1.214 record, and why, and then remove it.
-
Yeah, I agree. Something is serving my whole LAN, not only .214. Any other server I add to the proxy behaves exactly the same.
TBH I have no idea what could be serving my LAN in a loopback. And I don't dare experiment with any of the settings under General or Advanced because I don't know what 80% of them actually do.
But could this do something like this?
-
@ha11oga11o I suspect your DHCP configuration.
-
Nothing there that I can see. Nothing is added; everything is actually unticked. The only thing I tweaked, a long time ago, was defining a static pool, and that's it.

-
@ha11oga11o What version of pfSense is this system running?
-
2.8.1-RELEASE (amd64)
built on Thu Aug 28 18:09:00 CEST 2025
FreeBSD 15.0-CURRENT
haproxy net 0.63_11
Fair question. I did not find it important because one should not seek advice on forums if the box is not at least up to date.
-
I changed this from manual to automatic and got a different response from dig.

It went from

;; ANSWER SECTION:
nextcloud.xxx. 3600 IN A 192.168.1.214
nextcloud.xxx. 3600 IN A 192.168.1.1

to

;; ANSWER SECTION:
nextcloud.xxx. 3600 IN A 192.168.1.1
nextcloud.xxx. 3600 IN A 192.168.1.214

They switched places, but it still redirects the same.
-
@ha11oga11o you are probably registering DHCP in Unbound. Or you are registering statics if you have a reservation, which is why you're seeing both.
Look in your unbound settings - do you have this checked?

If so, then yeah, you would have the host override you created and also the DHCP entry, which is why you would get 2 answers. And yeah, they could flip-flop, with .1 being first on one query, and .214 being first on the next query, or 3 queries later, etc.
This is one of the perfect examples of why you shouldn't use your public domain internally. Then you can never run into such problems.
I have multiple public domains where I can point records at my public IP.. But I use home.arpa internally.
-
-
@ha11oga11o you can uncheck that - but you would then lose the ability to resolve any resources internally unless you create host overrides for them.
Or set reservations for them and register those.
See my edit of the previous post - I'm not a fan of using the same domain publicly and internally if you are going to have stuff on that domain that resolves on the public side - I would suggest you just use, say, home.arpa as your internal name - then you would never run into such an issue.
-
My goal is only to be able to use nextcloud.mydomain.xx both outside and inside the LAN.
Outside, all works fine. As I understand it, if I'm on the local LAN with a phone, we will not be able to resolve nextcloud.mydomain.xx. It will not be reachable?
That is a different issue with the same outcome then.
We need to be able to use it outside and in the house without VPN fiddling.
I did create a host override. You can see it in the posts above; I placed a bunch of pictures. Is that what you are talking about?
Thanks!
-
Oh yeah, 192.168.1.214 is statically bound to its MAC address.
I unticked both DHCP Registration and Static DHCP Registration and now dig returns only 192.168.1.1, but I can't access it from the LAN anymore. I do have the host override as posted in the pics above. But we cannot resolve it anymore.
Is there anything else I need to do so we gain access to nextcloud.mydomain.xx within the local LAN?
Guys, thank you in advance.
-
@ha11oga11o if you resolve nextcloud.mydomain.xx to your external IP, i.e. the same one public people do, then it would be handled by your haproxy.
Example: I have SSL offloading for external users for the public FQDN something.mydomain.tld - this resolves externally to my public IP that hits the pfSense WAN; this also resolves to my public IP when on my local network, so again haproxy handles the SSL, etc.
But if I wanted or needed to access that directly on my local LAN, then I use its name.home.arpa:port, the port that the service is on, which doesn't do SSL, etc.
What is the point of using the same fqdn internally and externally? What do you think that gets you other than issues?
-
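As an illustration of the two points johnpoz makes above (the two A records that flip-flop because a host override and a DHCP registration are both answering, and the later model in which the name resolves inside the LAN to the same WAN address it does outside, so HAProxy terminates TLS for everyone), here is a small diagnostic. It is example code written for this edit, not code from the thread, pfSense or Unbound. It assumes dig is installed on the client, takes 192.168.1.1 as the LAN resolver from the thread, uses 9.9.9.9 as a stand-in public resolver (an assumption), and embeds constructed dig output modelled on the two runs pasted earlier in the thread.

```python
"""Diagnostic for the 'two answers that swap order' symptom and for checking that a
name resolves the same way inside and outside the LAN. Example code, not from the thread."""
import ipaddress
import re
import subprocess

# From the thread: 192.168.1.1 is the pfSense/Unbound resolver. The public resolver is an
# assumption for this example; any external resolver works.
LAN_RESOLVER = "192.168.1.1"
PUBLIC_RESOLVER = "9.9.9.9"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(addr: str) -> bool:
    """True for RFC 1918 addresses, i.e. answers that point straight at a LAN host."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_answer(dig_output: str) -> list[str]:
    """Return the A record addresses, in answer order, from dig's ANSWER SECTION.
    Works whether records are one per line or collapsed onto one line, as in the forum paste."""
    section = re.search(r";; ANSWER SECTION:(.*?)(?=\n;;|\Z)", dig_output, re.S)
    if not section:
        return []
    return re.findall(r"\S+\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})", section.group(1))


def diagnose(runs: list[list[str]]) -> dict:
    """Summarise several parsed answers for the same name (one list per dig invocation)."""
    addrs = sorted({a for run in runs for a in run}, key=ipaddress.IPv4Address)
    lan = [a for a in addrs if is_lan(a)]
    rotates = len({tuple(run) for run in runs}) > 1  # order differs between queries
    if not addrs:
        verdict = "no-answer"          # resolver does not know the name at all
    elif len(addrs) > 1:
        verdict = "multiple-sources"   # e.g. host override plus DHCP registration both answer
    elif lan:
        verdict = "lan-direct"         # split DNS straight to the backend, HAProxy bypassed
    else:
        verdict = "same-as-outside"    # resolves to the WAN address, HAProxy terminates TLS
    return {"addresses": addrs, "lan": lan, "rotates": rotates, "verdict": verdict}


def matches_outside(inside: dict, outside: dict) -> bool:
    """The state johnpoz describes: inside the LAN the name resolves exactly as it does
    for public clients, to a non-RFC1918 address."""
    return inside["verdict"] == "same-as-outside" and inside["addresses"] == outside["addresses"]


def query(name: str, resolver: str, runs: int = 3) -> list[list[str]]:
    """Live helper: runs dig several times so a rotating answer set shows up.
    Needs dig on PATH and network access; not exercised offline."""
    results = []
    for _ in range(runs):
        proc = subprocess.run(["dig", f"@{resolver}", name, "A"],
                              capture_output=True, text=True, check=True)
        results.append(parse_answer(proc.stdout))
    return results


# Constructed sample output modelled on the two dig runs pasted in the thread.
SAMPLE_RUN_1 = """;; ANSWER SECTION:
nextcloud.xxx. 3600 IN A 192.168.1.214
nextcloud.xxx. 3600 IN A 192.168.1.1

;; Query time: 0 msec
"""
SAMPLE_RUN_2 = """;; ANSWER SECTION:
nextcloud.xxx. 3600 IN A 192.168.1.1 nextcloud.xxx. 3600 IN A 192.168.1.214
;; Query time: 0 msec
"""


def sample_diagnosis() -> dict:
    return diagnose([parse_answer(SAMPLE_RUN_1), parse_answer(SAMPLE_RUN_2)])


if __name__ == "__main__":
    print("constructed sample:", sample_diagnosis())
    # Live comparison; uncomment on a LAN client with dig installed.
    # inside = diagnose(query("nextcloud.mydomain.xx", LAN_RESOLVER))
    # outside = diagnose(query("nextcloud.mydomain.xx", PUBLIC_RESOLVER))
    # print("inside:", inside, "\noutside:", outside)
    # print("behaves the same in and out:", matches_outside(inside, outside))
```

Run it against the constructed sample and the verdict is "multiple-sources" with rotates set, which is exactly the round-robin between the override and the registered lease. After the registrations are unticked and the override points at the WAN address, the live comparison should report "same-as-outside"; a "lan-direct" verdict means the phone will hit the backend without HAProxy's certificate.
-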
@johnpoz said in Please help to configure HAProxy to serve certificate on internal LAN too:
@ha11oga11o if you resolve nextcloud.mydomain.xx to your external IP, i.e. the same one public people do, then it would be handled by your haproxy.
Example: I have SSL offloading for external users for the public FQDN something.mydomain.tld - this resolves externally to my public IP that hits the pfSense WAN; this also resolves to my public IP when on my local network, so again haproxy handles the SSL, etc.
But if I wanted or needed to access that directly on my local LAN, then I use its name.home.arpa:port, the port that the service is on, which doesn't do SSL, etc.
What is the point of using the same fqdn internally and externally? What do you think that gets you other than issues?
In this case the problem is that the phone Nextcloud client hangs when switching between outside and inside. It simply cannot be used when inside the LAN. Well, it can be used either out or in. But to switch, it needs to be totally reset and synced.
It remembers which connection is allowed, with which cert, and sticks to that. Basically it's useless until I sort this out to behave exactly the same out and in.
I can't believe no one has had a similar issue with a self-hosted home lab?? I'm sure someone has needed to do things like this?
Thank you again.
