Netgate Discussion Forum

Unable to add PPA to Ubuntu server when connected to HAProxy.

    PiBa @strongthany
    last edited by PiBa Apr 24, 2020, 5:17 PM Apr 24, 2020, 5:17 PM

    @strongthany
    Sorry but I'm not following..

    You're sending a request to haproxy for a server it doesn't have configured? I'm missing something in my (mental) picture here.. Perhaps you can draw a little picture (doesn't need to be nice), about what IPs all the mentioned servers and pfSense use and from where to where you want the connection to work?

    Perhaps you can try and disable the 'transparent-client-ip' feature on any 'involved' server? If one is.. it causes reply packets to not get routed for that server:port combination..

      strongthany
      last edited by Apr 24, 2020, 7:49 PM

      I have a server called Landscape that lives in my LAN. As shown in the config I posted, there is not a back-end for Landscape on the HAProxy config. I want to install Landscape on the server called Landscape. I cannot do so because HAProxy is filtering traffic coming into my network. HAProxy is filtering traffic coming into my network by routing things over http to https. When I try to install Landscape on the server called Landscape it fails to do so. It fails to do so because HAProxy moves the http traffic to https. I want to tell HAProxy not to filter that traffic Landscape.

      How do I achieve this? Which of these options would be a better course of action, and how would I perform the one you deem better:

      1. Exclude the server called Landscape from having its traffic filtered

      or

      2. Have the address for where I install Landscape from excluded from being filtered

      Does this make sense?

        PiBa @strongthany
        last edited by PiBa Apr 24, 2020, 9:45 PM Apr 24, 2020, 9:44 PM

        @strongthany
        Either I'm totally not understanding your setup or the road we are on is totally unrelated to the problems you're experiencing..

        It seems to me that you have a new 'Landscape server' on which you want to install some software with 'apt', from a repository on 'the internet'..
        This should have nothing to do with haproxy.. As the launchpad servers are not going to connect to your public ip where haproxy is listening, and you do not have the landscape server or dns records configured to point to your own wan-ip/haproxy-ip..
        As such traffic should have absolutely nothing to do with haproxy and also not with a pfSense-webgui certificate..
        So it seems to me like you're either running another forward-proxy like squid, which could be filtering traffic, or something like snort/pfBlocker assuming the issue lies in a package... haproxy normally is not involved in traffic going from the LAN to the-internet.

        But now I think it's most likely that there is a wrong port-forward rule in the pfSense nat rules. Can you check/disable those? Haproxy is listening on the wan-ip already, so doesn't need any nat rules.. only a firewall rule to allow traffic from clients on the internet to the wan-ip.

          strongthany
          last edited by Apr 24, 2020, 10:03 PM

          I have no NAT rules. After spending some time talking to some people on the Ubuntu IRC forum I'm not so sure it's even HAProxy anymore.

          When I run

            wget -qSO /dev/null http://ppa.launchpad.net/wireguard/wireguard/ubuntu 2>&1 | less

          from a device connected to my network I always get the following:

            HTTP/1.1 301 Moved Permanently
            Server: nginx
            Date: Fri, 24 Apr 2020 22:13:04 GMT
            Content-Type: text/html
            Content-Length: 162
            Connection: keep-alive
            Location: https://ppa.launchpad.net/wireguard/wireguard/ubuntu
            X-Frame-Options: SAMEORIGIN
          

          Running the same command outside the network gets a 200 code from an apache server. Someone noted that the reason I'm seeing nginx is because of this note. However I have no idea why I'm not able to get out and to be quite honest I'm losing my mind over this.

            PiBa @strongthany
            last edited by Apr 25, 2020, 9:37 PM

            @strongthany
            If that 'note' applies to your situation that would mean you have configured a services/captive-portal? Do you have that?

              strongthany @PiBa
              last edited by Apr 26, 2020, 7:26 PM

              @PiBa No captive portal, only thing that would be intercepting traffic like that would be the reverse proxy which I've shown by disabling it that is not the issue. Would there be something else in the way that would be breaking the connection?

                PiBa @strongthany
                last edited by Apr 27, 2020, 2:59 PM

                @strongthany
                Can you show the output of these commands (maybe replace your public ip, if it shows up..)?:

                  pfctl -sn
                  ipfw show
                
                  strongthany
                  last edited by Apr 27, 2020, 8:37 PM

                  I have run the command (doing remote CLI, pfctl -sn didn't work but ipfw show did) and got the following:

                    00010    487555     70366491 fwd 127.0.0.1 tcp from 10.10.10.251 443 to any in recv re0
                    00011    651701    255737457 fwd 127.0.0.1 tcp from 10.10.10.250 443 to any in recv re0
                    65535 254477642 172839414961 allow ip from any to any
                  

                  Not sure what this means..

                    PiBa @strongthany
                    last edited by Apr 28, 2020, 5:51 PM

                    @strongthany
                    Traffic from the webserver running at '10.10.10.251 443' is redirected to pfSense's localhost, no matter where the client-return-address was, but this should not affect outgoing https requests from such a server. As they would target google:443 for example, but come from that server on a random client-port.. And certainly shouldn't affect traffic from another new server..

                    I'm running out of ideas what to check without some 'hands on' checking.. But I think we are active in different time-zones.. 'CET-evenings'..

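The rule matching PiBa describes in the post above, as an added example that is not part of the original thread: it parses the three `ipfw show` lines posted earlier and reports which rule a packet hits first. The packets, the remote address 203.0.113.7 and the 'new server' address 10.10.10.50 are constructed assumptions, and only the rule shapes shown in the thread are parsed.

```python
import re
from collections import namedtuple

# The three rules exactly as they appear in the `ipfw show` output in the thread.
IPFW_SHOW = """\
00010    487555     70366491 fwd 127.0.0.1 tcp from 10.10.10.251 443 to any in recv re0
00011    651701    255737457 fwd 127.0.0.1 tcp from 10.10.10.250 443 to any in recv re0
65535 254477642 172839414961 allow ip from any to any
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<action>fwd \S+|allow)\s+(?P<proto>\S+)\s+"
    r"from (?P<src>\S+)(?: (?P<sport>\d+))? to (?P<dst>\S+)"
    r"(?: in recv (?P<iface>\S+))?$"
)

# Constructed test packet; every packet is assumed to be inbound on recv_if.
Packet = namedtuple("Packet", "proto src sport dst dport recv_if")

def parse_rules(text):
    """Parse only the rule shapes present in the thread, not full ipfw syntax."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append(m.groupdict())
    return rules

def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if rule["src"] != "any" and rule["src"] != pkt.src:
        return False
    # A port after the source address is a SOURCE port match.
    if rule["sport"] is not None and int(rule["sport"]) != pkt.sport:
        return False
    if rule["dst"] != "any" and rule["dst"] != pkt.dst:
        return False
    return rule["iface"] is None or rule["iface"] == pkt.recv_if

def first_match(rules, pkt):
    """ipfw checks rules in number order; fwd and allow both end the search."""
    for rule in sorted(rules, key=lambda r: int(r["num"])):
        if rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    return None
```

A reply leaving 10.10.10.251 from source port 443 hits rule 00010, while a client request from the same host on an ephemeral source port, or any packet from another LAN host, falls through to rule 65535.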
                      strongthany
                      last edited by Apr 28, 2020, 8:51 PM

                      @PiBa said in Unable to add PPA to Ubuntu server when connected to HAProxy.:

                      I'm running out of ideas what to check without some 'hands on' checking.. But I think we are active in different time-zones.. 'CET-evenings'..

                      That's okay, I understand. I think I'm going to make a new question in a different topic that might have more folks who can help. I really appreciate you helping me out here.
