Netgate Discussion Forum

ACME/HAproxy settings for Domoticz client not working

Category: Cache/Proxy | 9 Posts, 2 Posters, 1.1k Views
    gschmidt, Mar 10, 2021, 10:26 PM (last edited by gschmidt Mar 10, 2021, 10:27 PM)

    Hi,

    I have a problem opening Domoticz (the Domoticz web-based application) securely and encrypted from outside the WAN with ACME/HAproxy. I get a connection error.

    First additional info:
    I have had Domoticz running for 3 years now on an RPi (OS: Raspbian Buster). By default it can be accessed with HTTP (8080) and HTTPS (443), but I only access it from outside the WAN with HTTPS to control my home automation devices. I also have a paid service for Domoticz which also needs WAN access.

    It has already been encrypted for 3 years on the client side with Let's Encrypt. letsencrypt-auto and certbot-auto are used to create and renew the certificate for my domain: xxxxxx.duckdns.org
    In the Domoticz folder a PEM file is located.

    What is my goal
    My goal is to create a secure encrypted connection and handle the SSL offloading for Domoticz only at the frontend of HAproxy. If this is working, the certificate on the client side can be removed (it stays in place to ensure the encrypted connection during configuration).

    What steps did I perform

    1. I created a Let's Encrypt certificate with ACME for xxxxxx.duckdns.org
      According to the log, the certificate is successfully issued/renewed (I double-checked this by renewing the certificate; below is the last row of the log):
    update cert![Wed Mar 10 21:26:01 CET 2021] Reload success

    This certificate has different CA and key values than the PEM on the client side.

    2. Configured the HAproxy settings page:
      Maximum connections 1000 (pfSense runs on a mini-pc with i3Intel chip with 4 cores and 4gb internal memory)
      Internal Stats Port: 2200
      SSL DH Parameter is 2048

    3. Configured backend settings, which are quite default:
      [screenshot: backend settings]
      All "advanced server settings" fields are left blank
      Health check set to None
      The rest of the fields are the default settings

    4. Configured frontend settings
      [screenshots: frontend settings]
      The rest of the fields are left default

    Result:
    In order to check if this works I needed to remove the PEM file in the Domoticz directory of the RPi.

    After I restarted Domoticz, I get the following error (in the DuckDuckGo browser on my phone, not connected to the home network):
    net::ERR_CONNECTION_REFUSED

    I can see in the Stats page that the frontend gets requests.
    [screenshot: HAProxy stats page]

    Note: when I move the PEM file back to the original location the encryption works normally again.

    What am I doing wrong?

      PiBa @gschmidt, Mar 10, 2021, 11:19 PM (last edited by PiBa Mar 11, 2021, 8:21 PM)

      @gschmidt
      The Stats frontend gets 8 requests, the domoticz frontend got 0 in the screenshot above.. So that would mean haproxy didn't get any requests on :443 so far.. Might be firewall rules or an old NAT rule diverting traffic elsewhere..

      Also, if the server is listening on :443 that probably uses a certificate, and as such haproxy must also re-encrypt the offloaded frontend connection before passing it further to that server. Or perhaps configure haproxy to connect to that 8080 port? As for healthchecks, they are nice to see if the server turns 'green' according to haproxy.. And if not, whether you have a possible L4, L6 or L7 issue there.. Though yes, it can also hinder things if the request haproxy makes for the check isn't using the domain / method / SNI the webserver expects. That can usually be added in the config though..

        gschmidt @PiBa, Mar 11, 2021, 9:08 PM

        @piba

        So there are several possibilities which may cause HAproxy not to work properly. You did not mention anything about the settings/backend/frontend configuration I shared. Does this mean that my configuration seems to be OK?

        If it appears to be, let's start with the first possible cause you mentioned... NAT rules.
        In my old setup I obviously had to port forward 443 to the Domoticz client. I disabled this rule after I created the 80 and 443 rules for HAproxy.

        Can disabled rules cause this issue?

          gschmidt @PiBa, Mar 11, 2021, 10:00 PM (last edited by gschmidt Mar 11, 2021, 10:24 PM)

          @piba

          I think I know where it goes wrong! But it is not solved yet.

          3 years ago, in my old (encrypted) situation I port forwarded 443 from WAN to the Domoticz host (I also port forwarded HTTP port 9090 to 80 for renewal of the Domoticz certificate, which I only enable for renewal).

          Note: the default Domoticz HTTP port 8080 I mentioned earlier I also changed (3 years ago) to 9090.

          [screenshot: Firewall/NAT/Port Forward rules]

          In Firewall/Rules/WAN these port forwards were added to the rules.

          When I disabled this port forward 443 in Firewall/Rules/WAN yesterday, I didn't realise that in Firewall/NAT/Port Forward this was still enabled!
          After disabling this in Firewall/NAT/Port Forward, the rule was also disabled.

          When I look at the stats page now I see some action:
          [screenshot: HAProxy stats page]

          However, when I open my xxxxx.duckdns.org from outside the WAN I get the following error: 502 Bad Gateway, the server returned an invalid or incomplete response.

          What may cause this error?

          When I followed the tutorial I had to create 2 firewall rules:
          create firewall rule
          Now create two firewall rules (Firewall / Rules / WAN). This opens TCP ports 80 and 443 on the WAN interface to expose our HAProxy to the external world.

          Is this correct?

          [Update]

          If I set the backend health check to HTTP, I get this stats page:
          [screenshot: HAProxy stats page, backend server marked down]

          And when I open the duckdns page it returns this Error:
          503 No server is available to handle this request

            PiBa @gschmidt, Mar 11, 2021, 10:22 PM

            @gschmidt said in ACME/HAproxy settings for Domoticz client not working:

            You did not mention anything about the settings/backend/frontend configuration I shared. Does this mean that my configuration seems to be Ok?

            I did mention the server configuration which I think is wrong (in the backend config page). Either you should check the "Encrypt(SSL)" checkbox or change the 443 port there to 9090.

              gschmidt @PiBa, Mar 11, 2021, 10:30 PM (last edited by gschmidt Mar 11, 2021, 10:33 PM)

              @piba

              I changed 443 to 9090... and now I got logged in!

              [screenshot: Domoticz login succeeded]

              Why is 443 not working then?

              [update]
              Checking "Encrypt(SSL)" with 443 is also working, by the way.

                PiBa @gschmidt, Mar 11, 2021, 10:37 PM (last edited by PiBa Mar 11, 2021, 10:42 PM)

                @gschmidt said in ACME/HAproxy settings for Domoticz client not working:

                Why is 443 not working then?

                Haproxy 'offloads'/decrypts the https traffic on the frontend so it is 'plain http' when passing through haproxy's rules/memory.

                Then it sends the traffic to the backend and to the configured server on the configured port. If you configure it to send to :443 it will happily do that, but it will send it as 'plain http' to the webserver, which expects 'https' traffic on that port and so denies the plain request..

                So to make sure haproxy sends 'https' to the server you must check the 'encrypt(ssl)' checkbox on the backend/server config.
                [screenshot: backend server settings with the "Encrypt(SSL)" checkbox]

                  gschmidt @PiBa, Mar 11, 2021, 10:48 PM (last edited by gschmidt Mar 11, 2021, 10:49 PM)
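                To make the explanation above concrete, here is a hand-written haproxy.cfg that reproduces the three backend variants discussed in this thread. It is an added example, not a configuration generated by the pfSense HAProxy package or posted by anyone in the thread; the host address 192.168.1.50, the certificate path and the domain example.duckdns.org are assumptions standing in for the poster's own values. The ports 9090 (plain HTTP) and 443 (the application's own TLS listener), the 2048-bit DH parameter and the HTTP health check are the values from the thread.

```haproxy
# Added example (not from this thread or the pfSense HAProxy package):
# the haproxy.cfg equivalent of the GUI settings discussed above.
# Assumed values: 192.168.1.50 is the Domoticz host; the ACME-issued
# certificate is exported as a combined cert+key PEM file.

global
    log 127.0.0.1 local0
    ssl-default-bind-options ssl-min-ver TLSv1.2
    tune.ssl.default-dh-param 2048          # "SSL DH Parameter is 2048"

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend: TLS is terminated ("offloaded") here with the ACME certificate.
# From this point on haproxy handles the request as plain HTTP.
frontend domoticz_https
    bind :443 ssl crt /var/etc/haproxy/example.duckdns.org.pem
    http-request set-header X-Forwarded-Proto https
    default_backend domoticz_plain

# BROKEN (the original backend): plain HTTP handed to the port on which the
# application expects TLS. The application's TLS listener rejects the
# cleartext bytes, so haproxy reports "502 Bad Gateway, the server returned
# an invalid or incomplete response". With an HTTP health check enabled the
# check fails the same way, the server is marked DOWN, and clients get
# "503 No server is available to handle this request" instead.
#backend domoticz_broken
#    option httpchk GET /
#    server rpi 192.168.1.50:443 check

# FIX A (what the thread settled on): send plain HTTP to the plain HTTP port.
# The application's own PEM certificate is no longer needed; haproxy is the
# only component holding a certificate and private key.
backend domoticz_plain
    option httpchk GET /
    server rpi 192.168.1.50:9090 check

# FIX B ("Encrypt(SSL)" checkbox): keep the application's own TLS listener and
# re-encrypt between haproxy and the server. The application must then keep
# its own certificate; `verify none` accepts any certificate on that hop, so
# prefer `verify required ca-file <ca.pem>` when the server certificate is
# trusted and the internal network is not.
backend domoticz_reencrypt
    option httpchk GET /
    server rpi 192.168.1.50:443 ssl verify none check
```

                With this layout, enabling the HTTP health check is also the quickest diagnostic: a server that stays DOWN while the frontend counters increase points at the backend hop (wrong port or missing re-encryption), whereas zero frontend traffic points at firewall or NAT rules, which is the order in which the thread found its two problems.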

                  @PiBa

                  I get it now!

                  I already figured out that if I delete the (old) PEM file in the domoticz folder,
                  I can't use the setting: "Encrypt(SSL)" with 443.

                  So the 9090 setting is exactly what I had in mind.
                  Now I can delete the PEM file on the domoticz host and ACME/HAproxy is dealing with the secure encryption of the Domoticz host.

                  Thanks for the help, man!

                    gschmidt @PiBa, May 7, 2021, 4:08 PM

                    @piba

                    I have a question about the 503 error page.

                    If somebody accesses my WAN IP address (e.g. https://67.46.29.83:443) instead of my domain name, HAproxy shows a 503 error page. Is this normal behaviour of HAproxy?

                    If so, this is nice because I want to block access to the WAN IP, but is it also possible to modify the header and content of the 503 page?

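                    The behaviour asked about in the last post comes from haproxy's routing rules: when no ACL matches and the frontend has no default_backend, haproxy itself answers 503, and the `errorfile` directive lets you replace that response. The configuration below is an added example, not a reply from the thread or the pfSense package's own output; the domain example.duckdns.org, the host 192.168.1.50 and the error page path are assumptions. It routes on both the TLS SNI name and the HTTP Host header, so a request addressed to the bare WAN IP (which carries neither) never reaches the Domoticz backend.

```haproxy
# Added example (not from this thread): host-based routing so that only
# requests for the configured domain reach Domoticz. Assumed values:
# example.duckdns.org is the ACME domain, 192.168.1.50:9090 is the plain
# HTTP port of the Domoticz host, and /var/etc/haproxy/errors/503.http is a
# custom error page you create yourself.

frontend domoticz_https
    bind :443 ssl crt /var/etc/haproxy/example.duckdns.org.pem
    mode http

    # Replace haproxy's built-in 503 response. The file must be a complete
    # raw HTTP response, for example:
    #   HTTP/1.0 503 Service Unavailable
    #   Cache-Control: no-cache
    #   Content-Type: text/html
    #   (blank line)
    #   <html><body>Nothing here.</body></html>
    errorfile 503 /var/etc/haproxy/errors/503.http

    # Match the name the client sent in the TLS handshake (SNI) and in the
    # Host header. A request by bare IP address sets neither.
    acl sni_ok  ssl_fc_sni    -i example.duckdns.org
    acl host_ok req.hdr(host) -i example.duckdns.org

    # Only route to Domoticz when both names are the expected one.
    use_backend domoticz_plain if sni_ok host_ok
    # No default_backend: anything else gets the 503 response above.

backend domoticz_plain
    mode http
    option httpchk GET /
    server rpi 192.168.1.50:9090 check
```

                    Two notes on the design: without a matching certificate for the IP address, a browser connecting to https://<WAN IP> already gets a certificate warning before the 503 page, since the ACME certificate only covers the DuckDNS name; and if the intent is to reject rather than to serve a custom page, `http-request deny unless host_ok` in the same frontend returns a 403 instead of falling through to the 503 path.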
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.