Split DNS to a local webserver with a port number
-
@iptvcld said in Split DNS to a local webserver with a port number:
Cloudflare is routing somewhere to the USA then back to Canada to get to my services, so the ping lag is large, around 80ms (this shows the signs when viewing my security cams).
Huh? That has nothing to do with accessing your resources that are local.. Only if Cloudflare is doing the proxy aspect of the connection. Which is normally the default.
So your problem is you resolve some FQDN, that actually points to a Cloudflare IP, which then proxies it to your pfSense WAN IP.. Which you then HAProxy to some internal IP..
-
Correct; I have a FQDN (ha.test.ca) that is hosted on Cloudflare and resolves back with a Cloudflare proxied IP. This resolves OK to my server from external and also resolves internally using the same FQDN (via the VIP, host override and HAProxy).
But wondering if there is a better way, as my server is not too happy with this method for internal.
When I am internal and try to access ha.test.ca it pings back with the Cloudflare IP (if I don't have a host override).
-
@iptvcld said in Split DNS to a local webserver with a port number:
When I am internal and try to access ha.test.ca it pings back with the Cloudflare IP (if I don't have a host override)
Yeah - in such a setup with that external proxy I can see wanting to use a host override when you're internal. But that could/should just point to your pfSense WAN IP.. And then your local HAProxy should work how it works from external access.
-
@johnpoz
When I ping my Cloudflare domain DNS name it goes via 11 hops before it comes back to my WAN IP. That's why I was looking for a good way to stay internal when on my internal LAN using the same FQDN -
@iptvcld said in Split DNS to a local webserver with a port number:
as my server is not too happy with this method for internal.
Please explain what exactly this means.
On public DNS your FQDN resolves to your WAN VIP, which HAProxy is listening on. HAProxy does TLS offloading and sends the requests to the webserver. Now you have to configure HAProxy to listen on its internal interface as well, or forward the traffic.
The webserver only listens on its internal IP, isn't aware of the public IP, and should respond back to the proxy. If the server has to access itself using its hostname, you have to make sure that it also resolves to its internal IP.
So it's not clear what's making your server unhappy here.
However, you might possibly get issues with that if HAProxy is in transparent mode. -
@iptvcld said in Split DNS to a local webserver with a port number:
When I ping my Cloudflare domain DNS name it goes via 11 hops before it comes back to my WAN IP. That's why I was looking for a good way to stay internal when on my internal LAN using the same FQDN
Again - this is where you have to use a host override so your Cloudflare proxied FQDN resolves to a local IP (this could be your pfSense WAN IP).. Which your HAProxy will then forward to your internal resources if you want it to do the SSL offload and change in port.
-
@johnpoz
For Host Override; how can I get it to return back with the pfSense WAN IP? Under "IP to return for host" there is just an option to key in an IP. -
@iptvcld said in Split DNS to a local webserver with a port number:
Under IP to return for host there is just an option to key in an IP.
You don't know what your WAN IP is? Yeah, you would have to put it in for a host override..
-
@johnpoz
I have my WAN IP, but it is dynamic, so I guess this won't work as well. So I can make it work with the host override pointing back to the LAN IP (192.168.2.1) and then in HAProxy I have it listening on that LAN IP and it will resolve back with the web service. But the issue I get with this is when I try to send a curl command for my Home Assistant (curl -d "" http://ha.test.ca/api/webhook/UGmwy) I get this error: curl: (60) SSL certificate problem: unable to get local issuer certificate. And if I don't use a host override, then all works, but I don't want to use the external Cloudflare IP to access my internal things.
-
Did a deep dive into this today (HAProxy) as I had a feeling I was having SSL cert offloading issues. What I did was delete my ACME cert under Cert Manager and then create a new key and re-issue the cert. I then went back to HAProxy and selected that cert again under the frontend and everything started working!
I have a VIP which I resolve to under host override, with the web servers I want to access internally via the FQDN without going through Cloudflare and having the extra hops while internal. That resolves to the VIP, and then in HAProxy I am listening on my WAN address and now the new VIP address. So when it sees a request coming from internal/external it will resolve the web server..
Thank you for your help today on that..
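The two checks the thread keeps coming back to are (1) whether a LAN client is really getting the host override answer rather than the Cloudflare-proxied address, and (2) whether the HAProxy frontend on the LAN VIP serves a certificate chain that curl will accept. The script below is an added example written for this page, not code from any poster or from pfSense/HAProxy. The hostname ha.test.ca is taken from the thread; the VIP 192.168.2.250 and the Home Assistant path are assumptions. It classifies a resolved address as local (RFC 1918, so a host override answered) or external, and uses curl's --resolve option to pin the name to the VIP so the VIP listener can be tested without changing DNS at all.

```shell
#!/bin/sh
# Added example for the split-DNS thread above; not from the forum posters or pfSense.
# Assumed values: FQDN ha.test.ca (from the thread), LAN VIP 192.168.2.250 (made up).

# is_private_ip: 0 (true) when $1 is an RFC 1918 address.
# A working host override on the pfSense resolver should hand a LAN client one of these.
is_private_ip() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_answer: print "local" for an RFC 1918 answer (host override in effect),
# "external" otherwise (the public, Cloudflare-proxied record is being used).
classify_answer() {
    if is_private_ip "$1"; then
        echo local
    else
        echo external
    fi
}

# resolve_name: first IPv4 answer for $1 from the client's configured resolver
# (on a LAN host that is the pfSense DNS Resolver, so overrides apply).
resolve_name() {
    if command -v getent >/dev/null 2>&1; then
        getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
    else
        dig +short A "$1" | head -n1
    fi
}

# probe_vip: talk to the HAProxy frontend on $2 while still sending SNI/Host for $1.
# --resolve pins name:443 to the VIP, so this tests the LAN listener even if DNS
# still points at Cloudflare. ssl_verify_result is 0 only if curl could build a
# chain to a trusted root; a non-zero value is the curl (60) "unable to get local
# issuer certificate" case, usually a frontend cert served without its intermediate.
probe_vip() {
    name=$1
    vip=$2
    path=${3:-/}
    curl -sS -o /dev/null -w '%{http_code} %{ssl_verify_result}\n' \
        --resolve "$name:443:$vip" "https://$name$path"
}

main() {
    name=${1:-ha.test.ca}
    vip=${2:-192.168.2.250}
    ip=$(resolve_name "$name")
    echo "$name resolves to ${ip:-nothing} ($(classify_answer "$ip"))"
    echo "probing HAProxy on $vip with --resolve:"
    probe_vip "$name" "$vip" /api/webhook/example
}

# Only run the live checks when asked, so the functions can be sourced on their own.
if [ -n "$RUN_SPLIT_DNS_CHECK" ]; then
    main "$@"
fi
```

Run it from a LAN client as `RUN_SPLIT_DNS_CHECK=1 sh split_dns_check.sh ha.test.ca 192.168.2.250`. If the first line reports "external", the host override is not being consulted (the client is using another resolver, or the override is on the wrong name). If the resolve line is "local" but the probe prints a non-zero verify result, the problem is the certificate chain the VIP frontend serves, which matches the fix the thread landed on (re-issuing the ACME cert and re-selecting it on the frontend); `openssl s_client -connect 192.168.2.250:443 -servername ha.test.ca` shows the exact chain being sent.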