Looking for HAProxy behind Cloudflare tutorial / example

Oh yeah!!! :slight_smile:
It’s working!!
I wasn’t able to rebuild your fancy setup, although I’d like to!
I installed crowdsec, but things with the bouncer didn’t work. However, it would be nice to see the original IPs of the visitors: I set my firewall up to allow access only from certain countries, and having the real addresses hidden behind Cloudflare is not ideal. (Cloudflare passes the visitor’s address in the CF-Connecting-IP request header, which HAProxy can log or match on; the TCP source address at the origin is always a Cloudflare edge.)
The frontend for internal IPs is also neat! But I wasn’t sure what to do with the wildcard certificate. As far as I know it cannot be downloaded from Cloudflare. I will look into generating my own with the certbot Cloudflare plugin/API (Welcome to certbot-dns-cloudflare’s documentation! — certbot-dns-cloudflare 0 documentation; other DNS services here: User Guide — Certbot 2.4.0 documentation).
Thanks for your help! Highly appreciated!

For everyone else looking for a simple working example, see below (it is simplexion’s config, lightly trimmed, plus `ssl verify none` on the backend servers at the end — note that this disables certificate validation on the internal hop to each backend):

# Process-wide settings (logging, privilege drop, runtime API, limits).
global
    log /dev/log local0
    log /dev/log local1 notice
    # Drop into a chroot after start-up; files referenced elsewhere in this
    # config (certificates, errorfiles) are read before that happens.
    chroot /var/lib/haproxy
    # Runtime API socket with admin level: anyone in the 'haproxy' group can
    # disable servers, change weights or dump state, so keep that group tight.
    # 'expose-fd listeners' is what allows seamless reloads to hand over sockets.
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    user haproxy
    group haproxy
    daemon
    maxconn 40000
    ulimit-n 81000
    # Relative 'crt' paths on bind lines are resolved against this directory.
    crt-base /etc/haproxy/certificates/

    ## Crowdsec bouncer (disabled; uncomment all three lines together once the
    ## bouncer is installed and its config file exists)
    #lua-prepend-path /usr/lib/crowdsec/lua/haproxy/?.lua
    #lua-load /usr/lib/crowdsec/lua/haproxy/crowdsec.lua
    #setenv CROWDSEC_CONFIG /etc/crowdsec/bouncers/crowdsec-haproxy-bouncer.conf

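# Settings inherited by every frontend/backend below unless overridden there.
defaults
    mode http
    option httplog
    # Adds an X-Forwarded-For header carrying the connection's source address.
    # On the 'cloudflare' frontend that address is the Cloudflare edge (it is
    # delivered through the loopback hop with PROXY protocol v2), not the
    # visitor; the visitor's address is what Cloudflare itself puts in
    # CF-Connecting-IP / its own X-Forwarded-For.
    option forwardfor
    option dontlognull
    log global
    timeout client 30s
    timeout server 30s
    timeout connect 5s
    # Bound the time a client may take to send a complete request header.
    # Without it a client can hold a connection slot open for 'timeout client'
    # (30s, renewed on every byte) by trickling header bytes.
    timeout http-request 10s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http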

# Optional stats page (disabled). If enabled: bind it to a management address
# or 127.0.0.1 rather than *:8404 -- it exposes backend names and addresses --
# and replace the placeholder credentials with a real password.
#listen stats
#    bind *:8404
#    stats enable
#    stats hide-version
#    stats realm Haproxy\ Statistics
#    stats uri /haproxy_stats
#    stats auth HAProxy:Password

# Plain-HTTP entry point: every request on :80 is answered with a permanent
# redirect to the same URL over https (inherits 'mode http' from defaults).
frontend http-redirect
    bind *:80
    http-request redirect scheme https code 301

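# TLS pass-through entry point on :443. Only the source IP and the TLS
# ClientHello are inspected here; the stream is handed on unmodified to the
# 'cloudflare' backend, which loops it back to the TLS-terminating frontend.
frontend https-redirect
    bind *:443
    mode tcp
    option tcplog
    # Cloudflare's published edge ranges, one per line (https://www.cloudflare.com/ips-v4).
    # 'src' is the real peer on this first hop (no PROXY protocol), so it can be
    # trusted for filtering. Keep the file current; add the ips-v6 ranges if this
    # bind is ever extended to IPv6.
    acl cloudflare src -f /etc/haproxy/CF_ips.lst
    #acl internal src 192.168.210.0/24
    # Reject peers that are not Cloudflare at accept time, before the inspect
    # delay below can be used to tie up a connection slot for 5s. Previously a
    # non-Cloudflare client simply matched no backend and was closed only after
    # the delay. If the 'internal' ACL is enabled, change this to
    # 'reject unless cloudflare || internal'.
    tcp-request connection reject unless cloudflare
    # Wait up to 5s for a TLS ClientHello before deciding where to route.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend cloudflare if cloudflare
    #use_backend internal if internal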

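# TLS termination for traffic that arrived via Cloudflare. Reached only through
# the 'cloudflare' backend's loopback hop, which forwards the original peer
# address (the Cloudflare edge) with PROXY protocol v2.
frontend cloudflare
    # Listen on loopback only. With accept-proxy, anything that can reach this
    # port directly could supply a forged PROXY header and bypass the source-IP
    # filter on :443; binding to *:7000 exposed it on every interface. The
    # 'cloudflare' backend dials 127.0.0.1:7000, so nothing else changes.
    bind 127.0.0.1:7000 accept-proxy ssl crt domain.com.pem
    # NOTE(review): to additionally prove the TLS client is Cloudflare and not
    # something that spoofed its way past the IP list, enable Cloudflare's
    # Authenticated Origin Pulls and add 'verify required ca-file <origin-pull CA>'
    # to the bind line above -- confirm the CA bundle path before enabling.

    # Record the visitor's address as sent by Cloudflare in the access log
    # (the connection's own 'src' is the Cloudflare edge). 45 chars fits IPv6.
    http-request capture req.hdr(CF-Connecting-IP) len 45

    # Host-header ACLs. (Despite the original comment these are not SNI checks;
    # the TLS SNI would be ssl_fc_sni. Routing on the HTTP Host header is what
    # the backends see, so it is used here.)
    acl nextcloud hdr(host) -i nextcloud.domain.com
    acl grafana hdr(host) -i grafana.domain.com

    # Route on the Host header; anything else falls through to the 403 below
    use_backend nextcloud if nextcloud
    use_backend grafana if grafana

    # Unknown hosts are denied rather than forwarded anywhere
    default_backend no-match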

# Loopback hop from the TCP pass-through frontend into the TLS-terminating
# 'cloudflare' frontend. 'send-proxy-v2' prepends a PROXY protocol v2 header so
# the receiving frontend sees the original peer address instead of 127.0.0.1.
backend cloudflare
    mode tcp
    server loopback-for-tls 127.0.0.1:7000 send-proxy-v2

# Normal Backends

# Catch-all for requests whose Host header matched no ACL: answer 403 directly
# (no 'server' line is needed, the deny is generated by HAProxy itself).
backend no-match
    http-request deny deny_status 403

# Re-encrypts to the Nextcloud host. 'verify none' skips validation of the
# backend's certificate, so a host on the internal segment able to intercept
# this hop could impersonate Nextcloud; if the backend has a stable CA, prefer
# 'verify required ca-file <ca.pem> sni str(nextcloud.domain.com)'.
backend nextcloud
    server nextcloud 172.16.3.2:443 check ssl verify none

# Re-encrypts to the Grafana host; same 'verify none' caveat as the nextcloud
# backend (no certificate validation on the internal hop).
# NOTE(review): 172.168.3.3 is not a private (RFC 1918) address, unlike the
# 172.16.3.2 used for nextcloud -- looks like a typo for 172.16.3.3; confirm.
backend grafana
    server grafana 172.168.3.3:443 check ssl verify none
