I have set up HAProxy on my pfSense gateway and now I don't seem to be able to access mytools.management. My HAProxy set up is (more or less):
I did have an http → https redirect on my LAN excluding mytools.management, but it did not work
I now have a front-end on my WAN port 80 which does an http→https redirect
I have a front end on all https to redirect https to my internal servers and to add my Let's Encrypt certificate to the traffic.
With this setup, if I go to http://mytools.management, I get redirected to https://gateway-a650fvtn.2my.network/ which fails with a certificate warning as the certificate is only valid for my domain. If I accept the certificate, I then get a 503 Service Unavailable.
I would like to reinstate the LAN front-end with some sort of exception for mytools.management and whatever else it takes to allow me to see logs.
If I add an acl to the LAN frontend to exclude mytools.management, I get a 503 for mytools.management
If I stop HAproxy and restart anmuscle.sh so it binds to port 80, mytools.management redirects to https://gateway-a650fvtn.2my.network/ and, after a while, starts working.
I have also tried setting up a backend for anmuscle listening on LAN:853 and on 127.0.0.2:853 but this was shooting in the dark and both failed.
@NickH normally HAProxy is used when exposing services to the Internet, is there a reason you’re running it on the LAN interface? I’ve set it up before and as long as you use it on non-LAN interfaces it’s fine.
Otherwise you'll need to either set up an alias IP address to run it on, or set up an alias IP for adam:ONE to run on.
It is also running on the LAN interface because it is looking after the LE certificate. I can then use the same URL from inside and outside my LAN, avoiding switching between http and https depending on where I am.
If I set up an alias IP, how do I get mytools.management to listen on it? Is it just a question of editing /etc/adamone/anmuscle.conf? If so, which entry? I'd guess http-listener, but what about dot-listener?
You would normally keep the IPs for http-listener and dot-listener the same. And you're right, just edit the conf file and run service anmuscle.sh restart
If you edit dns-listener then your endpoints/DHCP will also need to be updated to point to the new IP for DNS.
I have a feeling that would be bad news as it would move the DNS server to .253? Some of that could be handled by updating the DHCP server, but not the static hosts.
I still don't see how it would work as I have nothing listening on .253:80. At my end, I could try setting the hosts file on my PC to override mytools.management and gateway-a650fvtn.2my.network to point to .253, but, if nothing is listening there, I can't see it will help.
BTW another use case for HAProxy on your LAN is if you have multiple web servers running on different ports on the same machine. You can then use HAProxy to map the external URL to the internal server:port.
Remove the split DNS for the web server FQDNs, so they all resolve to the external IP. You can then bind HAProxy only to the external IP for both HTTP→HTTPS and the HTTPS rules, including adding the SSL cert. This means HAProxy is not listening on the LAN interface at all allowing mytools.management and https://gateway-a650fvtn.2my.network/log/traffic to work.
You shouldn’t have to do this. Really there should be a neat way to allow the proxy to bind to the pfSense LAN interface.
If I remember correctly, when I was using HAProxy, I had a virtual IP setup on lan interface with an authoritative entry setup on adam dashboard that pointed the domain to virtual IP. HAProxy was listening on the virtual IP.
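A minimal haproxy.cfg sketch of the virtual-IP layout described in the reply above, added here as an illustration; it is not taken from the thread or from the config the pfSense HAProxy package generates. Every address and name in it is an assumption: 192.168.1.1 as the pfSense LAN address that adam:ONE keeps for itself, 192.168.1.253 as the virtual IP added to the LAN, 203.0.113.10 as the WAN address, 192.168.1.20:8080 as a single internal web server, www.example.com as the published name, and the certificate path. The point is that HAProxy never binds to the primary LAN address, so port 80 there stays free for anmuscle.sh, while LAN clients reach the proxy because the domain resolves to the VIP.

```haproxy
# Added example, not the page's own config. Addresses are assumptions:
#   192.168.1.1    pfSense LAN address, untouched so adam:ONE keeps :80 and :853
#   192.168.1.253  virtual IP on the LAN, the only LAN address HAProxy binds
#   203.0.113.10   WAN address
#   192.168.1.20   internal web server behind the proxy
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80 only on the VIP and the WAN address; everything arriving here is
# sent to HTTPS. Requests for mytools.management never hit this frontend
# because that name still resolves to 192.168.1.1, where adam:ONE answers.
frontend http_in
    bind 192.168.1.253:80
    bind 203.0.113.10:80
    http-request redirect scheme https code 301

# TLS terminated with the Let's Encrypt certificate (assumed path), then
# routed by Host header. The same name works from LAN and WAN because both
# sides resolve it to an address HAProxy is actually listening on.
frontend https_in
    bind 192.168.1.253:443 ssl crt /var/etc/haproxy/www.example.com.pem
    bind 203.0.113.10:443 ssl crt /var/etc/haproxy/www.example.com.pem
    http-request set-header X-Forwarded-Proto https
    acl host_web hdr(host) -i www.example.com
    use_backend web_srv if host_web
    default_backend web_srv

backend web_srv
    server web1 192.168.1.20:8080 check
```

The DNS half is what makes this work: on the LAN, www.example.com must resolve to 192.168.1.253 (an authoritative entry in the adam:ONE dashboard or a pfSense host override), while mytools.management and gateway-a650fvtn.2my.network keep resolving to 192.168.1.1. A quick check on the pfSense shell is sockstat -4l | grep ':80', which should show anmuscle bound on 192.168.1.1:80 and haproxy only on the VIP and WAN addresses; a 503 from HAProxy for mytools.management usually means the name still resolves to an address HAProxy owns.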
I am afraid I am feeling stupid. Do you mean all subdomains of my domain are served from your virtual IP and you get HAProxy to bind to the virtual IP? Then adam:ONE can respond on the principal LAN IP? Or have I missed something?
@atw Perhaps there should be a howto around this. I think you can use the pfSense hosts file instead of an authoritative list but the end result is the same. I would guess the solution would work with any reverse proxy running on the router on any of the O/Ss you support.