Kemp, at least the free one that Networkchuck has, is limited to 20Mbps. You want to proxy your Plex via Cloudflare and Kemp to just 20Mbps? To some, this is less than ideal.
I followed your tutorial (Thanks to you @LTS_Tom!) on HAPRoxy with my pfSense. Other than one issue where I had to “dumb down” the server monitoring to keep one service online (Ombi, the new version didn’t like the default level 7 monitoring), it’s been working extremely well!
Other fatal flaws in Networkchuck's tutorial? Manually setting your external IP address in Cloudflare.
Unfortunately, I don’t use pfSense. My router is a Unifi UDM-Pro.
I’m trying to get this working and I have had some success. I have spun up an Ubuntu Server VM on Proxmox and installed HAProxy, Certbot, and Nginx (changed default config to listen on port 81). Port forwarded 80, 443 to it via the UDM-Pro. External DNS provider is Cloudflare so used the plugin with Certbot and successfully generated certs for mydomain.com and *.mydomain.com. Concatenated the cert.pem and privkey.pem into one file and point the haproxy.cfg to this file. HAProxy frontend listening on 80, 433 etc. Created ACL for sub.mydomain.com and a backend to match pointing the server address and port etc.
It works, but only from outside my network currently. It’s clearly a DNS issue but I’m not sure of the solution. I run two domain controllers (Windows Server 2019) running my internal DNS zone which is also mydomain.com. Are there any solutions to make this work without me changing my internal zone to local.mydomain.com? I think that would solve the problem but would prefer not to do that if at all possible.
The Kemp free load balancer and Network Chuck’s video are focused on home/lab use. The throughput limitation does not make this commercially viable unless you have a small business and website. Network Chuck is also focused on the reverse proxy use case which is just one function that a load balancer can perform.
Kemp is a large and well established company. Their load balancer is solid. It is designed for ease of use with full functionality. For privacy, the company adheres to GDPR standards as well as any local standard (based on your location) for data privacy and security.
Speaking of functionality, that is the tradeoff versus NGINX(+) or HAProxy. The Kemp free load balancer is a full featured load balancer that includes global server load balancing (GSLB), edge authentication (2FA and SSO), and web application firewall (WAF) for no cost. This is all based on the same commercial product that Kemp sells.
Security is solid. Load balancers, in general are designed to provide security. Network Chuck did not incorporate additional authentication like 2FA in his configuration, but he could have. WAF could also be added with the OWASP Core Rule Set for more application security.
While the software is not open source, the vendor is open and available for help and feedback.
Disclaimer: I currently work for Kemp and have worked for and with many different load balancing vendors for 20+ years.
I am trying to get HAProxy working but I seem to be failing miserably.
I was definitely having DNS issues before because I was using a split-brain setup. I have now reconfigured my internal domain to be internal.domain.com.
I have re-run certbot so I now have certs for domain.com, *.domain.com, and *.internal.domain.com. These certs are living on the same machine as my HAProxy instance.
I am starting off with trying to get my Bitwarden installation working through HAProxy. Is anyone able to advise on the best setup for Bitwarden for this to work correctly, i.e. what settings to use in the config.yml?
Also, at the minute unless I use the DNS only mode on Cloudflare, nothing at all works. Ideally, I want to mask my public IP using that Cloudflare proxy feature as well. Is this possible with my setup?
Any questions please ask. Really pulling my hair out trying to get this working. Haha.
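An added example (not code from either of the posts above, and not from the HAProxy or Bitwarden projects) covering the setup both posts describe: assembling the Certbot output into the single PEM file HAProxy expects, checking that file, and writing a minimal haproxy.cfg with one host ACL, one backend and a layer 7 health check. The service name `bitwarden`, the hostname `bitwarden.example.com`, the backend address `192.168.1.50:8080` and the file paths are assumptions; Bitwarden's own config.yml is not covered here. One point worth noting from the first post: HAProxy should be given `fullchain.pem`, not `cert.pem`, so that clients also receive the intermediate certificate.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the PEM bundle HAProxy expects
# from a Certbot "live" directory and writes a minimal haproxy.cfg.
# All names, addresses and paths below are assumed/hypothetical.
set -eu

# HAProxy reads ONE PEM file containing the leaf certificate, the
# intermediate chain and the private key. Use fullchain.pem (leaf + chain),
# not cert.pem (leaf only), or some clients will fail chain validation.
make_bundle() {
  live_dir="$1"   # e.g. /etc/letsencrypt/live/example.com
  out="$2"        # e.g. /etc/haproxy/certs/example.com.pem
  cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$out"
  chmod 600 "$out"   # the bundle holds the private key
}

# Sanity check before pointing HAProxy at the bundle: at least two
# certificates (leaf + chain) and exactly one private key. Returns 0 if ok.
check_bundle() {
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
  [ "$certs" -ge 2 ] && [ "$keys" -eq 1 ]
}

# write_config <cfg_path> <bundle.pem> <service> <hostname> <backend_ip:port>
# Plain HTTP is redirected to HTTPS; HTTPS is routed by Host header to the
# backend. Behind Cloudflare's proxy, set its SSL/TLS mode to "Full (strict)"
# so Cloudflare connects to port 443 with the real certificate.
write_config() {
  out="$1"; bundle="$2"; service="$3"; host="$4"; backend_addr="$5"
  cat > "$out" <<EOF
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log     global
    mode    http
    option  httplog
    option  forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend https_in
    bind *:443 ssl crt $bundle
    http-request set-header X-Forwarded-Proto https
    # one acl / use_backend pair per published hostname
    acl is_$service req.hdr(host) -i $host
    use_backend be_$service if is_$service

backend be_$service
    # layer 7 check; loosen the expected status if the app redirects "/"
    option httpchk GET /
    http-check expect status 200
    server ${service}1 $backend_addr check
EOF
}

# Stand-alone usage:
#   sh example.sh /etc/letsencrypt/live/example.com /etc/haproxy/certs/example.com.pem \
#      /etc/haproxy/haproxy.cfg bitwarden bitwarden.example.com 192.168.1.50:8080
if [ $# -eq 6 ]; then
  make_bundle "$1" "$2"
  check_bundle "$2" || { echo "bundle needs leaf + chain and one key" >&2; exit 1; }
  write_config "$3" "$2" "$4" "$5" "$6"
  echo "wrote $3; validate with: haproxy -c -f $3"
fi
```

After writing the file, `haproxy -c -f /etc/haproxy/haproxy.cfg` checks the syntax without starting the service, and the health-check state of each server shows up in the HAProxy log once it runs.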
Hi, I just saw that video of NetworkChuck and I have to say a lot of the features of the Kemp Load Balancer were very attractive. I think he simplified a lot of the steps along the way – I mean the video was already 40 minutes long – and I would have changed some things – however the video as a whole was really good.
In terms of your problems with HAProxy – it sounds like a DNS issue if it works from outside your network but not within your network. What are you using as your DNS server? I have a similar setup as yours with pfSense, and a few reverse proxies behind pfSense – both Traefik and nginx. I’m running a split DNS however on pfSense. Meaning that for every domain I’m hosting – I have a DNS host override with the domain name pointing to the IP address of the reverse proxy (or appropriate reverse proxy). My LAN clients all have pfSense as their first option for DNS and so for host lookups within the LAN, it’s going to return a LAN IP address.
When working with reverse proxies – as a troubleshooting step, you want to ensure you can reach the backend server directly — meaning try to reach it via HTTPS via IP address and port number. You’ll get a warning in the browser about the host name of the certificate not matching the IP address (if you’re using LE certs), but who cares – you’re just testing. If you can reach the backend server directly from your client then you can be confident that at least the backend is set up correctly. The next step would be to see if you can reach the reverse proxy directly. You’ll need to consult the logs of HAProxy since HAProxy is one of those reverse proxies that does health checks to the backend servers to ensure the backend is reachable. If for whatever reason the health check fails (like the backend server is down, or the health check actually isn’t configured correctly) HAProxy won’t reverse proxy. You might need to consult log files to see if the health checks are failing. I’ve really only played around with HAProxy within pfSense and this has a GUI to see a lot of the logs and health checks, so I’m not exactly sure what to tell you to look for within the log files.
You don’t want to ideally use the DNS only mode with CF. CF proxies only http/https connections (well not exactly true since they are expanding their capabilities however for the most part this is true).
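An added example, not the poster's own tooling, for the split DNS point made in the reply above: it classifies what a LAN client's resolver returns for a published hostname against the reverse proxy's LAN address, which is the quickest way to tell a missing host override apart from a proxy or backend problem. The proxy address `192.168.1.10` and the hostname `app.example.com` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a LAN client's DNS answer
# for a proxied hostname is what split DNS should return (the proxy's LAN IP).
# 192.168.1.10 and app.example.com below are hypothetical values.
set -eu

# True for RFC 1918 private IPv4 addresses.
is_rfc1918() {
  case "$1" in
    10.*)                                   return 0 ;;
    192.168.*)                              return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
    *)                                      return 1 ;;
  esac
}

# classify_answer <resolved_ip> <proxy_lan_ip>
#   split-dns-ok       : the name resolves to the reverse proxy's LAN IP
#   lan-but-wrong-host : an override exists but points at a different LAN box
#   public-ip          : no override; the client got the WAN or Cloudflare
#                        address, so the request leaves the LAN (direct-to-WAN
#                        only works if the router does NAT reflection)
classify_answer() {
  answer="$1"; proxy="$2"
  if [ "$answer" = "$proxy" ]; then
    echo split-dns-ok
  elif is_rfc1918 "$answer"; then
    echo lan-but-wrong-host
  else
    echo public-ip
  fi
}

# Resolve the name with the system resolver (the one your LAN clients use)
# and classify the first IPv4 answer. Returns 1 if the name does not resolve.
check_host() {
  name="$1"; proxy="$2"
  answer=$(getent ahostsv4 "$name" 2>/dev/null | awk 'NR==1{print $1}') || answer=""
  if [ -z "$answer" ]; then
    echo no-answer
    return 1
  fi
  classify_answer "$answer" "$proxy"
}

# Stand-alone usage:  sh dnscheck.sh app.example.com 192.168.1.10
if [ $# -eq 2 ]; then
  check_host "$1" "$2"
fi
```

If the result is `public-ip`, the fix is the host override the reply describes (on pfSense, or a record in whatever internal DNS the LAN uses). The two direct tests from the same reply can be typed as `curl -kI https://192.168.1.50:8080/` for the backend (`-k` ignores the name mismatch on the certificate) and `curl -sSI --resolve app.example.com:443:192.168.1.10 https://app.example.com/` for the proxy, which talks to the proxy's LAN IP while still sending the right Host header and SNI, so DNS is taken out of the picture entirely.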