Netgate Discussion Forum

    HAProxy not working for 1 site

    • CreationGuyC
      CreationGuy
      last edited by

      I'm successfully using HAProxy for several internally hosted sites/docker sites. I have some in Portainer on 1 server and a few on another server running Truenas. One of the sites on Truenas (Scale) is not working: NextCloud.

      I can get to it via https://10.2.2.4:9001 but not https://nc.mydomain.net. Instead, when I go to the URL it redirects to the IP.

      Screenshot 2024-11-26 at 13-37-15 TrueNAS - nas.jrfam.net.png

      Screenshot 2024-11-26 at 13-39-13 TheWall.jrfam.net - Services HAProxy Backend Edit.png

      1 Reply Last reply Reply Quote 0
      • M
        magickarle
        last edited by

        can you send a screenshot of frontend ACL and action

        CreationGuyC 2 Replies Last reply Reply Quote 0
          • CreationGuyC
            CreationGuy @magickarle
            last edited by

            @magickarle Is this what you're looking for?
            1.png

            2.png

            3.png

            V 1 Reply Last reply Reply Quote 0
            • V
              viragomann @CreationGuy
              last edited by

              @CreationGuy
              Did you add the hostname to the Nextcloud config?

              CreationGuyC 1 Reply Last reply Reply Quote 0
              • CreationGuyC
                CreationGuy @viragomann
                last edited by

                @viragomann Yes, that is under the DNS Resolver section. When going to the domain it talks about too many redirections.

                V 1 Reply Last reply Reply Quote 0
                • V
                  viragomann @CreationGuy
                  last edited by

                  @CreationGuy
                  I'm talking about the Nextcloud config.
                  <rootdir>/config/config.php

                  section 'trusted_domains'

                  CreationGuyC 1 Reply Last reply Reply Quote 0
                  • CreationGuyC
                    CreationGuy @viragomann
                    last edited by

                    @viragomann I forgot to do that. It's in there now. I don't get the too many redirects but now it just spins.

                    1 Reply Last reply Reply Quote 0
                    • M
                      magickarle
                      last edited by

                      Nextcloud’s overwriteprotocol setting in config.php. Add this if HAProxy handles SSL termination:

                      'overwriteprotocol' => 'https',

                      Ensure HAProxy isn't re-redirecting to itself. This can happen if the frontend or backend rules conflict.

                      What does this return:
                      curl -v -H "Host: nc.zzzzz.net" https://nc.zzzzz.net

                      V CreationGuyC 2 Replies Last reply Reply Quote 0
                      • V
                        viragomann @magickarle
                        last edited by

                        @magickarle said in HAProxy not working for 1 site:

                        Nextcloud’s overwriteprotocol setting in config.php. Add this if HAProxy handles SSL termination:

                        'overwriteprotocol' => 'https',

                        Ensure HAProxy isn't re-redirecting to itself. This can happen if the frontend or backend rules conflict.

                        This seems not to be necessary, however.

                        I'm running Nextcloud behind HAproxy. HAproxy does TLS offloading with redirecting http to https, and the backend server requires https as well. But I don't have this in my NC config.

                        1 Reply Last reply Reply Quote 0
                        • CreationGuyC
                          CreationGuy @magickarle
                          last edited by

                          @magickarle

                          The connection has timed out

                          An error occurred during a connection to nc.mydomain.net:9001.

                          The site could be temporarily unavailable or too busy. Try again in a few moments.
                          If you are unable to load any pages, check your computer’s network connection.
                          If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.
                          

                          root@truenas[~]# curl -v -H "Host: nc.mydomain.net" https://nc.mydomain.net
                          *   Trying 10.2.2.1:443...
                          * Connected to nc.mydomain.net (10.2.2.1) port 443 (#0)
                          * ALPN: offers h2,http/1.1
                          * TLSv1.3 (OUT), TLS handshake, Client hello (1):
                          *  CAfile: /etc/ssl/certs/ca-certificates.crt
                          *  CApath: /etc/ssl/certs
                          * TLSv1.3 (IN), TLS handshake, Server hello (2):
                          * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
                          * TLSv1.3 (IN), TLS handshake, Certificate (11):
                          * TLSv1.3 (IN), TLS handshake, CERT verify (15):
                          * TLSv1.3 (IN), TLS handshake, Finished (20):
                          * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
                          * TLSv1.3 (OUT), TLS handshake, Finished (20):
                          * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
                          * ALPN: server accepted h2
                          * Server certificate:
                          *  subject: CN=*.mydomain.net
                          *  start date: Nov 24 22:20:11 2024 GMT
                          *  expire date: Feb 22 22:20:10 2025 GMT
                          *  subjectAltName: host "nc.mydomain.net" matched cert's "*.mydomain.net"
                          *  issuer: C=US; O=Let's Encrypt; CN=R11
                          *  SSL certificate verify ok.
                          * using HTTP/2
                          * h2h3 [:method: GET]
                          * h2h3 [:path: /]
                          * h2h3 [:scheme: https]
                          * h2h3 [:authority: nc.mydomain.net]
                          * h2h3 [user-agent: curl/7.88.1]
                          * h2h3 [accept: */*]
                          * Using Stream ID: 1 (easy handle 0x55a290830ce0)
                          > GET / HTTP/2
                          > Host: nc.mydomain.net
                          > user-agent: curl/7.88.1
                          > accept: */*
                          >
                          * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
                          * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
                          * old SSL session ID is stale, removing
                          < HTTP/2 307
                          < server: nginx/1.27.3
                          < date: Wed, 04 Dec 2024 13:34:43 GMT
                          < content-type: text/html
                          < content-length: 171
                          < location: https://nc.mydomain.net:9001/
                          < strict-transport-security: max-age=15552000; includeSubDomains; preload
                          <
                          <html>
                          <head><title>307 Temporary Redirect</title></head>
                          <body>
                          <center><h1>307 Temporary Redirect</h1></center>
                          <hr><center>nginx/1.27.3</center>
                          </body>
                          </html>
                          * Connection #0 to host nc.mydomain.net left intact
                          
                          M 1 Reply Last reply Reply Quote 0
                          • M
                            magickarle @CreationGuy
                            last edited by

                            @CreationGuy

                            I'm not a pro here but it seems the 307 redirect issue is related to the backend server (Nextcloud) redirecting HAProxy to https://nc.mydomain.net:9001/. This is causing the incorrect redirection loop because:

                            1. HAProxy is already terminating SSL, and the backend is attempting to enforce HTTPS on port 9001.

                            2. This setup conflicts with HAProxy's expected behavior as the frontend URL https://nc.mydomain.net is supposed to mask the backend address.

                            If that's the case:
                            Nextcloud doesn’t recognize that HAProxy has already handled the SSL termination. So you need to force Nextcloud to treat requests as coming from https://nc.mydomain.net and prevent it from redirecting to https://nc.mydomain.net:9001/ (if that makes sense)

                            V 1 Reply Last reply Reply Quote 0
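Added example (not from any poster in this thread): a small Python check that reads the `<` response lines of a `curl -v` transcript like the one above and reports whether a redirect stays on the public origin or exposes the backend's host or port, together with the `server` header of whatever issued it. The function names and verdict labels are assumptions of this example, and the sample is constructed from the headers shown in the transcript.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the relevant lines of the curl -v transcript in this thread.
SAMPLE = """\
> Host: nc.mydomain.net
< HTTP/2 307
< server: nginx/1.27.3
< location: https://nc.mydomain.net:9001/
<
"""

def parse_response(transcript):
    """Return (status, headers) taken from the '<' lines of a curl -v transcript."""
    status, headers = None, {}
    for line in transcript.splitlines():
        if not line.startswith("<"):
            continue  # request lines ('>') and curl notes ('*') are ignored
        text = line[1:].strip()
        if not text:
            break  # a bare '<' ends the header block; the body follows
        if status is None and text.upper().startswith("HTTP/"):
            status = int(text.split()[1])
        elif ":" in text:
            name, value = text.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)

def check_redirect(public_url, transcript):
    """Compare a redirect seen through the proxy with the public origin."""
    status, headers = parse_response(transcript)
    location = headers.get("location")
    if status is None or not 300 <= status < 400 or not location:
        return {"verdict": "no-redirect", "status": status}
    want, got = origin(public_url), origin(urljoin(public_url, location))
    if got == want:
        verdict = "same-origin"
    elif got[1] != want[1]:
        verdict = "backend-host-leak"   # e.g. a redirect to the backend's IP
    else:
        verdict = "backend-port-leak" if got[2] != want[2] else "scheme-change"
    return {"verdict": verdict, "status": status, "location": location,
            "issued_by": headers.get("server")}
```

Calling `check_redirect("https://nc.mydomain.net", SAMPLE)` yields the `backend-port-leak` verdict; the `issued_by` field shows which server software produced the redirect, which tells you where the host and port settings need to be corrected.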
                            • V
                              viragomann @magickarle
                              last edited by viragomann

                              @magickarle said in HAProxy not working for 1 site:

                              I'm not a pro here but it seems the 307 redirect issue is related to the backend server (Nextcloud) redirecting HAProxy to https://nc.mydomain.net:9001/.

                              Good shot!
                              Yeah, NC directs the client to the next page using its known hostname and port. But it doesn't know the hostname and port that HAproxy is listening on.

                              There is another overwrite option, which can be used in the config.php to avoid this.

                                'overwritehost' => 'nc.zzzzz.net:443',
                              

                              You have to insert this into your config, replacing the hostname with your public one.

                              For reference: Nextcloud docs Reverse proxy

                              CreationGuyC 1 Reply Last reply Reply Quote 0
                              • CreationGuyC
                                CreationGuy @viragomann
                                last edited by

                                @viragomann Unfortunately it still just adds the :9001 at the end and redirects. Do I need to change anything in HAproxy?

                                V 1 Reply Last reply Reply Quote 0
                                • V
                                  viragomann @CreationGuy
                                  last edited by

                                  @CreationGuy
                                  What did you try?
                                  How did you access the server? From inside your network or from outside? Which URL?
                                  What exactly did you get?

                                  1 Reply Last reply Reply Quote 0
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.