Accessing from LAN
-
Fairly new to HAProxy.
I have HAProxy configured for a Nextcloud Docker instance running on port 8080, with an internal IP (HTTP only).
I've set up the backend and frontend. pfSense is set up with a commercial SSL wildcard cert.
I am able to reach the Nextcloud instance from the external network using the FQDN (HTTPS).
I can't, however, reach the same from within the LAN with the FQDN over HTTPS. I'm only able to access Nextcloud with the internal IP:8080.
Any ideas what I'm doing wrong?
I have an entry for the Nextcloud instance in the DNS Resolver too. I'm able to ping the FQDN from the network & it resolves correctly to the internal IP.
Here's my haproxy.cfg:
global
    maxconn 1000
    log /var/run/log syslog debug
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbproc 1
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    log-send-hostname HaproxyMasterNode
    server-state-file /tmp/haproxy_server_state
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 10
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend Frontend-1-HTTPS
    bind 195.1.1.1:443 name 195.1.1.1:443 ssl crt-list /var/etc/haproxy/Frontend-1-HTTPS.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl nextcloud var(txn.txnhost) -m str -i nextcloud.foo.com
    acl aclcrt_Frontend-1-HTTPS var(txn.txnhost) -m reg -i ^([^\.]*)\.foo\.com(:([0-9]){1,5})?$
    acl aclcrt_Frontend-1-HTTPS var(txn.txnhost) -m reg -i ^foo\.com(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend nextcloud_ipvANY if nextcloud aclcrt_Frontend-1-HTTPS

backend nextcloud_ipvANY
    mode http
    id 100
    log global
    errorfile 503 /var/etc/haproxy/errorfile_nextcloud_ipvANY_503_Maintenance
    timeout connect 30000
    timeout server 30000
    retries 3
    server nextcloud 192.168.1.92:8080 id 101
-
Most likely you haven't set up a frontend listener on your internal network.
-
@Mats thank you.
Sorry, I'm a complete newbie to this. However, I added these 2 FE entries. This is the revised haproxy.cfg.
I did this & it still doesn't work. Do I need to listen on port 8080?

global
    maxconn 1000
    log /var/run/log syslog debug
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbproc 1
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    log-send-hostname HaproxyMasterNode
    server-state-file /tmp/haproxy_server_state
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 10
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend Frontend-1-HTTPS
    bind ExternalIP:443 name ExternalIP:443 ssl crt-list /var/etc/haproxy/Frontend-1-HTTPS.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl nextcloud var(txn.txnhost) -m str -i nextcloud.foo.com
    acl aclcrt_Frontend-1-HTTPS var(txn.txnhost) -m reg -i ^([^\.]*)\.foo\.com(:([0-9]){1,5})?$
    acl aclcrt_Frontend-1-HTTPS var(txn.txnhost) -m reg -i ^foo\.com(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend nextcloud_ipvANY if nextcloud aclcrt_Frontend-1-HTTPS

frontend Frontend-Internal
    bind 192.168.1.1:80 name 192.168.1.1:80
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl nextcloud var(txn.txnhost) -m str -i nextcloud.foo.com
    http-request set-var(txn.txnhost) hdr(host)
    http-request redirect scheme https if nextcloud

frontend Frontend-1-HTTP
    bind ExternalIP:80 name ExternalIP:80
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl nextcloud var(txn.txnhost) -m str -i nextcloud.foo.com
    http-request set-var(txn.txnhost) hdr(host)
    http-request redirect scheme https if nextcloud

backend nextcloud_ipvANY
    mode http
    id 100
    log global
    errorfile 503 /var/etc/haproxy/errorfile_nextcloud_ipvANY_503_Maintenance
    timeout connect 30000
    timeout server 30000
    retries 3
    server nextcloud 192.168.1.92:8080 id 101

Here's what my frontend & backend look like.
-
Sorry. I missed that you said FQDN from the inside.
You want to do https://FQDN and end up on your Nextcloud server:8080?
That makes it a little more complex, but it is still doable. For this to work we must send the HTTPS traffic to HAProxy so that it can forward it to the Nextcloud box.
The first challenge is that your FQDN points to the Nextcloud server.
The second challenge is that port 443 on your pfSense box hopefully is in use for the web interface already.
The third challenge is to make HAProxy forward as it should.
In this case I would start with fixing a "free" 443 port. My preferred way to do that is to use a virtual IP. It gives us a new IP that you can point a FQDN against, and since it's a different IP, port 443 is unused.
You create a virtual IP under Firewall / Virtual IPs.
Use type IP alias and provide an unused IP address (192.168.1.2 might be good in your case); /32 will be the right mask in this case.
With that done we can now focus on getting HAProxy to forward the traffic. For that a frontend that listens on the virtual IP (192.168.1.2):443 is required. Create that and connect it to the Nextcloud backend.
The next step is to create a firewall rule that allows traffic from the internal network to the virtual IP:443 (it will not work without it, and yes, I have missed that rule more than once).
The last step is making it reachable on the FQDN. The quick fix is to change the internal DNS so that the FQDN points to the virtual IP.
In theory this should do the trick; it's what I'm doing in a similar scenario.
-
Thanks a ton.
It worked..
The only downside is that I run Nextcloud without any SSL certs inside the Docker container (insecure mode), and when I access it I get these errors:
There are some warnings regarding your setup.
The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips.
Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.
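As an added example (not config from the thread or from pfSense's generator), here is what the internal virtual-IP frontend from Mats's steps looks like in haproxy.cfg, extended with the HSTS header and the /.well-known redirects that clear the Nextcloud warnings quoted above. It assumes the virtual IP 192.168.1.2, the crt-list path and the nextcloud_ipvANY backend already shown in the thread; the frontend name and the host_nextcloud ACL name are made up.

```haproxy
# Added example, not the thread's own config. Assumes the virtual IP 192.168.1.2
# from Mats's reply, the crt-list already used by Frontend-1-HTTPS, and the
# existing backend nextcloud_ipvANY. The pfSense firewall rule (LAN -> 192.168.1.2:443)
# and the DNS Resolver override (nextcloud.foo.com -> 192.168.1.2) live in the
# pfSense GUI, not in this file.
frontend Frontend-Internal-HTTPS
    bind 192.168.1.2:443 name 192.168.1.2:443 ssl crt-list /var/etc/haproxy/Frontend-1-HTTPS.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    timeout client 30000

    # TLS terminates here; the hop to 192.168.1.92:8080 is plain HTTP, so tell
    # Nextcloud the client really arrived over HTTPS (it builds redirect URLs from this).
    http-request set-header X-Forwarded-Proto https

    # Route only the expected name. field(1,:) drops an optional ":port" suffix.
    acl host_nextcloud req.hdr(host),field(1,:) -m str -i nextcloud.foo.com

    # Clears the "/.well-known/caldav" and "/.well-known/carddav" warnings:
    # answer them at the edge with a 301 to Nextcloud's DAV endpoint.
    http-request redirect location /remote.php/dav/ code 301 if host_nextcloud { path_beg /.well-known/caldav /.well-known/carddav }

    # Clears the HSTS warning: 15552000 seconds is 180 days, the minimum Nextcloud
    # checks for. Browsers cache this policy, so add it only once HTTPS works everywhere.
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains"

    use_backend nextcloud_ipvANY if host_nextcloud
    # Deliberately no default_backend: a request with an unexpected Host header
    # gets HAProxy's 503 instead of being forwarded to the Nextcloud container.
```

Because the container itself stays HTTP-only, the HSTS header is added by HAProxy on the way out, which is why it belongs in this frontend rather than inside Nextcloud.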