Hello,
I set up HAProxy in order to access my OpenVPN as well as my nginx web server using the TCP protocol. nginx is set up to enforce HTTPS.
Trying to access my domain (called via mydomain.de/page), the traffic gets redirected and https://mydomain.de/page:4545 appears in the browser address line, with port 4545 being the configured port. This connection runs into a timeout.
Removing the port number gives me access to the page I am trying to open. OpenVPN runs fine all the time.
Following is my haproxy.cfg:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend ssl
    mode tcp
    bind 0.0.0.0:443
    # Buffer up to 5s of client data so the content rules below can inspect it
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    # req.ssl_hello_type 1 only matches once a complete TLS ClientHello is buffered
    tcp-request content accept if { req.ssl_hello_type 1 }
    # use_backend ssh if { payload(0,7) -m bin 5353482d322e30 }
    # TLS ClientHello -> nginx on 127.0.0.1:4545; everything else (including
    # plain HTTP, which has no use_backend rule) -> default_backend openvpn
    use_backend main-ssl if { req.ssl_hello_type 1 }
    default_backend openvpn

backend main-ssl
    mode tcp
    server main-ssl 127.0.0.1:4545

backend openvpn
    mode tcp
    timeout server 2h
    server openvpn-localhost 127.0.0.1:1193
This is my nginx config:
upstream php-handler {
    server unix:/run/php/php7.3-fpm.sock;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name mydomian.de localip;
    root /var/www;

    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_redirect off;
    }

    location / {
        # Enforce HTTPS
        # Use this if you always want to redirect to the DynDNS address (no local access).
        return 301 https://$server_name$request_uri;
        # Use this if you also want to access the server by local IP:
        #return 301 https://$server_addr$request_uri;
    }
}

server {
    listen 4545 ssl http2;
    listen [::]:4545 ssl http2;
    server_name mydomian.de localip;

    # Certificates used
    ssl_certificate /etc/letsencrypt/mydomian.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/mydomian.de/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Max. security, but lower compatibility
    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384';

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # Use multiple curves.
    ssl_ecdh_curve secp521r1:secp384r1;

    # Server should determine the ciphers, not the client
    ssl_prefer_server_ciphers on;

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # This should be ca.pem
    # See here: https://certbot.eff.org/docs/using.html
    ssl_trusted_certificate /etc/letsencrypt/mydomian.de/ca.pem;

    # This is the local DNS server (e.g. the IP of the router if it is used as DNS server in the local network)
    resolver localdnsserver;

    # SSL session handling
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    #
    # Add headers to serve security related headers
    #
    # HSTS (ngx_http_headers_module is required)
    # In order to be recognized by the SSL test, there must be an index.html in the server's root
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none always;
    add_header X-Download-Options noopen always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    add_header Referrer-Policy no-referrer always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    location = / {
        # Disable access to the web root, otherwise nginx will show the default site here.
        deny all;
    }

    #
    # Nextcloud
    #
    location ^~ /nextcloud/ {
        # Set max. size of a request (important for uploads to Nextcloud)
        client_max_body_size 1G;

        # Besides the timeout values having to be raised in nginx' Nextcloud config,
        # these values have to be raised for the proxy as well
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 3600;

        proxy_buffering off;
        proxy_request_buffering off;
        proxy_max_temp_file_size 1024m;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:82;
        proxy_redirect off;
    }

    # These two location blocks are needed, otherwise you'll get warnings in the Nextcloud admin UI later on
    location = /.well-known/carddav {
        return 301 $scheme://$host/nextcloud/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/nextcloud/remote.php/dav;
    }

    # Well-known URL for Webfinger
    # Regardless of this rule, you'll get a warning in the admin UI when the social app is not installed
    location = /.well-known/webfinger {
        return 301 $scheme://$host/nextcloud/public.php?service=webfinger;
    }

    location ~ /(ocm-provider|ocs-provider)/ {
        return 301 $scheme://$host/nextcloud/$1/;
    }
}
Right now I do not have a clue where to look. Maybe someone has a hint for me. By the way, the nginx config works if OpenVPN is configured to share port 443.
Thank you in advance.
Krischan
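The following is an added example, not code from Krischan's post: a small Python model of the content-inspection rules in the posted `frontend ssl` block, so the backend decision (complete TLS ClientHello to `main-ssl`, everything else to `openvpn`, and "need more data" while the hello is still incomplete) can be checked offline. The ClientHello is built by hand, and the OpenVPN, HTTP and SSH byte strings are constructed for this example rather than captured from the poster's hosts; the `ssh_rule_enabled` switch models un-commenting the `payload(0,7)` rule.

```python
"""Model of HAProxy's `tcp-request content` / `use_backend` decisions in the
posted `frontend ssl` block (added example; constructed sample inputs)."""
import re
import struct

NEED_MORE_DATA = None   # HAProxy keeps buffering, up to `tcp-request inspect-delay`
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def parse_client_hello(data: bytes):
    """Mirror `req.ssl_hello_type 1`, which only matches a *complete* ClientHello.

    Returns the SNI host name ("" if the hello carries none), NEED_MORE_DATA if
    the record is still incomplete, or raises ValueError if the bytes are not a
    TLS ClientHello at all."""
    if not data:
        return NEED_MORE_DATA
    if data[0] != 0x16:                       # TLS record type: handshake
        raise ValueError("not a TLS handshake record")
    if len(data) < 6:
        return NEED_MORE_DATA
    if data[1] != 0x03:                       # record version SSLv3 / TLS 1.x
        raise ValueError("not an SSLv3+/TLS record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    if data[5] != 0x01:                       # handshake type: ClientHello
        raise ValueError("TLS handshake but not a ClientHello")
    if len(data) < 5 + rec_len:
        return NEED_MORE_DATA
    body = data[5:5 + rec_len]
    try:
        # type(1) len(3) version(2) random(32) session_id(1+n)
        # cipher_suites(2+n) compression(1+n) [extensions(2+n)]
        pos = 1 + 3 + 2 + 32
        pos += 1 + body[pos]                                  # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
        pos += 1 + body[pos]                                  # compression
        if pos >= len(body):
            return ""                         # no extensions, hence no SNI
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:               # server_name extension
                # list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
        return ""
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def choose_backend(data: bytes, ssh_rule_enabled: bool = False):
    """Reproduce the posted frontend's decision: (backend, sni) or NEED_MORE_DATA."""
    try:
        sni = parse_client_hello(data)
    except ValueError:
        sni = False                           # definitely not TLS
    if sni is NEED_MORE_DATA:
        return NEED_MORE_DATA
    if sni is not False:
        return ("main-ssl", sni)              # use_backend main-ssl if { req.ssl_hello_type 1 }
    if HTTP_REQUEST_LINE.match(data):
        # `accept if HTTP` ends inspection, but no use_backend rule matches
        # plain HTTP, so it still lands on default_backend.
        return ("openvpn", None)
    if ssh_rule_enabled and data[:7] == b"SSH-2.0":   # the commented-out payload(0,7) rule
        return ("ssh", None)
    return ("openvpn", None)                  # default_backend openvpn


def build_client_hello(sni: str = "") -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello (constructed test input)."""
    body = (b"\x03\x03" + b"\x11" * 32        # client_version + fixed "random"
            + b"\x00"                          # empty session id
            + b"\x00\x02\x13\x01"              # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00")                     # one compression method: null
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name
        ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples (not captures): an OpenVPN-over-TCP first packet is a
# 2-byte length, then opcode byte 0x38 (P_CONTROL_HARD_RESET_CLIENT_V2, key id 0),
# an 8-byte session id, an empty ack array and a 4-byte packet id.
OPENVPN_HARD_RESET = b"\x00\x0e" + b"\x38" + b"\xaa" * 8 + b"\x00" + b"\x00\x00\x00\x01"
HTTP_GET = b"GET /page HTTP/1.1\r\nHost: mydomain.de\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_8.4\r\n"

if __name__ == "__main__":
    for label, sample in [("TLS ClientHello", build_client_hello("mydomain.de")),
                          ("truncated ClientHello", build_client_hello("mydomain.de")[:20]),
                          ("OpenVPN reset", OPENVPN_HARD_RESET),
                          ("plain HTTP", HTTP_GET),
                          ("SSH banner", SSH_BANNER)]:
        print(f"{label:22s} -> {choose_backend(sample)}")
```

Two things the model makes visible: HAProxy in `mode tcp` never touches the payload, so a redirect containing `:4545` has to be produced by whatever answers on 127.0.0.1:4545 behind the `main-ssl` backend rather than by HAProxy itself; and because the only `use_backend` rule keys on a complete ClientHello, plain HTTP arriving on 443 is handed to the OpenVPN backend, which is worth keeping in mind when testing with curl without TLS.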