Please help to configure HAProxy to serve certificate on internal LAN too
-
Hello all,
Please don't shoot me on sight, I'm one of those who kind of set things up by following tutorials and actually seeing how things look on screen. And English is not my native language either.
I set up HAProxy with the pfSense package for Nextcloud, which runs as a VM at IP 192.168.1.214. It has a self-signed cert.
I created an ACME cert with Porkbun as a wildcard and all that works totally fine. BUT I have a big issue which I don't know how to solve. When I'm accessing nextcloud.mydomain.xx from the LOCAL LAN it serves the page fine, but it uses the self-signed cert.
Will someone, please, show me by example how to create a working rule which will force pfSense to serve 192.168.1.214 and all its translation or whatever exclusively from outside? Bear in mind that 214 has to be able to lurk in 192.168.1.0/24 also, since data storage is served by NFS on TrueNAS.
192.168.1.1 (pfSense IP),
192.168.1.214 (Nextcloud IP)
All works fine from outside, but from the local LAN it bypasses HAProxy and serves Nextcloud's internal cert with the correct domain name nextcloud.mydomain.xx. Well, it seems it only bypasses the cert part, since the domain works. Somehow it resolves.
This is what the dig command does from the local LAN:
;; ANSWER SECTION:
nextcloud.domain.xx. 3600 IN A 192.168.1.1
nextcloud.domain.xx. 3600 IN A 192.168.1.214
;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Thu Oct 30 08:48:37 CET 2025
;; MSG SIZE rcvd: 83
The main problem here is that the Nextcloud app gets stuck when we are on the local network. It does not work since it gets a different cert. It does not even ask whether we want to accept it or not. Even if it did, it would be a bit weird to do that every time we come home.
Many thanks in advance!
-
@ha11oga11o Your LAN DNS returns both pfSense and Nextcloud IPs, so clients bypass HAProxy. Add a host override in DNS Resolver for nextcloud.mydomain.xx pointing only to 192.168.1.1. Flush DNS, restart Unbound, and all local traffic will use HAProxy with the correct certificate.
-
Many thanks for the reply. I'm kinda sure I did that already. Did I make any mistake here? After doing all this I even rebooted the box. Does that count as restarting Unbound?


-
@ha11oga11o Now remove the record for 192.168.1.214.
-
@ha11oga11o Post the updated answer of an nslookup or a dig querying domain nextcloud.domain.xx. The only A record that should be returned is 192.168.1.1.
-
dig gives this answer:
; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> nextcloud.mydomain.xx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26902
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1424
;; QUESTION SECTION:
;nextcloud.mydomain.xx. IN A
;; ANSWER SECTION:
nextcloud.mydomain.xx. 3600 IN A 192.168.1.214
nextcloud.mydomain.xx. 3600 IN A 192.168.1.1
;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Tue Nov 04 20:52:42 CET 2025
;; MSG SIZE rcvd: 83
nslookup goes like this:
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: nextcloud.mydomain.xx
Address: 192.168.1.214
Name: nextcloud.mydomain.xx
Address: 192.168.1.1
My problem is that it returns both. If I do dig from outside it only resolves to my public IP, which is fine.
Remember, all works fine from outside. Only the local LAN is bypassing for some reason.
Thank you for helping me with this demonic issue :)
-
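The check the helpers above ask for (does the LAN resolver return only the HAProxy address, or does a backend address leak through and let clients bypass the proxy?) can be automated against dig output. This is an added example, not code from any post in this thread; the sample dig text is constructed from the output quoted above, and the proxy/backend addresses are the ones the thread names.

```python
import re
from typing import List, Set

# Constructed sample: the two-answer dig output quoted in the thread, flattened
# onto one line the way the forum extraction left it.
SAMPLE_DIG = (
    ";; ANSWER SECTION: nextcloud.mydomain.xx. 3600 IN A 192.168.1.214 "
    "nextcloud.mydomain.xx. 3600 IN A 192.168.1.1 ;; Query time: 4 msec"
)

# One A record: owner name ending in '.', TTL, class IN, type A, IPv4 address.
# The QUESTION line (";name. IN A") has no TTL, so it is not matched.
A_RECORD = re.compile(r"(\S+\.)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})")


def answer_addresses(dig_output: str, name: str) -> Set[str]:
    """Return the set of A-record addresses dig reported for `name`."""
    want = name.rstrip(".").lower() + "."
    return {ip for owner, _ttl, ip in A_RECORD.findall(dig_output)
            if owner.lower() == want}


def check_proxy_only(dig_output: str, name: str, proxy_ip: str,
                     backend_ips: List[str]) -> List[str]:
    """List every answer that breaks the 'only the proxy address' rule.

    An empty list is the state the thread is aiming for: LAN clients can only
    reach the name through HAProxy, so they always get the ACME certificate.
    """
    found = answer_addresses(dig_output, name)
    problems = []
    if proxy_ip not in found:
        problems.append(f"{name} does not resolve to proxy {proxy_ip}; "
                        "LAN clients cannot reach it via HAProxy")
    for ip in sorted(found - {proxy_ip}):
        if ip in backend_ips:
            problems.append(f"{name} also resolves to backend {ip}; clients "
                            "may connect directly and get its self-signed cert "
                            "(check DHCP/static DHCP registration in Unbound)")
        else:
            problems.append(f"{name} also resolves to unexpected {ip}")
    return problems


if __name__ == "__main__":
    for line in check_proxy_only(SAMPLE_DIG, "nextcloud.mydomain.xx",
                                 "192.168.1.1", ["192.168.1.214"]):
        print(line)
```

Feed it the real output with `dig nextcloud.mydomain.xx @192.168.1.1` on a LAN client; after the registration options are unticked and the host override is in place it should report nothing.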
@ha11oga11o Your next troubleshooting step is to figure out who or what is serving the 192.168.1.214 record, and why, and then remove it.
-
Yeah, I agree. Something is serving my whole LAN, not only 214. Any other server I add to the proxy behaves totally the same.
TBH I have no idea what can serve my LAN in loopback. And I don't dare to experiment with any of the settings at General or Advanced because I don't know what 80% of them actually do.
But could this do something like this?
-
@ha11oga11o I suspect your DHCP configuration.
-
Nothing there that I can see. Nothing is added, all is actually unticked. The only thing I tweaked, a long time ago, was to define a static pool and that's it.

-
@ha11oga11o What version of pfSense is this system running?
-
2.8.1-RELEASE (amd64)
built on Thu Aug 28 18:09:00 CEST 2025
FreeBSD 15.0-CURRENT
haproxy net 0.63_11
Fair question. I did not find it important because one should not seek advice at forums if the box is not at least up to date.
-
I changed this from manual to automatic and got a different response from dig.

It went from
;; ANSWER SECTION:
nextcloud.xxx. 3600 IN A 192.168.1.214
nextcloud.xxx. 3600 IN A 192.168.1.1
to
;; ANSWER SECTION:
nextcloud.xxx. 3600 IN A 192.168.1.1
nextcloud.xxx. 3600 IN A 192.168.1.214
They switched places, but it still redirects the same.
-
@ha11oga11o you are prob registering DHCP in Unbound. Or you are registering statics if you have a reservation, which is why you're seeing both.
Look in your Unbound settings - do you have this checked?

If so then yeah, you would have the host override you created and also the DHCP entry - which is why you would get 2 answers. And yeah they could flip flop with .1 being first on one query, and .214 being first the next query, or 3 queries later etc.
This is one of the perfect examples of why you shouldn't use your public domain internally. Then you never can run into such problems.
I have multiple public domains where I can point records at my public IP.. But I use home.arpa internally.
-
-
@ha11oga11o you can uncheck that - but you would then lose the ability to resolve any resources internally unless you create host overrides for them.
Or set reservations for them and register those.
See my edit of previous post - not a fan of using the same domain public and internal if you are going to have stuff on that domain that resolves on the public side - I would suggest you just use say home.arpa as your internal name - then you would never run into such an issue.
-
My goal is only to be able to use nextcloud.mydomain.xx both outside and inside the LAN.
Outside all works fine. As I understand it, if I'm on the local LAN with a phone we will not be able to resolve nextcloud.mydomain.xx. It will not be reachable?
That is a different issue with the same outcome then.
We need to be able to use it outside and in the house without VPN fiddling.
I did create a host override. You can see it in the posts above. I placed a bunch of pictures. Is that what you are talking about?
Thanks!
-
Oh yeah, 192.168.1.214 is statically bound to its MAC address.
I unticked both DHCP Registration and Static DHCP registration and now dig returns only 192.168.1.1, but I can't access it from the LAN anymore. I do have the host override as posted in the pics above. But we cannot resolve it anymore.
Is there anything else I need to do so we gain access to nextcloud.mydomain.xx within the local LAN?
Guys, thank you in advance.
-
@ha11oga11o if you resolve nextcloud.mydomain.xx to your external IP, i.e. the same one public people do, then it would be handled by your HAProxy.
Example: I have SSL offloading for external users for the public FQDN something.mydomain.tld - this resolves externally to my public IP that hits the pfSense WAN, and this also resolves to my public IP when on my local network, so again HAProxy handles the SSL, etc.
But if I wanted or needed to access that directly on my local LAN then I use its name.home.arpa:port that the service is on, which doesn't do SSL, etc.
What is the point of using the same fqdn internally and externally? What do you think that gets you other than issues?

