HAProxy, OPNsense and a blocked port 443

Would greatly appreciate some additional pairs of eyes.

I have HAProxy set up on OPNsense and have been trying to translate guides from pfSense to OPNsense, but I've been running into multiple issues. HAProxy definitely makes more sense on pfSense (OPNsense's GUI seems nice but a bit convoluted at times), but I'd really rather not reinstall and set everything up all over again.

Right now I'm stuck on a 503 error while trying to access my Nextcloud server on port 9001 (that's what the Docker container came with) by directly port forwarding port 9001 from a DynDNS (No-IP) hostname, because FiOS unfortunately blocks incoming port 443 connections.

Willing to try any solutions, and I'll provide any data necessary to get this accomplished (within reason, of course). When I directly port forward from either the WAN IP or the DynDNS hostname it works fine, but obviously it isn't encrypted.

I wanted to post my HAProxy config, but there doesn't seem to be a spoiler or code block tag.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
    nbproc                      1
    nbthread                    1
    maxconn                     10
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info
    ssl-default-bind-options prefer-client-ciphers ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
cache opnsense-haproxy-cache
    total-max-size 32
    max-age 60

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: WWSSL (Weekend Wayfarers SSL Offload)
frontend WWSSL
    bind 127.0.0.1:9001 name 127.0.0.1:9001 ssl  crt-list /tmp/haproxy/ssl/608201d169adf9.95307353.certlist 
    bind 127.0.0.1:443 name 127.0.0.1:443 ssl  crt-list /tmp/haproxy/ssl/608201d169adf9.95307353.certlist 
    mode http
    option http-keep-alive
    default_backend wwnextcloudpool
    option forwardfor
    # tuning options
    maxconn 20
    timeout client 30s

    # logging options
    # ACL: WW Condition
    acl acl_608206c1ed1a83.32483164 path_beg -i /*

    # ACTION: WW Rule
    use_backend wwnextcloudpool if acl_608206c1ed1a83.32483164

# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580 

# Backend: wwnextcloudpool (Virtual Backend Pool for NextCloud Server)
backend wwnextcloudpool
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # ACL: WW Condition
    acl acl_608206c1ed1a83.32483164 path_beg -i /*

    # ACTION: WW Rule
    use_backend wwnextcloudpool if acl_608206c1ed1a83.32483164
    http-reuse safe
    server wwnextcloud 192.168.0.25:9001

Use the </> button for preformatted text; it will indent everything with 4 spaces, which will show the configuration correctly.

Appreciate it, edited my main post.

Well, I've asked in a number of places regarding HAProxy and have gotten no responses. I've reread the outdated documentation and tried for another 2 days to get it to work. Checked with 2 different networking communities and no one has any idea. Unfortunately, I can't rely on HAProxy and will have to move to nginx on OPNsense.

You can close this topic, I might come back to HAProxy sometime in the future. Have a good day.

The config shared is only listening on localhost, so it won't be accessible from anywhere else... but that seems unusual based on my experience with OPNsense.

To be honest, however, trying to wrestle what should be a very simple HAProxy config via the OPNsense UI is something I've struggled with in the past, so I feel your pain.

Hi, I use OPNsense and HAProxy and it is working pretty well. Regarding the provided information I have some questions/proposals.

1.) As andrewheberle already stated: why do you use "loopback" in the frontend? I would suggest using * (for all) or another external IP.

2.) The OPNsense GUI for HAProxy IS a pain in the ass, but it does work flawlessly if used correctly.

3.) Does your OPNsense have more than one IP? If not, as an example:
We use ours only as hosts for HAProxy and with CARP for some relays, so in our setup the web interface has to move from the default to 8443 because only one listening IP (besides CARP) is configured for the host. (More is not needed due to NAT and other perimeters in front of the system and would just increase complexity.) As already mentioned, this is only an example to show that you have to consider already-used ports on your IPs.
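As an added example (not code from any of the posters, and not an OPNsense or HAProxy tool), here is a small Python linter that reads a generated haproxy.conf and reports the problem both replies point at: frontend binds on loopback, which no host other than the firewall itself can reach. It also flags two things I would check in the posted config: a `use_backend` inside a `backend` section (HAProxy only honours `use_backend` in `frontend` and `listen` sections), and an `acl` using `path_beg` with a literal `*` (`path_beg` is a prefix match, not a glob, so `/*` only matches paths that literally begin with `/*`; the `default_backend` line is what actually routes the traffic). The embedded `POSTED` sample is a trimmed copy of the configuration in the first post with a placeholder certificate list path; `FIXED` is a constructed corrected variant, assuming `*:9001` is the intended public listener.

```python
import re
from dataclasses import dataclass, field

# Section headers: the keyword must be followed by whitespace or end of line,
# so directives such as "cache-use" or "default_backend" are not mistaken for sections.
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen|cache)(?:\s+(\S+))?\s*$")
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "localhost"}


@dataclass
class Section:
    kind: str
    name: str
    lines: list = field(default_factory=list)  # each entry is a tokenised directive


def parse(text: str) -> list:
    """Split an haproxy.conf into sections of tokenised directives (comments dropped)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append(Section(m.group(1), m.group(2) or ""))
        elif sections:
            sections[-1].lines.append(line.split())
    return sections


def _bind_address(spec: str) -> str:
    # "127.0.0.1:9001" -> "127.0.0.1", "[::1]:443" -> "::1", "*:9001" -> "*", ":443" -> ""
    return spec.rsplit(":", 1)[0].strip("[]")


def lint(text: str) -> list:
    """Return (code, section, detail) findings for a configuration text."""
    findings = []
    for sec in parse(text):
        where = f"{sec.kind} {sec.name}".strip()
        for words in sec.lines:
            if len(words) < 2:
                continue
            directive = words[0]
            if directive == "bind" and sec.kind in ("frontend", "listen"):
                addr = _bind_address(words[1])
                if addr in LOOPBACK_ADDRS or addr.startswith("127."):
                    findings.append(("loopback-bind", where,
                                     f"bind {words[1]} is reachable only from the firewall itself"))
            elif directive == "use_backend" and sec.kind == "backend":
                findings.append(("use_backend-in-backend", where,
                                 "use_backend is only honoured in frontend/listen sections"))
            elif directive == "acl" and "path_beg" in words:
                patterns = words[words.index("path_beg") + 1:]
                if any("*" in p for p in patterns if not p.startswith("-")):
                    findings.append(("glob-in-path_beg", where,
                                     "path_beg is a literal prefix match; '*' does not glob"))
    return findings


# Constructed sample: trimmed copy of the posted config, certificate list path replaced by a placeholder.
POSTED = """\
frontend WWSSL
    bind 127.0.0.1:9001 name 127.0.0.1:9001 ssl crt-list /tmp/haproxy/ssl/PLACEHOLDER.certlist
    bind 127.0.0.1:443 name 127.0.0.1:443 ssl crt-list /tmp/haproxy/ssl/PLACEHOLDER.certlist
    mode http
    default_backend wwnextcloudpool
    acl acl_ww path_beg -i /*
    use_backend wwnextcloudpool if acl_ww

backend wwnextcloudpool
    mode http
    acl acl_ww path_beg -i /*
    use_backend wwnextcloudpool if acl_ww
    server wwnextcloud 192.168.0.25:9001
"""

# Constructed corrected variant: public listener on all addresses, plain prefix ACL, no routing rule in the backend.
FIXED = """\
frontend WWSSL
    bind *:9001 name public_9001 ssl crt-list /tmp/haproxy/ssl/PLACEHOLDER.certlist
    mode http
    default_backend wwnextcloudpool
    acl acl_ww path_beg -i /
    use_backend wwnextcloudpool if acl_ww

backend wwnextcloudpool
    mode http
    server wwnextcloud 192.168.0.25:9001
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(f"== {label}: {len(lint(cfg))} finding(s)")
        for code, where, detail in lint(cfg):
            print(f"  [{code}] {where}: {detail}")
```

Run it against the file OPNsense generates (`/usr/local/etc/haproxy.conf` on that platform, as I understand it; adjust the path if yours differs) by reading the file into `lint()`. A `loopback-bind` finding on the frontend is the answer to "why does the port forward work without HAProxy but not with it": the listener exists only on the firewall's own loopback address.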