Using HAproxy for reverse proxy with / in the backend



  • Long time lurker first time poster

I have recently been able to set up a reverse proxy using HAProxy in my pfSense firewall, and most sites work correctly, but seeing as my knowledge is limited to home learning (homelab), I am struggling with getting certain virtual servers on my Webmin server accessible. For instance, I have a virtual server for email running on 192.168.0.20 and then a Roundcube script installed to access the email on 192.168.0.20/roundcube. I would like to access the Roundcube site externally, but when I try to reach mail.mydomain.com/roundcube it just takes me to the 192.168.0.20 address and not the /roundcube address. How would I go about solving this issue? I tried adding the / address in HAProxy, but it is invalid; I figured as much, but it was worth a try. Is there another way to reach the /roundcube address through HAProxy?



  • @Evertvh
    So visiting https://192.168.0.20/roundcube works locally?
    What HAProxy configuration have you made? Can you share haproxy.cfg from the bottom of the settings tab?
    Also, I'm not sure what you mean by visiting mail.yourdomain brings you to 0.20.. is the browser receiving a redirect from the Roundcube server? Why is it sending that?



  • @Evertvh said in Using HAproxy for reverse proxy with / in the backend:

    e 192.168.0.

    Sorry, let me see if I can clarify a bit better.

    I am running a Virtualmin host on 192.168.1.20 and have set up a virtual server on the same IP called remote-entry, and set up a mail server for that so that I can use my own private mail server and web server. But since I have a Nextcloud instance using ports 80 and 443, I started looking into reverse proxies. I have a bit of knowledge of Nginx but tried HAProxy within pfSense. Now my issue is that locally I can access 192.168.1.20/roundcube to get to my mail server, and from there I can send and receive emails, but I would like to access these emails from the outside via mail.remote-entry.tld. So I started with setting up my backend so that I can reach Virtualmin through vip.remote-entry.tld, and that works, but what I can't set up is reaching Roundcube, because in the backend if I enter 192.168.1.20/roundcube it gives me an error. So how would I solve this? Below is the config file (everything is basically the same except the names have been changed). Also note that you will not see anything in the backend for Roundcube because I can't create it, and that I use a VIP for HAProxy and NAT as it works best for me for now.

    gid			80
    nbproc			1
    nbthread			1
    hard-stop-after		15m
    chroot				/tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param	2048
    server-state-file /tmp/haproxy_server_state
    

    listen HAProxyLocalStats
    bind 127.0.0.1:444 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

    frontend HTTP_80
    bind 192.168.1.5:80 name 192.168.1.5:80
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    http-request redirect scheme https

    frontend HTTPS_443
    bind 192.168.1.5:443 name 192.168.1.5:443 ssl crt-list /var/etc/haproxy/HTTPS_443.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl freenas var(txn.txnhost) -m beg -i ns.remote-entry.tld
    acl cloud var(txn.txnhost) -m beg -i cloud.remote-entry.tld
    acl cloud2 var(txn.txnhost) -m beg -i cloud.otherdomain.tld
    acl cloud3 var(txn.txnhost) -m beg -i cloud.otherdomain.tld
    acl cloud4 var(txn.txnhost) -m beg -i cloud.otherdomain.tld
    acl cloud5 var(txn.txnhost) -m beg -i cloud.otherdomain.tld
    acl vip var(txn.txnhost) -m str -i vip.remote-entry.tld
    acl aclcrt_HTTPS_443 var(txn.txnhost) -m reg -i ^([^.]*).remote-entry.tld(:([0-9]){1,5})?$
    acl aclcrt_HTTPS_443 var(txn.txnhost) -m reg -i ^cloud.otherdomain1.tld(:([0-9]){1,5})?$
    acl aclcrt_HTTPS_443 var(txn.txnhost) -m reg -i ^cloud.otherdomain2.tld(:([0-9]){1,5})?$
    acl aclcrt_HTTPS_443 var(txn.txnhost) -m reg -i ^cloud.otherdomain3.tld(:([0-9]){1,5})?$
    acl aclcrt_HTTPS_443 var(txn.txnhost) -m reg -i ^cloud\vip.remote-entry.tld(:([0-9]){1,5})?$
    acl aclcrt_HTTPS_443 var(txn.txnhost) -m reg -i ^cloud.otherdomain.tld(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend Cloud_ipvANY if cloud aclcrt_HTTPS_443   # the acl above is declared as 'cloud', not 'cloud1'
    use_backend Cloud_ipvANY if cloud2 aclcrt_HTTPS_443
    use_backend Cloud_ipvANY if cloud3 aclcrt_HTTPS_443
    use_backend Cloud_ipvANY if cloud4 aclcrt_HTTPS_443
    use_backend Cloud_ipvANY if cloud5 aclcrt_HTTPS_443
    use_backend vip_ipvANY if vip aclcrt_HTTPS_443   # the backend below is named vip_ipvANY

    backend Cloud_ipvANY
    mode http
    id 104
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server cloud 192.168.1.XX:443 id 105 ssl check inter 1000 verify none crt /var/etc/haproxy/server_clientcert_5eac2ed517b6d.pem

    backend vip_ipvANY
    mode http
    id 102
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server webmin 192.168.1.20:10000 id 103 ssl check inter 1000 verify none



  • @Evertvh said in Using HAproxy for reverse proxy with / in the backend:

    in the backend if I had 192.168.1.20/roundcube it gives me an error

    Yes, a 'server' is defined by an IP:port combination. That does not include a URL path.
    So if you just add a backend for server 192.168.1.20:443 (or is it :80? anyhow, whatever port it is using), how far does that make it work for you then?
    You could add an ACL that checks for the mail domain and forwards traffic to the Roundcube backend then, right?
    Do 'stats' then show the server as 'UP'?
    What happens if you then visit 'https://mail.remote-entry.tld/roundcube'?



  • @PiBa said in Using HAproxy for reverse proxy with / in the backend:

    acl that chec

    Yeah, that part I understand: it's IP:port, and /roundcube is a URL.

    Yes, the server shows as up under stats.

    If I go to https://mail.remote-entry.tld/roundcube I get a 'Server does not exist' return, because technically the correct path for Roundcube is https://remote-entry.tld/roundcube.

    And if I did get https://mail.remote-entry.tld/roundcube working, it would defeat the purpose of what I am trying to achieve.

    I tried looking at an ACL that will look for roundcube, but maybe I am misunderstanding how it will work.

    Should I do an ACL that looks for roundcube and that points to an ACL that works for https://remote-entry.tld/roundcube, where the https://remote-entry.tld/roundcube ACL is just https://mail.remote-entry.tld and that points to the backend of https://192.168.1.20?

    Maybe I am making a mountain out of a molehill and would be better served using Nginx as a reverse proxy.



  • @Evertvh said in Using HAproxy for reverse proxy with / in the backend:

    if i do go and say https://mail.remote-entry.tld/roundcube I get a Server does not exist return. because technically it the correct path for round cube is https://remote-entry.tld/roundcube

    'Who' is saying the server doesn't exist? I presume you have the proper DNS records in place to point to HAProxy?

    In your first post you wrote "but when i try to reach mail.mydomain.com/roundcube it just takes me to the 192.168.0.20", which sounds like you actually did get a response? (No idea if that was with http or https though, as you seem to forget to actually specify these details, which might actually matter..)

    @Evertvh said in Using HAproxy for reverse proxy with / in the backend:

    if i did get https://mail.remote-entry.tld/roundcube working it would defeat the purpose of what i am trying to achieve.

    What are you trying to achieve?

    • What is the desired URL to visit in a browser?
    • What have you configured? (Show the current config.)
    • What is the current effect?
    • What have you checked, and what do you expect might need to change?
    • Is a request from the browser currently already sent to the 'correct' webserver, but its virtual-servers configuration just doesn't recognize the proper website to reply for? If so, perhaps a simple set-header command with the actual domain would suffice?

    Anyhow, I'm struggling to parse your reply and thoughts mixed together with a seemingly large lack of understanding..
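The two suggestions in this thread (a backend for 192.168.1.20:443 selected by a host ACL, and a set-header with the real domain so the Virtualmin virtual server answers) fit together in one config fragment. The following is an added example written for this page; it is not from the original posts or from the pfSense HAProxy package. It assumes the Roundcube virtual server listens on 192.168.1.20:443 and expects the Host header remote-entry.tld, that the public name is mail.remote-entry.tld, and the backend name roundcube_ipvANY is made up. In the pfSense GUI the same lines map to a backend with a "Host" header-set action and a frontend ACL of type "Host matches", but the raw form is shown here because it is what the stats/config tab exports.

```haproxy
# Added example, not from the thread. Routes https://mail.remote-entry.tld/roundcube
# to the Roundcube virtual host on 192.168.1.20. Port 443, the expected Host header
# (remote-entry.tld) and the backend name roundcube_ipvANY are assumptions.
frontend HTTPS_443
    bind 192.168.1.5:443 name 192.168.1.5:443 ssl crt-list /var/etc/haproxy/HTTPS_443.crt_list
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    # Same pattern as the posted config: copy Host into a txn variable first,
    # then match on it. -m str is an exact match, so a name such as
    # cloudmail.remote-entry.tld cannot accidentally hit this rule (-m beg would).
    http-request set-var(txn.txnhost) hdr(host)
    acl mail var(txn.txnhost) -m str -i mail.remote-entry.tld
    # Only expose the Roundcube path on the mail name; everything else on that
    # host gets a 404 from HAProxy and never reaches the Virtualmin box.
    acl rc_path path_beg -i /roundcube
    http-request deny deny_status 404 if mail !rc_path
    use_backend roundcube_ipvANY if mail

backend roundcube_ipvANY
    mode http
    # Rewrite Host to the name the Virtualmin virtual server is configured for,
    # so Apache serves the remote-entry.tld vhost instead of the default site
    # (this is the "Server does not exist" case seen in the thread).
    http-request set-header Host remote-entry.tld
    # If Roundcube answers with a redirect to its own name, rewrite the
    # Location header back to the public name so the browser stays on HAProxy.
    http-response replace-header Location ^https?://remote-entry\.tld(.*)$ https://mail.remote-entry.tld\1
    # Health check the actual application path, not just "/".
    option httpchk GET /roundcube/
    # A server is IP:port only; the path is selected by the ACLs above.
    server webhost 192.168.1.20:443 ssl verify none check inter 1000
```

Two things worth checking before trusting this: `haproxy -c -f /var/etc/haproxy/haproxy.cfg` confirms the ACL names are declared before the rules that use them (the posted config references `cloud1` and `webmin_ipvANY`, neither of which is declared, so the file as pasted would not load). To find out who sends the redirect that "takes you to 192.168.0.20", bypass DNS and look at the response headers directly: `curl -kv --resolve mail.remote-entry.tld:443:192.168.1.5 https://mail.remote-entry.tld/roundcube/ -o /dev/null` shows whether HAProxy returned the 404 deny, Apache returned the default vhost, or Roundcube sent a `Location:` pointing at the internal address. `verify none` is kept because the backend certificate is self-signed, as in the posted config; if the Virtualmin host has a real certificate, switch to `verify required ca-file ...` so a compromised LAN host cannot impersonate it.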

