Netgate Discussion Forum
    HAProxy Port 80 Only for Let's Encrypt

    Brailyn:

      Hello,

      I set up HAProxy to manage traffic from one public IP to multiple server backends quite a while back, and it has been working excellently ever since.

      One thing that has become an issue is Let's Encrypt requests on port 80. This would be servers using http-01 method of authentication.

      I have HAProxy redirecting http requests to https port 443 using port 80. Only requests that are not matched in the front end port 80 rule are redirected.

      Is there something I can add to this frontend that would accommodate only requests that begin with http://url/.well-known/acme-challenge/*... to not be redirected?

      To get around this, I've just been giving my backend servers a direct public IP every time they won't renew behind the HAProxy.

      Here is my config:

      # Automaticaly generated, dont edit manually.
      # Generated on: 2018-04-04 19:46
      global
      	maxconn			100
      	log			/var/run/log	local0	info
      	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
      	gid			80
      	nbproc			1
      	nbthread			1
      	hard-stop-after		15m
      	chroot				/tmp/haproxy_chroot
      	daemon
      	server-state-file /tmp/haproxy_server_state
      
      listen HAProxyLocalStats
      	bind 127.0.0.1:444 name localstats
      	mode http
      	stats enable
      	stats admin if TRUE
      	stats uri /haproxy/haproxy_stats.php?haproxystats=1
      	timeout client 5000
      	timeout connect 5000
      	timeout server 5000
      
      frontend Frontend2-SNI
      	bind			public-ip:443 name public-ip:443   
      	mode			tcp
      	log			global
      	maxconn			20
      	timeout client		30000
      	tcp-request inspect-delay	5s
      	acl			ucrmsni1	req.ssl_sni -i ucrm.url.root
      	acl			unmssni1	req.ssl_sni -i unms.url.root
      	acl			nextcloudsni1	req.ssl_sni -i nextcloud.url.root
      	acl			portfoliosni1	req.ssl_sni -i url.root
      	acl			dsmsni1	req.ssl_sni -i dsm.url.root
      	tcp-request content accept if { req.ssl_hello_type 1 }
      
      	use_backend ucrm_https_ipv4  if  ucrmsni1 
      	use_backend unms_https_ipv4  if  unmssni1 
      	use_backend nextcloud_https_ipv4  if  nextcloudsni1 
      	use_backend portfolio_https_ipv4  if  portfoliosni1 
      	use_backend dsm_https_ipv4  if  dsmsni1 
      	default_backend Frontend3offload_https_ipv4
      
      frontend Frontend1-http
      	bind			public-ip:80 name public-ip:80   
      	mode			http
      	log			global
      	option			http-keep-alive
      	maxconn			20
      	timeout client		30000
      	acl			trechACL	hdr_sub(host) -i www.url2.root
      	acl			httpRedirectACL	hdr_sub(host) -i www.url2.root
      	http-request redirect scheme https  if  !httpRedirectACL 
      	use_backend trech_http_ipvANY  if  trechACL 
      
      backend ucrm_https_ipv4
      	mode			tcp
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	source ipv4@ usesrc clientip
      	option			httpchk OPTIONS / 
      	server			ucrm 10.0.0.5:443 check-ssl check inter 1000  weight 1 verify none 
      
      backend unms_https_ipv4
      	mode			tcp
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	source ipv4@ usesrc clientip
      	option			httpchk HEAD / 
      	server			unms 10.0.0.13:443 check-ssl check inter 1000  weight 1 verify none 
      
      backend nextcloud_https_ipv4
      	mode			tcp
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	option			httpchk OPTIONS / 
      	server			nextcloud 10.0.0.14:443 check-ssl check inter 1000  weight 1 verify none 
      
      backend portfolio_https_ipv4
      	mode			tcp
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	option			httpchk OPTIONS / 
      	server			portfolio 10.0.0.45:443 check-ssl check inter 1000  weight 1 verify none 
      
      backend dsm_https_ipv4
      	mode			tcp
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	source ipv4@ usesrc clientip
      
      backend Frontend3offload_https_ipv4
      	mode			tcp
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      
      backend trech_http_ipvANY
      	mode			http
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	option			httpchk OPTIONS / 
      	server			trech 10.0.0.50:80 check inter 1000  weight 1
      
      PiBa:

        Perhaps you could add an ACL? 'Path starts with': '/.well-known…'

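A concrete version of PiBa's suggestion, written here as an added example and not taken from the thread or from the pfSense HAProxy package: the port-80 frontend gets a `path_beg` ACL for the challenge prefix (the pfSense "Path starts with" ACL type generates the same thing), the redirect condition excludes that ACL, and challenge requests are routed by Host header to plain-HTTP backends. Assumed, because the thread does not say: each origin's ACME client answers on its own port 80 (the 10.0.0.x:80 servers below), and the hostnames are the placeholders from the original post.

```haproxy
frontend Frontend1-http
	bind			public-ip:80 name public-ip:80
	mode			http
	log			global
	option			http-keep-alive
	maxconn			20
	timeout client		30000
	# Matches only the ACME http-01 challenge path, nothing else stays on plain HTTP
	acl			acme_challenge	path_beg -i /.well-known/acme-challenge/
	# One Host ACL per origin that renews behind the proxy (assumed hostnames)
	acl			ucrm_host	hdr(host) -i ucrm.url.root
	acl			nextcloud_host	hdr(host) -i nextcloud.url.root
	acl			trechACL	hdr_sub(host) -i www.url2.root
	acl			httpRedirectACL	hdr_sub(host) -i www.url2.root
	# http-request rules are evaluated before any use_backend line, so putting a
	# use_backend for the challenge first would not help: the exception has to be
	# part of the redirect condition itself. Every other request on :80 is still
	# sent to https.
	http-request redirect scheme https code 301  if  !httpRedirectACL !acme_challenge
	use_backend ucrm_acme_http  if  acme_challenge ucrm_host
	use_backend nextcloud_acme_http  if  acme_challenge nextcloud_host
	use_backend trech_http_ipvANY  if  trechACL

# Plain-HTTP backends used only for the challenge (assumed: the ACME client on
# each origin serves the token from its webroot or in standalone mode on :80).
backend ucrm_acme_http
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	server			ucrm_acme 10.0.0.5:80

backend nextcloud_acme_http
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	server			nextcloud_acme 10.0.0.14:80
```

To check the exception from outside, `curl -sI http://ucrm.url.root/.well-known/acme-challenge/anything` should return whatever the origin answers (typically 404 for a token that does not exist) rather than a 301, while `curl -sI http://ucrm.url.root/` should still return the 301 to https.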