HAProxy community

Acces of Webserver behind haproxy - timeout

I setup haproxy in order to acces my openvpn as well as my nginx webserver using the TCP protcoll. Nginx is set up to enforce https.
Trying to acces my domian (called by mydomain.de/page), the traffic gets redirected and in the browser address line https://mydomain.de/page:4545 appears, with port 4545 being the configurerd port. This connection runs in a timeout.
Removing the portnumber gives me acces to the page I am trying to open. Openvpn runs fine all the time.
Following my haproxy.cfg

        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-options no-sslv3

        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend ssl
        mode tcp
        tcp-request inspect-delay 5s
        tcp-request content accept if HTTP
        tcp-request content accept if { req.ssl_hello_type 1 }
        # use_backend ssh if { payload(0,7) -m bin 5353482d322e30 }
        use_backend main-ssl  if { req.ssl_hello_type 1 }
        default_backend openvpn

backend main-ssl
        mode tcp
        server main-ssl

backend openvpn
        mode tcp
        timeout server 2h
        server openvpn-localhost

This is my nginx config:

upstream php-handler {
server unix:/run/php/php7.3-fpm.sock;

server {
listen 80 default_server;
listen [::]:80 default_server;
server_name mydomian.de localip;

    root /var/www;

    location ^~ /.well-known/acme-challenge {
            proxy_redirect off;

    location / {
            # Enforce HTTPS
            # Use this if you always want to redirect to the DynDNS address (no local access).
            return 301 https://$server_name$request_uri;

            # Use this if you also want to access the server by local IP:
            #return 301 https://$server_addr$request_uri;


server {
listen 4545 ssl http2;
listen [::]:4545 ssl http2;
server_name mydomian.de localip;

    # Certificates used
    ssl_certificate /etc/letsencrypt/mydomian.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/mydomian.de/key.pem;

    ssl_protocols TLSv1.2 TLSv1.3;

    # Max. security, but lower compatibility

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # Use multiple curves.
    ssl_ecdh_curve secp521r1:secp384r1;

    # Server should determine the ciphers, not the client
    ssl_prefer_server_ciphers on;

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # This should be ca.pem
    # See here: https://certbot.eff.org/docs/using.html
    ssl_trusted_certificate /etc/letsencrypt/mydomian.de/ca.pem;

    # This is the local DNS server (e.g. the IP of the Router if it is used as DNS server in the local network)
    resolver localdnsserver;

    # SSL session handling
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Add headers to serve security related headers
    # HSTS (ngx_http_headers_module is required)
    # In order to be recoginzed by SSL test, there must be an index.hmtl in the server's root
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none always;
    add_header X-Download-Options noopen always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    add_header Referrer-Policy no-referrer always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    location = / {
    # Disable access to the web root, otherwise nginx will show the default site here.
            deny all;

    # Nextcloud
    location ^~ /nextcloud/ {
            # Set max. size of a request (important for uploads to Nextcloud)
            client_max_body_size 1G;
            # Besides the timeout values have to be raised in nginx' Nextcloud config, these values have to be raised for the proxy as well
            proxy_connect_timeout 3600;
            proxy_send_timeout 3600;
            proxy_read_timeout 3600;
            send_timeout 3600;
            proxy_buffering off;
            proxy_request_buffering off;
            proxy_max_temp_file_size 1024m;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_redirect off;

    # These two location blocks are needed, otherwise you'll get warnings in the Nextcloud admin UI later on
    location = /.well-known/carddav {
            return 301 $scheme://$host/nextcloud/remote.php/dav;

    location = /.well-known/caldav {
            return 301 $scheme://$host/nextcloud/remote.php/dav;

    # Well-known URL for Webfinger
    # Regardless of this rule, you'll get a warning in the admin UI when the social app is not installed
    location = /.well-known/webfinger {
            return 301 $scheme://$host/nextcloud/public.php?service=webfinger;

    location ~ /(ocm-provider|ocs-provider)/ {
            return 301 $scheme://$host/nextcloud/$1/;

Right now, I do not have a clue where to look. Maybe someone has got a hint for me. By the way, the nginx config works, if openvpn is configured to share the port 443.

Thank you in advance.