HAproxy Routing Assistance - External Resolution Fail and Internal Weirdness
I figure two fruitless posts on reddit and it's time to come ask the big dogs here at the official watering hole.
I want to use HAproxy so I can give out a URL to my family for Ombi/Plexrequests.
I want the URL to be a sub-domain with the syntax of: request.FQDN.com.
I have my domain registered through Google Domains.
Within Google Domains DNS, I have set request.FQDN.com to WAN.IP.
Within pfSense, I have a WAN firewall rule to pass 8080 to self/This Firewall.
I have a front-end configured listening on WAN.IP:8080 with an ACL looking for request.FQDN.com >> using the backend of Ombi, which is set for LAN.IP:3579.
Internally, if I go to request.FQDN.com it loads the pfSense WebUI with a Rebind DNS attack warning.
However, internally, if I go to request.FQDN.com:8080 it redirects to the Ombi/PlexRequests login page as desired.
This was due to my using my cellphone with LTE+Wifi. Using a local-only client, it fails to resolve completely internally.
Externally, I only receive "connection refused" messages. I've never gotten it to resolve through HAproxy externally.
Edit: I just tried accessing request.FQDN.com:8080 externally and it redirected properly!
~~Despite my dozen other forwarded ports that have been set up for years, I wanted to make sure I knew what I was doing. NAT'ing the direct port to my LAN IP allows for external resolution just fine; but it's ugly since it redirects from request.FQDN.com to WAN.IP:3579 in the address bar. I am, admittedly, being a stickler for the details in not accepting that as a valid option, but I'd prefer to rely on the security of HAproxy than some still-in-development login portal.~~
~~I've been at this now for over 12 hours… I confirmed with the Ombi/PlexRequests developer that, with a sub-domain setup specifically, the Base URL field is not necessary.~~
With this new finding, my question is now: how can I make it so that request.FQDN.com is all that is needed?
request.FQDN.com:8080, while functional, goes against my "easy URL" desire.
Please let me know if there is any information or logs that can help (the proverbial) you in helping (the real) me.
If you want to just be able to give out host.fqdn.com as the URL you'll need to move the front end to port 80. I would suggest that instead you move it to 443 and use the ACME package to add TLS to your service; users would then have to use https://host.fqdn.com but you'd provide a bit more security if you're using any kind of username / password on ombi.
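For readers who want to see what the reply above amounts to as a configuration, here is an added example (written for this page, not taken from the thread or generated by the pfSense HAProxy package): a hand-written haproxy.cfg with the front end moved to 443 with TLS, port 80 only redirecting to HTTPS, and the same host ACL and Ombi backend the original post describes. WAN.IP, LAN.IP and request.FQDN.com are the thread's placeholders; the certificate path is a hypothetical location for the PEM bundle (certificate plus key) that ACME would issue.

```haproxy
# Added example, not the pfSense package's generated config.
# Placeholders from the thread: WAN.IP, LAN.IP, request.FQDN.com.
# Hypothetical path for the ACME-issued PEM bundle (cert + key in one file).

global
    log /dev/log local0
    # Refuse legacy protocol versions on every TLS bind line
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    mode http
    log global
    option httplog
    option forwardfor          # pass the client IP to Ombi in X-Forwarded-For
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Port 80 exists only so that plain http://request.FQDN.com lands on HTTPS
frontend http_in
    bind WAN.IP:80
    http-request redirect scheme https code 301

# TLS terminates here, so the URL handed out is just https://request.FQDN.com
frontend https_in
    bind WAN.IP:443 ssl crt /etc/haproxy/certs/request.FQDN.com.pem alpn h2,http/1.1
    # Only the expected Host header is routed; anything else is refused
    acl host_request req.hdr(host) -i request.FQDN.com
    http-request deny unless host_request
    # Ask browsers to keep using HTTPS for this host
    http-response set-header Strict-Transport-Security "max-age=31536000"
    use_backend ombi if host_request

backend ombi
    # Same target as the original post's backend
    server ombi1 LAN.IP:3579 check
```

The WAN firewall rule from the post would then need to pass 80 and 443 to This Firewall instead of 8080, and since the post shows the pfSense WebGUI answering on request.FQDN.com from inside, the WebGUI must be moved off port 443 first or the bind will conflict with it.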