503 error with HAProxy

NasKar · Sep 22, 2024, 5:14 PM

I trying to run my nextcloud server with HAproxy. I've setup the backend and frontend and cloudflare for my dns. I get a valid certificate but with a 503 error. I'm not sure what's wrong.
Setup: Cloudflare has an A record with my WAN IP and CNAME with cloud and mydomain.
Nextcloud is running on a truenas core server at ip 192.168.5.81
PFSense has ports 80 and 443 forwarded to 192.168.5.1 ( the IP of my PFSense)

![HA-000308.jpg]

viragomann · Sep 22, 2024, 5:14 PM

@NasKar said in 503 error with HAProxy:

Nextcloud is running on a truenas core server at ip 192.168.5.81
PFSense has ports 80 and 443 forwarded to 192.168.5.1 ( the IP of my PFSense)

From where?
Which pfSense IP is this? WAN, LAN, other?

Which interface is the truenas connected to?

NasKar · Sep 22, 2024, 6:14 PM

@viragomann The IP of my pfsense is on the LAN 192.168.5.1. All the LAN devices are on the same subnet 192.168.5.0/24 including the TrueNAS (IP 192.168.5.48). Then nexcloud server is on 192.168.5.81.

viragomann · Sep 22, 2024, 6:24 PM

@NasKar said in 503 error with HAProxy:

The IP of my pfsense is on the LAN 192.168.5.1.

But the HAproxy frontend is listening on the WAN address.
If you forward port 443 to the LAN address you have to set the frontend to listen on it as well. Or just remove the forwarding if its on pfSense itself.

NasKar · Sep 22, 2024, 7:12 PM

@viragomann Change the frontend to the LAN and it works. Thanks you so much.

If I disable the port forwarding rules for 80 and 443 and set the frontend back to WAN it doesn't work. Is it possible to have port forwarding disabled and still access the nextcloud server from the internet?

viragomann · Oct 6, 2024, 2:16 AM

@NasKar
Remember to add a firewall rule allowing access to the WAN address on port 80 and 443.

The port forwarding might have created an associated rule for you, which is the default setting.

NasKar · Oct 6, 2024, 2:16 AM

@viragomann Sorry for the delay. I've been watching a lot of you tube videos and website but still no success.
I get a valid ssl when going to cloud.mydomain.com when not on my LAN
I've added a host override to point cloud.mydomain.com to the ip of my pfsense (192.168.5.1)
I've eliminated the Port forwarding rules and have a rule for 443 and 80 on WAN that sends all the traffic to this firewall.
When I go to cloud.mydomain.com on my LAN I get a valid SSL certificate but the 503 error still.

I thought the host override would allow me to access the site on the LAN.

viragomann · Oct 7, 2024, 4:47 PM

@NasKar said in 503 error with HAProxy:

I've added a host override to point cloud.mydomain.com to the ip of my pfsense (192.168.5.1)
I thought the host override would allow me to access the site on the LAN.

You have also to configure the frontend to listen on the LAN IP.

In the frontend External address section just hit the copy button at the right and change the listening address to LAN address on the next page. Then you frontend should listen on both, WAN and LAN address.

NasKar · Oct 8, 2024, 7:02 PM

@viragomann Do I have to port forward ports 80 & 443 to the IP of my pfsense or just create a WAN RULE ?

viragomann · Oct 8, 2024, 7:13 PM

@NasKar
The computer, which you to access your web server via the HAproxy is connected to the LAN interface.

I've added a host override to point cloud.mydomain.com to the ip of my pfsense (192.168.5.1)

The DNS host override resolves to the pfSense LAN IP.
So if you call the host name in your browser the access goes to the LAN IP of pfSense on port 443 or 80.
Hence, you need a rule on LAN allowing this.
If you still didn't change the default allow any to any rule on LAN there is nothing to, however.

The HAproxy frontend has to listen on both, WAN and LAN addresses.

NasKar · Oct 8, 2024, 11:58 PM

@viragomann
Thanks so much for your help. I finally got it working with WAN and LAN