Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Setting reversed proxy

    Scheduled Pinned Locked Moved Cache/Proxy
    proxyhaproxy
    39 Posts 3 Posters 7.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      PiBa @varazir
      last edited by

      @varazir
      Instead of this

      use_backend Octoprint_ipvANY  if  Octoprint 
      

      make that like:

      use_backend Octoprint_ipvANY  if !{ req.ssl_hello_type 1 } !{ req.len 0 }
      
      1 Reply Last reply Reply Quote 0
      • V
        varazir @PiBa
        last edited by

        @piba 0_1541370885196_155eef30-767b-4017-9b33-344ed7908a83-image.png

        That is from the config file trying to find how to set it in the GUI :P

        P 1 Reply Last reply Reply Quote 0
        • V
          varazir @PiBa
          last edited by

          @piba When it's working it say Layer7 check passed: OK

          1 Reply Last reply Reply Quote 0
          • P
            PiBa @varazir
            last edited by

            @varazir
            You already wrote 'Octoprint' in that same textfield you can put the other acl text..

            As for above maint line it looks like the 'zwave' servername might not resolve DNS easily to a IP? That shouldnt depend on the type of check used anyhow.. Perhaps give it a few seconds more to resolve? And the check again? A L7 check that passes would be good..

            V 2 Replies Last reply Reply Quote 0
            • V
              varazir @PiBa
              last edited by

              @piba Well I have to look at the openVPN tomorrow, getting late.

              Thanks for your help

              1 Reply Last reply Reply Quote 0
              • V
                varazir @PiBa
                last edited by

                @piba

                Where should I place in the GUI this again ? Front or back end ?

                use_backend Octoprint_ipvANY  if !{ req.ssl_hello_type 1 } !{ req.len 0 }
                
                P 1 Reply Last reply Reply Quote 0
                • P
                  PiBa @varazir
                  last edited by PiBa

                  @varazir
                  Where in the gui did you write 'Octoprint'?

                  ( For a Frontend - action ? )

                  --Edit--
                  Though i think i got your backends mixed up.
                  Should use the special acl for the 'openvpn' action acl name.

                  V 1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    Word of warning: Make extra sure that you do not expose OctoPrint to the Internet. It is not designed to do that. Keep it locked behind a VPN.

                    Personally, I run haproxy directly on my OctoPrint Pis (and acme.sh to do the certs). It only takes a very small/simple config. Much more secure that way.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    V 1 Reply Last reply Reply Quote 0
                    • V
                      varazir @PiBa
                      last edited by

                      @piba said in Setting reversed proxy:

                      @varazir
                      Where in the gui did you write 'Octoprint'?

                      ( For a Frontend - action ? )

                      Front end but it's OpenVPN that is the issue. It's on the same port on pfSense.

                      Octoprint back/frontend works fine
                      I changed to IP and now the health check works much better.

                      P 1 Reply Last reply Reply Quote 0
                      • V
                        varazir @jimp
                        last edited by

                        @jimp said in Setting reversed proxy:

                        Word of warning: Make extra sure that you do not expose OctoPrint to the Internet. It is not designed to do that. Keep it locked behind a VPN.

                        Personally, I run haproxy directly on my OctoPrint Pis (and acme.sh to do the certs). It only takes a very small/simple config. Much more secure that way.

                        ya I read that.
                        Octopi comes with HAProxy, I have setup a extra authentication. Using acl / http-request auth not sure if it's enoufe or there are other things that is not designed.

                        How can you open port 80/443 to several hosts that using certbot ?

                        1 Reply Last reply Reply Quote 0
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          If it's protected by at least some kind of auth it may be OK, but I still would prefer to keep it behind a VPN.

                          As for certbot, that would probably just get routed based on the requested hostname. Should work with plain http and some ACLs. I use acme.sh and DNS-01 challenges though, I do not want any inbound web requests hitting my Pis.

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          V 1 Reply Last reply Reply Quote 0
                          • P
                            PiBa @varazir
                            last edited by

                            @varazir
                            Yes sorry i mixed up your backends/acls.. Where i wrote octoprint i ment openvpn at least for the last few posts..

