Haproxy - access within LAN, not through WAN

Hello,
I’ve watched 3 of your videos about HAProxy and I thank you. They’ve helped me greatly and I really like your depth of knowledge and the additional pointers. I feel like I’m so close, but…

There are a lot of moving pieces so I’ll go with the most obvious first. I can currently access servers configured with HAProxy from inside my LAN with https, full domain names, and with proper valid certs (the wildcard), but when I try it from my phone sans wifi, OTA, no go. It says:

This site can't be reached. - dns_probe_finished_nxdomain

I think I’ve done it all, but something’s just.not.right!

I’m now using Digital Ocean for free DNS although I tried CloudFlare first and because of lack of progress, I switched to DO to be more in line with your setup. I now have dns records like this:

  • A - ddns.example_com which is working for my pfsense dynamic dns. I set it to 0.0.0.0 - within minutes it was set to provider IP address and ddns client is green in pfsense
  • A - nextcloud.example_com - pointing to my ddns IP
  • A - gitlab.example_com - pointing to my ddns IP
  • A - photos.example_com - pointing to my ddns IP

I have a wildcard cert: *.example_com - validated by acme green screen

Backends

  • I have 3 backends: nextcloud, gitlab, photos.
  • All are VMs running on a KVM server with registered DHCP addresses, defined with address+port, and all use port 80.
  • They also have a CA (Acmecert) and a client certificate (the same wildcard) defined for each.

Frontend

  • I have all 3 backends defined in a single frontend.
  • It’s listening on my WAN (IPv4), port 433,
  • type: http / https(offloading)

The ACL is configured:

  • name: nextcloud_acl, host matches nextcloud.example_com
  • name: gitlab_acl, host matches gitlab.example_com
  • name: photos_acl, host matches photos.example_com

Next actions:

  • Use backend nextcloud, condition acl name: nextcloud_acl
  • Use backend gitlab, condition acl name: gitlab_acl
  • Use backend photos, condition acl name: photos_acl
  • I added the extra _acl so I remembered they’re different but must match.
  • SSL Offloading Certificate is: Wildcard cert

Oh, and I have a WAN rule - IPv4 TCP, Source: any, Destination: 443.

Please, for the love of mercy, what am I missing? :blush:

Any tips appreciated.

[dinged because I’m a beginner w/ limit of 2 links, so example_com… I’m sure you’ll understand]

If it works internally but not externally it’s either the WAN firewall rule or your DNS does not point to the WAN ip.

From a system outside the firewall you could test what cert is being returned by using this command
openssl s_client -servername mail.google.com -host 142.250.190.69 -port 443
Replace 142.250.190.69 with your WAN ip and mail.google.com with each FQDN you have HAProxy handling.
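
The check described above, written out as a POSIX shell script. This is an added example, not code from the original thread or from either poster. It takes the WAN IP and the list of FQDNs on the command line, sends each FQDN as SNI to the WAN IP, and checks whether the certificate HAProxy returns actually covers that name (honouring a single left-most wildcard label, so *.example.com covers photos.example.com but not example.com). It assumes `openssl` 1.1.1 or newer (for `-ext subjectAltName`) and uses placeholder names; the sample certificate text at the top is constructed for the offline self-check, not captured from a real server.

```shell
#!/bin/sh
# check-haproxy-wan.sh (added example): from a host OUTSIDE the firewall, confirm
# that the WAN IP answers TLS on 443 for each FQDN and serves a cert for that name.
# Usage: sh check-haproxy-wan.sh WAN_IP nextcloud.example.com gitlab.example.com ...

# Constructed sample of what `openssl x509 -noout -subject -ext subjectAltName`
# prints for a wildcard cert (assumption: OpenSSL 1.1.1+ output format).
SAMPLE_CERT_TEXT='subject=CN = *.example.com
X509v3 Subject Alternative Name: 
    DNS:*.example.com, DNS:example.com'

# name_matches HOST PATTERN: exit 0 if PATTERN (a cert name, possibly with a
# single left-most "*." wildcard label) covers HOST.
name_matches() {
  host=$1; pattern=$2
  case $pattern in
    \*.*)
      suffix=${pattern#\*.}
      # host must have exactly one label in front of the suffix
      [ "${host#*.}" = "$suffix" ] && [ "${host#*.}" != "$host" ]
      ;;
    *)
      [ "$host" = "$pattern" ]
      ;;
  esac
}

# cert_dns_names TEXT: print the subject CN and every SAN DNS: entry, one per line.
cert_dns_names() {
  printf '%s\n' "$1" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p'
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# cert_covers_host HOST TEXT: exit 0 if any name in the cert text covers HOST.
# The loop runs in a subshell so the names are never glob-expanded by "for".
cert_covers_host() {
  host=$1
  cert_dns_names "$2" | {
    while IFS= read -r n; do
      if name_matches "$host" "$n"; then exit 0; fi
    done
    exit 1
  }
}

# fetch_cert_text FQDN IP [PORT]: TLS-connect to IP with FQDN as SNI and print
# the served certificate's subject and SAN. Fails if no handshake completes.
fetch_cert_text() {
  fqdn=$1; ip=$2; port=${3:-443}
  openssl s_client -servername "$fqdn" -connect "$ip:$port" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null
}

# check_fqdn FQDN IP: one line of OK/FAIL per name, nonzero on failure.
check_fqdn() {
  fqdn=$1; ip=$2
  if ! text=$(fetch_cert_text "$fqdn" "$ip"); then
    echo "FAIL $fqdn: no certificate from $ip:443 (WAN rule, port binding, or HAProxy not listening?)"
    return 1
  fi
  if cert_covers_host "$fqdn" "$text"; then
    echo "OK   $fqdn: served certificate covers the name"
  else
    echo "FAIL $fqdn: served certificate does not cover the name:"
    printf '%s\n' "$text"
    return 1
  fi
}

# Only hit the network when invoked with arguments; the functions above can be
# exercised offline against SAMPLE_CERT_TEXT.
if [ "$#" -ge 2 ]; then
  ip=$1; shift
  rc=0
  for fqdn in "$@"; do
    check_fqdn "$fqdn" "$ip" || rc=1
  done
  exit $rc
fi
```

A FAIL with "no certificate" means the TCP/TLS path to the WAN IP is the problem (firewall rule, port, or HAProxy binding); a FAIL showing a certificate means the path works but HAProxy is serving a cert that does not match the SNI name. Run it from a phone hotspot or any network outside the firewall, since from inside the LAN the WAN IP may be reached via NAT reflection and hide the real external behaviour.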

OK. First thing, this morning… IT’S WORKING! Thank you!

I think it was a confluence of things. On my phone with wifi off, I was getting this:
dns_probe_finished_nxdomain - which seems to be something about DNS being confused.

Next, on my work machine, a Linux server, the openssl command waited and after minutes returned: socket: Bad file descriptor, connect:error=9

For the first answer, I went into the abandoned cloudflare account last night and cleared all the dns records I had created and then used their flush cache option to clear any lingering dns confusion. I had already redirected the domain name servers on my registrar to Digital Ocean.

As for the failing openssl command on my work server, I now suspect its strong security has it fairly well isolated from the internet and it wasn’t a good place to test.

I used my phone as a hotspot, disconnected my laptop from the wired connection, connected to the hotspot, and voila; IT WORKS! Now it even works from my mobile phone, OTA. Woohoo. Thank you.
