Netgate Discussion Forum
Accessing from LAN

Category: Cache/Proxy

yodaphone, Feb 18, 2020, 9:36 PM (edited 9:37 PM)

    Fairly new to HAProxy.

    I have HAProxy configured for a Nextcloud Docker instance running on port 8080, with an internal IP (HTTP only).

    I've set up the backend and frontend. pfSense is set up with a commercial SSL wildcard cert.

    I am able to reach the Nextcloud instance from the external network using the FQDN (HTTPS).

    I can't, however, reach the same from within the LAN with the FQDN over HTTPS. I'm only able to access Nextcloud with the internal IP:8080.

    Any ideas what I'm doing wrong?

    I have an entry for the Nextcloud instance in the DNS Resolver too. I'm able to ping the FQDN from the network and it resolves correctly to the internal IP.

    Here's my haproxy.cfg:

    global
            maxconn                 1000
            log                     /var/run/log    syslog  debug
            stats socket /tmp/haproxy.socket level admin  expose-fd listeners
            uid                     80
            gid                     80
            nbproc                  1
            nbthread                1
            hard-stop-after         15m
            chroot                  /tmp/haproxy_chroot
            daemon
            tune.ssl.default-dh-param       2048
            log-send-hostname       HaproxyMasterNode
            server-state-file /tmp/haproxy_server_state
            ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

    listen HAProxyLocalStats
            bind 127.0.0.1:2200 name localstats
            mode http
            stats enable
            stats refresh 10
            stats admin if TRUE
            stats show-legends
            stats uri /haproxy/haproxy_stats.php?haproxystats=1
            timeout client 5000
            timeout connect 5000
            timeout server 5000

    frontend Frontend-1-HTTPS
            bind                    195.1.1.1:443 name 195.1.1.1:443 ssl crt-list /var/etc/haproxy/Frontend-1-HTTPS.crt_list
            mode                    http
            log                     global
            option                  http-keep-alive
            option                  forwardfor
            acl https ssl_fc
            http-request set-header X-Forwarded-Proto http if !https
            http-request set-header X-Forwarded-Proto https if https
            timeout client          30000
            acl                     nextcloud       var(txn.txnhost) -m str -i nextcloud.foo.com
            acl                     aclcrt_Frontend-1-HTTPS var(txn.txnhost) -m reg -i ^([^\.]*)\.foo\.com(:([0-9]){1,5})?$
            acl                     aclcrt_Frontend-1-HTTPS var(txn.txnhost) -m reg -i ^foo\.com(:([0-9]){1,5})?$
            http-request set-var(txn.txnhost) hdr(host)
            use_backend nextcloud_ipvANY  if  nextcloud aclcrt_Frontend-1-HTTPS

    backend nextcloud_ipvANY
            mode                    http
            id                      100
            log                     global
            errorfile               503 /var/etc/haproxy/errorfile_nextcloud_ipvANY_503_Maintenance
            timeout connect         30000
            timeout server          30000
            retries                 3
            server                  nextcloud 192.168.1.92:8080 id 101
    
    Mats, Feb 18, 2020, 9:42 PM

      Most likely you haven't set up a frontend listener on your internal network.

      yodaphone @Mats, Feb 18, 2020, 9:58 PM (edited 10:03 PM)

        @Mats thank you.

        Sorry, I'm a complete newbie to this. However, I added these 2 FE entries. This is the revised haproxy.cfg.
        I did this and it still doesn't work. Do I need to listen on port 8080?

        global
                maxconn                 1000
                log                     /var/run/log    syslog  debug
                stats socket /tmp/haproxy.socket level admin  expose-fd listeners
                uid                     80
                gid                     80
                nbproc                  1
                nbthread                        1
                hard-stop-after         15m
                chroot                          /tmp/haproxy_chroot
                daemon
                tune.ssl.default-dh-param       2048
                log-send-hostname               HaproxyMasterNode
                server-state-file /tmp/haproxy_server_state
                ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        
        listen HAProxyLocalStats
                bind 127.0.0.1:2200 name localstats
                mode http
                stats enable
                stats refresh 10
                stats admin if TRUE
                stats show-legends
                stats uri /haproxy/haproxy_stats.php?haproxystats=1
                timeout client 5000
                timeout connect 5000
                timeout server 5000
        
        frontend Frontend-1-HTTPS
                bind                    ExternalIP:443 name ExternalIP:443   ssl crt-list /var/etc/haproxy/Frontend-1-HTTPS.crt_list
                mode                    http
                log                     global
                option                  http-keep-alive
                option                  forwardfor
                acl https ssl_fc
                http-request set-header         X-Forwarded-Proto http if !https
                http-request set-header         X-Forwarded-Proto https if https
                timeout client          30000
                acl                     nextcloud       var(txn.txnhost) -m str -i nextcloud.foo.com
                acl                     aclcrt_Frontend-1-HTTPS var(txn.txnhost) -m reg -i ^([^\.]*)\.foo\.com(:([0-9]){1,5})?$
                acl                     aclcrt_Frontend-1-HTTPS var(txn.txnhost) -m reg -i ^foo\.com(:([0-9]){1,5})?$
                http-request set-var(txn.txnhost) hdr(host)
                use_backend nextcloud_ipvANY  if  nextcloud aclcrt_Frontend-1-HTTPS
        
        frontend Frontend-Internal
                bind                    192.168.1.1:80 name 192.168.1.1:80
                mode                    http
                log                     global
                option                  http-keep-alive
                option                  forwardfor
                acl https ssl_fc
                http-request set-header         X-Forwarded-Proto http if !https
                http-request set-header         X-Forwarded-Proto https if https
                timeout client          30000
                acl                     nextcloud       var(txn.txnhost) -m str -i nextcloud.foo.com
                http-request set-var(txn.txnhost) hdr(host)
                http-request redirect scheme https  if  nextcloud
        
        frontend Frontend-1-HTTP
                bind                    ExternalIP:80 name ExternalIP:80
                mode                    http
                log                     global
                option                  http-keep-alive
                option                  forwardfor
                acl https ssl_fc
                http-request set-header         X-Forwarded-Proto http if !https
                http-request set-header         X-Forwarded-Proto https if https
                timeout client          30000
                acl                     nextcloud       var(txn.txnhost) -m str -i nextcloud.foo.com
                http-request set-var(txn.txnhost) hdr(host)
                http-request redirect scheme https  if  nextcloud
        
        backend nextcloud_ipvANY
                mode                    http
                id                      100
                log                     global
                errorfile                       503 /var/etc/haproxy/errorfile_nextcloud_ipvANY_503_Maintenance
                timeout connect         30000
                timeout server          30000
                retries                 3
                server                  nextcloud 192.168.1.92:8080 id 101
        
        

        Here's what my frontend & backend look like:

        [screenshot: frontend]

        [screenshot: backend]

        Mats, Feb 20, 2020, 8:18 PM

          Sorry. I missed that you said FQDN from the inside.
          You want to do https://FQDN and end up on your Nextcloud server:8080?
          That makes it a little more complex, but it is still doable.

          For this to work we must send the HTTPS traffic to HAProxy so that it can forward it to the Nextcloud box.

          The first challenge is that your FQDN points to the Nextcloud server.
          The second challenge is that port 443 on your pfSense box hopefully is in use for the web interface already.
          The third challenge is to make HAProxy forward as it should.

          In this case I would start with fixing a "free" 443 port. My preferred way to do that is to use a virtual IP. It gives us a new IP that you can point a FQDN against, and since it's a different IP, port 443 is unused.

          You create a virtual IP under Firewall / Virtual IPs.
          Use type IP Alias and provide an unused IP address (192.168.1.2 might be good in your case); /32 will be the right mask in this case.

          With that done we can now focus on getting HAProxy to forward the traffic. For that, a frontend that listens on the virtual IP (192.168.1.2):443 is required. Create that and connect it to the Nextcloud backend.

          The next step is to create a firewall rule that allows traffic from the internal network to the virtual IP:443 (it will not work without it, and yes, I have missed that rule more than once).

          The last step is making it reachable on the FQDN. The quick fix is to change the internal DNS so that the FQDN points to the virtual IP.

          In theory this should do the trick; it's what I'm doing in a similar scenario.

          1 Reply Last reply Reply Quote 0
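The steps above, written out as raw HAProxy configuration so the pieces can be checked against each other. This is an added example, not configuration posted in the thread or generated by the pfSense package. It uses the addresses already in the thread (virtual IP 192.168.1.2 on LAN, backend 192.168.1.92:8080, the existing Frontend-1-HTTPS.crt_list and the existing nextcloud_ipvANY backend); the frontend names and the pfSense menu paths in the comments are assumptions. On pfSense the package regenerates /var/etc/haproxy/haproxy.cfg from the GUI, so these stanzas are created under the HAProxy Frontend tab rather than by editing the file.

```haproxy
# Added example (not from the thread): LAN-side HTTPS listener on the virtual IP.
#
# Prerequisites done in the pfSense GUI, outside HAProxy (assumed menu paths):
#   Firewall > Virtual IPs:            IP Alias 192.168.1.2/32 on the LAN interface
#   Firewall > Rules > LAN:            pass TCP from "LAN net" to 192.168.1.2 port 443
#   Services > DNS Resolver overrides: nextcloud.foo.com -> 192.168.1.2
#                                      (was 192.168.1.92, which bypasses the proxy)

frontend Frontend-Internal-HTTPS
        # Same certificate list as the external frontend: the wildcard cert covers nextcloud.foo.com
        bind                    192.168.1.2:443 name 192.168.1.2:443 ssl crt-list /var/etc/haproxy/Frontend-1-HTTPS.crt_list
        mode                    http
        log                     global
        option                  http-keep-alive
        option                  forwardfor
        timeout client          30000
        # The backend hop is plain HTTP; tell Nextcloud the client connection was TLS.
        # On an ssl bind ssl_fc is always true, so no conditional is needed here.
        http-request set-header X-Forwarded-Proto https
        # Route only the host the cert and backend are meant for; anything else gets the 503 errorfile
        http-request set-var(txn.txnhost) hdr(host)
        acl nextcloud var(txn.txnhost) -m str -i nextcloud.foo.com
        use_backend nextcloud_ipvANY if nextcloud

# Plain-HTTP listener on the same virtual IP: nothing is served, it only redirects to HTTPS.
# Binding here instead of 192.168.1.1:80 avoids competing with the pfSense web GUI on the LAN address.
frontend Frontend-Internal-HTTP
        bind                    192.168.1.2:80 name 192.168.1.2:80
        mode                    http
        log                     global
        http-request redirect scheme https code 301 if { hdr(host) -i nextcloud.foo.com }

# Unchanged backend from the thread, shown so the use_backend reference resolves
backend nextcloud_ipvANY
        mode                    http
        id                      100
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        server                  nextcloud 192.168.1.92:8080 id 101
```

Checks from a LAN host, in the order the failure would show up: `dig nextcloud.foo.com` must now return 192.168.1.2, not 192.168.1.92; `openssl s_client -connect 192.168.1.2:443 -servername nextcloud.foo.com` must complete the handshake and show the wildcard certificate (a hang here usually means the LAN pass rule to the virtual IP is missing); and `haproxy -c -f /var/etc/haproxy/haproxy.cfg` on the firewall validates the generated file. The external frontend on the WAN address is unaffected, since the two frontends bind different addresses.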
            yodaphone, Feb 20, 2020, 10:41 PM (edited 11:36 PM)

            Thanks a ton.

            It worked.

            The only downside is that I run Nextcloud without any SSL certs inside the Docker container (insecure mode), and when I access it I get these errors:

            There are some warnings regarding your setup.

            The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
            
            Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
            Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.
            
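Both warnings can be answered at the proxy, because HAProxy is now the only thing that terminates TLS for this host. As an added example (not from the thread, and not the pfSense-generated backend), here is the thread's nextcloud_ipvANY backend with the two additions: an HSTS header on TLS responses with the 15552000-second minimum Nextcloud asks for, and 301 redirects of the two .well-known discovery paths to /remote.php/dav, which is where Nextcloud serves CalDAV and CardDAV. Everything else in the stanza is unchanged from the thread. On pfSense these lines go into the backend's advanced/pass-through options in the GUI, since hand edits to haproxy.cfg are overwritten on the next apply.

```haproxy
# Added example (not from the thread): answer the two Nextcloud setup warnings in HAProxy.
backend nextcloud_ipvANY
        mode                    http
        id                      100
        log                     global
        errorfile               503 /var/etc/haproxy/errorfile_nextcloud_ipvANY_503_Maintenance
        timeout connect         30000
        timeout server          30000
        retries                 3

        # HSTS: Nextcloud wants max-age >= 15552000 (180 days). Only emit it on responses
        # that left over TLS (ssl_fc is the client-side connection, so it is usable here).
        # A browser that has seen this header refuses plain http for the host until max-age
        # expires, so make sure http://nextcloud.foo.com reliably redirects to https first.
        http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains" if { ssl_fc }

        # CalDAV/CardDAV autodiscovery: clients probe these two paths and expect a redirect
        # to the DAV endpoint. Redirecting at the proxy means the container needs no change.
        http-request redirect code 301 location /remote.php/dav if { path /.well-known/caldav } || { path /.well-known/carddav }

        server                  nextcloud 192.168.1.92:8080 id 101
```

To verify: `curl -sI https://nextcloud.foo.com/.well-known/caldav` should return 301 with `Location: /remote.php/dav`, and `curl -sI https://nextcloud.foo.com/ | grep -i strict-transport` should show the header; the warnings disappear on the next admin-page load. Nextcloud itself must also trust the proxy for the HTTPS scheme to be honoured (the `trusted_proxies` and `overwriteprotocol` entries in its config.php, which is a Nextcloud-side setting and an assumption about this deployment, not something the thread shows).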
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.