Using HAproxy for internal web servers



  • Hi,

I'm currently configuring HAproxy to provide more than one web server with one domain and one external IP address.

After some tries I configured HAproxy to forward requests to my Gitlab server. HAproxy is very nice together with the ACME package, because I don't need to request certs on every server separately.

I want to use the same mechanism for my internal web server, i.e. my Proxmox server's web GUI. At my first try, I just copied the WAN frontend configuration and changed the Listen Address from WAN to LAN, which did not work out. Instead I was unable to reach any web interface on my local network, including pfSense itself.

I read various threads here and on Reddit, but found no solution. Can someone help me out a little bit?

    Greetings
    m0nKeY



What I have done is have externally accessible domains resolve using my configured DNS servers. For internal domains, I add a host override in pfSense that points to the reverse proxy, and I also have various deny and allow entries in the Nginx configuration file to limit who can connect to what service.

Originally I had two separate reverse proxy servers, but I am working on merging them into one and using rules to limit access to the internal and external sites as appropriate.



Thanks for your reply. Did you configure your reverse proxy to listen on the LAN interface? In my case, the reverse proxy is pfSense itself.


  • LAYER 8 Netgate

    I made an RFC1918 VIP on localhost.

    HAproxy binds to that.

    I port forward WAN to that.

    I have split DNS inside pointing to the inside VIP address.

    Outside DNS, of course, points to WAN through various Dynamic DNS trickery. I CNAME all the domains to one record that is updated via Dynamic DNS (on hurricane).

    It all works great. The nextcloud app on my phone does not care if it is inside or outside. It just works.

The ACME package handles all the certs; inside or outside get the same ones. Connections to the backends are unencrypted. And, like you, I grew weary of maintaining certificates on all the backends and haven't thought about it for months.



My pfSense install forwards ports 80 and 443 to the reverse proxy for external domains, and internal is handled through DNS host overrides.


  • LAYER 8 Netgate

    @Astraea For me, that requires I maintain the certificates on HAProxy and the web servers themselves. That's why I tell HAproxy to listen on an internal VIP and use that for my DNS host overrides. Inside and outside connections go to the same frontend but without crud like NAT reflection.
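Below is an added example, not posted by anyone in this thread and not the configuration the pfSense HAproxy package generates, showing what the design described in the two Netgate posts above (one frontend bound to an RFC1918 VIP on localhost, WAN port-forwarded to it, internal DNS host overrides pointing at it, ACME-managed certificate, unencrypted backends) looks like as a hand-written haproxy.cfg. Every address, hostname, certificate path and backend port is an assumption chosen for illustration; the Proxmox backend is re-encrypted because the Proxmox web GUI only serves TLS on port 8006. The `src` ACL works for both directions because a plain port forward (no NAT reflection) preserves the client's real source address.

```haproxy
# Added example; all addresses, names and paths are assumptions, not values from the thread.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    option forwardfor                      # pass the real client IP to the backends
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Single shared frontend. It binds ONLY to the VIP (assumed 10.255.255.1, an RFC1918
# address configured as a virtual IP on localhost), never to the LAN interface
# address, so it cannot collide with the pfSense GUI listening on the LAN IP.
# pfSense side (not HAproxy): port forward WAN:80/443 -> 10.255.255.1:80/443, and
# DNS host overrides for the public names -> 10.255.255.1.
frontend shared_https
    bind 10.255.255.1:443 ssl crt /var/etc/haproxy/example.com.pem alpn h2,http/1.1
    bind 10.255.255.1:80

    # Let the ACME HTTP-01 challenge through unencrypted if you validate that way;
    # everything else on port 80 is redirected to HTTPS. (With DNS-01 validation
    # this ACL is never matched.)
    acl acme_challenge path_beg /.well-known/acme-challenge/
    http-request redirect scheme https unless { ssl_fc } || acme_challenge

    # Route on the Host header (TLS is already terminated here, so hdr(host) is usable).
    acl host_gitlab  hdr(host) -i gitlab.example.com
    acl host_proxmox hdr(host) -i pve.example.com

    # Who is "inside": the LAN subnet (assumed). Internal clients reach the VIP
    # directly, external clients arrive via the port forward with their public IP.
    acl from_lan src 192.168.1.0/24

    # Management UI is never exposed to the Internet through this frontend.
    http-request deny deny_status 403 if host_proxmox !from_lan

    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    use_backend acme_backend    if acme_challenge
    use_backend gitlab_backend  if host_gitlab
    use_backend proxmox_backend if host_proxmox
    default_backend gitlab_backend

# Assumed: the ACME package's standalone HTTP-01 responder listening locally.
backend acme_backend
    server acme 127.0.0.1:8080

# Plain HTTP to the backend, as in the thread: the cert lives only on HAproxy.
backend gitlab_backend
    server gitlab 192.168.1.20:80 check

# Proxmox only serves TLS on 8006 with its own self-signed cert, so this hop is
# re-encrypted; "verify none" accepts that cert. Use "verify required" with a
# ca-file if you install a trusted cert on the node.
backend proxmox_backend
    server pve 192.168.1.30:8006 ssl verify none check
```

Before reloading, validate the file with `haproxy -c -f <path to haproxy.cfg>`; on pfSense the package writes its generated configuration under /var/etc/haproxy/ (path assumed), and the same check applies to it. Two things worth watching in the logs: a 403 for pve.example.com from a non-LAN source is expected and confirms the ACL is doing its job, and any bind error at startup usually means the VIP address was not actually created in pfSense before HAproxy tried to bind to it.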

