    haproxy and vaultwarden - no connection over haproxy
    BerndHu

      Hello,

      I run pfSense 2.8.1 and HAProxy (0.63_11, 2.9.14-7c591d5) and set up a third backend in HAProxy for Vaultwarden. The two other backends, Nextcloud and Contao, run great with a wildcard Let's Encrypt SSL certificate.

      But Vaultwarden is not reachable from outside. Some info, the relevant parts of /var/etc/haproxy/haproxy.cfg:

      global
              maxconn                 1000
              log                     /var/run/log    local1  debug
              stats socket /tmp/haproxy.socket level admin  expose-fd listeners
              uid                     80
              gid                     80
              nbthread                        1
              hard-stop-after         15m
              chroot                          /tmp/haproxy_chroot
              daemon
              tune.ssl.default-dh-param       2048
              server-state-file /tmp/haproxy_server_state
      
      frontend https.example.org
              bind                    10.1.1.2:443 name 10.1.1.2:443   ssl crt-list /var/etc/haproxy/https.example.org.crt_list
              mode                    http
              log                     global
              option                  http-keep-alive
              option                  forwardfor
              acl https ssl_fc
              http-request set-header         X-Forwarded-Proto http if !https
              http-request set-header         X-Forwarded-Proto https if https
              timeout client          30000
              acl                     cloud.example.org       var(txn.txnhost) -m str -i cloud.example.org
              acl                     vw.example.org  var(txn.txnhost) -m str -i vw.example.org
              acl                     example.org     var(txn.txnhost) -m str -i example.org
              acl                     aclcrt_https.example.org        var(txn.txnhost) -m reg -i ^([^\.]*)\.example\.org(:([0-9]){1,5})?$
              acl                     aclcrt_https.example.org        var(txn.txnhost) -m reg -i ^example\.org(:([0-9]){1,5})?$
              http-request set-var(txn.txnhost) hdr(host)
              use_backend cloud-example-org_ipvANY  if  cloud.example.org aclcrt_https.example.org
              use_backend vw-example-org_ipvANY  if  vw.example.org aclcrt_https.example.org
              use_backend example-org_ipvANY  if  example.org aclcrt_https.example.org
      
      backend vw-example-org_ipvANY
              mode                    http
              id                      102
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              load-server-state-from-file     global
              http-request set-header X-Real-IP %[src]
              server                  vw.example.org 192.168.1.12:11001 id 103 check inter 1000 alpn http/1.1
      

      I can access Vaultwarden from a LAN-VM and I can connect from pfsense:

      [2.8.1-RELEASE][root@pfSense.home.arpa]/root: curl 192.168.1.12:11001
      [...]
      ><title page-title>Vaultwarden Web</title>
      [...]
      [2.8.1-RELEASE][root@pfSense.home.arpa]/root:
      

      I read the proxy configuration help from Vaultwarden: https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
      and set "http-request set-header X-Real-IP %[src]" and "alpn http/1.1" (see config above).

      The compose.yml for Vaultwarden has set:

        DOMAIN: "https://vw.example.org"  # required when using a reverse proxy; your domain; vaultwarden needs to know it's https to work properly with attachments
        IP_HEADER: "X-Forwarded-For" # “ip_header”: “X-Forwarded-For”,X-Real-IP
      

      I tried different settings, but I get no connection from outside. I think it's a pfSense problem..

      The file /var/log/haproxy.log shows only a line like:

      Dec  3 13:57:42 pfSense haproxy[59066]: Connect from 217.11.22.33:35967 to 10.1.1.2:443 (https.example.org/HTTP)
      Dec  3 13:57:42 pfSense haproxy[59066]: Connect from 217.11.22.33:35967 to 10.1.1.2:443 (https.example.org/HTTP)
      

      Not really much (Syslog level Debugging) ..

      It's strange, because HAProxy says the backend is down. But with "curl -I 192.168.1.12:11001" I get a

      HTTP/1.1 200 OK
      server: Rocket
      [...]
      

      It's the same ip:port as the backend.

      Any ideas?

      BerndHu

        Really, really strange .. after I filtered the stats table to "192.168.1.12", I saw connections to 192.168.1.12:443. Now I changed the port of Vaultwarden to 443 and .. I can connect? And in the backend, I connect to port 80? Incomprehensible...

        And there is no port 80 open on the Vaultwarden machine:

        [root@vaultwarden:/opt/vaultwarden]$ ipa|grep ens18
        2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
            inet 192.168.1.12/24 brd 192.168.1.255 scope global ens18
        [root@vaultwarden:/opt/vaultwarden]$ netstat -tulpn
        Aktive Internetverbindungen (Nur Server)
        Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
        tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      667/sshd: /usr/sbin
        tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      819/master
        tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      87382/docker-proxy
        tcp        0      0 127.0.0.1:33233         0.0.0.0:*               LISTEN      657/containerd
        tcp6       0      0 :::22                   :::*                    LISTEN      667/sshd: /usr/sbin
        tcp6       0      0 :::25                   :::*                    LISTEN      819/master
        tcp6       0      0 :::5000                 :::*                    LISTEN      644/docker-registry
        [root@vaultwarden:/opt/vaultwarden]$
        

        and the backend for Vaultwarden in /var/etc/haproxy/haproxy.cfg has a "192.168.1.11:80" too...

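Since the posted backend uses `load-server-state-from-file global` and the stats table showed the server on a different port (443, later 80) than its `server` line declares, one check worth running on the firewall is to compare the address:port recorded in /tmp/haproxy_server_state with the `server` lines in /var/etc/haproxy/haproxy.cfg, because a stale state file can carry a previously used port over a reload. The script below is an added example, not code from the thread or from the pfSense HAProxy package; the haproxy.cfg excerpt and the server-state rows are constructed samples modelled on the thread.

```python
"""Cross-check `server` lines in haproxy.cfg against the HAProxy server-state
file. Added example, not code from the forum post or the pfSense package;
both inputs are constructed samples modelled on the thread."""

def parse_cfg_servers(cfg_text):
    """Map (backend, server_name) -> (addr, port) from `backend`/`server` lines."""
    servers, backend = {}, None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith("backend "):
            backend = line.split()[1]
        elif backend and line.startswith("server "):
            parts = line.split()
            addr, sep, port = parts[2].rpartition(":")  # also handles [v6]:port
            servers[(backend, parts[1])] = (addr, int(port)) if sep else (parts[2], None)
    return servers

def parse_state_file(state_text):
    """Map (backend, server_name) -> (addr, port); columns come from the '#' header."""
    cols, out = None, {}
    for line in state_text.splitlines():
        if line.startswith("#"):
            cols = line[1:].split()
            continue
        fields = line.split()
        if cols is None or len(fields) < len(cols):
            continue  # version line (e.g. "1") or a truncated row
        row = dict(zip(cols, fields))
        out[(row["be_name"], row["srv_name"])] = (row["srv_addr"], int(row["srv_port"]))
    return out

def find_mismatches(cfg_text, state_text):
    """Return [(backend, server, cfg_addr_port, state_addr_port)] where they differ."""
    cfg, state = parse_cfg_servers(cfg_text), parse_state_file(state_text)
    return [(be, sv, ap, state[(be, sv)])
            for (be, sv), ap in cfg.items()
            if (be, sv) in state and state[(be, sv)] != ap]

# Constructed sample: the Vaultwarden backend as declared in the thread.
HAPROXY_CFG = """\
backend vw-example-org_ipvANY
        load-server-state-from-file     global
        server                  vw.example.org 192.168.1.12:11001 id 103 check inter 1000 alpn http/1.1
"""
# Constructed sample state file: the same server recorded with port 443.
SERVER_STATE = """\
1
# be_id be_name srv_id srv_name srv_addr srv_op_state srv_admin_state srv_uweight srv_iweight srv_time_since_last_change srv_check_status srv_check_result srv_check_health srv_check_state srv_agent_state bk_f_forced_id srv_f_forced_id srv_fqdn srv_port srvrecord srv_use_ssl srv_check_port srv_check_addr srv_agent_addr srv_agent_port
102 vw-example-org_ipvANY 103 vw.example.org 192.168.1.12 0 0 1 1 120 8 2 0 6 0 0 0 - 443 - 0 0 - - 0
"""
```

On the firewall the real inputs are the two files named above; `show servers state` on the stats socket prints the same columns, so its output can be fed to parse_state_file as well.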