HAProxy with WordPress on VM and nginx

Hey Tom, I have been searching for this for the last three days and I am not seeing anyone else having this issue, so I am trying to see if you know or can help me.

I have WordPress running on the LAN at 10.0.30.30, on a VM with nginx, PHP, and MariaDB. I am able to do everything using the LAN IP.

Now I am trying to use HAProxy to access it from outside using my FQDN. I set up Jellyfin (Docker), Akaunting (VM), Portainer (Docker) and other services using your videos and others in combination. Everything works, but somehow it is not working with the WordPress VM.

Any suggestions?

You can use this command to probe and see what HAProxy is sending based on the query.

openssl s_client -servername google.com -host 172.217.4.206 -port 443

Specify the FQDN of what you want it to return and see what it actually does return.
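The probe above only tells you which certificate HAProxy picks for a given SNI name; s_client itself sends no HTTP request, so once HAProxy's "timeout http-request" expires it answers with its stock "408 Request Time-out" page, which says nothing about whether the Host is routed to the right back end. The script below is an added example, not code from the thread: it wraps the same openssl call, pushes a real GET with the matching Host header through the TLS session, and reduces the output to the four lines worth comparing across names (subject, issuer, verify result, HTTP status). It assumes openssl(1) is installed; the IP, host names and the two embedded s_client captures are constructed placeholders, so it also runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): probe an HAProxy front end per SNI
# name, but also send a real HTTP request through the TLS session.
# s_client alone sends nothing, so HAProxy answers "408 Request Time-out"
# when its "timeout http-request" expires, which says nothing about routing.
# Assumes openssl(1) is installed; IPs and names are placeholders.

# probe_sni IP FQDN [PORT]: TLS-connect to IP with SNI=FQDN, send GET /
# with Host: FQDN, and return everything s_client prints (cert info,
# verify result, then the HTTP response).
probe_sni() {
    ip="$1" fqdn="$2" port="${3:-443}"
    printf 'GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$fqdn" |
        openssl s_client -servername "$fqdn" -connect "$ip:$port" -ign_eof 2>&1
}

# summarize OUTPUT: reduce s_client output to the four lines you compare
# across SNI names: subject, issuer, verify result, HTTP status line.
summarize() {
    out=$(printf '%s\n' "$1" | tr -d '\r')
    subject=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
    issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
    verify=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: //p' | head -n 1)
    status=$(printf '%s\n' "$out" | grep '^HTTP/' | head -n 1)
    printf 'subject=%s\nissuer=%s\nverify=%s\nstatus=%s\n' \
        "$subject" "$issuer" "$verify" "$status"
}

# Constructed, abridged s_client captures for offline use. The second one
# mirrors the thread: correct cert, but no request sent, so HAProxy timed out.
SAMPLE_OK="CONNECTED(00000003)
depth=0 CN = domain2.example
verify return:1
---
subject=CN = domain2.example
issuer=C = US, O = Let's Encrypt, CN = R3
---
Verify return code: 0 (ok)
---
HTTP/1.1 200 OK
content-type: text/html
connection: close
"

SAMPLE_408="CONNECTED(00000003)
subject=CN = domain2.example
issuer=C = US, O = Let's Encrypt, CN = R3
Verify return code: 0 (ok)
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
"

# Usage: ./probe.sh 203.0.113.10 domain2.example   (live probe, placeholder IP)
#        ./probe.sh                                (offline samples)
if [ -n "$1" ] && [ -n "$2" ]; then
    summarize "$(probe_sni "$1" "$2" "$3")"
else
    summarize "$SAMPLE_OK"
    echo "--- same host, no request sent:"
    summarize "$SAMPLE_408"
fi
```

Run it once per name you expect the shared front end to serve. A wrong subject means the certificate selection (the front end's cert list or SNI matching) is off; the right subject followed by a 503, a redirect to a LAN address, or another service's page means the certificate is fine and the problem is in the Host ACLs or the back end.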

Thanks for the reply.

This is what I get. I removed domain and IP and some info:

Output of the command you asked for:

[2.5.1-RELEASE][USER@pfSense.localdomain]/home/USER: openssl s_client -servername EXAMPLE.COM -host XX.XX.XX.XX -port 443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = DOMAIN.COM
verify return:1

Certificate chain
0 s:CN = DOMAIN.COM
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:O = Digital Signature Trust Co., CN = DST Root CA X3

Server certificate
-----BEGIN CERTIFICATE-----
MIIFJjCCBA6gAwIBAgISA6X23rZHxm0oo1duh4hoM0h/MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
/HCp0hvQq8bLL8PkPPaCoZRC5+WTSTk0AMxhqG73wo1TpVojb5f9hwE+QidP7b8F
s6UdO6TJ3Sp7GS3JMe224vBv0I5zpRvhRzge1wzxf2YxiqDb7721u5DTdKOEtYqb
.
.
.
.
.
HhDWxWZcrDKa/y9tcKKHTiOLrN5zaZjk6EU=
-----END CERTIFICATE-----
subject=CN = DOMAIN.COM

issuer=C = US, O = Let's Encrypt, CN = R3


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 3016 bytes and written 393 bytes
Verification: OK

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)


Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: FBA22E2C52DF2FA1DF439797C7337
Session-ID-ctx:
Resumption PSK: EC3B5F5490E5B679AA02F40259ED3D0E12B8CE3120C8A0E713FF7
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 04 50 72 cf c7 49-b0 97 8d b3 07 38 09 ef .Pr…gI…8…
0010 - e5 88 2a 20 e6 1e-22 a4 11 5b 7a a6 e1 ef …* .q…"…[z…
0020 - df ee e2 29 98 80-03 92 ea dc ac 5d 54 cb …)<…]T.
0030 - dc 13 78 3d 2c b2-da d4 e9 73 cd 29 2e 88 …x=*P,…s.)…
0040 - ad ec 5b e99 f4 8f-c8 be a5 d8 5d 8a f4 9d …[…y…]…
0050 - d8 85 cf d6 cf bf-57 90 9b ba 20 5e de 1e …W… ^…
0060 - 55 91 92 f3 ef fb-b2 56 ac 85 e7 af 7e ce U…V…~.
0070 - 19 b1 59 22 37 ac-e8 d7 4a 64 1e 1d 7a c9 …Y"%=7…Jd…z.
0080 - be f9 af ef 46 f7-a4 23 5b 9c 2c 1c 74 c8 …I…#[.,.t.
0090 - 08 f3 a6 13 29 e6-dc f7 47 b9 66 3d 65 59 …)…G.f=eY
00a0 - 62 fe 99 c1 04 14-f8 21 00 72 f8 33 c1 b4 b…r…!.r.3…
00b0 - 6b 4b d7 49 42 76-72 62 49 19 2c 4b 44 08 kK.I.-BvrbI.,KD.
00c0 - a2 04 4d 89 b2 5b-2a 63 8d 39 5b 08 0b bd …M…[*c.9[…
00d0 - 41 b4 ec f5 c9 33-de 6c b5 3b b1 c1 9d d1 A…H…3.l.;…

Start Time: 1622258668
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

read R BLOCK

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 86A57A78E56D1013FD280374CA0B7851EE
Session-ID-ctx:
Resumption PSK: 2273FCCB3ABBBEEEC68B1CB708FC42E1CA77F8D87C4937E10A21E79
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 04 50 72 49-b0 97 8d b3 07 38 09 ef .Pr…gI…8…
0010 - 2f 96 84c 96-ed 5a 72 2b 06 43 99 3a /…*…|…Zr+.C.:
0020 - 26 98 c3 b b0 3d-2b fc 6c 6a c3 6c dd 40 &…=+.lj.l.@
0030 - b2 6b eb 05-ba 83 1a e4 66 49 f7 86 .k…/…fI…
0040 - 72 03 02 5-84 26 d1 62 b6 02 3f d6 r…Y…J.&.b…?.
0050 - 4a c1 24 06 70 de 61 90 79 f1 f9 J.$…=…p.a.y…
0060 - a0 5d 4e ba d-34 a1 87 ca c4 f0 75 87 .]N.bi…4…u.
0070 - 42 c9 43 8 18 3f 83 06 12 92 98 B.C…m7.h.?..
0080 - ea 44 63 154-bf ca 4b fb 41 ea d0 25 .Dc…u$…K.A…%
0090 - eb 33 16 a-67 db 41 18 45 b5 f6 08 .3…i…g.A.E…
00a0 - 21 e9 ea a1 add 28 3d e5 d1 46 7c !..6L…(=…F|
00b0 - 04 b1 80 46 f6 ac fd 0a f0 76 13 49 …F…a…v.I
00c0 - e9 b6 33 c7 1 b2-3a e9 3e 94 cd d6 f3 df …3…X…:.>…
00d0 - 73 84 51 d7 6b 93 c6 87 ec 35 67 4f 40 s.Q.k%…5gO@

Start Time: 1622258668
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

read R BLOCK
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

408 Request Time-out

Your browser didn't send a complete request in time. closed

As I said, I have other services set up such as

jellyfin.domain1.com
account.domain1.com

but when I do WordPress

domain2.com

it is not working.

Let me know if you need any other output.

If it is not offering up the proper cert, start with the front end setting, because it should respond.

OK Tom, I have good news and bad news. Thanks. It has to do with the front end.

So first, I removed the shared frontend and only configured the one which wasn't working, and it started working, but I want to share the front end with other services on different domains. So I went back to the original setting and tried different options, and I figured out when and how each service works at some point, but I can't make them all work at the same time.

This is how the frontend looks:

So when these options are set like this for the frontend, Jellyfin (Docker), Akaunting (on VM) and Portainer work, but WordPress (on VM) doesn't work.

If I change the settings to this, the WordPress site is accessible from my second domain, but the other services are not working anymore.

If I disable http_redirect, then Portainer stops working, and for my WordPress site I at least get Error 552 from Cloudflare. These are the settings for that.

Any suggestion for this mess? Thanks.

When using a shared front end you need an ACL to match each domain and send it to the proper back end. I cover that in my videos on HAProxy.
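In raw haproxy.cfg terms, this is what a shared front end with one ACL per domain looks like. It is an added example, not configuration from the thread or from the pfSense HAProxy package (the package generates equivalent directives from its GUI); host names, LAN addresses and ports are placeholders. One front end on 443 terminates TLS for every name, each Host header is matched by its own ACL and sent to its own back end, plain HTTP only redirects to HTTPS, and anything with an unknown Host is refused rather than falling through to whichever back end happens to be first.

```haproxy
# Added example, not from the thread: one shared front end for several
# domains, with an ACL per host routing to its own back end.
# Host names, addresses and ports are placeholders.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Clients that never send a complete request get HAProxy's
    # "408 Request Time-out" page after this long.
    timeout http-request 10s

# Plain HTTP front end: its only job is to redirect to HTTPS.
frontend http_in
    bind :80
    http-request redirect scheme https code 301 unless { ssl_fc }

# Shared TLS front end: HAProxy selects the certificate by SNI from the
# directory (one file per name, or a single SAN cert covering all of them).
frontend https_shared
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https

    # One ACL per public name, compared case-insensitively on the Host header.
    acl host_jellyfin  req.hdr(host) -i jellyfin.domain1.com
    acl host_account   req.hdr(host) -i account.domain1.com
    acl host_wordpress req.hdr(host) -i domain2.com www.domain2.com

    use_backend be_jellyfin  if host_jellyfin
    use_backend be_account   if host_account
    use_backend be_wordpress if host_wordpress
    # Unknown Host: refuse, so a stray name never lands on another service.
    default_backend be_deny

backend be_jellyfin
    server jellyfin 10.0.30.10:8096 check

backend be_account
    server akaunting 10.0.30.20:80 check

backend be_wordpress
    # nginx on the VM listens on plain HTTP; the application must be told
    # its public URL (WordPress site/home URL and X-Forwarded-Proto), or it
    # answers with redirects back to the LAN address it was installed with.
    server wordpress 10.0.30.30:80 check

backend be_deny
    http-request deny deny_status 403
```

The ACLs are on the Host header because the front end runs in HTTP mode after TLS termination; if you instead pass TLS through untouched (TCP mode) the match has to be on req.ssl_sni, and the back ends then terminate TLS themselves.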

I am using the proper domain for the ACL. It works if I change that port to 80, but then the other services don't work, and vice versa.