Hello Guys!
I use opnsense for my homelab with haproxy as reverse proxy. I had setup all services and everything worked like a charm. I got a 100% test @SSLLabs in all 4 categories, but i didn’t get vaultwarden websocket working. Can anybody of you look at my config? I don’t find the issue.
Unfortunely nobod in the other forums like opnsense or vaultwarden know the issue Image may be NSFW.
Clik here to view.
Here is my config.
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.0.0.1:80)
frontend 1_HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_636976fd9d4d71.97561865 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_636976fd9d4d71.97561865
# Frontend: 1_HTTPS_frontend (Listening on 127.0.0.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/636aad8d3cbe18.58884679.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: nc_carddav
acl acl_636ba4e5b6aa82.28881573 path_end -i /.well-known/carddav
# ACL: nc_caldav
acl acl_636ba2d9f14933.27250118 path_end -i /.well-known/caldav
# ACL: vw_ws_acl01_condition
acl acl_636c2f2b5accd9.55827620 path -i /notifications/hub
# ACL: vw_ws_acl02_condition
acl acl_636cc909734817.72974823 path -i /notifications/hub/negotiate
# ACTION: nc_carddav_rule
http-request redirect code 301 location /remote.php/dav if acl_636ba4e5b6aa82.28881573
# ACTION: nc_caldav_rule
http-request redirect code 301 location /remote.php/dav if acl_636ba2d9f14933.27250118
# ACTION: vw_ws_acl01_rule
use_backend vw_backend if acl_636c2f2b5accd9.55827620
# ACTION: vw_ws_acl02_rule
use_backend vw_ws_backend if acl_636cc909734817.72974823
# ACTION: PUBLIC_SUBDOMAINS-map_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63653d33935cd3.47503593.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: office_backend (Onlyoffice)
backend office_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server office_server 10.10.20.8:80
# Backend: vw_backend (Vaultwarden)
backend vw_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server vw_server 10.10.20.7:80
# Backend: mc_backend (Minecraft Server)
backend mc_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server mc_server 10.10.40.4:80
# Backend: cloud_backend (Nextcloud01)
backend cloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server cloud_server 10.10.20.5:80
# Backend: demo_backend (Nextcloud02)
backend demo_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server demo_server 10.10.20.6:80
# Backend: kunden_backend (Nextcloud03)
backend kunden_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server kunden_server 10.10.20.11:80
# Backend: vw_ws_backend (Vaultwarden Websocket)
backend vw_ws_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server vw_ws_server 10.10.20.7:3012
Thank you!
With best regards,
techsolo12
1 post - 1 participant