Netgate Discussion Forum
    HAProxy Vaultwarden Reverse proxy Help

    Chrisnz

      Hi,
      I've a running Vaultwarden Docker on a Proxmox VM. I used to use NGINX Reverse Proxy Manager but it was unreliable and stopped working every now and then. Now I would like to replace it with HAProxy to make my Vaultwarden available for Apps and web access from WAN.

      I've a Cloudflare managed domain "vault.mydomain.nz" which is pointing to my IP.

      I have set up the ACME cert.
      My Vaultwarden installation ports are mapped like this:
      3012 > 3012
      7010 > 443
      7011 > 80

      pfSense's web admin ports are neither 80 nor 443.

      I've a firewall rule forwarding 443 traffic from WAN:

      I've added a DNS resolver entry to be able to access vault.mydomain.co.nz from my LAN.

      Vaultwarden is running and can be reached by typing in the IP in the browser (e.g. https://192.168.1.30:7011).

      I followed this guide from Dani Garcia (HAProxy inside pfSense section) but it's not working for me. No error but not loading anything in the browser. (I did not add the ACL to exclude the /admin page).

      It's probably a small misconfiguration but I have no idea...

      This is my haproxy.cfg:

      # Automaticaly generated, dont edit manually.
      # Generated on: 2024-01-26 11:44
      global
      	maxconn			30
      	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
      	uid			80
      	gid			80
      	nbthread			1
      	hard-stop-after		15m
      	chroot				/tmp/haproxy_chroot
      	daemon
      	server-state-file /tmp/haproxy_server_state
      
      listen HAProxyLocalStats
      	bind 127.0.0.1:2200 name localstats
      	mode http
      	stats enable
      	stats admin if TRUE
      	stats show-legends
      	stats uri /haproxy/haproxy_stats.php?haproxystats=1
      	timeout client 5000
      	timeout connect 5000
      	timeout server 5000
      
      frontend Domain
      	bind			125.236.123.123:443 name 125.236.123.123:443   ssl crt-list /var/etc/haproxy/Domain.crt_list  
      	mode			http
      	log			global
      	option			http-keep-alive
      	timeout client		30000
      	acl			ACL00	var(txn.txnhost) -m str -i mydomain.nz
      	acl			ACL00	var(txn.txnpath) -m beg -i /random-unused
      	acl			ACL01	var(txn.txnhost) -m str -i vault.mydomain.nz
      	acl			aclcrt_Domain	var(txn.txnhost) -m reg -i ^([^\.]*)\.mydomain\.nz(:([0-9]){1,5})?$
      	http-request set-var(txn.txnhost) hdr(host)
      	http-request set-var(txn.txnpath) path
      	http-request allow  if  ACL01 aclcrt_Domain
      	http-request deny   if  !ACL00 aclcrt_Domain
      
      frontend Vaultwarden
      	bind			125.236.123.123:3112 name 125.236.123.123:3112   
      	mode			http
      	log			global
      	option			http-keep-alive
      	timeout client		30000
      	acl			ACL1	var(txn.txnpath) -m beg -i /notifications/hub
      	acl			ACL2	var(txn.txnpath) -m beg /notifications/hub/negotiate
      	acl			ACL3	var(txn.txnpath) -m beg -i /notifications/hub
      	acl			ACL4	var(txn.txnpath) -m beg -i /notifications/hub/negotiate
      	http-request set-var(txn.txnpath) path
      	use_backend Vaultwarden_ipvANY  if  !ACL1 
      	use_backend Vaultwarden_ipvANY  if  !ACL2 
      	use_backend Vaultwarden-Notifications_ipvANY  if  ACL3 
      	use_backend Vaultwarden-Notifications_ipvANY  if  !ACL4 
      
      backend Vaultwarden_ipvANY
      	mode			http
      	id			100
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	load-server-state-from-file	global
      	server			Vaultwarden 192.168.1.30:7011 id 101  
      
      backend Vaultwarden-Notifications_ipvANY
      	mode			http
      	id			102
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	load-server-state-from-file	global
      	server			Vaultwarden-Notifications 192.168.1.30:3012 id 103  
      
      Chrisnz @Chrisnz

        I forgot to mention, I'm on pfSense Plus 23.09-RELEASE and haproxy 0.63_1

        viragomann @Chrisnz

          @Chrisnz said in HAProxy Vaultwarden Reverse proxy Help:

          I've a firewall rule forwarding 443 traffic from WAN:

          This rule allows access to pfSense from WAN on any port. So it also allows access to the webConfigurator, which is pretty dangerous.

          For the HAProxy configuration, maybe you can give information about what you intend to achieve. That would be helpful for elaborating a proper setup.

          What I noticed:
          Your Domain frontend has neither a use-backend action nor a default backend.
          In the Vaultwarden frontend the ACLs 1 and 3 are identical, so one is superfluous.

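          As an added example (not from the thread, the pfSense package or the guide it mentions), one way to apply the two points above: a single TLS frontend on 443 that always ends in a use_backend or a deny, with one ACL for the WebSocket path, one for the negotiate path (which goes to the HTTP port, as in the original ACL2/ACL4 intent), and the /admin deny the original post says it left out. The IP, ports and backend names are taken from the posted config; the ACL names are assumptions.

```haproxy
frontend Domain
	bind 125.236.123.123:443 name https ssl crt-list /var/etc/haproxy/Domain.crt_list
	mode http
	log global
	option http-keep-alive
	timeout client 30000
	# Host and path ACLs (assumed names); hdr(host) has no port on a 443 listener.
	acl host_vault     hdr(host)  -i vault.mydomain.nz
	acl path_negotiate path_beg   -i /notifications/hub/negotiate
	acl path_ws        path_beg   -i /notifications/hub
	acl path_admin     path_beg   -i /admin
	# http-request rules run before use_backend, so unknown hosts and the
	# admin page never reach a backend.
	http-request deny if !host_vault
	http-request deny if host_vault path_admin
	# First matching use_backend wins: negotiate to the HTTP port,
	# the WebSocket hub to 3012, everything else to the HTTP port.
	use_backend Vaultwarden_ipvANY               if host_vault path_negotiate
	use_backend Vaultwarden-Notifications_ipvANY if host_vault path_ws
	default_backend Vaultwarden_ipvANY

backend Vaultwarden_ipvANY
	mode http
	log global
	timeout connect 30000
	timeout server 30000
	server Vaultwarden 192.168.1.30:7011 check

backend Vaultwarden-Notifications_ipvANY
	mode http
	log global
	timeout connect 30000
	timeout server 30000
	server Vaultwarden-Notifications 192.168.1.30:3012 check
```

With a single frontend the separate port-3112 frontend and the matching WAN rule are no longer needed, so the WAN rule can be narrowed to 443 only.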
          Chrisnz @viragomann

            @viragomann Thanks for your reply. The firewall is just open for testing right now; later it will be limited to the ports that the Vaultwarden Docker container uses (3012 for WebSocket, 7010 for internal 443 and 7011 for internal 80).

            The domain frontend only has actions for HTTP requests to allow or deny. I basically followed the Dani Garcia setup linked above since it's my first time with HAProxy. The Dani Garcia setup seems to be working for others, so I'm wondering where I went wrong; maybe I misunderstood the ports to be used or put the wrong IP in the wrong place... or else, I just can't figure it out... most likely because I don't know HAProxy at all.

            The Vaultwarden frontend ACL1 and 3 are almost identical except for the "Not" option, which is yes in ACL1 and no in ACL3.

            The goal is to have my locally hosted Vaultwarden accessible at vault.mydomain.nz from WAN. (browser plugins, phone apps etc.)
