HAProxy only working locally with Nextcloud

I’ve set up HAProxy hoping to do HTTPS for my Nextcloud server. I’m using pfSense 2.5.1 and Cloudflare DNS. I’ve set up my ACME cert using Cloudflare DNS and my API key. After setting up HAProxy and DNS Resolver host overrides to point to a virtual IP, I can reach the Nextcloud server with HTTPS on my LAN. My Cloudflare account points cloud.mydomain.com to my WAN IP address, and I have a NAT rule for 80 and 443 that sends everything to the virtual IP.

Why can’t I reach my nextcloud from outside my LAN?

Make sure the port forward is going to where you have HAProxy bound. I cover all of that in this video.

Thanks Tom. I have watched your video more times than I can count, and a few others just to completely confuse myself. Must be missing something obvious.

When I select in the Frontend a listening address of WAN, port 443, with SSL offloading, I get the error “Starting frontend Cloud2: cannot bind socket” for my WAN IP. That’s why I used a virtual IP. I’d prefer to make it simpler and use the WAN address but don’t know how to fix that error. I placed a rule on the WAN interface: Source *, Destination This Firewall, port HTTPS. Thanks for your help.

Turns out I had an OpenVPN instance on port 443 that never worked, so I deleted it. Now the error is gone.

When setting up Cloudflare, do I create an A record for cloud.mydomain.com, or is a CNAME good enough?

As long as you already have an A record. The ‘canonical name’ (CNAME) record is used in lieu of an A record when a domain or subdomain is an alias of another domain. All CNAME records must point to a domain, never to an IP address.

Couldn’t get this to work; I think my client VPN was the issue. When I turned it off, my RP FreeNAS jail worked for Nextcloud. I decided not to break the RP for Nextcloud trying to get HAProxy working, and instead I’m trying to get HAProxy to dish out trusted certs for my local servers.

  1. Created an ACME cert for *.mydomain.com and the issue date is current (i.e. ACME worked with a wildcard cert using DNS validation in my Cloudflare account).
  2. Created a backend for FreeNAS with its IP on port 80, no SSL, and one for UniFi with its IP on port 8443, no SSL.
  3. Created a frontend with LAN, port 443, SSL offloading as the external address. ACL freenas: host matches freenas.mydomain.com; ACL unifi: host name matches unifi.mydomain.com. Actions: use backend FreeNAS with condition ACL freenas, and likewise for unifi. Certificate = Wildcard Cert.
  4. Added DNS Resolver host overrides that point to my pfSense IP for freenas.mydomain.com and unifi.mydomain.com.

When I go to https://unifi.mydomain.com I get the lock symbol with the valid date of when my wildcard cert was issued but the browser gives an error “Bad Request
This combination of host and port requires TLS.”

Any idea what I’m doing wrong?

UniFi on port 8443 should have “Encrypt (SSL)” set to yes and “SSL checks” set to no, because it is a self-signed certificate.


Thanks Tom, I finally got UniFi working, but I can’t get sites on port 80 working.

  1. Do you have to have a separate backend for Encrypt (SSL) sites and port 80 non-Encrypt (SSL) sites, or can they be in the same backend?

  2. Do you also need a separate frontend where the listening address is port 80 without SSL offloading?

No, you just need to enable HTTP to HTTPS Redirect. I did not validate this site, but it looks correct: pfSense-2.4 + HAProxy - A walkthrough on how to proxy https traffic to multiple sites
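For reference, here is what the setup discussed in this thread (one SSL-offloading frontend with host-based ACLs, a plain-HTTP backend, a self-signed HTTPS backend with certificate checks disabled, and the HTTP-to-HTTPS redirect) looks like as a raw haproxy.cfg. This is an added example written for this page, not the config pfSense generates and not Tom’s or the poster’s own; the LAN address 192.168.1.1, the backend addresses 192.168.1.10 and 192.168.1.20, and the certificate path /var/etc/haproxy/wildcard.pem are assumed placeholders.

```haproxy
# Added example, not the page's own config. Assumptions: HAProxy bound on the LAN
# address 192.168.1.1; wildcard cert and key concatenated into
# /var/etc/haproxy/wildcard.pem; FreeNAS at 192.168.1.10:80 (plain HTTP);
# UniFi at 192.168.1.20:8443 (HTTPS with a self-signed certificate).
global
    log /dev/log local0
    maxconn 1000

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# One frontend binds both :80 and :443. A second, non-SSL frontend is not
# needed: the :80 listener exists only to issue the redirect.
frontend lan_https
    bind 192.168.1.1:80
    bind 192.168.1.1:443 ssl crt /var/etc/haproxy/wildcard.pem
    # HTTP to HTTPS redirect: any request that did not arrive over TLS is
    # sent to the https:// URL and never proxied in the clear.
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Host-header ACLs, matched case-insensitively.
    acl host_freenas hdr(host) -i freenas.mydomain.com
    acl host_unifi   hdr(host) -i unifi.mydomain.com
    use_backend be_freenas if host_freenas
    use_backend be_unifi   if host_unifi
    # Deliberately no default_backend: an unexpected Host gets a 503
    # rather than being routed to whichever backend is listed first.

# Plain-HTTP backend. TLS is terminated at HAProxy; the server sees HTTP.
# Both kinds of server can live in their own backend behind the same frontend.
backend be_freenas
    server freenas 192.168.1.10:80 check

# HTTPS backend with a self-signed cert. In the pfSense GUI this is
# "Encrypt (SSL)" = yes and "SSL checks" = no; in raw config it is
# "ssl verify none". Without "ssl", HAProxy sends plaintext HTTP to port
# 8443 and the server replies "This combination of host and port requires TLS".
backend be_unifi
    server unifi 192.168.1.20:8443 ssl verify none check
```

Two practical checks. `haproxy -c -f /path/to/haproxy.cfg` validates the file before it is applied. If the frontend fails with “cannot bind socket”, something else already owns the port; on pfSense (FreeBSD) `sockstat -4l | grep ':443'` shows which process holds it, which is how a forgotten OpenVPN instance on 443, as in this thread, would show up. Note that `verify none` skips certificate validation toward the backend entirely, which is fine on a trusted LAN segment but means HAProxy cannot detect a swapped-out backend.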