Netgate Discussion Forum

    HA Proxy / Acme Lets encrypt : LAN access problem from inside with external url https

    • D
      ducati57 @johnpoz
      last edited by

      @johnpoz
      Good morning,

      I just made the modification, it's gone.
      c26bbc6c-c5fb-403d-afb4-cfaffd85b237-image.png

      However still no local LAN access via HTTPS from an external url

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @ducati57
        last edited by

        @ducati57 said in HA Proxy / Acme Lets encrypt : LAN access problem from inside with external url https:

        However still no local LAN access via HTTPS from an external url

Did you create your host overrides?

Are your clients pointing to pfSense for DNS?

Do a simple DNS query from a client. Did it resolve your FQDN to the pfSense WAN IP, vs the public one? Maybe your browser is using DoH for DNS instead of pointing to the pfSense IP for it.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • D
          ducati57 @johnpoz
          last edited by ducati57

          @johnpoz Yes, here is the conf for "Host Overrides"

          af710cb1-a255-4082-a544-e68238ef384e-image.png

          Yes, here is my PC (wifi) where it is visible in DNS (Pfsense) in 192.168.1.1

          ec4edc7e-e4fd-437e-849b-d559ac7912a2-image.png
          b2ee527c-8393-4da8-adeb-818b979ed588-image.png

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @ducati57
            last edited by johnpoz

            @ducati57 so your nslookup for dom.namedomaine.ovh returns 192.168.1.21

            do your nslookup dom.namedomaine.ovh

What does it reply with? If that works and you're still going to the public IP in your browser, are you sure your browser isn't using DoH instead of your local DNS?

            And that is not the right override anyway - if you want it to bounce off pfsense wan IP running haproxy, then it should be to pfsense wan IP.. Not the actual host IP the site is running on.

            haproxy.jpg

            • D
              ducati57 @johnpoz
              last edited by ducati57

              @johnpoz said in HA Proxy / Acme Lets encrypt : LAN access problem from inside with external url https:

              do your nslookup dom.namedomaine.ovh

              A test from my laptop :

              27498b4b-0fea-4454-b9f8-3c8358a14eed-image.png

              A direct test of the VM on my ESXI :

              907e6ebb-49a5-4ae2-81c3-6e2a8259af45-image.png

              • johnpozJ
                johnpoz LAYER 8 Global Moderator @ducati57
                last edited by

@ducati57 then it should be hitting your haproxy - look in the haproxy logs. Do you have some rule on pfSense LAN that would prevent that? Like, are you doing policy routing?

Also, again: is your browser using DoH? Many browsers love to default to that with no mention of it to the user.

                Look in your browsers dns cache to validate it resolved to your wan IP where haproxy is listening..

                For example in firefox you can go here to view the cache
                about:networking#dns

                trr.jpg

                • D
                  ducati57 @johnpoz
                  last edited by ducati57

                  @johnpoz

For this section, can I leave it like this or should I put LAN and localhost?
                  b0b831dc-4c3e-41ac-b973-8804b72165aa-image.png

                  I just rebooted Pfsense, cleaned the browser caches on my phone and laptop, as well as a reboot.
                  I can now connect locally via the external address! :)
                  Thanks a lot for the help !!

                  b0604209-19da-4078-9967-df161424e420-image.png

                  Concerning the 2nd subject with my Dahua VMS (NVR) also any idea?

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @ducati57
                    last edited by

                    @ducati57 said in HA Proxy / Acme Lets encrypt : LAN access problem from inside with external url https:

                    Concerning the 2nd subject with my Dahua VMS (NVR) also any idea?

I don't know what that is, or how it is supposed to work. You want to run that through your haproxy as well? If it's not truly HTTPS then haproxy might not work, but you could use TCP mode in haproxy maybe?

                    Does that work if you turn off the rfc1918 block like you were doing before with these other vms?

                    • D
                      ducati57 @johnpoz
                      last edited by ducati57

                      @johnpoz
                      Last question regarding problem 1, could you confirm that I do not have to make any modifications to this issue in the DNS RESOLVER?
                      5d627d98-e2cb-4261-9fc8-37d805de507f-image.png

                      ==================

                      Concerning problem 2, this is a VM dedicated to recording video streams from different cameras.
                      The VM uses a logger which broadcasts via port 37777.
                      7fd4a3e9-0195-4893-b7bc-467bd02382e2-image.png

It is possible to connect to the recorder (VM) via an application using IP or URL, port, login, password.

                      62b280a7-350f-412b-8a94-b78ec6100361-image.png

And yes, ideally I want to encapsulate the service (port 37777) in HTTPS.
So I'm thinking of testing TCP mode in HAProxy....

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @ducati57
                        last edited by

@ducati57 your ALL for outgoing - this is just the default. You probably have no use for your other interfaces for "outgoing". Do you have other downstream DNS that is only available via your LAN-side interfaces? That you want to do, say, a domain override with?

I have my outgoing set to localhost. This can remove some issues where unbound tries to bind to interfaces like a VPN or another interface that might not be up when unbound starts.

While "all" is a good default setting to make sure it just works, if you're looking to tweak your settings and get a specific setup for your specific network needs, you could adjust for your needs.

                        This is my setup
                        thisismine.jpg

                        But your "needs" or wants might be different for your specific network.

                        • D
                          ducati57 @johnpoz
                          last edited by

                          @johnpoz

                          I will leave it on All for "Outgoing Network Interfaces" and if necessary I will change it in the future.

                          baede4c6-d014-4e3b-af80-10183f66f09a-image.png

                          /////////////////////////////////////////////////

                          Concerning problem 2, this is a VM dedicated to recording video streams from different cameras.
                          The VM uses a logger which broadcasts via port 37777.
                          7fd4a3e9-0195-4893-b7bc-467bd02382e2-image.png

It is possible to connect to the recorder (VM) via an application using IP or URL, port, login, password.

                          62b280a7-350f-412b-8a94-b78ec6100361-image.png

And yes, ideally I want to encapsulate the service (port 37777) in HTTPS.
So I'm thinking of testing TCP mode in HAProxy....

                          • D
                            ducati57 @ducati57
                            last edited by

                            @ducati57 ?

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.