I just can't get pfSense, HAproxy, and LAN only subdomains to work

I’ve bought myself my first domain name and all I really want to be able to do is to make it simple for the less tech savvy folks around me to access various services such as Plex and Vaultwarden. Rather than having to direct them to something like 192.168.0.25:32400, I want to tell them to just go to plex.mydomain.com… or better yet, dashboard.mydomain.com, which would have links that redirect to the likes of plex.mydomain.com or vaultwarden.mydomain.com.

As my family have no real use for said services outside of our LAN, I also wanted to make the various subdomains only accessible to the LAN. So in preparation, I’ve done the following…

  • Bought domain name via Namecheap
  • Signed up to Cloudflare
  • On pfSense / Cloudflare, I have set up Dynamic DNS.
  • Set A Records for the root domain, and for each subdomain I plan to use. All of which are currently proxied by Cloudflare.
  • Installed HAProxy on pfSense

Then I’ve tried following Tom’s videos on HAProxy multiple times… I’ve tried following various different guides multiple times… I want to use Vaultwarden, so I’ve tried following the Vaultwarden wiki’s pfsense+HAProxy numerous times…

I’ve checked and rechecked all the HAProxy settings the various videos and tutorials show, and I’ve tried adding, changing, and unproxying A Records on Cloudflare. I’ve tried NAT Port Forwards for port 80, 443, and the various service specific ports (in Vaultwarden’s case, 8000). I’ve also messed around with adding Outbound NAT rules, but I’m really starting to spin my wheels and I can no longer think straight… I’m just not knowledgeable enough about routing to understand everything I’m trying or where the problem might be.

The only modicum of success I’ve had so far is that when I installed TurnKey Linux’s DokuWiki image in another LXC container on my Proxmox host, and then configured it to use my domain via the DokuWiki admin page. When I entered mydomain.com into Firefox (screw Chrome), the DokuWiki front page came up, complete with an HTTPS connection using my Let’s Encrypt cert… then I managed to break it somehow.

So I either need some help or a nice soft pillow to place on my desk so that slamming my head against it in frustration doesn’t hurt quite so much.

Currently, I find myself having once again followed the “HAproxy inside PfSense” guide (by @RichardMawdsley) here (including the required “HTTP>HTTPS Redirection” which I had to find on the Wayback Machine), and again… it’s not working!!!

My plan of action now is to delete the HAProxy frontends and backends, and the various NAT entries, and start from scratch. I’m going to follow Tom’s video to the letter, and when it still doesn’t work… hopefully then some of you kind people might please help a sore headed newbie out?

In the meantime, I’d be really grateful if any of you could offer suggestions as to where else this noob might be going wrong?

I have something that might make it easier.

Cloudflare

When you are setting up your subdomains, make sure to set them as CNAMEs to your root domain. This way, when your IP address changes, they will inherit the root domain’s new address. If you leave them as A records and specify the IP for each, then it will be a mess later.

Example:

  Type    Name         Content          Proxy status
  A       example.com  189.252.214.23   DNS Only
  CNAME   games        example.com      DNS Only
  CNAME   nextcloud    example.com      DNS Only

pfSense

Make sure you are setting your Dynamic DNS in pfSense to use the @, i.e. @.example.com

HAproxy

  1. When serving services on your firewall that also has VLANs, as a best practice you need to create a VIP (Virtual IP) and use that IP as the entry point for your LAN/VLANs.

  2. Once you do that, you will need to create rules on each VLAN you want to allow HTTP and HTTPS traffic to this VIP.

  3. Backend example for Home Assistant (screenshot). Notice the CA and certificate selected from Let’s Encrypt.

  4. Frontend example for Home Assistant (screenshot).

  4.1 Frontend auto redirect to HTTPS from HTTP: create a new frontend and name it something different (screenshot).

Hope this helps!


Thank you for the detailed post xMAXIMUSx, I appreciate the effort you went to.

I had a chance to run through it before I had to go away over the weekend. I don’t use VLANs yet so I had to work my way round the use of a VIP but I still ended up failing… this time with a 522 error rather than the Cloudflare host unavailable error. I hope that counts as some form of progress because this whole thing is really kicking my ass.

I feel like I’m missing something obvious, and that maybe I should just go back to basics in regards to the application I’m trying to make accessible. Rather than Vaultwarden, perhaps I should try with something like Nextcloud or Plex?

I also suspect that perhaps I should be making some config changes to the server itself? Perhaps adding my domain name to one of Vaultwarden’s or Nextcloud’s .conf files? I don’t know.

Quite frankly, I’m feeling really frazzled, so I’m gonna give it a day and come back to the problem with a slightly fresher head.

You could build a simple nginx webserver to test with. This video might help.

Good news, everyone!

Through a careful process of simply not being able to call it a night until I tried one last thing, I’ve somehow managed to get it working.

Thanks again xMAXIMUSx, your post was an important part of the equation, along with the “HAproxy inside PfSense” tutorial in the Vaultwarden wiki, this video by OMG the Cloud!, a few snippets I found here and there (including from our benevolent ruler, Tom Lawrence), and, I can’t stress this enough… a timely reboot (see note). Now I just want to test everything for a little while… I’m still getting the odd moment here and there where I get a 522 error from Cloudflare, but I find it seems to disappear by itself after a while, which is confusing. [EDIT] The 522 issue occurs after testing HAProxy by trying to access the Vaultwarden domain via my phone’s data connection. For some reason, it stops me from being able to access it from my LAN too.

I also want to systematically go through the setup and make sure there are no questionable config settings or mistakes that may weaken security. I especially want to make sure that the ACL / Action I’m using to accept connections that come from a specific IP range is working and as robust as desired.

I do plan to document the setup in more detail, as much for my own future reference as in the hope that it may help fellow noobies. I’m also looking into whether limiting the HTTP and HTTPS firewall rules to an Alias might be a good idea? Do I even need the rules if I don’t actually want WAN access? [EDIT… before even posting] I forgot to re-enable the rules today but everything is working… but it was also still working before I added the ACL / Action I mentioned previously. Again, I’m confused. Yeah… I think that might have been nonsense, as I’ve just had to re-enable them in order to get it working again.

I should also note that I have this working with Cloudflare’s A Records and CNAMEs set as proxied, and “SSL / TLS” set to “Full (strict)”.

NOTE: In regards to the timely reboot. I’m not referring to that which is seen in OMG the Cloud!'s video, which I just skipped to be honest, as I don’t think I’ve run into the issues he mentioned. However, after I was unable to access Vaultwarden via its domain, and when changes I was making to HAProxy weren’t taking effect, I did reboot. Everything started working again, but I am starting to wonder whether the issue may have been with Cloudflare? Heck, I just wanted to call it a night, sit down with my roast dinner and watch the Monaco Grand Prix.

I think I’ve made progress in regards to restricting access to my services / servers to only users inside my LAN. I think it does what I want it to do but I’m not sure (so don’t blindly follow my lead!).

Here’s what I did:

  1. In the Vaultwarden frontend (which was created having followed the “HAproxy inside PfSense” guide I mentioned in my first post), I changed the External address / Listen address from WAN to LAN.
  2. Under Access Control Lists, I added an entry with the following details: NAME: LAN-Only, Expression: Custom acl, Value: src 192.168.0.0/24.
  3. Then in the DNS Resolver menu, under Host Overrides, I added an entry for subdomain.example.tld and set its “IP to return to host” to the IP address of my pfSense firewall, as it’s the same as the IP address that HAProxy listens on (from what I understand).

Now, when I access subdomain.example.tld from within my LAN, it loads normally but when trying to access it via a data connection, or over Tor, I get a Cloudflare 522 error.

So… is this a sane and secure setup, or is there a better way of doing it?
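As an added illustration (not a config from this thread or from any poster's actual setup), here is what the LAN-only frontend and ACL described in the steps above, together with the HTTP-to-HTTPS redirect frontend from xMAXIMUSx's post, look like as a plain haproxy.cfg, with the weak "listen everywhere" variant beside it for contrast. The addresses (LAN interface 192.168.0.1, Vaultwarden at 192.168.0.25:8000), the certificate path and the frontend/backend names are assumptions; the pfSense HAProxy package generates the equivalent directives from its GUI fields.

```haproxy
# Constructed example, not from the original thread. Assumed values:
#   LAN interface 192.168.0.1, Vaultwarden container 192.168.0.25:8000,
#   Let's Encrypt cert bundle /etc/ssl/private/example.tld.pem

# --- Weak: bound to every address, no source restriction ------------------
# Anything that can reach port 443 (including a WAN port forward) is served.
frontend vaultwarden_any
    bind *:443 ssl crt /etc/ssl/private/example.tld.pem
    mode http
    default_backend vaultwarden_be

# --- LAN-only, as in the steps above ---------------------------------------
# "Listen address: LAN" becomes a bind on the LAN interface address only;
# the "LAN-Only" custom ACL (src 192.168.0.0/24) is kept as a second check
# so a later change of bind address cannot silently expose the frontend.
frontend vaultwarden_lan
    bind 192.168.0.1:443 ssl crt /etc/ssl/private/example.tld.pem
    mode http
    acl lan_only        src 192.168.0.0/24
    acl host_vaultwarden hdr(host) -i vaultwarden.example.tld
    http-request deny if !lan_only
    use_backend vaultwarden_be if host_vaultwarden
    # No default_backend: an unexpected Host header gets HAProxy's 503.

# --- 4.1 from xMAXIMUSx's post: separate frontend that only redirects ------
frontend http_redirect_lan
    bind 192.168.0.1:80
    mode http
    http-request redirect scheme https code 301 if !{ ssl_fc }

backend vaultwarden_be
    mode http
    server vaultwarden1 192.168.0.25:8000 check
```

With the split-DNS host override pointing vaultwarden.example.tld at 192.168.0.1, LAN clients land on vaultwarden_lan, while the public Cloudflare record never reaches a listener, which matches the 522 seen from outside.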

I have the same setup as you. Separate frontend for the LAN interface, but no ACL (since it only listens on that interface anyway). The DNS Resolver host overrides point to the pfSense.
I think (and hope I guess) that this is a sane setup :)
The only thing I have issues with is to properly forward the address example.tld. I have no issues with any host with the name hostname.example.tld. I try using host matches for it (like I do for other hosts), but it doesn’t work :(

I’m happy to help if I can, but as I’m a noob on the subject, take everything I say with a grain of salt, as they’re at best barely educated guesses.

I don’t actually use my non-subdomain tld, so I can’t speak from experience but… my first thought or the first thing I’d try is using www instead of subdomain for the various host matches / DNS Host Overrides.

I wish I could :( The issue I’m facing is that some external validation services check for an answer on port 80 at example.tld :(