I have a router running OpenWrt which also establishes my internet connection.
There are two interfaces, eth0 and pppoe-wan.
I have uhttpd running on the router, set up to bind only on the IP address of the interface eth0 (192.168.0.1:80 and 192.168.0.1:443). So far so good.
I want haproxy to listen on port 443, only on the interface pppoe-wan, and not bind to anything on interface eth0, so I came up with the following configuration.
bind :443 interface pppoe-wan ssl crt /etc/ssl/certs/mycert.pem
Now when I start it, it complains with the following message:
[ALERT] 230/220855 (19971) : Starting frontend fe_xxxxx: cannot bind socket [0.0.0.0:443]
I cannot specify the IP address to bind to since it changes every day.
How can I make sure haproxy binds only to the pppoe-wan interface on port 443 and not on any other interface as well?
You cannot do this; that is not how the socket API works. Even if you specify the interface, the socket needs to bind to 0.0.0.0, which conflicts with any other IP, including your LAN IP.
Forget the interface keyword, it does not help you here.
Maybe the easiest way to achieve this would be to have haproxy listen on an internal IP (even localhost), and make a standard destination NAT from WAN port 443 to that localhost IP:port combination where haproxy listens (and binds successfully). This can be a non-443 port as well.
Thanks for your reply! The idea with listening on localhost is good, I will look into that.
Thanks again!
A little update on how I got it working in the end:
/etc/firewall.user:
sysctl -w net.ipv4.conf.pppoe-wan.route_localnet=1
iptables -t nat -I PREROUTING -p tcp -i pppoe-wan --dport 443 -j DNAT --to-destination 127.0.0.1:443
And the bind parameter in haproxy.cfg being simply:
bind 127.0.0.1:443 ssl crt /etc/ssl/certs/mycert.pem
Thanks for the help.
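Added example, not code from the thread or from HAProxy: a small audit script that reproduces the two checks this thread turns on. It parses `bind` directives from a haproxy.cfg fragment and reports which ones actually create a wildcard 0.0.0.0 listener regardless of any `interface` keyword (the cause of the "cannot bind socket" alert above), and it checks a firewall script for DNAT rules that redirect to 127.0.0.1 without the matching `route_localnet` sysctl, which is what makes the loopback DNAT work. The config and firewall snippets are constructed from the lines posted in the thread; the function names and the finding format are my own.

```python
import re

# Addresses that make haproxy listen on every interface (IPv4 and IPv6 forms).
WILDCARD_ADDRS = {"", "*", "0.0.0.0", "::"}


def parse_bind(line):
    """Split a haproxy `bind <addr>:<port> [params...]` line into (addr, port, params).
    Returns None for non-bind lines and for unix@/abns@ style sockets (out of scope)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "bind":
        return None
    target, params = parts[1], parts[2:]
    m = re.fullmatch(r"\[([^\]]*)\]:(\d+)", target)  # bracketed IPv6, e.g. [::]:443
    if m:
        return m.group(1), int(m.group(2)), params
    addr, _, port = target.rpartition(":")           # ":443" -> addr "", port "443"
    if not port.isdigit():
        return None
    return addr, int(port), params


def audit_binds(cfg_text):
    """One finding per bind line: the port, whether the socket is a wildcard
    listener, and which interface (if any) the `interface` keyword names.
    The keyword restricts which interface packets are accepted from, but the
    socket address stays 0.0.0.0:<port>, so it still conflicts with any other
    listener on that port (as the thread's ALERT shows)."""
    findings = []
    for raw in cfg_text.splitlines():
        parsed = parse_bind(raw.strip())
        if parsed is None:
            continue
        addr, port, params = parsed
        iface = params[params.index("interface") + 1] if "interface" in params else None
        wildcard = addr in WILDCARD_ADDRS
        if wildcard:
            note = "wildcard listener 0.0.0.0:%d on every interface" % port
            if iface:
                note += "; 'interface %s' does not change the bound address" % iface
        else:
            note = "bound to %s:%d only" % (addr, port)
        findings.append({"port": port, "binds_all_interfaces": wildcard,
                         "interface_keyword": iface, "note": note})
    return findings


def check_loopback_dnat(firewall_text):
    """For each iptables DNAT rule that redirects traffic arriving on an
    interface to 127.0.0.1, confirm net.ipv4.conf.<iface>.route_localnet=1 is
    also set in the script; without it the kernel drops the redirected packets."""
    enabled = set(re.findall(r"net\.ipv4\.conf\.([\w.-]+)\.route_localnet=1", firewall_text))
    problems = []
    for m in re.finditer(r"-i\s+(\S+).*?--to-destination\s+127\.0\.0\.1:(\d+)", firewall_text):
        iface, port = m.group(1), int(m.group(2))
        if iface not in enabled:
            problems.append("DNAT on %s to 127.0.0.1:%d needs "
                            "net.ipv4.conf.%s.route_localnet=1" % (iface, port, iface))
    return problems


# Constructed samples built from the lines posted in the thread.
CONFIG_BEFORE = """
frontend fe_xxxxx
    bind :443 interface pppoe-wan ssl crt /etc/ssl/certs/mycert.pem
"""
CONFIG_AFTER = """
frontend fe_xxxxx
    bind 127.0.0.1:443 ssl crt /etc/ssl/certs/mycert.pem
"""
FIREWALL_OK = """
sysctl -w net.ipv4.conf.pppoe-wan.route_localnet=1
iptables -t nat -I PREROUTING -p tcp -i pppoe-wan --dport 443 -j DNAT --to-destination 127.0.0.1:443
"""
FIREWALL_MISSING_SYSCTL = (
    "iptables -t nat -I PREROUTING -p tcp -i pppoe-wan --dport 443 "
    "-j DNAT --to-destination 127.0.0.1:443\n"
)

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        for f in audit_binds(cfg):
            print(label, f["note"])
    print("firewall ok:", check_loopback_dnat(FIREWALL_OK))
    print("firewall missing sysctl:", check_loopback_dnat(FIREWALL_MISSING_SYSCTL))
```

Run it against your own haproxy.cfg and firewall.user by passing their contents to the two functions; any finding with `binds_all_interfaces` true is a listener that will collide with uhttpd or anything else already on that port, and any entry from `check_loopback_dnat` is a DNAT rule that will silently drop traffic until the sysctl line is added.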