Backend server nginx down HAProxy

Hi guys!
We set up a new nginx web server to run the “NextCloud” application; the server is on subnet 192.168.40.xxx/22. “http and https” traffic redirection is done by a pfSense 2.4.4 firewall on subnet 192.168.43.xxx/22, where I run the HAProxy service version 1.8.17 to direct external access. There are currently two front end configurations, one for port 80 and one for port 443, which work for other systems already deployed.

Below illustrates the settings of this new backend.

Default backend, access control lists and actions


Statistics Report

I have already performed the tests below:

root@server:/usr/share/ca-certificates# nc -zv 192.168.40.xx 80

Connection to 192.168.40.xx 80 port [tcp/http] succeeded!

root@server:/usr/share/ca-certificates# netstat -npa |grep 80

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1314/nginx: master
tcp6 0 0 :::80 :::* LISTEN 1314/nginx: master
unix 3 STREAM CONNECTED 20809 1/init /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 18026 1/init /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 18680 712/systemd-timesyn
unix 3 STREAM CONNECTED 20801 1/init /run/systemd/journal/stdout
unix 3 STREAM CONNECTED 19805 1/init
unix 3 STREAM CONNECTED 20805 1/init /run/systemd/journal/stdout

root@server:/usr/share/ca-certificates# nmap localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2019-09-11 21:24 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000013s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 1.71 seconds

best regards,
Wesley Santos

Provide the output of haproxy -vv and the full (haproxy) configuration please.

Hi @lukastribus, thanks for your effort. Below is the information.

HA-Proxy version 1.8.17 2019/01/08

Copyright 2000-2019 Willy Tarreau willy@haproxy.org

Build options :
TARGET = freebsd
CPU = generic
CC = cc
CFLAGS = -O2 -pipe -fstack-protector -fno-strict-aliasing -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-null-dereference -Wno-unused-label -DFREEBSD_PORTS
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_ACCEPT4=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with PCRE version : 8.42 2018-03-20
Running on PCRE version : 8.42 2018-03-20
PCRE library supports JIT : yes
Built with multi-threading support.
Encrypted password support via crypt(3): yes
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with Lua version : Lua 5.3.4
Built with OpenSSL version : OpenSSL 1.0.2o-freebsd 27 Mar 2018
Running on OpenSSL version : OpenSSL 1.0.2o-freebsd 27 Mar 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2

Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use kqueue.

Available filters :
[TRACE] trace
[COMP] compression
[SPOE] spoe

# Automaticaly generated, dont edit manually.

Generated on: 2019-09-17 11:48

global
maxconn 1000
log /var/run/log local0 info
stats socket /tmp/haproxy.socket level admin expose-fd listeners
uid 80
gid 80
nbproc 1
nbthread 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
log-send-hostname haproxy
server-state-file /tmp/haproxy_server_state
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets

listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
stats refresh 5
stats admin if TRUE
stats show-legends
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000

frontend HA_Sistemas-http
bind 189.20.108.xx:80 name 189.20.108.xx:80
bind 187.75.209.xxx:80 name 187.75.209.xxx:80
mode http
log global
option log-separate-errors
option httplog
option http-keep-alive
timeout client 30000
acl projectus var(txn.txnhost) -m str -i projectus.com.br
acl projectus var(txn.txnhost) -m str -i www.projectus.com.br
acl redirect-to-SSL var(txn.txnhost) -m str -i time-sheet.projectus.com.br
acl redirect-to-SSL var(txn.txnhost) -m str -i treinamento-qsms.projectus.com.br
acl redirect-to-SSL var(txn.txnhost) -m str -i qsms.projectus.com.br
acl redirect-to-SSL var(txn.txnhost) -m str -i proposta.projectus.com.br
acl redirect-to-SSL var(txn.txnhost) -m str -i treinamento.projectus.com.br
acl redirect-to-SSL var(txn.txnhost) -m str -i chamado.projectus.com.br
acl redirect-to-SSL var(txn.txnhost) -m str -i pesquisa.projectus.com.br
acl redirect-to-SSL var(txn.txnhost) -m str -i pesquisa-ce.projectus.com.br
acl cadcae var(txn.txnhost) -m str -i www.cadcae.projectus.com.br
acl cadcae var(txn.txnhost) -m str -i cadcae.projectus.com.br
acl rh var(txn.txnhost) -m str -i rh.projectus.com.br
acl nxc var(txn.txnhost) -m str -i nextcloud.projectus.com.br
http-request set-var(txn.txnhost) hdr(host)
http-request redirect scheme https if redirect-to-SSL
http-request redirect location http://www.projectus.com.br if !projectus !cadcae !rh !nxc
use_backend HA_Sistemas-45-xx_80-www_ipvANY if projectus
use_backend HA_Sistemas_42-xxx_80-nxc_ipvANY if nxc
use_backend HA_Sistemas_43-xx_80-ged_ipvANY if cadcae
use_backend HA_Sistemas_42-xxx_80-rh_ipvANY if rh

frontend HA_Sistemas-https
bind 189.20.108.90:xxx name 189.20.108.xx:443 ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list
bind 187.75.209.xxx:443 name 187.75.209.xxx:443 ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list
mode http
log global
option log-separate-errors
option httplog
option http-keep-alive
timeout client 300000
acl rootrequested var(txn.txnpath) -m str -i /
acl time-sheet var(txn.txnhost) -m str -i time-sheet.projectus.com.br
acl qsms var(txn.txnhost) -m str -i qsms.projectus.com.br
acl treinamento var(txn.txnhost) -m str -i treinamento.projectus.com.br
acl proposta var(txn.txnhost) -m str -i proposta.projectus.com.br
acl chamado var(txn.txnhost) -m str -i chamado.projectus.com.br
acl pesquisa var(txn.txnhost) -m str -i pesquisa.projectus.com.br
acl pesquisa-ce var(txn.txnhost) -m str -i pesquisa-ce.projectus.com.br
http-request set-var(txn.txnpath) path
http-request set-var(txn.txnhost) hdr(host)
http-request redirect location /TimeSheet/faces/login.xhtml if rootrequested time-sheet
http-request redirect location /SistemaQSMS/ if rootrequested qsms
http-request redirect location /Treinamento/ if rootrequested treinamento
http-request redirect location /Proposta/ if rootrequested proposta
http-request redirect location /Chamado/ if rootrequested chamado
http-request redirect location /PesquisaClima/ if rootrequested pesquisa
http-request redirect location /PesquisaClimaCE/ if rootrequested pesquisa-ce
http-response add-header Content-Security-Policy upgrade-insecure-requests if !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce
use_backend HA_Sistemas-45-xx_80-www_ipvANY if !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce
default_backend HA_Sistemas_43-xxx_8443_ipvANY

backend HA_Sistemas-45-xx_80-www_ipvANY
mode http
id 103
log global
timeout connect 300000
timeout server 300000
retries 3
option httpchk OPTIONS /
server site 192.168.45.xx:80 id 104 check inter 1000

backend HA_Sistemas_42-xxx_80-nxc_ipvANY
mode http
id 100
log global
timeout connect 30000
timeout server 30000
retries 3
option httpchk GET /
server nxc 192.168.40.xxx:80 id 108 check inter 1000

backend HA_Sistemas_43-70_xx-ged_ipvANY
mode http
id 105
log global
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server ged 192.168.43.xx:80 id 106 check inter 1000

backend HA_Sistemas_42-xxx_80-rh_ipvANY
mode http
id 107
log global
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server rh 192.168.42.xxx:80 id 108 check inter 1000

backend HA_Sistemas_43-xxx_8443_ipvANY
mode http
id 101
log global
timeout connect 300000
timeout server 300000
retries 3
option httpchk OPTIONS /
server Sistemas 192.168.43.xxx:8443 id 102 ssl check inter 1000 verify none

As per the management guide, this is what L7STS means:

layer 7 response error, for example HTTP 5xx

I assume HA_Sistemas_40-245_80-nextcloud_ipvANY is actually HA_Sistemas_42-xxx_80-nxc_ipvANY now? It would be helpful if you’d refrain from renaming your internal sections between the posts, so I don’t have to guess those things.

This test is irrelevant. Haproxy is telling you that there is a layer 7 error, so layer 7 is what you need to verify.

Run:
curl -vv http://192.168.40.xx/

instead.

I apologize for making name changes between posts, but these two (“HA_Sistemas_40-245_80-nextcloud_ipvANY” and “HA_Sistemas_42-xxx_80-nxc_ipvANY”) are the same backend. It is now online using http, but the ACL doesn’t work; it redirects to the company’s main page.

curl command output using http and https:
curl -vv http://192.168.40.xxx

* Rebuilt URL to: http://192.168.40.xx/
*   Trying 192.168.40.xxx...
* TCP_NODELAY set
* Connected to 192.168.40.xxx (192.168.40.xxx) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.40.xxx
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Tue, 17 Sep 2019 17:17:31 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Tue, 17 Apr 2018 15:22:36 GMT
< Connection: keep-alive
< ETag: "5ad6113c-264"
< Accept-Ranges: bytes
<

Welcome to nginx! body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; }

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

* Connection #0 to host 192.168.40.xxx left intact
curl -vv https://192.168.40.xxx

* Rebuilt URL to: https://192.168.40.xxx/
*   Trying 192.168.40.xxx...
* TCP_NODELAY set
* Connected to 192.168.40.245 (192.168.40.xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=BR; ST=Sao Paulo; L=Sao Paulo; O=Projectus Consultoria LTDA; OU=Engenharia; OU=Hosted by Comodo Brasil Tecnologia Ltda; OU=PremiumSSL Wildcard; CN=*.projectus.com.br
*  start date: Sep 11 00:00:00 2019 GMT
*  expire date: Jan 8 23:59:59 2020 GMT
*  subjectAltName does not match 192.168.40.xxx
* SSL: no alternative certificate subject name matches target host name '192.168.40.xxx'
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name '192.168.40.xxx'

best regards,
Wesley Santos

Please try:

curl --http1.0 -vv https://192.168.40.xxx/

curl --http1.0 -vv https://192.168.40.xxx/

* Rebuilt URL to: https://192.168.40.xxx/
*   Trying 192.168.40.xxx...
* TCP_NODELAY set
* Connected to 192.168.40.245 (192.168.40.xxx) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=BR; ST=Sao Paulo; L=Sao Paulo; O=Projectus Consultoria LTDA; OU=Engenharia; OU=Hosted by Comodo Brasil Tecnologia Ltda; OU=PremiumSSL Wildcard; CN=*.projectus.com.br
*  start date: Sep 11 00:00:00 2019 GMT
*  expire date: Jan 8 23:59:59 2020 GMT
*  subjectAltName does not match 192.168.40.xxx
* SSL: no alternative certificate subject name matches target host name '192.168.40.xxx'
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name '192.168.40.xxx'

Sorry I meant http:

curl --http1.0 -vv http://192.168.40.xxx/

# curl --http1.0 -vv http://192.168.40.xxx
* Rebuilt URL to: http://192.168.40.xxx/
*   Trying 192.168.40.245...
* TCP_NODELAY set
* Connected to 192.168.40.xxx (192.168.40.xxx) port 80 (#0)
> GET / HTTP/1.0
> Host: 192.168.40.xxx
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Tue, 17 Sep 2019 19:36:00 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Tue, 17 Apr 2018 15:22:36 GMT
< Connection: close
< ETag: "5ad6113c-264"
< Accept-Ranges: bytes
<

Welcome to nginx! body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; }

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

* Closing connection 0

Not entirely sure why you keep trying to hide the last octet of the IP address; this is RFC1918 addressing, nobody can do anything with this information. You also keep forgetting to replace all of them, so everybody reading this thread now knows that it’s 192.168.40.245 anyway.

Ok, so the health check issue is now gone?

Which ACL does not work EXACTLY and what main page page are you referring to?

“Health check” resolved when using port 80.

frontend HA_Sistemas-http
bind			189.20.108.xx:80 name 189.20.108.xx:80   
bind			187.75.209.xxx:80 name 187.75.209.xxx:80   
mode			http
log			global
option			log-separate-errors
option			httplog
option			http-keep-alive
timeout client		30000
acl			projectus	var(txn.txnhost) -m str -i projectus.com.br
acl			projectus	var(txn.txnhost) -m str -i www.projectus.com.br
acl			redirect-to-SSL	var(txn.txnhost) -m str -i time-sheet.projectus.com.br
acl			redirect-to-SSL	var(txn.txnhost) -m str -i treinamento-qsms.projectus.com.br
acl			redirect-to-SSL	var(txn.txnhost) -m str -i qsms.projectus.com.br
acl			redirect-to-SSL	var(txn.txnhost) -m str -i proposta.projectus.com.br
acl			redirect-to-SSL	var(txn.txnhost) -m str -i treinamento.projectus.com.br
acl			redirect-to-SSL	var(txn.txnhost) -m str -i chamado.projectus.com.br
acl			redirect-to-SSL	var(txn.txnhost) -m str -i  pesquisa.projectus.com.br
acl			redirect-to-SSL	var(txn.txnhost) -m str -i pesquisa-ce.projectus.com.br
acl			cadcae	var(txn.txnhost) -m str -i www.cadcae.projectus.com.br
acl			cadcae	var(txn.txnhost) -m str -i cadcae.projectus.com.br
acl			rh	var(txn.txnhost) -m str -i rh.projectus.com.br
acl			nxc	var(txn.txnhost) -m str -i nextcloud.projectus.com.br
http-request set-var(txn.txnhost) hdr(host)
http-request redirect scheme https  if  redirect-to-SSL 
http-request redirect location http://www.projectus.com.br  if  !projectus !cadcae !rh !nxc 
use_backend HA_Sistemas-45-14_80-www_ipvANY  if  projectus 
use_backend HA_Sistemas_40-245_80-nxc_ipvANY  if  nxc 
use_backend HA_Sistemas_43-70_80-ged_ipvANY  if  cadcae 
use_backend HA_Sistemas_42-226_80-rh_ipvANY  if  rh 


backend HA_Sistemas_40-245_80-nxc_ipvANY
mode			http
id			100
log			global
timeout connect		30000
timeout server		30000
retries			3
option			httpchk GET / 
server			nxc 192.168.40.245:80 id 108 check inter 1000  

The company’s main website is the page that should be reached by typing the address projectus.com.br.

The page my ACL should route to is the one reached by typing the address nextcloud.projectus.com.br.

I hope the information can help.

best regards,
Wesley Santos

You would have to explain a little bit more in detail what actually happens (which EXACT URL you type into your browser and which EXACT URL you get redirected to), but I’d guess you just need to configure nextcloud for SSL?

Below I will describe in more detail:
This is an nginx server with the “nextcloud” application inside my LAN subnet. It works on the LAN subnet via the link https://nextcloud.projectus.com.br, and this web server already responds to requests on port 443, which I set up on the HAProxy front end, but it responded with the “L7STS / 404 in 2ms” error. As that didn’t work, I chose to set up the backend on port 80, which responds successfully, but the redirects are not done externally.

nmap on the nginx server 192.168.40.245 (screenshot)

nginx server configuration

server {
    listen 80;
    server_name nextcloud.projectus.com.br;
    return 301 https://nextcloud.projectus.com.br$request_uri;
}

server {
    listen 443 ssl; # managed by Certbot
    ssl_certificate /root/certificado/2019-2020/ssl_bundle.crt;
    ssl_certificate_key /root/certificado/2019-2020/server.key;
    #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Add headers to serve security related headers
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    #This header is already set in PHP, so it is commented out here.
    #add_header X-Frame-Options "SAMEORIGIN";

    # Path to the root of your installation
    root /usr/share/nginx/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # (the remaining location blocks of this server were not included in the post)
}

I hope this makes it clearer. Tomorrow I can try deleting this backend setting on port 80 and setting it up on port 443.

I understand you made adjustments to “fix” things, like enable port 80 for nextcloud in your backend, but by not sharing this in the first place you only made this troubleshooting harder and longer.

This thread is a good example of the XY problem.

Let’s summarize what I believe to have understood:

  • you have nextcloud HTTPS backend server, without HTTP
  • a haproxy HTTP and HTTPS frontend

Now you need to decide what you want to do:

  • should haproxy communicate with nextcloud via HTTPS? This means you will install the same certificate on both nextcloud and haproxy, and haproxy terminates SSL and re-encrypts for the backend
  • should haproxy communicate with nextcloud in cleartext, without SSL? Then you need to tell nextcloud (and nginx) not to redirect and to consider everything coming from haproxy secure (as well as configuring nginx for plaintext, of course)

Hi man, the lack of information really did make the problem more complex. Based on your last reply, I think you understand my problem.

  • Summary of what I have:
    I have a nextcloud backend with an https certificate and also http, and I also have a haproxy front end with https and http interfaces.

  • Now I say what I want to do:
    Yes, my nextcloud should only communicate using https; the certificate that is installed on haproxy is the same one already used by my nextcloud server.

  • Now I say what I did:
    I set the backend to use the https certificate. It works on the LAN subnet, but when creating the haproxy https settings, the backend returns L7STS/400 in 45ms.

Since it was not possible to communicate between the backend and the haproxy frontend using https, I opted to run a test using only http, and that way my backend works perfectly, even when accessed from outside my LAN subnet.

error information from my https backend:


Nginx configuration file with https and http input:

Output from the nmap command on my nextcloud backend (screenshot):

Through this image, I can validate that on my LAN subnet it is possible to access nextcloud via an https connection.

  • Settings between backend and haproxy frontend https:

frontend HA_Sistemas-https
bind 189.20.108.90:443 name 189.20.108.90:443 ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list
bind 187.75.209.246:443 name 187.75.209.246:443 ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list
mode http
log global
option log-separate-errors
option httplog
option http-keep-alive
timeout client 300000
acl rootrequested var(txn.txnpath) -m str -i /
acl time-sheet var(txn.txnhost) -m str -i time-sheet.projectus.com.br
acl qsms var(txn.txnhost) -m str -i qsms.projectus.com.br
acl treinamento var(txn.txnhost) -m str -i treinamento.projectus.com.br
acl proposta var(txn.txnhost) -m str -i proposta.projectus.com.br
acl chamado var(txn.txnhost) -m str -i chamado.projectus.com.br
acl pesquisa var(txn.txnhost) -m str -i pesquisa.projectus.com.br
acl pesquisa-ce var(txn.txnhost) -m str -i pesquisa-ce.projectus.com.br
acl nxc var(txn.txnhost) -m str -i nextcloud.projectus.com.br
http-request set-var(txn.txnpath) path
http-request set-var(txn.txnhost) hdr(host)
http-request redirect location /TimeSheet/faces/login.xhtml if rootrequested time-sheet
http-request redirect location /SistemaQSMS/ if rootrequested qsms
http-request redirect location /Treinamento/ if rootrequested treinamento
http-request redirect location /Proposta/ if rootrequested proposta
http-request redirect location /Chamado/ if rootrequested chamado
http-request redirect location /PesquisaClima/ if rootrequested pesquisa
http-request redirect location /PesquisaClimaCE/ if rootrequested pesquisa-ce
http-response add-header Content-Security-Policy upgrade-insecure-requests if !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce
use_backend HA_Sistemas-45-14_80-www_ipvANY if !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce
use_backend HA_Sistemas_40-245_443-nxc_ipvANY if !nxc
default_backend HA_Sistemas_43-235_8443_ipvANY

backend HA_Sistemas_40-245_443-nxc_ipvANY
mode http
id 100
log global
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server nxc 192.168.40.245:443 id 102 ssl check inter 1000 verify none

best regards,
Wesley Santos

Supplementary information: after applying the changes below to the backend, it is now in active status, but the ACL still does not point to the correct page.

I am using this documentation as a reference.

https://serverfault.com/questions/664332/haproxy-returns-bad-request-invalid-host-for-seemingly-no-reason

Ok, good, then all you need to do is configure haproxy appropriately.

backend HA_Sistemas_40-245_80-nxc_ipvANY
mode			http
id			100
log			global
timeout connect		30000
timeout server		30000
retries			3
option			httpchk GET / 
# "verify" on a server line accepts only "none" or "required" (with ca-file)
server			nxc 192.168.40.245:443 ssl verify none sni str(nextcloud.projectus.com.br) id 108

If you need health checking (although it’s useless with only one backend server), add:

check-sni nextcloud.projectus.com.br check inter 1000
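Putting the two integration options lukastribus listed (re-encrypt to the HTTPS backend, or talk cleartext to nginx) together with his SNI-based server line, here is an added example of what the complete HAProxy 1.8 frontend and backend sections could look like. This is not configuration from the thread or from pfSense's generated file; the backend names `nxc_https`/`nxc_http`, the CA bundle path and the plain-HTTP port are placeholders, while the addresses, hostnames and the `HA_Sistemas-https` frontend are the thread's own.

```haproxy
# Added example (not from the thread). Placeholders: backend names,
# /path/to/ca-bundle.pem, and port 80 for the cleartext variant.

frontend HA_Sistemas-https
    bind 189.20.108.90:443 name 189.20.108.90:443 ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list
    mode http
    option httplog
    option forwardfor
    http-request set-var(txn.txnhost) hdr(host)
    acl nxc var(txn.txnhost) -m str -i nextcloud.projectus.com.br
    # use_backend rules are tried in order and the first match wins, so the
    # condition must select the Nextcloud host positively ("if nxc"); a negated
    # condition ("if !nxc") would send every other host to this backend instead.
    use_backend nxc_https if nxc
    default_backend HA_Sistemas_43-235_8443_ipvANY

# Option 1: re-encrypt. HAProxy terminates the client's TLS session and opens
# its own TLS session to nginx. "sni" lets nginx pick the matching server block,
# and "verify required" plus "ca-file" rejects an impostor, expired or
# mis-issued backend certificate (with "verify none" HAProxy accepts anything).
# The health check carries the same SNI and a Host header, so nginx answers for
# the right virtual host instead of returning a 4xx that HAProxy logs as L7STS.
backend nxc_https
    mode http
    option httpchk GET / HTTP/1.1\r\nHost:\ nextcloud.projectus.com.br
    http-request set-header X-Forwarded-Proto https
    server nxc 192.168.40.245:443 ssl verify required ca-file /path/to/ca-bundle.pem sni str(nextcloud.projectus.com.br) check check-sni nextcloud.projectus.com.br inter 1000

# Option 2: cleartext inside the LAN. nginx must then serve Nextcloud on the
# plain port without its 301-to-https redirect and trust X-Forwarded-Proto
# from HAProxy's address, so that Nextcloud still generates https:// links.
backend nxc_http
    mode http
    option httpchk GET / HTTP/1.1\r\nHost:\ nextcloud.projectus.com.br
    http-request set-header X-Forwarded-Proto https
    server nxc 192.168.40.245:80 check inter 1000
```

Because pfSense regenerates `/var/etc/haproxy/haproxy.cfg` on every apply (the "Automaticaly generated, dont edit manually" header above), these directives have to be entered through the package's form fields rather than typed into the file. With `verify required`, a server whose certificate chain or name (checked against the `sni` value) does not validate is marked DOWN, which turns the kind of mismatch curl reported for the bare IP into an explicit health-check failure rather than silently proxied traffic.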

Hey man!
Thanks for your feedback!
Can you help me with this setting? I have a small doubt about the health checking: is the setting an added line, as in the image below?

I can help with haproxy. I cannot help with the webinterface of pfsense.

I understand; it is just that in this case I use haproxy in my pfSense.