Netgate Discussion Forum

    Using HAproxy for internal web servers

    Category: Cache/Proxy
    7 posts, 4 posters, 5.5k views
      m0nKeY

      Hi,

      I'm currently configuring HAproxy to provide more than one web server with one domain and one external ip address.

      After a some tries I configured HAproxy to forward requests to my Gitlab server. HAproxy is very nice together with the ACME package, because I don't need to request certs on every server separately.

      I want to use the same mechanism for my internal web server, i.e. the my proxmox server web-gui. At my first try, I just copied the WAN frontend configurations and changed the Listen Address from WAN to LAN. Which did not work out. Instead I was unable to reach any web interface on my local network, including pfsense itself.

      I read various threads here and on reddit, but found no solution. Can someone help me out a little bit?

      Greetings
      m0nKeY

        Astraea

        What I have done is have external accessible domains resolve using my configured DNS servers. For internal domains, I add a host override in pfSense that points to the reverse proxy and I also have various deny and allow entries in the Ngnix configuration file to limit who can connect to what service.

        Originally I had 2 separate reverse proxy servers but I am working on merging them to 1 and using rules to limit access to the internal and external sites as appropriate.

          m0nKeY

          Thanks for your reply. Did you configure your reverse proxy to listen to the LAN interface? In my case, the reverse proxy is pfSense itself.

            Derelict (LAYER 8, Netgate)

            I made an RFC1918 VIP on localhost.

            HAproxy binds to that.

            I port forward WAN to that.

            I have split DNS inside pointing to the inside VIP address.

            Outside DNS, of course, points to WAN through various Dynamic DNS trickery. I CNAME all the domains to one record that is updated via Dynamic DNS (on hurricane).

            It all works great. The nextcloud app on my phone does not care if it is inside or outside. It just works.

            The ACME package handles all the certs. Inside or outside get the same ones. Connections to the backends are unencrypted. And, like you, I grew weary of maintaining certificates on all the backends and haven't thought about it for months.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              Astraea

              My pfSense install forwards ports 80 and 443 to the reverse proxy for external domains and internal is handled through DNS host overrides.

                Derelict (LAYER 8, Netgate) @Astraea

                @Astraea For me, that requires I maintain the certificates on HAProxy and the web servers themselves. That's why I tell HAproxy to listen on an internal VIP and use that for my DNS host overrides. Inside and outside connections go to the same frontend but without crud like NAT reflection.


                  cybis @Derelict (last edited by cybis)

                  @derelict thanks a lot for providing insights on your setup! I'd be interested in setting up something similar and have a couple of questions I was hoping you could help answer.

                  > I made an RFC1918 VIP on localhost.

                  Unfortunately it's this very first point I already don't understand 😁 If my understanding of the documentation is correct then an IP Alias (VIP) is simply an additional IP address one can assign to an interface, right? If so, what is the purpose of assigning it to localhost? So that it is reachable from each of the local interfaces/networks?

                  > HAproxy binds to that.

                  Why not binding it to the WAN interface/address?

                  > I port forward WAN to that.

                  I guess that's necessary because the HAProxy is bound to the VIP and not the WAN address?

                  > I have split DNS inside pointing to the inside VIP address.

                  What does this mean exactly? Do you have a domain override for your domain(s)? If so, what's the purpose of that? To avoid NAT reflection that you mentioned in your post above?

                  > Outside DNS, of course, points to WAN through various Dynamic DNS trickery. I CNAME all the domains to one record that is updated via Dynamic DNS (on hurricane).

                  I use a wildcard certificate and have only a * CNAME and an A DNS record pointing to my WAN address (dynv6.com as dynamic DNS provider). I have the DNS-01 challenge running and the certificate is currently retrieved via a dedicated certbot instance and used on a dedicated nginx instance. However, I'd like to switch to the pfsense HAProxy/ACME setup.

                  > It all works great. The nextcloud app on my phone does not care if it is inside or outside. It just works.
                  >
                  > The ACME package handles all the certs. Inside or outside get the same ones. Connections to the backends are unencrypted. And, like you, I grew weary of maintaining certificates on all the backends and haven't thought about it for months.

                  If I'm not mistaken, I could keep the traffic encrypted even in the backend with my dedicated nginx reverse proxy, right? So HAProxy would do the SSL/TLS offloading and communicate via https with my dedicated nginx reverse proxy (which in turn is proxying to the various docker containers/services I have). The HAProxy would be used also for other various hosts on the network (via host overrides), including the pfsense host itself, in order to get rid of the self-signed certificate warnings. As all the other hosts have https enabled by default, the complete traffic should be encrypted and a valid certificate should be provided by the HAProxy. Or am I missing something here? 🤔

                  The only thing that might need further consideration is limiting access to the internal hosts, i.e. they should not be reachable from outside. I guess that's what the HAProxy access lists are for?

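Added illustration, not from the thread, from Netgate or from the pfSense HAProxy package: a hand-written haproxy.cfg fragment sketching the layout Derelict describes (one frontend on an internal VIP, WAN port-forwarded to it, split DNS pointing LAN clients at the same VIP) together with the access limitation cybis asks about (internal-only hosts refused unless the request came from RFC1918 space) and the re-encrypted backend hop. Assumed values: VIP 10.0.0.253, example.org hostnames, placeholder backend addresses and certificate path, and that the pfSense web GUI has been moved to port 8443 so HAProxy can own 443.

```haproxy
# Assumed values (not from the thread): VIP 10.0.0.253 is an IP alias on
# localhost in pfSense; example.org and all backend addresses are placeholders.
defaults
    mode http
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One frontend for inside and outside clients. It binds only to the internal
# VIP: pfSense port-forwards WAN:443 here, and the split-DNS host overrides
# resolve the same names to this VIP for LAN clients, so no NAT reflection is
# needed and every name is served with the one ACME-issued certificate.
frontend https_in
    bind 10.0.0.253:443 ssl crt /var/etc/haproxy/example.org.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https

    # Requests that arrived directly from RFC1918 space (LAN clients). A WAN
    # port forward does not rewrite the source, so outside clients fail this.
    acl from_lan src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

    acl host_git hdr(host) -i git.example.org
    acl host_pve hdr(host) -i pve.example.org
    acl host_fw  hdr(host) -i fw.example.org

    # Internal-only services: refuse them unless the client is on the LAN.
    http-request deny deny_status 403 if host_pve !from_lan
    http-request deny deny_status 403 if host_fw  !from_lan

    use_backend be_gitlab  if host_git
    use_backend be_proxmox if host_pve
    use_backend be_pfsense if host_fw

# Public service, plain HTTP to the backend as in Derelict's setup.
backend be_gitlab
    server gitlab 10.0.0.10:80

# Internal services that only speak HTTPS: re-encrypt to the backend.
# "verify none" accepts their self-signed certificates; use "ca-file" with
# the backend's CA instead if that hop should be verified as well.
backend be_proxmox
    server pve 10.0.0.20:8006 ssl verify none

# Assumes the pfSense web GUI was moved to 8443 so HAProxy can own 443.
backend be_pfsense
    server fw 127.0.0.1:8443 ssl verify none
```

In the pfSense HAProxy GUI these lines correspond roughly to a frontend whose listen address is the VIP, ACLs of the "Host matches" and "Source IP matches" kinds, a deny action for the internal hosts when the source ACL does not match, and per-host "Use backend" actions; the split-DNS part is the host overrides in the DNS Resolver.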
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.