Accessing from LAN



  • Fairly new to HAProxy

    I have HAProxy configured for a Nextcloud Docker instance running on port 8080 on an internal IP (HTTP only).

    I've set up the backend and frontend. pfSense is set up with a commercial wildcard SSL certificate.

    I am able to reach the Nextcloud instance from the external network using the FQDN (HTTPS).

    I can't, however, reach it from within the LAN using the FQDN over HTTPS. Internally I'm only able to access Nextcloud via the internal IP on port 8080.

    Any ideas what I'm doing wrong?

    I have an entry for the Nextcloud instance in the DNS Resolver too. I'm able to ping the FQDN from the LAN and it resolves correctly to the internal IP.

    Here's my haproxy.cfg:

    # Process-wide settings (pfSense-generated; the listing was flattened on paste, one directive per line).
    global
    
    maxconn 1000
    
    # Debug-level logging to the local syslog socket: useful while troubleshooting, noisy otherwise.
    log /var/run/log syslog debug
    
    # Runtime API socket at admin level ("expose-fd listeners" is used for seamless reloads).
    # Anything that can open this socket path can reconfigure the proxy, so its file permissions matter.
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    
    # Drop privileges to uid/gid 80 after startup.
    uid 80
    
    gid 80
    
    # One process, one thread. nbproc is deprecated in later HAProxy releases.
    nbproc 1
    
    nbthread 1
    
    # Old workers are forcibly stopped 15 minutes after a reload if connections linger.
    hard-stop-after 15m
    
    chroot /tmp/haproxy_chroot
    
    daemon
    
    # DH parameter size for DHE suites; the cipher list below is ECDHE-only, so this is mostly a safety default.
    tune.ssl.default-dh-param 2048
    
    log-send-hostname HaproxyMasterNode
    
    server-state-file /tmp/haproxy_server_state
    
    # TLS 1.2 cipher list, all ECDHE (forward secrecy). The last four are CBC-mode suites; an
    # AEAD-only list (the first six) is the stricter choice. No minimum TLS version is pinned in
    # this section, so check where pfSense sets ssl-default-bind-options or the crt-list.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    
    
    
    # Built-in stats page, bound to loopback only (presumably fronted by the pfSense GUI, given the .php uri).
    listen HAProxyLocalStats
    
    bind 127.0.0.1:2200 name localstats
    
    mode http
    
    stats enable
    
    stats refresh 10
    
    # "if TRUE" enables the admin actions (enable/disable servers) for every request; the
    # loopback-only bind above is therefore the whole access control for this page.
    stats admin if TRUE
    
    stats show-legends
    
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    
    timeout client 5000
    
    timeout connect 5000
    
    timeout server 5000
    
    
    
    # Public HTTPS entry point. The only bind is the WAN address (195.1.1.1:443); nothing listens on a
    # LAN-facing address, which is why https://FQDN fails from inside even though DNS resolves
    # (the replies below add the missing internal listener).
    frontend Frontend-1-HTTPS
    
    # TLS terminates here; certificates come from the crt-list.
    bind 195.1.1.1:443 name 195.1.1.1:443 ssl crt-list /var/etc/haproxy/Frontend-1-HTTPS.crt_list
    
    mode http
    
    log global
    
    option http-keep-alive
    
    # Adds X-Forwarded-For with the client address. Nextcloud has to be told to trust this proxy
    # (its trusted_proxies / overwriteprotocol settings, not shown here), otherwise it is likely
    # to treat the firewall as the client.
    option forwardfor
    
    # On an ssl bind ssl_fc is always true, so X-Forwarded-Proto is always "https" here.
    # set-header overwrites whatever the client sent, so a spoofed header cannot reach the backend.
    acl https ssl_fc
    
    http-request set-header X-Forwarded-Proto http if !https
    
    http-request set-header X-Forwarded-Proto https if https
    
    timeout client 30000
    
    # acl lines only declare patterns; they are evaluated when use_backend runs, after the
    # set-var below has filled txn.txnhost from the Host header, so this ordering is fine.
    acl nextcloud var(txn.txnhost) -m str -i nextcloud.foo.com
    
    # Two acls with the same name are OR-ed: any single-label subdomain of foo.com, or the bare domain.
    acl aclcrt_Frontend-1-HTTPS var(txn.txnhost) -m reg -i ^([^\.]*)\.foo\.com(:([0-9]){1,5})?$
    
    acl aclcrt_Frontend-1-HTTPS var(txn.txnhost) -m reg -i ^foo\.com(:([0-9]){1,5})?$
    
    http-request set-var(txn.txnhost) hdr(host)
    