                            use_backend Openvpn_ipvANY  if  !{ req.ssl_hello_type 1 } !{ req.len 0 }
                            

                            Anyhow still location to put that is the frontend/action acl-name.

                            V 1 Reply Last reply Reply Quote 1
                            • V
                              varazir @PiBa
                              last edited by

                              @piba said in Setting reversed proxy:

                              @varazir
                              Yes sorry i mixed up your backends/acls.. Where i wrote octoprint i ment openvpn at least for the last few posts..

                              use_backend Openvpn_ipvANY  if  !{ req.ssl_hello_type 1 } !{ req.len 0 }
                              

                              Anyhow still location to put that is the frontend/action acl-name.

                              acl name :) thanks found the field thanks.

                              Now everything works.

                              1 Reply Last reply Reply Quote 0
                              • V
                                varazir @jimp
                                last edited by varazir

                                @jimp said in Setting reversed proxy:

                                If it's protected by at least some kind of auth it may be OK, but I still would prefer to keep it behind a VPN.

                                As for certbot, that would probably just get routed based on the requested hostname. Should work with plain http and some ACLs. I use acme.sh and DNS-01 challenges though, I do not want any inbound web requests hitting my Pis.

                                I'm looking at the script I was using the command line that came with Let's Encrypt and this guide

                                https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04

                                This all started more or less with getting the Lets encrypt not needing to do a portforward each time.

                                1 Reply Last reply Reply Quote 0
                                • jimpJ
                                  jimp Rebel Alliance Developer Netgate
                                  last edited by

                                  If you are going to run all the haproxy bits on pfSense there is a script you can use to hook into the ACME package to handle all of that locally for any hostname.

                                  https://forum.netgate.com/topic/90643/let-s-encypt-support/31

                                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                  Need help fast? Netgate Global Support!

                                  Do not Chat/PM for help!

                                  V 1 Reply Last reply Reply Quote 0
                                  • V
                                    varazir @jimp
                                    last edited by varazir

                                    @jimp said in Setting reversed proxy:

                                    If you are going to run all the haproxy bits on pfSense there is a script you can use to hook into the ACME package to handle all of that locally for any hostname.

                                    https://forum.netgate.com/topic/90643/let-s-encypt-support/31

                                    Hmm don't understand what it dose.

                                    So I still run the rewnew/setup on the host on then LAN ?

                                    1 Reply Last reply Reply Quote 0
                                    • jimpJ
                                      jimp Rebel Alliance Developer Netgate
                                      last edited by

                                      The ACME package on pfSense would handle all of the certs, haproxy on pfSense would offload all SSL tasks from local devices. So for example you'd connect https to the firewall and it would hand off http to the octopi backend.

                                      That may not be exactly what you're after but it would be an easy centralized solution.

                                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                      Need help fast? Netgate Global Support!

                                      Do not Chat/PM for help!

                                      V 1 Reply Last reply Reply Quote 0
                                      • V
                                        varazir @jimp
                                        last edited by varazir

                                        @jimp Hmm sound much easier. Like the idea.
                                        I guess I need to remake the backends on the current setup right ?

                                        I guess that will not work when I use https internal ?

                                        P 1 Reply Last reply Reply Quote 0
                                        • P
                                          PiBa @varazir
                                          last edited by

                                          @varazir
                                          It is possible to keep the webservers the same as they are, HAProxy would need to be reconfigured though to decrypt traffic on a (second) frontend (but not for openvpn), and re-encrypt traffic send to the webserver. Or reconfigure the webservers to accept connections on :80 while 'understanding' that the actual connection from the client is really made over https (so they dont respond with a redirect to https or a absolute link to a http:// resource).. some web-applications are not easily configured to do so though..

                                          1 Reply Last reply Reply Quote 0
                                          • V
                                            varazir
                                            last edited by varazir

                                            @jimp @PiBa

                                            How should I change the front/backend when I like to use the ACME pkg for all my certificate ?
                                            When I save the settings in the HAProxy I get this error in the log

                                            Nov 8 21:08:58	php-fpm		haproxy: startup error output!: [info] 311/210858 (82174) : [acme] http-01 plugin v0.1.1
                                            
                                            P 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.