Hi guys,
I have a question concerning hosting a Nextcloud AiO behind HAProxy.
On the github page of the Nextcloud AiO I found this guide. This is the expected setup:
global
chroot /var/haproxy
log /var/run/log audit debug
lua-prepend-path /tmp/haproxy/lua/?.lua
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
option redispatch -1
retries 3
default-server init-addr last,libc
# Frontend: LetsEncrypt_443 ()
frontend LetsEncrypt_443
bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /tmp/haproxy/ssl/605f6609f106d1.17683543.certlist
mode http
option http-keep-alive
default_backend acme_challenge_backend
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: find_acme_challenge
acl acl_605f6d4b6453d2.03059920 path_beg -i /.well-known/acme-challenge/
# ACL: Nextcloud
acl acl_60604e669c3ca4.13013327 hdr(host) -i <your-nc-domain>
# ACTION: redirect_acme_challenges
use_backend acme_challenge_backend if acl_605f6d4b6453d2.03059920
# ACTION: Nextcloud
use_backend Nextcloud if acl_60604e669c3ca4.13013327
# Frontend: LetsEncrypt_80 ()
frontend LetsEncrypt_80
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend acme_challenge_backend
# tuning options
timeout client 30s
# logging options
# ACL: find_acme_challenge
acl acl_605f6d4b6453d2.03059920 path_beg -i /.well-known/acme-challenge/
# ACTION: redirect_acme_challenges
use_backend acme_challenge_backend if acl_605f6d4b6453d2.03059920
# Frontend (DISABLED): 1_HTTP_frontend ()
# Frontend (DISABLED): 1_HTTPS_frontend ()
# Frontend (DISABLED): 0_SNI_frontend ()
# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server acme_challenge_host 127.0.0.1:43580
# Backend: Nextcloud ()
backend Nextcloud
mode http
balance source
server Nextcloud localhost:11000 # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below
I tried to set it up in OPNSense, but unfortunately, the error “400 Bad request” occurs.
Now I would like to ask, if you could check my configuration and help me to set it up correctly.
For this, I put my current configuration in the annex.
If you need more information, just ask.
I used these guides for the setup of haproxy:
#1
#2
#3
In the logs of the nextcloud aio mastercontainer I found the following:
NOTICE: PHP message: The response of the connection attempt to "https://nextcloud.xyz.cc:443" was: <!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8" /> <title>400 Bad Request</title> </head> <body> <h1>400 Bad Request</h1> </body></html>
NOTICE: PHP message: Expected was: fe6210d73356ad54fafe06268a516c6c9ec6b6eb98ecb27f
NOTICE: PHP message: The error message was:
NOTICE: PHP message: Please follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things in order to debug things!
Thank you for your help.
Maginos
This is the configuration I have right now:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
ocsp-update.mindelay 300
ocsp-update.maxdelay 3600
httpclient.resolvers.prefer ipv4
tune.ssl.default-dh-param 2048
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 debug
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: Public_facing_Pool ()
frontend Public_facing_Pool
bind 0.0.0.0:80 name 0.0.0.0:80 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/66b27d2fad3150.94967269.certlist
mode http
option http-keep-alive
# logging options
# ACL: nextcloud2
acl acl_66be5bfb83c992.25957275 hdr_beg(host) -i nextcloud2.xyz.cc
# ACL: nextcloud-aio-docker
acl acl_66be5cd316acb9.27188494 hdr_beg(host) -i nextcloud.xyz.cc
# ACTION: httpsredirect
http-request redirect scheme https code 301 if !acl_66b4b049acd730.71159202
# ACTION: nextcloud2
use_backend nextcloud2 if acl_66be5bfb83c992.25957275
# ACTION: nextcloud-aio-docker
use_backend nextcloud-aio-docker if acl_66be5cd316acb9.27188494
# Frontend: SSL ()
frontend SSL
http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
bind 0.0.0.0:443 name 0.0.0.0:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/66b4ee8b0a4796.92529650.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
# ACL: nextcloud2
acl acl_66be5bfb83c992.25957275 hdr_beg(host) -i nextcloud2.xyz.cc
# ACL: nextcloud-aio-docker
acl acl_66be5cd316acb9.27188494 hdr_beg(host) -i nextcloud.xyz.cc
# ACTION: nextcloudls
use_backend NextcloudLS if acl_66b4a4a52852b9.64013797
# ACTION: nextcloud2
use_backend nextcloud2 if acl_66be5bfb83c992.25957275
# ACTION: nextcloud-aio-docker
use_backend nextcloud-aio-docker if acl_66be5cd316acb9.27188494
# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
option log-health-checks
# health check: Acme Challenge Host
option httpchk
http-check send meth OPTIONS uri / ver HTTP/1.0
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server acme_challenge_host 127.0.0.1:43580 check inter 10000 downinter 900000 port 43580
# Backend: nextcloud2 ()
backend nextcloud2
option log-health-checks
# health check: Nextcloud 2
option httpchk
http-check send meth OPTIONS uri / ver HTTP/1.0
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
timeout connect 30s
timeout server 30s
http-reuse safe
server nextcloud2 10.50.1.4:11000 check inter 10000 port 11000 ssl alpn h2,http/1.1 verify required ca-file /usr/local/etc/ssl/cert.pem
# Backend: nextcloud-aio-docker ()
backend nextcloud-aio-docker
option log-health-checks
# health check: Nextcloud AiO Docker
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
timeout connect 30s
timeout server 30s
http-reuse safe
option forwardfor
server nextcloud-aio-docker 10.50.1.2:11000 check inter 10000 port 11000 send-proxy-v2 check-send-proxy
# statistics are DISABLED