Netgate Discussion Forum

HAProxy multiple subdomains

    iruindegi
    last edited by Nov 25, 2023, 10:30 PM

    Hi,

    I have configured app1.duckdns.org with DDNS + Let's Encrypt + HAProxy with a Virtual IP (NAT/Port Forward 443) in my VLAN_40 (192.168.40.10). It works perfectly.

    Now I need another app2.duckdns.org but this one has to go to my VLAN_30 (192.168.30.10).
    I got the DDNS to work without problems.

    But I can't get the certificate or HAProxy to work.

    Besides, having the port forward to a Virtual IP in the VLAN_40... How can I make it work also with the VLAN_30?

    Thanks in advance

      viragomann @iruindegi
      last edited by Nov 26, 2023, 12:46 PM

      @iruindegi
      If you forward traffic from your WAN IP to a device behind pfSense, you bypass HAproxy in fact. So HAproxy can't do anything on this traffic.

        iruindegi @viragomann
        last edited by Nov 26, 2023, 1:28 PM

        @viragomann thx! I understand, but what can I do?

          viragomann @iruindegi
          last edited by Nov 26, 2023, 2:00 PM

          @iruindegi
          You have to let HAproxy do the forwarding.

          Remove the port forwarding rule and add a firewall rule to allow access to the WAN IP on port 80 and 443 (assuming you want to handle web traffic).

          Configure both backends in HAproxy and the frontend to read the host headers and forward the traffic accordingly to the desired backend.

            iruindegi @viragomann
            last edited by Nov 27, 2023, 2:08 PM

            @viragomann thx for your help! I removed the port forward and tried to do what you said but I can't... The first domain is working OK, but when I try to access the second I get
            503 Service Unavailable
            No server is available to handle this request.

            Where can I set, as you say, the "host headers" ??

              viragomann @iruindegi
              last edited by Nov 27, 2023, 3:08 PM

              @iruindegi
              Can you give some more details about what you want to achieve?

              Are both services HTTP(S)?
              Are both using the same public IP?
              Have you configured the HAproxy backends accordingly?

                iruindegi @viragomann
                last edited by iruindegi Nov 27, 2023, 5:40 PM Nov 27, 2023, 5:39 PM

                @viragomann Hi and thank you again!! My goal is to use app1.duckdns.org for Home Assistant and app2.duckdns.org for Seafile, both of them self-hosted on my server. Home Assistant is on VLAN_IOT and the rest of the services will be on my LAN.
                This is my current config:

                • Changed my pfSense HTTPS port to a different one
                • DDNS app1.duckdns.org and app.duckdns.org. OK.
                • System / Advanced / Firewall & NAT => Pure NAT
                • Firewall / NAT -> removed 443 port forwarding to Virtual IP
                • Firewall / Rules / Wan:

                50351748-4804-425d-8923-1d184605dd37-irudia.png

                • Services / Acme / Certificates:
                  4dd11d6f-d815-4a8e-b1a3-5ec77cf0ce5d-irudia.png

                • Services / HAProxy / Frontend: I have one frontend:
                  fa8c509c-a90b-49dc-9bd2-899d81994057-Screenshot 2023-11-27 at 18-32-03 suhesia.iruindegi.local - Services HAProxy Frontend Edit.png

                • Services / HAProxy / Frontend: I have 2 backends (but I have 2 more in mind)
                  3b14022b-a3a8-47cc-99e0-8310a8fa4b11-irudia.png

                This is the Home Assistant backend:
                9f8932a8-4002-40f7-8ed9-685a4f76c1e0-irudia.png

                And this is the SeaFile backend:
                b9e0de4a-8da1-48ba-b9fe-afa3e60d91ed-irudia.png

                Thanks and sorry for the long post...

                  viragomann @iruindegi
                  last edited by Nov 27, 2023, 6:07 PM

                  @iruindegi
                  You're missing the certificate for the second host name in the frontend.
                  You have to state it here
                  d2bd6305-b2ed-4437-8d0c-17604eb1e499-grafik.png
                  and check "Add ACL for certificate CommonName".

                    iruindegi @viragomann
                    last edited by Nov 27, 2023, 10:38 PM

                    @viragomann Thank you!

                    I've got it working. I had 2 problems:

                    • From what I have read, DuckDNS shares the TXT file for Let's Encrypt on all your subdomains; that is the reason why the second SSL certificate issue never completed.
                    • I have created another subdomain (in one custom domain), created the certificate, and after selecting it in Additional Certificates everything worked.

                    Thanks again

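The arrangement the thread ends up with (no WAN port forward, one HAProxy frontend holding a certificate per host name, and Host-header ACLs choosing a backend in each VLAN), written out as a plain `haproxy.cfg`. This is an added example, not a configuration posted by either participant or generated by the pfSense package. The host names and backend IPs come from the first post; the bind address 203.0.113.10, the certificate paths and the backend ports are assumptions.

```haproxy
# Added example: hand-written haproxy.cfg, not output of the pfSense GUI.
# Assumed values: 203.0.113.10 (WAN address), certificate paths,
# backend ports 8123 and 8000, plain HTTP between HAProxy and the servers.

global
    # Refuse legacy TLS versions on the public listener.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend shared_http
    bind 203.0.113.10:80
    # Port 80 only exists to send clients to HTTPS.
    http-request redirect scheme https code 301

frontend shared_https
    # One "crt" per host name; HAProxy selects the certificate by SNI.
    # strict-sni rejects handshakes for names that have no certificate
    # instead of answering with the first certificate listed.
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/app1.pem crt /etc/haproxy/certs/app2.pem strict-sni

    # Route on the Host header, case-insensitively.
    acl host_app1 hdr(host) -i app1.duckdns.org
    acl host_app2 hdr(host) -i app2.duckdns.org
    use_backend homeassistant if host_app1
    use_backend seafile       if host_app2
    # No default_backend on purpose: a request whose Host matches no ACL
    # is answered with 503 "No server is available to handle this request"
    # rather than being handed to an arbitrary internal service.

backend homeassistant
    # VLAN_40 address from the first post; port is an assumption.
    server ha 192.168.40.10:8123 check

backend seafile
    # VLAN_30 address from the first post; port is an assumption.
    server seafile 192.168.30.10:8000 check
```

Running `haproxy -c -f haproxy.cfg` checks the file for syntax errors before a reload.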