Netgate Discussion Forum

    Using HAproxy for reverse proxy with / in the backend

    • E
      Evertvh

      Long time lurker first time poster

      I have recently been able to set up a reverse proxy using HAProxy in my pfSense firewall and most sites work correctly, but seeing as my knowledge is limited to home learning (homelab) I am struggling with getting access to certain virtual servers on my Webmin server. For instance, I have a virtual server for email running on 192.168.0.20 and then the Roundcube script installed to access the email on 192.168.0.20/roundcube. I would like to access the Roundcube site externally, but when I try to reach mail.mydomain.com/roundcube it just takes me to the 192.168.0.20 address and not the /roundcube address. How would I go about solving this issue? I tried adding the / address in HAProxy but it is invalid; I figured as much, but it was worth a try. Is there another way to reach the /roundcube address through HAProxy?

      • P
        PiBa @Evertvh

        @Evertvh
        So visiting https://192.168.0.20/roundcube works locally?
        What haproxy configuration have you made? Can you share haproxy.cfg from the bottom of the settings tab?
        Also, I'm not sure what you mean by visiting mail.yourdomain brings you to 0.20. Is the browser receiving a redirect from the Roundcube server? Why is it sending that?

        • E
          Evertvh

          @Evertvh said in Using HAproxy for reverse proxy with / in the backend:

          e 192.168.0.

          Sorry let me see if I can clarify a bit better.

          I am running a Virtualmin host on 192.168.1.20 and have set up a virtual server on the same IP called remote-entry, and set up a mail server for that so that I can use my own private mail server and webserver. But since I have a Nextcloud instance using the 80 and 443 ports, I started looking into reverse proxies. I have a bit of knowledge of Nginx but tried HAProxy within pfSense. Now my issue is that locally I can access 192.168.1.20/roundcube to access my mail server, and from there I can send and receive emails, but I would like to access these emails from the outside via mail.remote-entry.tld. So I started with setting up my backend so that I can reach Virtualmin through vip.remote-entry.tld, and that works, but what I can't set up is reaching Roundcube, because in the backend if I had 192.168.1.20/roundcube it gives me an error. So how would I solve this? Below is the config file (everything is basically the same except the names have been changed). Also note that you will not see anything for Roundcube in the backend because I can't create it, and that I use a VIP for the HAProxy and NAT as it works best for me for now.

          gid			80
          nbproc			1
          nbthread			1
          hard-stop-after		15m
          chroot				/tmp/haproxy_chroot
          daemon
          tune.ssl.default-dh-param	2048
          server-state-file /tmp/haproxy_server_state
          

          listen HAProxyLocalStats
          bind 127.0.0.1:444 name localstats
          mode http
          stats enable
          stats admin if TRUE
          stats show-legends
          stats uri /haproxy/haproxy_stats.php?haproxystats=1
          timeout client 5000
          timeout connect 5000
          timeout server 5000

          frontend HTTP_80
          bind 192.168.1.5:80 name 192.168.1.5:80
          mode http
          log global
          option http-keep-alive
          option forwardfor
          acl https ssl_fc
          http-request set-header X-Forwarded-Proto http if !https
          http-request set-header X-Forwarded-Proto https if https
          timeout client 30000
          http-request redirect scheme https

          frontend HTTPS_443
          bind 192.168.1.5:443 name 192.168.1.5:443 ssl crt-list /var/etc/haproxy/HTTPS_443.crt_list
          mode http
          log global
          option http-keep-alive
          option forwardfor
          acl https ssl_fc
          http-request set-header X-Forwarded-Proto http if !https
          http-request set-header X-Forwarded-Proto https if https
          timeout client 30000
          acl freenas var(txn.txnhost) -m beg -i ns.remote-entry.tld
          acl cloud var(txn.txnhost) -m beg -i cloud.remote-entry.tld
          acl cloud2 var(txn.txnhost) -m beg -i cloud.otherdomain.tld
          acl cloud3 var(txn.txnhost) -m beg -i cloud.otherdomain.tld
          acl cloud4 var(txn.txnhost) -m beg -i cloud.otherdomain.tld
          acl cloud5 var(txn.txnhost) -m beg -i cloud.otherdomain.tld
          acl vip var(txn.txnhost) -m str -i vip.remote-entry.tld
          acl aclcrt_HTTPS_443 var(txn.txnhost) -m reg -i ^([^.]*).remote-entry.tld(:([0-9]){1,5})?$
          acl aclcrt_HTTPS_443 var(txn.txnhost) -m reg -i ^cloud.otherdomain1.tld(:([0-9]){1,5})?$
          acl aclcrt_HTTPS_443 var(txn.txnhost) -m reg -i ^cloud.otherdomain2.tld(:([0-9]){1,5})?$
          acl aclcrt_HTTPS_443 var(txn.txnhost) -m reg -i ^cloud.otherdomain3.tld(:([0-9]){1,5})?$
          acl aclcrt_HTTPS_443 var(txn.txnhost) -m reg -i ^cloud\vip.remote-entry.tld(:([0-9]){1,5})?$
          acl aclcrt_HTTPS_443 var(txn.txnhost) -m reg -i ^cloud.otherdomain.tld(:([0-9]){1,5})?$
          http-request set-var(txn.txnhost) hdr(host)
          use_backend Cloud_ipvANY if cloud1 aclcrt_HTTPS_443
          use_backend Cloud_ipvANY if cloud2 aclcrt_HTTPS_443
          use_backend Cloud_ipvANY if cloud3 aclcrt_HTTPS_443
          use_backend Cloud_ipvANY if cloud4 aclcrt_HTTPS_443
          use_backend Cloud_ipvANY if cloud5 aclcrt_HTTPS_443
          use_backend webmin_ipvANY if vip aclcrt_HTTPS_443

          backend Cloud_ipvANY
          mode http
          id 104
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          option httpchk OPTIONS /
          server cloud 192.168.1.XX:443 id 105 ssl check inter 1000 verify none crt /var/etc/haproxy/server_clientcert_5eac2ed517b6d.pem

          backend vip_ipvANY
          mode http
          id 102
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          option httpchk OPTIONS /
          server webmin 192.168.1.20:10000 id 103 ssl check inter 1000 verify none

          • P
            PiBa @Evertvh

            @Evertvh said in Using HAproxy for reverse proxy with / in the backend:

            in the backend if I had 192.168.1.20/roundcube it gives me an error

            Yes, a 'server' is defined by an IP:Port combination. That does not include a URL path.
            So if you just add a backend for server: 192.168.1.20:443, or is it :80? Anyhow, whatever port it's using. How far does that make it work for you then?
            You could add an acl that checks for the mail domain and forwards traffic to the roundcube backend then, right?
            Do 'stats' then show the server as 'UP'?
            What happens if you then visit 'https://mail.remote-entry.tld/roundcube'?

            • E
              Evertvh

              @PiBa said in Using HAproxy for reverse proxy with / in the backend:

              acl that chec

              Yeah, that part I understand, that it's IP:port and that /roundcube is a URL.

              Yes, the server shows as up under stats.

              If I do go and say https://mail.remote-entry.tld/roundcube I get a "Server does not exist" return, because technically the correct path for Roundcube is https://remote-entry.tld/roundcube

              And if I did get https://mail.remote-entry.tld/roundcube working it would defeat the purpose of what I am trying to achieve.

              I tried looking at an ACL that will look for roundcube but maybe I am misunderstanding how it will work.

              Should I do an ACL that looks for roundcube and that points to an ACL that works for https://remote-entry.tld/roundcube

              where the https://remote-entry.tld/roundcube ACL is just https://mail.remote-entry.tld and that points to the backend of
              https://192.168.1.20.

              Maybe I am making a mountain out of a molehill and would be better served using Nginx as a reverse proxy.

              • P
                PiBa @Evertvh

                @Evertvh said in Using HAproxy for reverse proxy with / in the backend:

                If I do go and say https://mail.remote-entry.tld/roundcube I get a "Server does not exist" return, because technically the correct path for Roundcube is https://remote-entry.tld/roundcube

                'Who' is saying the server doesn't exist? I presume you have got the proper DNS records in place to point to haproxy?

                In your first post you wrote "but when i try to reach mail.mydomain.com/roundcube it just takes me to the 192.168.0.20", which sounds like you actually did get a response? (No idea if that was with http or https though, as you seem to forget to actually specify these details, which might actually matter.)

                @Evertvh said in Using HAproxy for reverse proxy with / in the backend:

                if I did get https://mail.remote-entry.tld/roundcube working it would defeat the purpose of what I am trying to achieve.

                What are you trying to achieve?

                • What is the desired URL to visit in a browser?
                • What have you configured? (Show the current config?)
                • What is the current effect?
                • What have you checked and what do you expect might need to change?
                • Is a request from the browser currently already sent to the 'correct' webserver, but its virtual-server configuration just doesn't recognize the proper website to reply for? If so, perhaps a simple set-header command with the actual domain would suffice?

                Anyhow, I'm struggling with parsing your reply and thoughts mixed together with a seemingly large lack of understanding.

                1 Reply Last reply Reply Quote 0
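
PiBa's suggestions from the thread (a server that is only IP:port, an ACL on the mail hostname, and a set-header with the actual domain), combined into one HAProxy fragment as an added example that is not part of any post. The ACL and backend names, port 443 on 192.168.1.20, the path restriction and the Location rewrite are assumptions, not details confirmed in the thread.

```haproxy
# Added example, not from the thread. Assumed: acl names "mail" and
# "rc_path", backend/server name "roundcube", and backend port 443.

frontend HTTPS_443
    bind 192.168.1.5:443 name 192.168.1.5:443 ssl crt-list /var/etc/haproxy/HTTPS_443.crt_list
    mode http
    option forwardfor
    timeout client 30000
    http-request set-header X-Forwarded-Proto https

    # Exact, case-insensitive Host match (with and without the port).
    acl mail hdr(host) -i mail.remote-entry.tld mail.remote-entry.tld:443
    use_backend roundcube_ipvANY if mail

backend roundcube_ipvANY
    mode http
    timeout connect 30000
    timeout server 30000

    # The URL path is matched on the request, never written on the server line.
    acl rc_path path /roundcube
    acl rc_path path_beg /roundcube/

    # Bare hostname: send the browser to the application path.
    http-request redirect location /roundcube/ code 302 if { path / }

    # Expose only Roundcube through this hostname; other paths on the
    # same web server (other vhost content, admin pages) get a 403.
    http-request deny unless rc_path

    # The virtual host answers for remote-entry.tld, so present that
    # name to it (the set-header suggestion from the last post).
    http-request set-header Host remote-entry.tld

    # Redirects generated by the web server carry its own name or IP;
    # rewrite them so the browser stays on the public hostname.
    http-response replace-header Location ^https?://(remote-entry[.]tld|192[.]168[.]1[.]20)(:[0-9]+)?(/.*)?$ https://mail.remote-entry.tld\3

    # "verify none" mirrors the thread's other servers and skips backend
    # certificate validation; "verify required ca-file <path>" is the
    # stricter form when the backend certificate's CA is available.
    server roundcube 192.168.1.20:443 ssl verify none check inter 1000
```

After a reload, the stats page should list `roundcube` as UP, and the browser's network tab should show no Location header pointing at 192.168.1.20 or remote-entry.tld.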