Setting reversed proxy

varazir

ok got both of the web servers to work I had to change the Health checking to basic and enable SSL checks

PiBa

@varazir
Though it works its probably better to change health-check's for the webservers back to http, and see what the LastChk column in stats says. Might be a forbidden method, or a authentication required, or it needs a sni indication in the check request, or a host header, or something. That is the thing to change and or fix to make health-checks pass on a webserver.

As for the openvpn connection, i expect it is not actually sending a proper ssl encapsulated request.. As such you might need a 'special' acl where you could put the "!{ req.ssl_hello_type 1 } !{ req.len 0 }" in the acl for that use_backend action that might make it sellect the right backend, and allow it to connect.

Can you share the config as you got it now?

varazir

@piba

I have updated my Git https://gist.github.com/varazir/319b50bef3e4de1284ef52b38aaf5e23
The web2 keeps getting "active or backup DOWN for maintenance (MAINT) "
When I update the setting it works fine for a min or 2.

Not sure where to add "!{ req.ssl_hello_type 1 } !{ req.len 0 }"

I guess there

varazir

I removed the check on web2

PiBa

@varazir
What did stats page LastChk say when it was down? (hover over it with your mouse)

PiBa

@varazir
Instead of this

use_backend Octoprint_ipvANY  if  Octoprint 

make that like:

use_backend Octoprint_ipvANY  if !{ req.ssl_hello_type 1 } !{ req.len 0 }

varazir

@piba

That is from the config file trying to find how to set it in the GUI :P

varazir

@piba When it's working it say Layer7 check passed: OK

PiBa

@varazir
You already wrote 'Octoprint' in that same textfield you can put the other acl text..

As for above maint line it looks like the 'zwave' servername might not resolve DNS easily to a IP? That shouldnt depend on the type of check used anyhow.. Perhaps give it a few seconds more to resolve? And the check again? A L7 check that passes would be good..

varazir

@piba Well I have to look at the openVPN tomorrow, getting late.

Thanks for your help

varazir

@piba

Where should I place in the GUI this again ? Front or back end ?

use_backend Octoprint_ipvANY  if !{ req.ssl_hello_type 1 } !{ req.len 0 }

PiBa

@varazir
Where in the gui did you write 'Octoprint'?

( For a Frontend - action ? )

--Edit--
Though i think i got your backends mixed up.
Should use the special acl for the 'openvpn' action acl name.

jimp

Word of warning: Make extra sure that you do not expose OctoPrint to the Internet. It is not designed to do that. Keep it locked behind a VPN.

Personally, I run haproxy directly on my OctoPrint Pis (and acme.sh to do the certs). It only takes a very small/simple config. Much more secure that way.

varazir

@piba said in Setting reversed proxy:

@varazir
Where in the gui did you write 'Octoprint'?

( For a Frontend - action ? )

Front end but it's OpenVPN that is the issue. It's on the same port on pfSense.

Octoprint back/frontend works fine
I changed to IP and now the health check works much better.

varazir

@jimp said in Setting reversed proxy:

Word of warning: Make extra sure that you do not expose OctoPrint to the Internet. It is not designed to do that. Keep it locked behind a VPN.

Personally, I run haproxy directly on my OctoPrint Pis (and acme.sh to do the certs). It only takes a very small/simple config. Much more secure that way.

ya I read that.
Octopi comes with HAProxy, I have setup a extra authentication. Using acl / http-request auth not sure if it's enoufe or there are other things that is not designed.

How can you open port 80/443 to several hosts that using certbot ?

jimp

If it's protected by at least some kind of auth it may be OK, but I still would prefer to keep it behind a VPN.

As for certbot, that would probably just get routed based on the requested hostname. Should work with plain http and some ACLs. I use acme.sh and DNS-01 challenges though, I do not want any inbound web requests hitting my Pis.

PiBa

@varazir
Yes sorry i mixed up your backends/acls.. Where i wrote octoprint i ment openvpn at least for the last few posts..

use_backend Openvpn_ipvANY  if  !{ req.ssl_hello_type 1 } !{ req.len 0 }

Anyhow still location to put that is the frontend/action acl-name.

varazir

@piba said in Setting reversed proxy:

@varazir
Yes sorry i mixed up your backends/acls.. Where i wrote octoprint i ment openvpn at least for the last few posts..

use_backend Openvpn_ipvANY  if  !{ req.ssl_hello_type 1 } !{ req.len 0 }

Anyhow still location to put that is the frontend/action acl-name.

acl name :) thanks found the field thanks.

Now everything works.

varazir

@jimp said in Setting reversed proxy:

If it's protected by at least some kind of auth it may be OK, but I still would prefer to keep it behind a VPN.

As for certbot, that would probably just get routed based on the requested hostname. Should work with plain http and some ACLs. I use acme.sh and DNS-01 challenges though, I do not want any inbound web requests hitting my Pis.

I'm looking at the script I was using the command line that came with Let's Encrypt and this guide

https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04

This all started more or less with getting the Lets encrypt not needing to do a portforward each time.

jimp

If you are going to run all the haproxy bits on pfSense there is a script you can use to hook into the ACME package to handle all of that locally for any hostname.

https://forum.netgate.com/topic/90643/let-s-encypt-support/31