Another Synology behind HAproxy on pfSense question

Saw this, and I think my issues are not too far off, but I am still lost.

I have seen Tom’s videos on HAProxy (old, new, and troubleshooting). I set up several services already which are working fine. Most of these are using my wildcard cert for my domain hosted at Cloudflare.

Two things are giving me problems: my Synology, and setting up Bitwarden with a Let’s Encrypt cert.

I run pfSense and the Synology DSM webGUIs on ports other than 80/443.

For the Synology
The HAProxy backend is set to the local IP and the non-standard port mentioned above, the Encrypt box is checked, SSL checks is not set, and Health check is set to none. The frontend is the same as for all of the other services mentioned above. There is a DNS entry for the host on the same domain, just as I have done for all of the other services, and if I ping the URL it replies with the pfSense IP.

When browsing the URL, I get “Sorry, the page you are looking for is not found.” I typically see this when the port is not set. Additionally, on the Synology, I have the URL set to the same value in Login Portal → DSM → Domain.

QuickConnect is my fallback option if I can’t get that working.

For BitWarden
This is the full official version running on Alpine on a dedicated VM on Proxmox. No firewalls on Proxmox or Alpine. The reason for this is just to get it working on a dedicated IP and then lock down the firewalls later.

I set a backend up just the same as the other services, except that I have added two ports in the server list, for 80 and 443. The frontend shares the same settings as the other services. The install script fails at Certbot with “Some challenges have failed.” I believe that the issue here is that 80 and 443 aren’t making it back to the VM. Or is it that I can’t have a specific SSL setup for the same domain that I already have a wildcard set up for?

Any help is greatly appreciated!
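As an added example (not code from the thread, from pfSense’s generated config, or from Bitwarden’s installer), here is a hand-written HAProxy configuration covering both problems in the post above: routing the ACME HTTP-01 challenge on port 80 to the Bitwarden VM so certbot can complete, and fronting DSM on its non-standard port with the client IP forwarded. The hostnames, certificate path and the Bitwarden VM address are assumed placeholders; the DSM address and port are the ones given later in the thread.

```haproxy
# Added example, not the poster's pfSense-generated config.
# Hostnames, cert path and the vault VM address are placeholders.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80 must reach the Bitwarden VM for certbot's HTTP-01 challenge;
# if it does not, the installer stops with "Some challenges have failed".
frontend http_in
    bind *:80
    acl acme_challenge path_beg /.well-known/acme-challenge/
    acl host_vault hdr(host) -i vault.example.com
    use_backend bitwarden_http if acme_challenge host_vault
    http-request redirect scheme https code 301 unless acme_challenge

# Port 443: TLS terminated with the wildcard cert, then routed by Host header.
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/wildcard.example.com.pem
    option forwardfor          # X-Forwarded-For carries the real client IP
    http-request set-header X-Forwarded-Proto https
    acl host_nas   hdr(host) -i nas.example.com
    acl host_vault hdr(host) -i vault.example.com
    use_backend synology_dsm    if host_nas
    use_backend bitwarden_https if host_vault

backend synology_dsm
    # DSM listens on a non-standard HTTPS port with its own cert, so the
    # cert is not verified here. Leave DSM's "Customized domain" field
    # empty (the fix reached at the end of this thread).
    server nas 192.168.0.2:5050 ssl verify none check

backend bitwarden_http
    # Plain HTTP to the VM, used only for the ACME challenge path.
    server vault 192.168.0.50:80

backend bitwarden_https
    # Re-encrypt to the VM; websocket upgrades pass through in http mode.
    server vault 192.168.0.50:443 ssl verify none check
```

Checking the proxy end-to-end before touching DSM settings is worth doing with a direct request such as `curl -vk --resolve nas.example.com:443:<pfSense IP> https://nas.example.com/`, which shows the Host header HAProxy routes on and whatever DSM answers.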

I think Bitwarden also uses websockets. Have you tried configuring that?

No, I was oblivious to it. Thanks for the lead… I’m reading up on it now.

Sorry for the late response…

So I found this:

If you want to pass the IP arriving at HAProxy to the NAS, you just have to add “option forwardfor” in the desired backend section:

backend https_nas
mode tcp
option forwardfor
# source 0.0.0.0 usesrc clientip
server nas.office 192.168.0.11:443 check # send-proxy-v2-ssl

-NAS behind and HAProxy L4 with PROXY protocol

But I don’t know where this forwardfor option can be set in the GUI. Do I just put “option forward” in the Per server pass thru box?

Also…

I tried creating a new frontend, checking “Shared Frontend” and selecting the same frontend that works for my other hosts. In this frontend I created a “host matches” ACL and for the action pointed it at a new backend.

For the backend I added the Synology to the server list pointing at the DSM port and checked SSL. I created another “host matches” ACL and for the action set “http-request header add”, matched the ACL, and set the “name” field to X-CLIENT-IP and the “fmt” field to %[src].

I set “Health check method” to none.

When I browse to the URL I get “Synology - Sorry, the page you are looking for is not found.”

Here are some of the posts I have been working with:
-https://www.reddit.com/r/PFSENSE/comments/u3efv3/custom_headers_in_haproxy/
-https://www.reddit.com/r/PFSENSE/comments/e55wca/link_synology_services_to_custom_url/f9j453i/
-https://community.synology.com/enu/forum/1/post/150860

I tried turning on logging for HAProxy at debug level and running tail, and I see only an entry from my laptop coming from some random port to the pfSense IP on 443, then no other lines.

If there is another way to grab info from the box, please let me know and I will post it.

Hi @Jo_Bots, I have been putting this issue off for a bit and I am super interested to know if you are able to figure it out.

I have a Synology and I also host ScreenConnect, both of which don’t retain the client IP when I put HAProxy in front of them. I have found the “Use ‘forwardfor’ option” option in the GUI. It’s under Advanced settings within your frontend. However, I have found that it doesn’t make a difference.

For what it’s worth, I have been successful in getting the client IP to show in Invoice Ninja with HAProxy in front of it. The trick there was adding this to the NGINX virtual host configuration:

set_real_ip_from 127.0.0.1;
set_real_ip_from <my haproxy interface ip>;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

As I explained above, though, the “Use ‘forwardfor’ option” didn’t make a difference in Invoice Ninja before adding the additional configuration I pointed out above.

I am not sure if this helps at all, but I figured it would give you some drive to keep looking, since you aren’t the only one with this problem.

OK, thanks for that. I will work on playing around with that this week for my stuff and report back.

I tried it with the same backend settings I mentioned above, with the ACL on the backend to set “http-request header add” with the “name” field to X-CLIENT-IP and the “fmt” field to %[src].

Then I tried removing those settings and mirroring the basic settings that I have used for other services as Tom described in his video.

…but it does the same thing.

I tried this workaround, but unfortunately it has changed a bit with 7, and I can only set these for other applications on the Synology, not for the main page.

My apologies @Jo_Bots, I admit I didn’t read all of your posts in this thread. I thought your main issue was passing the IP address to the Synology for logging purposes. After reading the entire thread it seems like you are having trouble getting the Synology to work behind HAProxy altogether.

Have you tried accessing the Synology directly with its IP address and port number? Does that work? I am wondering if there is something weird going on with your Synology and the web server it runs. Have you tried restarting it?

If you can get to the DSM GUI, I’d double-check the ports it’s using for HTTPS and confirm they are correct in the corresponding HAProxy backend.

The message it shows, “Sorry, the page you are looking for is not found.”, sounds to me like the proxy is set up to access a web server path that doesn’t exist. I’d double-check the actions in your backend to make sure you don’t have anything extra going on.

If none of that works, it’s time to start posting some screenshots of your configurations, both on HAProxy and your Synology.

The Synology works fine when browsing directly to the IP address, https://192.168.0.2:5050.

The Synology has been rebooted several times since I started down this path. It is running 7.0. I have auto redirection to HTTPS turned on. I have the customized domain field filled out with the host and domain that it should be according to the SSL cert. I have HSTS disabled for now. Under the Applications tab I don’t have any apps configured, as I didn’t want to use the built-in reverse proxy… yet. I don’t have access control profiles configured… yet. I don’t have anything, including custom headers, configured in the Advanced tab. I am not sure how to see if the built-in reverse proxy is actually enabled. It seems a bit more obscured in 7 than it was in 6.

On my firewall, I don’t have anything in the backend other than SSL enabled, the IP, and the port configured. I have the health check disabled.

backend Synology_ipvANY
mode http
id 105
log global
timeout connect 30000
timeout server 30000
retries 3
server yukon 192.168.0.2:5050 id 123 ssl verify none

And here is the frontend for context.

frontend HTTPs_Private_Servers-merged
bind 192.168.0.1:443 name 192.168.0.1:443 ssl crt-list /var/etc/haproxy/HTTPs_Private_Servers.crt_list
mode http
log global
option http-keep-alive
option forwardfor
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
timeout client 30000
acl Synology var(txn.txnhost) -m str -i Synology.different.url
acl aclcrt_HTTPs_Private_Servers var(txn.txnhost) -m reg -i ^([^.]*).different.url(:([0-9]){1,5})?$
http-request set-var(txn.txnhost) hdr(host)
use_backend Synology_ipvANY if Synology aclcrt_HTTPs_Private_Servers

OK, thanks for making me do this exercise. In writing out the reply, the Customized domain part made me think a bit more. I reread the documentation and it looks like I was thrown off and assumed they wanted an entire FQDN.

I tried removing the contents of the “Customized domain” field entirely and saving; it is now working through HAProxy.