Netgate Discussion Forum

Setting up HA Proxy for Internal Servers

Category: HA/CARP/VIPs
10 Posts, 2 Posters, 544 Views
    doni49
    last edited by Apr 29, 2024, 7:36 PM

    I have docker/portainer installed on one of my machines at home. It currently has 4 containers: Portainer itself, vaultwarden, nextcloud & docker-mailserver.

    This machine will never be exposed to the internet. I'm trying to configure HA Proxy to use it locally. I have a wildcard certificate from LetsEncrypt (*.home.mydomain.com).

    Nextcloud listens on port 443.
    Vaultwarden listens on port 80 -- but when I try to open it, the browser refuses to load it saying it requires https.
    docker-mailserver will need to listen on multiple ports.

    I set up 2 virtual IPs 10.10.0.12 and 10.10.0.13 for Vaultwarden and Nextcloud respectively. I haven't done anything for the mailserver yet. I added DNS Overrides pointing nc.home.mydomain.com to 10.10.0.13 and pointing vault.home.mydomain.com to 10.10.0.12.

    Within the HAProxy settings, I made a backend for NC and VW both. Then I made a Frontend for each of them as well.

    When I try to browse to vault.home.mydomain.com OR nc.home.mydomain.com, it tells me the connection is not secure AND won't show me anything from the respective GUIs.

    I don't know if this is exclusively an HAProxy issue or also related to LetsEncrypt.

    Front Ends: [screenshot]

    Nextcloud backend (the rest of the backend is all unmodified from OOTB): [screenshot]

    Vaultwarden backend (the rest of the backend is all unmodified from OOTB): [screenshot]

    When I use the NSLOOKUP tool, nc.home.mydomain.com and vault.home.mydomain.com do both show the correct virtual IPs. LetsEncrypt indicated that it created the certificate with no problems. But here are the certificate parameters showing the domain entry it's for: [screenshot]

      viragomann @doni49
      last edited by Apr 29, 2024, 9:29 PM

      @doni49
      Did you also assign the certificate to the frontends?

      What does the browser show exactly, when you try to access it?
      Check if you get the correct certificate.

        doni49 @viragomann
        posted Apr 29, 2024, 10:09 PM; last edited by doni49 Apr 29, 2024, 10:10 PM

        @viragomann said in Setting up HA Proxy for Internal Servers:

        Did you also assign the certificate to the frontends?

        I'll double check when I get home. While I distinctly remember assigning it to one of them (I don't remember now which one), I don't remember one way or the other for the second one.

        What does the browser show exactly, when you try to access it?
        Check if you get the correct certificate.

        I looked but I think it said there was no certificate. Again, I'll look when I get home.

          viragomann @doni49
          last edited by Apr 29, 2024, 10:15 PM

          @doni49
          You have to assign the wildcard certificate to all frontends it is valid for.

            doni49 @viragomann
            last edited by Apr 29, 2024, 11:26 PM

            @viragomann

            @viragomann said in Setting up HA Proxy for Internal Servers:

            You have to assign the wildcard certificate to all frontends it is valid for.

            I understood that. My statement was that I was sure I had done so on one but I couldn't remember either way as to whether or not I had done so on the second one. I'm home now and just checked both of them. They both are assigned to use the wildcard cert.

            This is the SSL Offloading section of the Nextcloud front end. The Vaultwarden front end looks just like this. I'm pretty sure this is what you were asking about. [screenshot]

              doni49 @viragomann
              last edited by Apr 30, 2024, 12:04 AM

              @viragomann said in Setting up HA Proxy for Internal Servers:

              What does the browser show exactly, when you try to access it?
              Check if you get the correct certificate.

              They don't appear to have an issue with the certificate, although before I posted they were both saying insecure. [screenshot]

              Vaultwarden: [screenshot]

              Nextcloud: [screenshot]

                doni49 @viragomann
                last edited by Apr 30, 2024, 12:09 AM

                @viragomann

                And if I connect directly to the Vaultwarden server (not via HAProxy), this is what I see. So the server itself is up and running. [screenshot]

                  doni49 @viragomann
                  last edited by Apr 30, 2024, 12:12 AM

                  @viragomann

                  This is what I see when I try to connect directly to the Nextcloud instance, bypassing HAProxy. [screenshot]

                    doni49 @doni49
                    last edited by Apr 30, 2024, 3:14 AM

                    @doni49

                    I don't understand where all the screenshots I added to my replies went -- they were there. I saw them in the thread when I came back and reviewed it. Then I came back again and noticed they were gone.

                    But yes, both front ends are configured to use the wildcard certificate (under the offload SSL section).

                    When I browse to either nc.home.mydomain.com or vault.home.mydomain.com, Edge (on Windows 11) says the site is secure -- although I'm 99% certain that they said unsecure before I posted the first message. But they both give a 503 error "No Server Available". But if I browse to the server's IP address (the one that HAProxy is pointing to) and specify ports 443 and 80 for NC and VW respectively, the pages load fine -- but NC indicates it's not secure. VW loads fine, but when I attempt to log in, it complains and tells me the browser requires HTTPS to use this service.

                      viragomann @doni49
                      last edited by Apr 30, 2024, 10:29 AM

                      @doni49
                      Sadly all screenshots are lost.

                      If the browser doesn't show a certificate, either HAproxy does not deliver any, because it's not assigned correctly, or you are connected to the wrong host.

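Following viragomann's advice to check which certificate you actually get, here is an added example (not from the thread, nor from pfSense or HAProxy) that connects to each virtual IP with the matching SNI name and reports whether the served certificate covers that name, or why verification failed. The names vault.home.mydomain.com / nc.home.mydomain.com and the IPs 10.10.0.12 / 10.10.0.13 are the thread's values and are assumed; the script needs Python 3.7+ and a system trust store that knows Let's Encrypt.

```python
"""Probe which TLS certificate a HAProxy frontend really serves for a name."""
import socket
import ssl


def wildcard_covers(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may only be the whole leftmost label and
    matches exactly one label, so *.home.mydomain.com covers
    nc.home.mydomain.com but not home.mydomain.com or a.b.home.mydomain.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def cert_covers(cert: dict, host: str) -> bool:
    """True if any dNSName SAN (or, failing that, the CN) of a cert as returned
    by ssl.SSLSocket.getpeercert() covers host."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(wildcard_covers(n, host) for n in names)


def probe(host: str, ip: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to ip:port with SNI=host, verify the served chain against the
    system trust store, and return what was seen and why it failed, if it did."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"host": host, "ok": cert_covers(cert, host), "names": names, "error": None}
    except ssl.SSLCertVerificationError as e:  # wrong cert, or chain not trusted
        return {"host": host, "ok": False, "names": [], "error": e.verify_message}
    except (OSError, ssl.SSLError) as e:  # no TLS at all, refused, timeout
        return {"host": host, "ok": False, "names": [], "error": str(e)}


if __name__ == "__main__":
    # Names and virtual IPs from the thread (assumed values).
    for host, ip in (("vault.home.mydomain.com", "10.10.0.12"),
                     ("nc.home.mydomain.com", "10.10.0.13")):
        r = probe(host, ip)
        print(f"{host}: {'OK' if r['ok'] else 'PROBLEM'} names={r['names']} error={r['error']}")
```

A verification error naming a host name mismatch means the frontend on that VIP is serving a different certificate than the wildcard; a connection error means nothing is speaking TLS on that VIP:port at all.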