Netgate Discussion Forum

HAProxy proxies hosts unreachable

Cache/Proxy
    digimd
    last edited by Sep 4, 2024, 1:33 PM

    I have ACME certificates set up for my domain name. I set up frontends and backends. I set up a few hosts. I am only able to resolve the pfSense SSL frontend. The rest are "unreachable". I have local DNS entries in my DNS resolver. No WAN ports opened.

    How can I troubleshoot this?

      viragomann @digimd
      last edited by Sep 4, 2024, 7:09 PM

      @digimd said in HAProxy proxies hosts unreachable:

      No wan ports opened.

      This would be necessary for ACME to work, I think.

      The rest are "unreachable".

      No error page from HAproxy?
      This would make me think that it isn't listening on the requested port.

      Is HAproxy listening on multiple IPs, one for each backend, or a single IP?
      How did you configure it?

        digimd @viragomann
        last edited by Sep 4, 2024, 7:29 PM

        @viragomann ACME works fine through the Cloudflare DNS challenge. I followed Tom Lawrence's videos to set this up. The HAProxy stats tab shows all backends as green, hence available. I am listening on my management VLAN, where I also have my pfSense interface listening. I am using 443 as the listening port. Happy to share screenshots if needed.

        I am not sure what I am missing.

          viragomann @digimd
          last edited by Sep 4, 2024, 8:21 PM

          @digimd
          So you have a single frontend, or one primary + shared ones, and HAproxy has to distinguish how to forward. How is this done?
          Via SNI? This would only work for HTTPS.

          Otherwise post the config from the bottom of the HAproxy general settings.

            digimd @viragomann
            last edited by Sep 4, 2024, 8:31 PM

            @viragomann

            # Automaticaly generated, dont edit manually.
            # Generated on: 2024-09-04 07:16
            global
            	maxconn			1000
            	log			/var/run/log	local0	info
            	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
            	uid			80
            	gid			80
            	nbthread			1
            	hard-stop-after		15m
            	chroot				/tmp/haproxy_chroot
            	daemon
            	tune.ssl.default-dh-param	4096
            	server-state-file /tmp/haproxy_server_state
            
            listen HAProxyLocalStats
            	bind 127.0.0.1:2200 name localstats
            	mode http
            	stats enable
            	stats admin if TRUE
            	stats show-legends
            	stats uri /haproxy/haproxy_stats.php?haproxystats=1
            	timeout client 5000
            	timeout connect 5000
            	timeout server 5000
            
            resolvers globalresolvers
            	nameserver Cloudflare 1.1.1.1:53
            	resolve_retries 3
            	timeout retry 1s
            	timeout resolve 10s
            
            frontend Https_Frontends
            	bind			10.0.1.254:443 name 10.0.1.254:443   ssl crt-list /var/etc/haproxy/Https_Frontends.crt_list  
            	bind			10.0.2.254:443 name 10.0.2.254:443   ssl crt-list /var/etc/haproxy/Https_Frontends.crt_list  
            	mode			http
            	log			global
            	option			http-keep-alive
            	option			forwardfor
            	acl https ssl_fc
            	http-request set-header		X-Forwarded-Proto http if !https
            	http-request set-header		X-Forwarded-Proto https if https
            	maxconn			4
            	timeout client		30000
            	acl			pfsense	var(txn.txnhost) -m str -i router.home.DOMAIN.com
            	acl			mgmt_ips_only	src 10.0.1.0/24
            	acl			Truenas	var(txn.txnhost) -m str -i truenas.home.DOMAIN.com
            	acl			omada	var(txn.txnhost) -m str -i omada.home.DOMAIN.com
            	acl			HAOS	var(txn.txnhost) -m str -i haos.home.DOMAIN.com
            	acl			Kuma	var(txn.txnhost) -m str -i kuma.home.DOMAIN.com
            	acl			aclcrt_Https_Frontends	var(txn.txnhost) -m reg -i ^([^\.]*)\.home\.DOMAIN\.com(:([0-9]){1,5})?$
            	http-request set-var(txn.txnhost) hdr(host)
            	use_backend pfsense_ipvANY  if  pfsense mgmt_ips_only  aclcrt_Https_Frontends
            	use_backend truenas_ipvANY  if  Truenas aclcrt_Https_Frontends
            	use_backend Omada_ctrler_ipvANY  if  omada aclcrt_Https_Frontends
            	use_backend HAOS_ipvANY  if  HAOS aclcrt_Https_Frontends
            	use_backend UptimeKuma_ipvANY  if  Kuma aclcrt_Https_Frontends
            
            backend pfsense_ipvANY
            	mode			http
            	id			100
            	log			global
            	timeout connect		30000
            	timeout server		30000
            	retries			3
            	load-server-state-from-file	global
            	server			pfsense 10.0.1.254:10443 id 101 ssl check inter 1000  verify none resolvers globalresolvers 
            
            backend truenas_ipvANY
            	mode			http
            	id			102
            	log			global
            	option			log-health-checks
            	timeout connect		30000
            	timeout server		30000
            	retries			5
            	load-server-state-from-file	global
            	server			truenas 10.0.1.33:3443 id 103 ssl check inter 1000  verify none resolvers globalresolvers 
            
            backend Omada_ctrler_ipvANY
            	mode			http
            	id			104
            	log			global
            	timeout connect		30000
            	timeout server		30000
            	retries			3
            	load-server-state-from-file	global
            	server			Omada_ctrler 10.0.1.11:8043 id 105 ssl check inter 1000  verify none resolvers globalresolvers 
            
            backend HAOS_ipvANY
            	mode			http
            	id			106
            	log			global
            	timeout connect		30000
            	timeout server		30000
            	retries			3
            	load-server-state-from-file	global
            	server			Homeassistant 10.0.1.88:8123 id 107 check inter 1000  resolvers globalresolvers 
            
            backend UptimeKuma_ipvANY
            	mode			http
            	id			108
            	log			global
            	http-check		send meth OPTIONS
            	timeout connect		30000
            	timeout server		30000
            	retries			3
            	load-server-state-from-file	global
            	option			httpchk
            	server			Kuma 172.16.20.10:3001 id 109 check inter 1000  resolvers globalresolvers
            
              viragomann @digimd
              last edited by Sep 4, 2024, 8:42 PM

              @digimd
              You have only one frontend, which is listening on port 443.
              Maybe I'm not clear on what you intend. Accessing the same hosts with and without SSL? Or redirecting non-SSL to SSL?

                digimd @viragomann
                last edited by Sep 4, 2024, 9:36 PM

                @viragomann I have one frontend that handles the ACLs. I am accessing backends over HTTPS with an unsigned cert, and one over HTTP. They belong to different services. I intend to access my self-hosted services with proper SSL without opening a WAN port.

                  viragomann @digimd
                  last edited by Sep 4, 2024, 9:59 PM

                  @digimd
                  And which host is not accessible?

                    digimd @viragomann
                    last edited by Sep 4, 2024, 10:07 PM

                    @viragomann all are unreachable except for router which points to my pfsense.

                      viragomann @digimd
                      last edited by Sep 4, 2024, 10:43 PM

                      @digimd
                      Try to remove the checks at
                      "Add ACL for certificate CommonName"
                      "Add ACL for certificate Subject Alternative Names"
                      in the frontend settings.

                      For testing the connection you can also state a default backend and see if you can access it.
                      If this works, the rules are not applied.

                        digimd @viragomann
                        last edited by Sep 5, 2024, 4:39 PM

                        @viragomann I removed the checks where present and it made no difference. I set a default backend other than router, and no change either.

                        I am considering moving to a self-hosted reverse proxy and being done with it.

                          viragomann @digimd
                          last edited by Sep 5, 2024, 5:06 PM

                          @digimd
                          You said you just get a timeout when you try to access a page.
                          If the request hits HAproxy, it will give some response, however. So I suspect that there is something else wrong.

                          Ensure that the host name resolves properly to the IP which HAproxy is listening on.

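The routing logic in the config posted earlier in the thread and the resolution check suggested just above can both be replayed offline. The script below is an added example, not code from the thread, from pfSense or from HAProxy: it parses a constructed excerpt of the posted Https_Frontends section, evaluates the ACL/use_backend rules for a given Host value and client IP the way HAProxy would (including a default backend, as used for testing above), and checks whether a name resolves to an address the frontend binds. `parse_frontend`, `select_backend`, `host_hits_listener` and the injectable `resolve` parameter are assumed names for this example, not HAProxy's.

```python
import ipaddress, re, socket

# Constructed excerpt of the posted Https_Frontends section (DOMAIN placeholder kept as posted).
FRONTEND_CFG = r"""
bind 10.0.1.254:443 name 10.0.1.254:443 ssl crt-list /var/etc/haproxy/Https_Frontends.crt_list
bind 10.0.2.254:443 name 10.0.2.254:443 ssl crt-list /var/etc/haproxy/Https_Frontends.crt_list
acl pfsense var(txn.txnhost) -m str -i router.home.DOMAIN.com
acl mgmt_ips_only src 10.0.1.0/24
acl Truenas var(txn.txnhost) -m str -i truenas.home.DOMAIN.com
acl aclcrt_Https_Frontends var(txn.txnhost) -m reg -i ^([^\.]*)\.home\.DOMAIN\.com(:([0-9]){1,5})?$
use_backend pfsense_ipvANY if pfsense mgmt_ips_only aclcrt_Https_Frontends
use_backend truenas_ipvANY if Truenas aclcrt_Https_Frontends
"""

def parse_frontend(cfg):
    """Collect bind addresses, ACL definitions and use_backend rules from a frontend section."""
    binds, acls, rules = [], {}, []
    for parts in (line.split() for line in cfg.splitlines() if line.strip()):
        if parts[0] == "bind":
            binds.append(parts[1].rsplit(":", 1)[0])
        elif parts[0] == "acl":  # acl NAME SAMPLE [-m str|reg] [-i] PATTERN
            method = "src" if parts[2] == "src" else ("reg" if "reg" in parts[3:-1] else "str")
            acls[parts[1]] = (method, parts[-1])
        elif parts[0] == "use_backend":  # use_backend NAME if ACL1 ACL2 ... (all must match)
            rules.append((parts[1], parts[3:]))
    return binds, acls, rules

def acl_matches(acl, host, src_ip):
    method, pattern = acl
    if method == "src":
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(pattern)
    if method == "reg":
        return re.search(pattern, host, re.IGNORECASE) is not None
    return host.lower() == pattern.lower()  # -m str -i: exact match, case-insensitive

def select_backend(parsed, host, src_ip, default=None):
    """First use_backend whose ACLs all match the Host value and client IP, else the default."""
    _, acls, rules = parsed
    for backend, names in rules:
        if all(acl_matches(acls[n], host, src_ip) for n in names):
            return backend
    return default

def host_hits_listener(parsed, host, resolve=socket.gethostbyname):
    """True if the name resolves to an address the frontend binds (0.0.0.0 covers every IP)."""
    try:
        ip = resolve(host)
    except OSError:
        return False
    return ip in parsed[0] or "0.0.0.0" in parsed[0]
```

Two things it makes visible: the pfsense_ipvANY rule only fires for clients inside 10.0.1.0/24, and a hostname ACL written with -m str will not match a Host value that carries a port, while a name that resolves straight to the service IP never reaches the proxy at all.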
                            digimd @viragomann
                            Sep 5, 2024, 5:13 PM (last edited by digimd Sep 5, 2024, 5:15 PM)

                            @viragomann I am not sure what type of error. Essentially the page is unreachable, without an error code. I am remoting in now through Tailscale on pfSense and I get this, which is likely a DNS or firewall rule:

                            ERR_CONNECTION_REFUSED

                            I changed the listening IPs to 0.0.0.0:443 and there was no change. Could this be a firewall rule issue?!

                              viragomann @digimd
                              last edited by Sep 5, 2024, 5:57 PM

                              @digimd
                              It could maybe be a reject rule giving this error. However, do you have any?

                              If I got you correct, you want to access the sites only from inside the network?

                                digimd @viragomann
                                last edited by Sep 5, 2024, 6:03 PM

                                @viragomann Yes, I meant to keep all ssl access local. I have the listening interfaces allowed to access all target destinations. I am just throwing the idea although I don't think it's the issue. Thank you for following through.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.