    # No default_backend: a request whose Host matches neither acl gets no backend and should be
    # answered with an error (503) rather than proxied anywhere.
    use_backend nextcloud_ipvANY if nextcloud aclcrt_Frontend-1-HTTPS
    
    
    
    # Plain-HTTP backend: TLS ends on pfSense, so the pfSense -> 192.168.1.92:8080 hop is cleartext on the LAN.
    backend nextcloud_ipvANY
    
    mode http
    
    id 100
    
    log global
    
    # Custom 503 page served when the backend cannot be reached.
    errorfile 503 /var/etc/haproxy/errorfile_nextcloud_ipvANY_503_Maintenance
    
    timeout connect 30000
    
    timeout server 30000
    
    # Connection attempts are retried 3 times before giving up on a request.
    retries 3
    
    # No "check" keyword, so the server is never health-checked; it is always considered up.
    server nextcloud 192.168.1.92:8080 id 101
    


  • Most likely you haven't set up a frontend listener on your internal network.



  • @Mats thank you

    Sorry, I'm a complete newbie to this. I added these two frontend entries; this is the revised haproxy.cfg.
    It still doesn't work. Do I need to listen on port 8080?

    # Process-wide settings (unchanged from the first listing).
    global
            maxconn                 1000
            # Debug-level logging to the local syslog socket.
            log                     /var/run/log    syslog  debug
            # Admin-level runtime socket; whoever can open it can reconfigure the proxy.
            stats socket /tmp/haproxy.socket level admin  expose-fd listeners
            uid                     80
            gid                     80
            # nbproc is deprecated in later HAProxy releases.
            nbproc                  1
            nbthread                        1
            hard-stop-after         15m
            chroot                          /tmp/haproxy_chroot
            daemon
            tune.ssl.default-dh-param       2048
            log-send-hostname               HaproxyMasterNode
            server-state-file /tmp/haproxy_server_state
            # ECDHE-only TLS 1.2 list; the last four entries are CBC-mode suites, the first six are AEAD.
            ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    
    # Stats page on loopback only; "stats admin if TRUE" makes the bind address the only access control.
    listen HAProxyLocalStats
            bind 127.0.0.1:2200 name localstats
            mode http
            stats enable
            stats refresh 10
            stats admin if TRUE
            stats show-legends
            stats uri /haproxy/haproxy_stats.php?haproxystats=1
            timeout client 5000
            timeout connect 5000
            timeout server 5000
    
    # WAN-side HTTPS entry point ("ExternalIP" stands in for the real WAN address in this paste).
    # TLS terminates here, so the response headers Nextcloud later warns about also belong here, e.g. an
    # `http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains"` rule
    # (only once HTTPS works from every network, since browsers cache HSTS), plus redirects for
    # /.well-known/caldav and /.well-known/carddav to the /remote.php/dav target Nextcloud documents.
    frontend Frontend-1-HTTPS
            bind                    ExternalIP:443 name ExternalIP:443   ssl crt-list /var/etc/haproxy/Frontend-1-HTTPS.crt_list
            mode                    http
            log                     global
            option                  http-keep-alive
            # X-Forwarded-For is added for the backend; Nextcloud must be configured to trust this proxy.
            option                  forwardfor
            # Always true on an ssl bind, so X-Forwarded-Proto is always "https" from this frontend.
            acl https ssl_fc
            http-request set-header         X-Forwarded-Proto http if !https
            http-request set-header         X-Forwarded-Proto https if https
            timeout client          30000
            # acls are evaluated at use_backend time, after the set-var below has populated txn.txnhost.
            acl                     nextcloud       var(txn.txnhost) -m str -i nextcloud.foo.com
            # Same-named acls are OR-ed: one-label subdomains of foo.com, or the bare domain.
            acl                     aclcrt_Frontend-1-HTTPS var(txn.txnhost) -m reg -i ^([^\.]*)\.foo\.com(:([0-9]){1,5})?$
            acl                     aclcrt_Frontend-1-HTTPS var(txn.txnhost) -m reg -i ^foo\.com(:([0-9]){1,5})?$
            http-request set-var(txn.txnhost) hdr(host)
            use_backend nextcloud_ipvANY  if  nextcloud aclcrt_Frontend-1-HTTPS
    
