HAproxy Routing Assistance - External Resolution Fail and Internal Weirdness
-
Hello,
I figure two fruitless posts on reddit and it's time to come ask the big dogs here at the official watering hole.
I want to use HAproxy so I can give out a URL to my family for Ombi/Plexrequests.
I want the URL to be a sub-domain with the syntax of: request.FQDN.com.
I have my domain registered through Google Domains.
Within Google Domains DNS, I have set request.FQDN.com to WAN.IP.
Within pfSense, I have a WAN firewall rule to pass 8080 to self/This Firewall.
I have a front-end configured listening on WAN.IP:8080
With an ACL looking for request.FQDN.com >> Using the Backend of Ombi which is set for LAN.IP:3579.
Internally, if I go to request.FQDN.com it loads the pfSense WebUI with a Rebind DNS attack warning.
However, internally, if I go to request.FQDN.com:8080 it redirects to the Ombi/PlexRequests login page as desired.
This was due to my using my cellphone with LTE+Wifi. Using a local-only client, it fails to resolve completely internally.
Externally, I only receive "connection refused" messages. I've never gotten it to resolve through HAproxy externally.
Edit: I just tried accessing request.FQDN.com:8080 externally and it redirected properly!
~~Despite my dozen other forwarded ports that have been set up for years, I wanted to make sure I knew what I was doing. NAT'ing the direct port to my LAN IP allows for external resolution just fine; but it's ugly since it redirects from request.FQDN.com to WAN.IP:3579 in the address bar. I am, admittedly, being a stickler for the details in not accepting that as a valid option but I'd prefer to rely on the security of HAproxy than some still-in-development login portal.
I've been at this now for over 12 hours…
I confirmed with the Ombi/PlexRequests developer that, with a sub-domain setup specifically, the Base URL field is not necessary.~~
With this new finding, my question is now: how can I make it so that request.FQDN.com is all that is needed?
request.FQDN.com:8080, while functional, goes against my "easy URL" desire.
Please let me know if there is any information or logs that can help (the proverbial) you in helping (the real) me.
-
If you want to just be able to give out host.fqdn.com as the URL you'll need to move the front end to port 80. I would suggest that instead you move it to 443 and use the ACME package to add TLS to your service; users would then have to use https://host.fqdn.com but you'd provide a bit more security if you're using any kind of username / password on ombi.
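
The layout suggested in the reply above, written out as an haproxy.cfg equivalent; this is an added example, not part of the original thread and not the configuration the pfSense package generates from its GUI. Assumptions: 203.0.113.10 stands in for WAN.IP, 192.168.1.50 for LAN.IP, request.example.com for request.FQDN.com, the certificate path is a placeholder, the pfSense web GUI has been moved off ports 80/443, and WAN rules pass 80 and 443 to the firewall.

```haproxy
# Added example; addresses, hostname and certificate path are placeholders.
global
    # Refuse legacy TLS versions on every bind line
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80 exists only to send browsers to HTTPS, so the plain
# hostname works without a port number in the URL.
frontend http_in
    bind 203.0.113.10:80
    http-request redirect scheme https code 301

# TLS terminates here; the PEM holds the certificate chain and key
# (for example one issued through the ACME package).
frontend https_in
    bind 203.0.113.10:443 ssl crt /path/to/request.example.com.pem

    # Match on the Host header, case-insensitively
    acl host_request hdr(host) -i request.example.com
    use_backend ombi if host_request

    # No default_backend on purpose: a request whose Host header is
    # anything else (bare WAN IP, scanners) gets a 503 from HAProxy
    # and never reaches a LAN service.

backend ombi
    # Ombi stays on its LAN address and port; only HAProxy is exposed
    server ombi1 192.168.1.50:3579 check
```

With this layout the WAN rule for 8080 and any direct NAT to port 3579 are no longer needed and can be removed, so Ombi's login page is reachable only through the TLS frontend.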