I have a simple requirement & semi-working setup which made me think I knew what I was doing, but this is clearly not true.
I am adequately savvy in terms of CLI/Linux, but in HAProxy terms I am (as I discovered), at best, a complete moron - apologies.
- OpenWRT (192.168.1.100) port forward of 80/443 → HAProxy (192.168.1.1), which must decide where to send things
- HAProxy (192.168.1.1) v2.6.15 on a Debian VM
- ~4 websites which are on Debian VMs
- 192.168.1.20 (nextcloud.domain.co.za:443) configured for SSL in nginx
- 192.168.1.30 (jellyfin.domain.co.za) configured in nginx as a reverse proxy to mangle 80 -> jellyfin:8096
- 192.168.1.40 (domain.co.za) configured as an http:80 service
- 192.168.1.40 (nginx.domain.co.za:443) configured for SSL in nginx (shared SNI nginx vhost with the above machine)
- nextcloud: config has a few extra config bits that I found on the NC setup docs - but it works OK. However, if I attempt to use the send-proxy, the whole thing fails - which I’d like to address if possible.
- jellyfin: also works OK - with the send-proxy which I assume is because it’s :80, but I’d like to get that to work “properly” via HAproxy.
- nginx:443 also works OK.
- The http://domain.co.za:80 link fails - if I try to force it to https, it bypasses this and goes to https://nginx.domain.co.za:443
- I assume it has to do with the scheme redirect but despite how dismally simple the config seems, I cannot get it to stay on http for that link
I currently use DNS01 wildcard LE certs which I manually update every ~3 months (and often forget to do, hence the desire to automate).
What I’d like to achieve is to
- get any http://domain:80 to work (with and/or without redirect) so that I can experiment with auto-certs
- apply the SSL certs via HAproxy instead of nginx and let HAproxy renew them
- I tried the acme.sh but since I can’t get the basic :80 working, I didn’t get very far
- get send-proxy to work on SSL items too
- figure out how/where to put multiple certs (possibly wildcard certs too?) so that SNI works automatically for multiple sites and still does renews
Thanks and sorry in advance
HAProxy config looks like this…
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    ssl-server-verify none
    # this is for letsencrypt/acme requests (acme.sh stateless mode); nothing below references it yet
    setenv ACCOUNT_THUMBPRINT 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

defaults
    log global
    option httplog
    option dontlognull
    # option forwardfor except 127.0.0.0/8
    option redispatch
    option http-server-close
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend stats
    bind *:9000
    mode http
    stats enable
    stats uri /stats
    stats refresh 30s
    stats auth admin:password
    stats hide-version
    stats realm HAproxy\ Statistics

frontend http_in
    bind *:80 alpn h2,h2c,http/1.1
    mode http
    option forwardfor
    acl test_acme path_beg /.well-known/acme-challenge/
    acl domain_acl hdr_end(host) -i domain.co.za
    # redirect scheme https code 301 if !test_acme
    use_backend letsencrypt_BE if test_acme
    use_backend domain_http if domain_acl !test_acme
    # note: this frontend is 'mode http' but backend 'default' is 'mode tcp' (see 'mode')
    default_backend default

frontend https_in
    # TLS passthrough: nothing is terminated here, routing is by the SNI read from the ClientHello
    bind *:443 transparent
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend nextcloud if { req_ssl_sni -i nextcloud.domain.co.za }
    use_backend jellyfin if { req_ssl_sni -i jellyfin.domain.co.za }
    # anything else (including plain domain.co.za) falls through to the nginx.domain.co.za backend
    default_backend default

backend letsencrypt_BE
    mode http
    server letsencrypt 127.0.0.1:9875

backend domain_http
    mode http
    # send-proxy-v2 prepends a PROXY protocol v2 header to every connection (health checks included);
    # the nginx listener on the other side must be declared with 'proxy_protocol' to accept it
    server domain domain.co.za:80 check send-proxy-v2

backend jellyfin
    mode tcp
    # tcp-check, ssl-hello-chk and httpchk are alternative check methods; only the last one parsed applies
    option tcp-check
    option ssl-hello-chk
    option httpchk GET /
    # no 'check' keyword, so no health check runs at all; 'verify none' only matters together with 'ssl'
    server jellyfin jellyfin.domain.co.za:80 verify none send-proxy-v2

backend nextcloud
    mode tcp
    option tcp-check
    option ssl-hello-chk
    option httpchk GET /
    http-check send hdr Host nextcloud.domain.co.za
    # 'sni' only takes effect on a TLS connection to the server ('ssl'), so it is inert on a passthrough server line
    server nextcloud nextcloud.domain.co.za:443 check-ssl verify none check-sni nextcloud.domain.co.za sni str(nextcloud.domain.co.za) # send-proxy-v2

backend default
    mode tcp
    option tcp-check
    option ssl-hello-chk
    option httpchk GET /
    http-check send hdr Host nginx.domain.co.za
    # no port given, so the port the client connected to (443) is reused
    server nginx nginx.domain.co.za
and the failing nginx config looks like this…
server {
    listen 80;   # without 'proxy_protocol' here nginx expects a plain HTTP request line as the first bytes
    server_name domain.co.za www.domain.co.za;
    root /var/www/html/domain.co.za;
    index index.html index.htm index.php;
    # return 301 https://$server_name$request_uri; # Enforce HTTPS
    access_log /var/log/nginx/domain.co.za-access.log;
    error_log /var/log/nginx/domain.co.za-error.log error;
    location / {
        try_files $uri $uri/ =404;
        # try_files $uri $uri/ /index.php$is_args$args;
    }
    # real_ip_header proxy_protocol only acts on connections accepted by a 'listen ... proxy_protocol' socket,
    # and set_real_ip_from must name the proxy's source address (HAProxy connects from 192.168.1.1, not loopback)
    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;
}
The nginx logs specific to this vhost never get reached, so I guess the error is in my HAProxy config.
If I enable the redirect scheme then the requests go to nginx.domain.co.za:443
If I don’t, then attempts to reach domain.co.za:80 give a browser error (but nothing in the nginx vhost logs):
    400 Bad Request
    nginx/1.18.0
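Added example, not part of the original post: the pairing a practitioner would expect between the HAProxy `server` lines and the nginx `listen` directives. `send-proxy-v2` prepends a binary PROXY protocol v2 header to every connection HAProxy opens to that server, and nginx only strips that header when the matching `listen` carries `proxy_protocol`; otherwise it parses the PROXY bytes as an HTTP request line and answers 400 Bad Request, which is the symptom quoted above, and the request never reaches the vhost's logs. The same rule applies to the TLS listeners, so `send-proxy-v2` toward nginx on :443 needs `listen 443 ssl proxy_protocol`. The other symptom follows from the posted config as well: `redirect scheme https` sends the browser to https://domain.co.za/, `https_in` has no SNI rule for `domain.co.za`, so it falls to `default_backend default`, i.e. nginx.domain.co.za on the same 192.168.1.40 host. Addresses and hostnames are the ones in the post; the file paths, the `nginx_tls` backend name, the certificate paths and the `http-request return` rule (acme.sh's stateless mode, which is what a `setenv ACCOUNT_THUMBPRINT` is normally paired with, as an alternative to the `letsencrypt_BE` backend in the post) are assumptions for illustration:

```conf
# ---- /etc/haproxy/haproxy.cfg (fragment; path assumed) ----
frontend http_in
    bind *:80
    mode http
    option forwardfor
    acl test_acme  path_beg /.well-known/acme-challenge/
    acl domain_acl hdr(host) -i domain.co.za www.domain.co.za
    # acme.sh "stateless" answer: HAProxy replies to the challenge itself using the
    # account thumbprint from the global setenv, so the ACME path never needs a backend
    http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if test_acme
    # optional: force https for everything except ACME; the target https://domain.co.za/
    # is then routed by SNI in https_in, so it needs its own rule there
    # http-request redirect scheme https code 301 if !test_acme
    use_backend domain_http if domain_acl
    default_backend domain_http   # frontend and default backend are both 'mode http'

backend domain_http
    mode http
    # send-proxy-v2 prepends a PROXY v2 header to every connection, health checks included;
    # nginx must 'listen 80 proxy_protocol' or it parses the header as HTTP and answers 400
    server domain 192.168.1.40:80 check send-proxy-v2

frontend https_in
    bind *:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend nextcloud if { req_ssl_sni -i nextcloud.domain.co.za }
    use_backend nginx_tls if { req_ssl_sni -i nginx.domain.co.za }
    use_backend nginx_tls if { req_ssl_sni -i domain.co.za }   # target of the http->https redirect
    default_backend nginx_tls

backend nextcloud
    mode tcp
    # plain L4 connect check; the PROXY header is sent on checks too, which nginx accepts once
    # its 443 listener is declared with proxy_protocol
    server nextcloud 192.168.1.20:443 check send-proxy-v2

backend nginx_tls
    mode tcp
    server nginx 192.168.1.40:443 check send-proxy-v2

# ---- alternative: terminate TLS in HAProxy and let it pick the certificate by SNI ----
# Every .pem in the directory (key + cert + chain concatenated) is loaded, and the one
# whose names match the ClientHello SNI is served; backend names here are placeholders.
# frontend https_term
#     bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
#     mode http
#     http-request set-header X-Forwarded-Proto https
#     use_backend nextcloud_http if { req.hdr(host) -i nextcloud.domain.co.za }
#     default_backend domain_http

# ---- nginx on 192.168.1.40 (fragment; file path assumed) ----
server {
    listen 80 proxy_protocol;           # consume the PROXY v2 header before parsing HTTP
    server_name domain.co.za www.domain.co.za;
    root /var/www/html/domain.co.za;
    set_real_ip_from 192.168.1.1;       # the HAProxy VM: the only peer allowed to assert a client address
    real_ip_header proxy_protocol;
    location / { try_files $uri $uri/ =404; }
}

server {
    listen 443 ssl proxy_protocol;      # same rule for the TLS listener when HAProxy uses send-proxy-v2
    server_name nginx.domain.co.za domain.co.za;
    ssl_certificate     /etc/nginx/certs/domain.co.za.fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/domain.co.za.key;             # assumed path
    set_real_ip_from 192.168.1.1;
    real_ip_header proxy_protocol;
}
```

Two checks worth running after changing either side: `haproxy -c -f /etc/haproxy/haproxy.cfg` and `nginx -t` both validate syntax before a reload, and a request made directly to 192.168.1.40:80 (bypassing HAProxy) will now itself fail, because that listener expects a PROXY header first; keeping `set_real_ip_from` restricted to 192.168.1.1 is what prevents any other host from forging the client address that nginx logs and that access rules see.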