Hello,
I just bought a domain for my personal blog.
I point my domain to my firewall that hosts my haproxy.
However, my domain can’t reach my backend, it’s running in a loop.
Here is my haproxy configuration :
global
log 127.0.0.1 local0 debug
log /dev/log local0 notice
maxconn 1024
chroot /var/haproxy
uid 604
gid 604
daemon
stats socket /var/run/haproxy.sock mode 666 level admin
pidfile /var/run/haproxy.pid
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
tune.ssl.default-dh-param 2048
tune.maxrewrite 16384
tune.bufsize 65535
defaults
log global
mode http
option redispatch
option forwardfor
retries 3
maxconn 2000
timeout server 60s
timeout connect 5s
timeout client 10s
log-format "%ci [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
frontend http-s-domain
bind *:80
bind *:443 ssl crt /etc/haproxy/ssl/storage.domain.com.haproxy.pem crt /etc/haproxy/ssl/another.com.haproxy.pem crt-list /etc/haproxy/ssl/client_crt no-sslv3
mode http
option httplog clf
option forwardfor
option http-keep-alive
capture request header Host len 64
capture request header Referer len 128
capture request header User-Agent len 128
capture request header X-Hit-Front len 128
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
acl storage-domain hdr(host) -i storage.domain.com
###################
### ACL CLIENTS ###
###################
acl another-blog hdr(host) -i another.com
# HTTP->HTTPS
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request add-header X-Forwarded-Proto http unless { ssl_fc }
#www to non-www
#catch all domains that begin with 'www.'
acl host_www hdr_beg(host) -i www.
#remove 'www.' part from host name
reqirep ^Host:\ www.(.*)$ Host:\ \1 if host_www
#now hostname does not contain 'www.' so we can
#redirect to the same url
redirect code 301 prefix / if host_www
use_backend letsencrypt-backend if letsencrypt-acl
use_backend nextcloud-storage-domain if storage-domain
use_backend another-blog-prod if another-blog
backend nextcloud-storage-domain
http-response set-header Referrer-Policy no-referrer-when-downgrade
http-response set-header X-Content-Type-Options: nosniff
http-response set-header X-XSS-Protection: 1;mode=block
http-response set-header X-Frame-Options: SAMEORIGIN
http-response set-header Strict-Transport-Security max-age=31536000;includeSubDomains;preload
default-server inter 4s
timeout server 2h
http-check expect status 200
server ncd01 X.X.X.X:8080 cookie A check port 8080 fall 5 rise 3
backend another-blog-prod
mode http
default-server inter 4s
timeout server 2h
http-check expect status 200
server web01 X.X.X.X:443 cookie A check port 443 fall 5 rise 3
backend letsencrypt-backend
server letsencrypt 127.0.0.1:1375 check
root@haproxy:~# curl -ILk https://X.X.X.X
HTTP/1.1 200 OK
Etag: 22164-46b9-5e58d731
Content-Type: text/html; charset=utf-8
Content-Length: 18105
Last-Modified: Fri, 28 Feb 2020 09:02:41 GMT
Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
Server: WEBrick/1.4.2 (Ruby/2.5.5/2019-03-15) OpenSSL/1.1.1d
Date: Fri, 28 Feb 2020 09:15:37 GMT
Connection: Keep-Alive
Is it possible to get your opinion on it?