HAProxy community

HAProxy with OPNSense and DMZ?

Hi.
I tried to install HAProxy on our OPNSense-FW and found a step-by-step-instruction…
now some things are working while others dont. I cant’ find the mistake – maybe one of the wizzzards here?

I have a DMZ with 172.17.17.0/24 and OPNSense on .254
I used two virtual devices: 172.17.17.252 and .253 and as a Test-Server 172.17.17.5 (later for nextcloud)

When I use http(s)://nextcloud2.linux.my-domain.com in my LAN everything works fine. The apache2 answers correctly for Port 80 and 443. So I guess the configuration is ok?

I also already set a CNAME to *.linux.my-domain.com on our external Server (my-domain.com) and a port forwading for 80 and 443 to the WAN-IP of the OPNSense.

So ping nextcloud2.linux.my-domain.com works everywhere.

Nevertheless I can’t access the nextcloud-Host behind the Rev.Proxy from my DMZ, WAN or from outside.
Can anyone tell me what’s wrong or missing?
DMZ: HTTP/1.1 301 Moved Permanently
WAN: No route to host.

Thanks for a hint.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket level admin
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: http_DMZ_WAN (internal and external http)
frontend http_DMZ_WAN
    bind 172.17.17.252:80 name 172.17.17.252:80 
    bind 172.17.17.253:80 name 172.17.17.253:80 
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: find_acme_challenge
    acl acl_45e5bfd9525e2e7.18783878 path_beg -i /.well-known/acme-challenge/
    # ACL: Nextcloud_Bedingung
    acl acl_5ebafdd99a40d7.14505678 hdr_end(host) -i nextcloud2.linux.my-domain.com

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_45e5bfd9525e2e7.18783878
    # ACTION: Nextcloud
    use_backend Nextcloud_Backend if acl_5ebafdd99a40d7.14505678

# Frontend: https_DMZ_WAN (internal and external https)
frontend https_DMZ_WAN
    bind 172.17.17.252:443 name 172.17.17.252:443 ssl  crt-list /tmp/haproxy/ssl/4baf2ad81dea1.61416316.certlist 
    bind 172.17.17.253:443 name 172.17.17.253:443 ssl  crt-list /tmp/haproxy/ssl/4baf2ad81dea1.61416316.certlist 
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Nextcloud_Bedingung
    acl acl_5ebafdd99a40d7.14505678 hdr_end(host) -i nextcloud2.linux.my-domain.com

    # ACTION: Nextcloud
    use_backend Nextcloud_Backend if acl_5ebafdd99a40d7.14505678

# Frontend: https_DMZ (internal https)
frontend https_DMZ
    bind 172.17.17.253:443 name 172.17.17.253:443 ssl  crt-list /tmp/haproxy/ssl/5dbaf62c571809.61471992.certlist 
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options

# Backend: Nextcloud_Backend (Nextcloud_Backend)
backend Nextcloud_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # ACL: not-SSL
    acl acl_5dbaf90c2d38c3.66671068 req.proto_http

    # ACTION: redirect_SSL
    http-request redirect scheme https code 301 if acl_5dbaf90c2d38c3.66671068

    http-reuse safe
    server nextcloud_Host 172.17.17.5:443 

# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580 

No idea?
Is the bind address correct like this?

Meanwhile I’m able to connect via
curl -v <from LAN>, <from DMZ> and from another <WAN-IP>-address without problems via http (80) and https (443) – but when I try it from “outside” via
curl -v http(s)://nextcloud2.linux.my-domain..com
I always get Connection refused … but no hint in the Logs.

Who can help?