Would greatly appreciate some additional pairs of eyes.
I have HAProxy set up on OPNsense and have been trying to translate guides written for pfSense to OPNsense, but I keep running into multiple issues. HAProxy definitely makes more sense on pfSense (OPNsense's GUI seems nice but a bit convoluted at times), but I'd really rather not reinstall and set everything up all over again.
Right now I'm stuck on a 503 error when I try to reach my Nextcloud server on port 9001 (the port the Docker image came with) through a port forward of 9001 from a DynDNS (No-IP) hostname; I have to use 9001 because FiOS unfortunately blocks incoming connections on port 443.
I'm willing to try any solution and will provide whatever data is needed to get this working (within reason, of course). When I port forward directly to the server, from either the WAN IP or the DynDNS hostname, it works fine, but obviously the connection isn't encrypted.
I wanted to post my haproxy config, but there doesn’t seem to be a spoiler or codeblock tag.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
# Drop privileges after start: process runs as uid/gid 80 inside /var/haproxy.
uid 80
gid 80
chroot /var/haproxy
daemon
# Runtime API socket. "level admin" allows changing server state and
# configuration at runtime; with "mode 775 group proxy" every member of the
# proxy group gets that admin access, so keep that group membership minimal.
stats socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
nbproc 1
nbthread 1
# Process-wide connection ceiling. NOTE(review): this is the hard cap for the
# whole process; the WWSSL frontend declares "maxconn 20", which can never be
# reached while the global value is 10. Raise this in the OPNsense GUI (the
# file header says it is generated) if more than 10 concurrent connections
# are expected; excess connections queue rather than fail.
maxconn 10
tune.ssl.default-dh-param 2048
spread-checks 2
tune.chksize 16384
tune.bufsize 16384
tune.lua.maxmem 0
# Logs go to the local syslog socket at facility local0; the termination
# state flags in these log lines are the first place to look for the 503.
log /var/run/log local0 info
# TLS 1.2 is the floor; "prefer-client-ciphers" lets the client's cipher
# preference win over the server order listed below.
ssl-default-bind-options prefer-client-ciphers ssl-min-ver TLSv1.2
# TLS 1.2 cipher list (ECDHE only, AEAD suites first).
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256
# TLS 1.3 suites.
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# Small in-memory HTTP cache defined by the OPNsense plugin. It is only used
# by a proxy that references it with an "http-request cache-use" /
# "http-response cache-store" rule; none of the sections below do, so it is
# currently inert.
cache opnsense-haproxy-cache
# Size in MB and maximum object age in seconds.
total-max-size 32
max-age 60
# Settings inherited by every frontend/backend that does not override them.
defaults
log global
# Presumably: retry on another server only on the last retry attempt
# (the -1 interval) — the HAProxy default; verify against the version in use.
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
# Three connect retries before HAProxy gives up and answers 503 itself;
# with health checks disabled (see the backends) this is the only path by
# which an unreachable backend is surfaced to the client.
retries 3
# Resolve server addresses from the last known value, then libc at startup.
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
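# Frontend: WWSSL (Weekend Wayfarers SSL Offload)
# Terminates TLS on ports 9001 and 443 and hands plain HTTP to wwnextcloudpool.
frontend WWSSL
# NOTE(review): both listeners are bound to 127.0.0.1, so they are reachable
# only from the firewall itself. The WAN port forward for 9001 must therefore
# target 127.0.0.1:9001 on the firewall (not the Nextcloud host); if it points
# elsewhere, HAProxy never sees the request. Check this first in the NAT rule.
bind 127.0.0.1:9001 name 127.0.0.1:9001 ssl crt-list /tmp/haproxy/ssl/608201d169adf9.95307353.certlist
bind 127.0.0.1:443 name 127.0.0.1:443 ssl crt-list /tmp/haproxy/ssl/608201d169adf9.95307353.certlist
mode http
option http-keep-alive
default_backend wwnextcloudpool
# Pass the real client address to the backend in X-Forwarded-For.
option forwardfor
# TLS is terminated here, so tell the backend the original scheme was https;
# without it a reverse-proxied application would build http:// URLs.
http-request set-header X-Forwarded-Proto https
# tuning options
# Capped by the global maxconn (10) — this value only takes effect if the
# global limit is raised.
maxconn 20
timeout client 30s
# logging options
# ACL: WW Condition
# Fixed: path_beg is a literal prefix match with no wildcard support, so the
# original "/*" matched only paths beginning with the two characters "/*" and
# the rule below never fired (traffic only reached the backend through
# default_backend). "/" matches every request path.
acl acl_608206c1ed1a83.32483164 path_beg -i /
# ACTION: WW Rule
use_backend wwnextcloudpool if acl_608206c1ed1a83.32483164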
# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
# Forwards ACME HTTP-01 challenge requests to the plugin's local listener.
# NOTE(review): nothing in the WWSSL frontend routes to this backend (no ACL
# on /.well-known/acme-challenge/), so as written it is unreachable; the
# plugin presumably expects its own frontend rule — confirm in the GUI.
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
# Plain HTTP to the ACME responder on the firewall itself.
server acme_challenge_host 127.0.0.1:43580
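# Backend: wwnextcloudpool (Virtual Backend Pool for NextCloud Server)
# Single plain-HTTP server; TLS is terminated in the WWSSL frontend.
backend wwnextcloudpool
# health checking is DISABLED
# NOTE(review): with no check, the server is always considered UP, so a 503
# here means the connect to 192.168.0.25:9001 failed on all retries (the
# termination flags in the HAProxy log confirm this). Enabling a check in the
# GUI ("option httpchk" plus "check" on the server) would show that state
# directly on the stats page instead of only at request time.
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
# Fixed: the generated "acl"/"use_backend" pair that was duplicated here from
# the frontend has been removed. "use_backend" is a frontend-only directive;
# inside a backend section HAProxy ignores it with a startup warning, so the
# lines had no effect. Routing is defined once, in the WWSSL frontend.
http-reuse safe
# No "ssl" keyword, so the container is expected to speak plain HTTP on 9001.
# Nextcloud behind a TLS-offloading proxy also needs this proxy's address in
# its trusted_proxies list and overwriteprotocol set to https, or it rejects
# or mis-redirects proxied requests — presumably not yet configured; verify.
server wwnextcloud 192.168.0.25:9001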