    # LAN listener added after the first reply, but it is plain HTTP on the LAN address (192.168.1.1:80)
    # and its only action is a redirect to https. No frontend in this file binds a LAN-reachable
    # address on 443, so the redirect points the browser at something nothing listens on; the later
    # reply's virtual-IP:443 frontend is what closes that gap. Listening on 8080 is not needed:
    # that is the container's port, and the backend already targets it.
    frontend Frontend-Internal
            bind                    192.168.1.1:80 name 192.168.1.1:80
            mode                    http
            log                     global
            option                  http-keep-alive
            option                  forwardfor
            # ssl_fc is always false on a non-ssl bind, so X-Forwarded-Proto is always "http" here
            # (harmless, since nothing is proxied from this frontend).
            acl https ssl_fc
            http-request set-header         X-Forwarded-Proto http if !https
            http-request set-header         X-Forwarded-Proto https if https
            timeout client          30000
            acl                     nextcloud       var(txn.txnhost) -m str -i nextcloud.foo.com
            http-request set-var(txn.txnhost) hdr(host)
            # Only the Nextcloud host is redirected; any other Host value receives no action here.
            http-request redirect scheme https  if  nextcloud
    
    # WAN-side HTTP listener whose only job is to bounce the Nextcloud host to https.
    frontend Frontend-1-HTTP
            bind                    ExternalIP:80 name ExternalIP:80
            mode                    http
            log                     global
            option                  http-keep-alive
            option                  forwardfor
            # Always false on a non-ssl bind; the forwarded-proto headers never reach a backend from here.
            acl https ssl_fc
            http-request set-header         X-Forwarded-Proto http if !https
            http-request set-header         X-Forwarded-Proto https if https
            timeout client          30000
            acl                     nextcloud       var(txn.txnhost) -m str -i nextcloud.foo.com
            http-request set-var(txn.txnhost) hdr(host)
            # Hosts other than nextcloud.foo.com are not redirected and, with no backend, get an error response.
            http-request redirect scheme https  if  nextcloud
    
    # Plain-HTTP hop to the container (192.168.1.92:8080): TLS ends on pfSense, this leg is cleartext on the LAN.
    backend nextcloud_ipvANY
            mode                    http
            id                      100
            log                     global
            errorfile                       503 /var/etc/haproxy/errorfile_nextcloud_ipvANY_503_Maintenance
            timeout connect         30000
            timeout server          30000
            retries                 3
            # No "check" keyword: the server is never health-checked and is always treated as up.
            server                  nextcloud 192.168.1.92:8080 id 101
    
    

    Here's what my frontend and backend look like:



  • Sorry, I missed that you said FQDN from the inside.
    You want to go to https://FQDN and end up on your Nextcloud server on port 8080?
    That makes it a little more complex, but it is still doable.

    For this to work we must send the HTTPS traffic to HAProxy so that it can forward it to the Nextcloud box.

    The first challenge is that your internal DNS currently points the FQDN at the Nextcloud server itself, so HAProxy never sees the request.
    The second challenge is that port 443 on your pfSense box is most likely already in use by the web interface.
    The third challenge is to make HAProxy forward as it should.

    In this case I would start by freeing up a 443 port. My preferred way to do that is to use a virtual IP: it gives us a new IP that you can point the FQDN at, and since it's a different IP, port 443 is unused on it.

    You create a virtual IP under Firewall / Virtual IPs.
    Use type "IP Alias" and provide an unused IP address (192.168.1.2 might be good in your case); /32 is the right mask in this case.

    With that done we can now focus on getting HAProxy to forward the traffic. For that, a frontend that listens on the virtual IP (192.168.1.2):443 is required. Create that and connect it to the Nextcloud backend.

    The next step is to create a firewall rule that allows traffic from the internal network to the virtual IP on port 443 (it will not work without it, and yes, I have missed that rule more than once).

    The last step is making it reachable by FQDN. The quick fix is to change the internal DNS (the DNS Resolver entry you already have) so that the FQDN points to the virtual IP instead of the Nextcloud server.

    In theory this should do the trick; it's what I'm doing in a similar scenario.



  • Thanks a ton.

    It worked.

    The only downside is that I run Nextcloud without any SSL certificates inside the Docker container (insecure mode), and when I access it I get these warnings:

    There are some warnings regarding your setup.

    The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
    
    Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
    Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.
