HAProxy proxies hosts unreachable
-
@digimd said in HAProxy proxies hosts unreachable:
No wan ports opened.
This would be necessary for ACME to work, I think.
The rest are "unreachable".
No error page from HAproxy?
This would let me think that it isn't listening on the requested port. Is HAproxy listening on multiple IPs, one for each backend, or a single IP?
How did you configure it?
-
@viragomann ACME works fine through the Cloudflare DNS challenge. I followed Tom Lawrence's videos to set this up. The HAProxy stats tab shows all backends as green, hence available. I am listening on my management VLAN, where I also have my pfsense interface listening. I am using 443 as the listening port. Happy to share screenshots if needed.
I am not sure what I am missing.
-
@digimd
So you have a single frontend, or one primary plus shared ones, and HAproxy has to distinguish how to forward. How is this done?
Via SNI? This would only work for https. Otherwise, post the config from the bottom of the HAproxy general settings.
-
# Automaticaly generated, dont edit manually.
# Generated on: 2024-09-04 07:16
global
	maxconn			1000
	log			/var/run/log	local0	info
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	uid			80
	gid			80
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	4096
	server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

resolvers globalresolvers
	nameserver Cloudflare 1.1.1.1:53
	resolve_retries 3
	timeout retry 1s
	timeout resolve 10s

frontend Https_Frontends
	bind			10.0.1.254:443 name 10.0.1.254:443 ssl crt-list /var/etc/haproxy/Https_Frontends.crt_list
	bind			10.0.2.254:443 name 10.0.2.254:443 ssl crt-list /var/etc/haproxy/Https_Frontends.crt_list
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	maxconn			4
	timeout client		30000
	acl			pfsense	var(txn.txnhost) -m str -i router.home.DOMAIN.com
	acl			mgmt_ips_only	src 10.0.1.0/24
	acl			Truenas	var(txn.txnhost) -m str -i truenas.home.DOMAIN.com
	acl			omada	var(txn.txnhost) -m str -i omada.home.DOMAIN.com
	acl			HAOS	var(txn.txnhost) -m str -i haos.home.DOMAIN.com
	acl			Kuma	var(txn.txnhost) -m str -i kuma.home.DOMAIN.com
	acl			aclcrt_Https_Frontends	var(txn.txnhost) -m reg -i ^([^\.]*)\.home\.DOMAIN\.com(:([0-9]){1,5})?$
	http-request set-var(txn.txnhost) hdr(host)
	use_backend pfsense_ipvANY  if  pfsense mgmt_ips_only aclcrt_Https_Frontends
	use_backend truenas_ipvANY  if  Truenas aclcrt_Https_Frontends
	use_backend Omada_ctrler_ipvANY  if  omada aclcrt_Https_Frontends
	use_backend HAOS_ipvANY  if  HAOS aclcrt_Https_Frontends
	use_backend UptimeKuma_ipvANY  if  Kuma aclcrt_Https_Frontends

backend pfsense_ipvANY
	mode			http
	id			100
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	load-server-state-from-file	global
	server			pfsense 10.0.1.254:10443 id 101 ssl check inter 1000  verify none resolvers globalresolvers

backend truenas_ipvANY
	mode			http
	id			102
	log			global
	option			log-health-checks
	timeout connect		30000
	timeout server		30000
	retries			5
	load-server-state-from-file	global
	server			truenas 10.0.1.33:3443 id 103 ssl check inter 1000  verify none resolvers globalresolvers

backend Omada_ctrler_ipvANY
	mode			http
	id			104
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	load-server-state-from-file	global
	server			Omada_ctrler 10.0.1.11:8043 id 105 ssl check inter 1000  verify none resolvers globalresolvers

backend HAOS_ipvANY
	mode			http
	id			106
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	load-server-state-from-file	global
	server			Homeassistant 10.0.1.88:8123 id 107 check inter 1000  resolvers globalresolvers

backend UptimeKuma_ipvANY
	mode			http
	id			108
	log			global
	http-check send meth OPTIONS
	timeout connect		30000
	timeout server		30000
	retries			3
	load-server-state-from-file	global
	option			httpchk
	server			Kuma 172.16.20.10:3001 id 109 check inter 1000  resolvers globalresolvers
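The frontend above routes purely on the Host header (copied into txn.txnhost) plus, for the pfsense backend, the client's source subnet. The following simulator is an added example, not HAProxy code and not part of the original post: it re-implements those use_backend conditions in Python so you can see which backend a given (Host, source IP) pair would land on, and where a request falls through to HAProxy's own 503 because no rule matched and no default_backend is set. The backend names, hostnames and the 10.0.1.0/24 management subnet are taken from the posted config; the sample requests are constructed.

```python
import ipaddress
import re

# Mirrors "acl aclcrt_Https_Frontends var(txn.txnhost) -m reg -i ..." from the posted frontend.
# Note the regex tolerates an optional ":port" suffix.
ACLCRT_RE = re.compile(r"^([^.]*)\.home\.DOMAIN\.com(:([0-9]){1,5})?$", re.IGNORECASE)

# Mirrors "acl mgmt_ips_only src 10.0.1.0/24".
MGMT_NET = ipaddress.ip_network("10.0.1.0/24")

# The five "-m str -i" host ACLs and the backend each use_backend line selects.
# "-m str" is an exact (whole-string) match, so a Host header carrying ":443"
# would NOT match these even though the regex ACL above allows a port.
HOST_TO_BACKEND = {
    "router.home.domain.com": "pfsense_ipvANY",
    "truenas.home.domain.com": "truenas_ipvANY",
    "omada.home.domain.com": "Omada_ctrler_ipvANY",
    "haos.home.domain.com": "HAOS_ipvANY",
    "kuma.home.domain.com": "UptimeKuma_ipvANY",
}


def choose_backend(host_header: str, src_ip: str, default_backend=None):
    """Return the backend name the posted rules would pick, or the default
    backend (None when there is none, which HAProxy answers with a 503)."""
    # "http-request set-var(txn.txnhost) hdr(host)": the variable is the raw Host header.
    txnhost = host_header

    # ACLs are evaluated lazily when a use_backend line references them,
    # so their position relative to the set-var line does not matter.
    aclcrt = ACLCRT_RE.match(txnhost) is not None
    mgmt_ips_only = ipaddress.ip_address(src_ip) in MGMT_NET
    backend = HOST_TO_BACKEND.get(txnhost.lower())

    if backend is None or not aclcrt:
        return default_backend
    # "use_backend pfsense_ipvANY if pfsense mgmt_ips_only aclcrt_Https_Frontends":
    # all three conditions are ANDed, so only management-VLAN clients reach pfsense.
    if backend == "pfsense_ipvANY" and not mgmt_ips_only:
        return default_backend
    return backend


if __name__ == "__main__":
    # Constructed sample requests, not traffic from the thread.
    samples = [
        ("router.home.DOMAIN.com", "10.0.1.20"),
        ("router.home.DOMAIN.com", "10.0.2.20"),
        ("TrueNAS.home.domain.com", "10.0.2.20"),
        ("truenas.home.DOMAIN.com:443", "10.0.1.5"),
        ("something.else.example", "10.0.1.5"),
    ]
    for host, src in samples:
        chosen = choose_backend(host, src)
        print(f"{host!r:32} from {src:10} -> {chosen or '503 (no backend matched)'}")
```

The useful distinction for this thread: every outcome of this function is an answer produced by HAProxy itself (a proxied page or a 503). A browser error such as ERR_CONNECTION_REFUSED means the TCP connection never reached the frontend, so the routing rules above were never evaluated.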
-
@digimd
You have only one frontend, which is listening on port 443.
Maybe I'm not clear what you intend. Accessing the same hosts with and without SSL? Or redirecting non-SSL to SSL?
-
@viragomann I have one frontend that handles the ACLs. I am accessing backends over https with an unsigned cert, and one over http. They belong to different services. I intend to access my self-hosted services with proper SSL without opening a WAN port.
-
@digimd
And which host is not accessible?
-
@viragomann All are unreachable except for router, which points to my pfsense.
-
@digimd
Try to remove the checks at
"Add ACL for certificate CommonName"
"Add ACL for certificate Subject Alternative Names"
in the frontend settings. For testing the connection, you can also state a default backend and see if you can access it.
If this works, the rules are not applied.
-
@viragomann I removed the checks where present, and it made no difference. I set a default backend other than router, and no change either.
I am considering moving to a self-hosted reverse proxy and getting it done.
-
@digimd
You said you just get a timeout when you try to access a page.
If the request hits HAproxy, it will give some response, however. So I suspect that there is something else wrong. Ensure that the host name resolves properly to the IP which HAproxy is listening on.
-
@viragomann I am not sure what type of error. Essentially the page is unreachable, without an error code. I am remoting in now through Tailscale on pfsense, and I get this, which is likely a DNS or firewall rule:
ERR_CONNECTION_REFUSED
I changed the listening IPs to 0.0.0.0:443 and no change. Could this be a firewall rule issue?!
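The distinction between a timeout and ERR_CONNECTION_REFUSED is the key diagnostic in this exchange, so here is an added example (my own script, not from the thread or from pfSense/HAProxy) that separates the three failure classes from the client side: name resolution, a refused TCP handshake (nothing listening on that IP:port, or a firewall reject that sends a RST), and a silent drop (timeout). The hostname and port on the command line are arguments you supply; the local listener helper exists only so the probe can be exercised offline.

```python
import socket
import sys

# Likely causes for each probe outcome, written from the troubleshooting in the thread.
EXPLANATIONS = {
    "unresolvable": "name does not resolve: DNS override/host record is missing or points nowhere",
    "refused": "TCP handshake rejected: nothing is listening on that IP:port, or a firewall reject rule answers with RST",
    "timeout": "no answer at all: packets are dropped (block rule, wrong IP, wrong route)",
    "open": "TCP reaches a listener; if the page still fails, look at HAProxy itself (TLS/SNI, ACLs, 503)",
    "error": "connect failed for another reason (e.g. no route to host)",
}


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP connect attempt as unresolvable / refused / timeout / open / error."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolvable"
    family, socktype, proto, _, sockaddr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"
    finally:
        sock.close()


def explain(result: str) -> str:
    """Map a probe() result to the likely cause."""
    return EXPLANATIONS.get(result, "unknown result")


def start_local_listener():
    """Helper for offline demonstration: bind a listening socket on an ephemeral
    loopback port and return (socket, port). Close the socket to free the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        target_host, target_port = sys.argv[1], int(sys.argv[2])
        result = probe(target_host, target_port)
        print(f"{target_host}:{target_port} -> {result}: {explain(result)}")
    else:
        # Offline demonstration against a constructed local listener.
        srv, port = start_local_listener()
        print(f"127.0.0.1:{port} while listening -> {probe('127.0.0.1', port)}")
        srv.close()
        print(f"127.0.0.1:{port} after closing  -> {probe('127.0.0.1', port)}")
```

Run it as `python3 probe.py router.home.DOMAIN.com 443` from the client that shows the browser error, and compare the result with the same probe run from a host on the management VLAN; if the management-VLAN client gets "open" while the other gets "refused" or "timeout", the problem lies in name resolution or in firewall rules between the client and HAProxy's listening IP rather than in the frontend ACLs.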
-
@digimd
It could maybe be a reject rule giving this error. However, do you have any? If I got you correctly, you want to access the sites only from inside the network?
-
@viragomann Yes, I meant to keep all SSL access local. I have the listening interfaces allowed to access all target destinations. I am just throwing the idea out, although I don't think it's the issue. Thank you for following through.