Help with getting HTTPS working through PHPIPAM/Docker using HAProxy

Hello,

I’m trying something a bit funky with PHPIPAM and there’s a specific issue with HTTPS via HAProxy that I’m hoping someone might be able to give me some assistance with.

I’m trying to do an eval build out of PHPIPAM for potential use at my company. It’s in a lab environment for now, running primarily in a Docker setup on my laptop. I’m using the PHPIPAM team’s stock docker images for the buildout (Docker Hub) as well as a stock MySQL container for the backend. I’ve created a separate user-defined network for the build (net-phpipam).

I’m not using compose just yet - it’s been easier for me to troubleshoot by building the containers separately and then fiddling with settings and logs individually. I’ll likely end up switching to compose once I have all the particulars sorted out.

The build works fine when I use straight HTTP to connect to the environment (tcp/80) - I can get to the PHPIPAM main page, login and interact with the system. I’ve run into issues with trying to get HAProxy running in front of it acting as an SSL/TLS front-end. The HAProxy based access works fine if just front-ending PHPIPAM with HTTP (tcp/80) (Connect to HAProxy via tcp/80 and then on through to PHPIPAM via tcp/80). But if I try to force a switch to HTTPS through HAProxy (Connect to HAProxy via tcp/443, SSL/TLS negotiate and then through on to PHPIPAM via tcp/80), then things go screwy.

Just to confirm that HAProxy is working, I’ve built a test Apache docker instance and switched HAProxy to front end that instead of PHPIPAM with HTTPS - that works fine. It’s only when I try to front-end PHPIPAM with HAProxy that I start to run into issues.

I’ll attach the docker container build scripts, flow diagram, HAProxy config and a screenshot of the error that I’m getting. I’m hoping someone can take a look and give me some suggestions as to what to try to solve it. The solution I’m looking for is to be able to connect to PHPIPAM using HTTPS so that I can pass things like authentication credentials to the system over the network in an encrypted format.

Thanks,

T.



```
#
# HAProxy configuration for phpipam - reverse proxy with an HTTPS front-end, proxying to an HTTP backend
#
global
    daemon
    maxconn 256

defaults
    mode http
    log syslog-ng:514 local0 info
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend phpipam-rp
    # bind *:80
    bind *:443 ssl crt /etc/ssl/certs
    http-request redirect scheme https code 301 unless { ssl_fc }
    default_backend phpipam-web

backend phpipam-web
    server server1 phpipam-web:80 maxconn 32
    # server server1 httpd-test:80 maxconn 32
```


```
#
# Create the HAPROXY reverse proxy for TLS connection termination
#

docker create \
  --name haproxy-phpipam \
  --network net-phpipam \
  -v /opt/haproxy-etc:/usr/local/etc/haproxy:ro \
  -v /opt/haproxy-certs:/etc/ssl/certs:ro \
  --sysctl net.ipv4.ip_unprivileged_port_start=0 \
  -p 80:80 \
  -p 443:443 \
  haproxy
```


```
#
# Creation of the PHPIPAM web front-end
#

docker create \
  --name phpipam-web \
  --network net-phpipam \
  -e TZ=America/New_York \
  -e IPAM_DATABASE_HOST=mysql-phpipam \
  -e IPAM_DATABASE_NAME=phpipam \
  -e IPAM_DATABASE_USER=phpipam \
  -e IPAM_DATABASE_PASS=XXXXXXXXXX \
  phpipam/phpipam-www
```


```
#
# Create the MYSQL container to be used for PHPIPAM
#

docker create \
  --name mysql-phpipam \
  --network net-phpipam \
  -e MYSQL_ROOT_PASSWORD=XXXXXXXXXX \
  -e MYSQL_DATABASE=phpipam \
  -e MYSQL_USER=phpipam \
  -e MYSQL_PASSWORD=XXXXXXXXXX \
  -v /opt/mysql-data:/var/lib/mysql \
  mysql
```

PHPIPAM points to http on port 80, because it doesn’t know better. Try adding the following header, to see if PHPIPAM understands it:

http-request set-header X-Forwarded-Proto https if { ssl_fc }

Otherwise check PHPIPAM documentation and support channels for advice on how to configure it for a reverse proxy configuration with SSL offload.
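
A quick way to check whether a backend behind the TLS front-end still emits plain-HTTP redirects, as an added example that is not part of the original thread. It assumes the symptom shows up as an absolute `http://` `Location` header; the host name `ipam.lab.example` and both sample responses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify the redirect target in an HTTP
# response read on stdin. Prints one of: https, http, relative, none.
check_redirect_scheme() {
    tr -d '\r' | awk '
        tolower($0) ~ /^location:/ {        # header names are case-insensitive
            sub(/^[^:]*:[ \t]*/, "")        # drop the header name and padding
            url = tolower($0)
            if (url ~ /^https:\/\//)      { print "https" }
            else if (url ~ /^http:\/\//)  { print "http" }      # scheme downgrade
            else                          { print "relative" }  # inherits client scheme
            found = 1
            exit
        }
        END { if (!found) print "none" }
    '
}

# Live probe through the proxy. Assumptions: curl is installed, and -k is
# acceptable because the lab certificate is self-signed. $1 is the proxy host.
probe() {
    curl -skI "https://$1/" | check_redirect_scheme
}

# Constructed sample responses, not captured from a real phpIPAM instance.
sample_without_header() {
    printf 'HTTP/1.1 302 Found\r\nLocation: http://ipam.lab.example/login/\r\n\r\n'
}
sample_with_header() {
    printf 'HTTP/1.1 302 Found\r\nlocation: https://ipam.lab.example/login/\r\n\r\n'
}

echo "without X-Forwarded-Proto: $(sample_without_header | check_redirect_scheme)"
echo "with X-Forwarded-Proto:    $(sample_with_header | check_redirect_scheme)"
```

A result of `http` from `probe` means the backend is still building URLs from the plain-HTTP hop it sees, so the browser would be sent back to port 80.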

That did the trick :slight_smile:

My thanks.

I’d posted a similar query to the PHPIPAM forum - I’ll point to this answer for that group’s edification as well.