Unable to add PPA to Ubuntu server when connected to HAProxy.
-
@strongthany
Sorry but im not following..Your sending a request to haproxy for a server it doesn't have configured.?? I'm missing something in my (mental) picture here.. Perhaps you can draw a little picture (doesnt need to be nice), about what ip's all the mentioned servers and pfSense use and from where to where you want the connection to work.?
Perhaps you can try and disable the 'transparent-client-ip' feature on any 'involved' server.?. if one is.. it causes reply packets to not get routed for that server:port combination..
-
I have a server called Landscape that lives in my LAN. As shown in the config I posted, there is not a back-end for Landscape on the HAProxy config. I want to install Landscape on the server called Landscape. I cannot do so because HAProxy is filtering traffic coming into my network. HAProxy is filtering traffic coming into my network by routing things over http to https. When I try to install Landscape on the server called Landscape it fails to do so. It fails to do so because HAProxy moves the http traffic to https. I want to tell HAProxy not to filter that traffic Landscape.
How do I achieve this? Which of these options would be a better course of action, and how would I preform the one you deem better:
- Exclude the server called Landscape from having it's traffic filtered
or
- have the address for where I install Landscape from excluded form being filtered
Does this make sense?
-
@strongthany
Either i'm totally not understanding your setup or the road we are on is totally unrelated to the problems your experiencing..It seems to me that you have a new 'Landscape server' on which you want to install some software with 'apt', from a repository on 'the internet'..
This should have nothing to do with haproxy.. As the launchpad servers are not going to connect to your public ip where haproxy is listening, and you do not have the landscape server or dns records configured to point to your own wan-ip/haproxy-ip..
As such traffic should have absolutlely nothing to do with haproxy and also not with a pfSense-webgui certificate..
So it seems to me like your either running a other forward-proxy like squid, which could be filtering traffic, or something like snort/pfBlocker assuming the issue lies in a package... haproxy normally is not involved in traffic going from the LAN to the-internet.But now i think its most likely that there is a wrong port-forward rule in the pfSense nat rules. Can you check/disable those.? Haproxy is listening on the wan-ip already, so doesnt need any nat rules.. only a firewallrule to allow traffic from clients on the internet to the wan-ip.
-
I have no NAT rules. After spending some time talking to some people on the Ubuntu IRC forum I'm not so sure it's even HAProxy anymore.
When I run
wget -qSO /dev/null http://ppa.launchpad.net/wireguard/wireguard/ubuntu 2>&1 | less
from a device connected to my network I always get the following:HTTP/1.1 301 Moved Permanently Server: nginx Date: Fri, 24 Apr 2020 22:13:04 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://ppa.launchpad.net/wireguard/wireguard/ubuntu X-Frame-Options: SAMEORIGIN
Running the same command outside the network gets a 200 code from an apache server. Someone noted that the reason I'm seeing nginx is because of this note. However I have no idea why I'm not able to get out and to be quite honest I'm losing my mind over this.
-
@strongthany
If that 'note' applies to your situation that would mean you have configured a services/captive-portal.? Do you have that.? -
@PiBa No captive portal, only thing that would be intercepting traffic like that would be the reverse proxy which I've shown by disabling it that is not the issue. Would there be something else in the way that would be breaking the connection?
-
@strongthany
Can you show the output of these commands (maybe replace your public ip, if it shows up..)?:pfctl -sn ipfw show
-
I have ran the command(doing remote cli, pfctl -sn didn't work but ipfw show did) and got the following:
00010 487555 70366491 fwd 127.0.0.1 tcp from 10.10.10.251 443 to any in recv re0 00011 651701 255737457 fwd 127.0.0.1 tcp from 10.10.10.250 443 to any in recv re0 65535 254477642 172839414961 allow ip from any to any
Not sure what this means..
-
@strongthany
Traffic from the webserver running at '10.10.10.251 443' is redirected to pfSense's localhost, no matter where the client-return-address was, but this should not affect outgoing https requests from such a server. As they would target google:443 for example, but come from that server on a random client-port.. And certainly shouldn't affect traffic from a other new server..I'm running out of ideas what to check without some 'hands on' checking.. But i think we are active in different time-zones.. 'CET-evenings'..
-
@PiBa said in Unable to add PPA to Ubuntu server when connected to HAProxy.:
I'm running out of ideas what to check without some 'hands on' checking.. But i think we are active in different time-zones.. 'CET-evenings'..
That's okay, I understand. I think I'm going to make a new question in a different topic that might have more folks who can help. I really appreciate you helping me out here.