Onlyoffice behind HAproxy (pfsense) for SSL offloading
-
I am trying to add Onlyoffice to my Nextcloud installation by using HAProxy (on my pfSense box) for SSL offloading. I have all my other services set up this way and I don't have any of my services exposed to the outside, just internal LAN access.
I'm running Onlyoffice in a Docker container as described in their documentation. I can access the server at http://<ipaddress>:port, where I am currently using port 6850 on the outside mapped to 80 inside the container.
So far, everything works OK. Now, to integrate with Nextcloud it needs to be over https, so I tried to do the HA reverse proxy for SSL offloading like I have for all other services (Nextcloud, pfSense, BookStack, Xen Orchestra), however I get 503 Service Unavailable.
Reading the documentation, it seems like some custom ACLs and HTTP header forwarding are needed for Onlyoffice. It took me a while (as in this post, Re: HAProxy: Use UNLESS condition instead of default IF) to figure out how to change the "if" to "unless" on the ACL, but I did it.
So now I have those ACLs added to the HAProxy config but I'm still getting a 503 error.
Any clues or ideas are appreciated.
Wondering if OP got this working and maybe can share his/her configuration.
This is what my backend looks like in the HAProxy config:
frontend MatuteHome
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /var/etc/haproxy/MatuteHome.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl onlyoffice var(txn.txnhost) -m str -i onlyoffice
    acl aclcrt_MatuteHome var(txn.txnhost) -m reg -i ^([^\.]*)\.matute\.us(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend onlyoffice_ipvANY if onlyoffice aclcrt_MatuteHome

backend onlyoffice_ipvANY
    mode http
    id 115
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
    acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
    http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
    http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
    server onlyoffice 192.168.10.168:6850 id 109 ssl check-ssl verify none
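
For comparison, an added example (not from either poster and not pfSense-generated output) of a frontend/backend pair for the setup the first post describes: TLS terminated on HAProxy and a Document Server container that answers plain HTTP on port 6850. The host name onlyoffice.matute.us is an assumption; the other values are taken from the configuration above.

```haproxy
# Added example. Assumes the container speaks plain HTTP on 192.168.10.168:6850
# and is published as onlyoffice.matute.us (assumed name).
frontend MatuteHome
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /var/etc/haproxy/MatuteHome.crt_list
    mode http
    option forwardfor
    timeout client 30000
    http-request set-var(txn.txnhost) hdr(host)
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # "-m str" is an exact string match. A Host value equal to "onlyoffice"
    # can never also match a *.matute.us pattern, so a rule that requires both
    # selects no backend, and HAProxy answers 503 when no backend is selected.
    # "-m beg" matches the leading label of the full host name instead.
    acl onlyoffice var(txn.txnhost) -m beg -i onlyoffice.
    use_backend onlyoffice_ipvANY if onlyoffice

backend onlyoffice_ipvANY
    mode http
    timeout connect 30000
    timeout server 30000
    retries 3
    acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
    acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
    http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
    http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
    # No "ssl" keyword: with "ssl" on the server line HAProxy opens a TLS
    # session to the upstream, which a plain-HTTP listener cannot complete.
    # "check" enables a health check so a dead upstream shows on the stats page.
    server onlyoffice 192.168.10.168:6850 id 109 check
```

With offloading, the hop from HAProxy to the container is unencrypted, so it should stay on a trusted LAN segment. If the upstream is later switched to HTTPS, "verify none" on the server line disables certificate validation for that hop.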