
Problem with my backend

Hello,

I just bought a domain for my personal blog.

I point my domain to my firewall that hosts my haproxy.

However, my domain can’t reach my backend: the requests end up in a loop.

Here is my HAProxy configuration:

global
        # Two log targets: UDP syslog on localhost at debug level and the
        # local /dev/log socket at notice level.
        log 127.0.0.1   local0 debug
        log /dev/log    local0 notice
        maxconn 1024
        # Process is confined to /var/haproxy and drops to uid/gid 604 after
        # binding its ports.
        chroot /var/haproxy
        uid 604
        gid 604
        daemon
        # NOTE(review): mode 666 with level admin makes the runtime API
        # world-writable, so any local account can disable servers or change
        # weights; a tighter mode (e.g. 600 or a dedicated group) is the
        # usual choice for an admin-level socket.
        stats socket /var/run/haproxy.sock mode 666 level admin
        pidfile /var/run/haproxy.pid
    # TLS defaults for the listening side (bind lines): TLS 1.2 cipher list,
    # TLS 1.3 ciphersuites, and legacy protocol versions disabled.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    # Same policy for the server side (connections HAProxy opens with ssl).
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

        tune.ssl.default-dh-param 2048
        # Larger buffers than HAProxy's defaults; tune.maxrewrite is the part
        # of tune.bufsize reserved for header rewrites (reqirep below).
        tune.maxrewrite 16384
        tune.bufsize 65535

defaults
        log     global
        mode    http
        # redispatch only matters when a persistence cookie pins a request
        # to a server; forwardfor adds X-Forwarded-For with the client IP.
        option  redispatch
        option  forwardfor
        retries 3
        maxconn 2000
        # Backends below override timeout server with 2h.
        timeout server 60s
        timeout connect 5s
        timeout client 10s
        # Custom HTTP log line; %hr/%hs are the captured request/response
        # headers declared in the frontend.
        log-format "%ci [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"

frontend http-s-domain

        # Plain HTTP and TLS on the same frontend; routing is by Host header.
        # no-sslv3 here is already implied by ssl-default-bind-options in
        # global. crt-list /etc/haproxy/ssl/client_crt is a list of server
        # certificates (crt-list does not configure client-cert auth) --
        # verify that is what the file is meant to be.
        bind *:80
        bind *:443 ssl crt /etc/haproxy/ssl/storage.domain.com.haproxy.pem crt /etc/haproxy/ssl/another.com.haproxy.pem crt-list /etc/haproxy/ssl/client_crt no-sslv3
        # mode http and option forwardfor are already inherited from defaults.
        mode    http
        option  httplog clf
        option  forwardfor
        option  http-keep-alive

        # Captured headers feed %hr in the log-format from defaults.
        capture request header Host len 64
        capture request header Referer len 128
        capture request header User-Agent len 128
        capture request header X-Hit-Front len 128

        acl letsencrypt-acl path_beg /.well-known/acme-challenge/

        # Exact, case-insensitive Host match (no port suffix, no subdomains).
        acl storage-domain hdr(host) -i storage.domain.com

        ###################
        ### ACL CLIENTS ###
        ###################
        acl another-blog hdr(host) -i another.com

        # HTTP->HTTPS
        # NOTE(review): add-header appends; a client-supplied
        # X-Forwarded-Proto is still passed through ahead of ours, so the
        # backend may trust the wrong value. set-header replaces any existing
        # header and is the safer choice for a proxy-asserted field.
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        http-request add-header X-Forwarded-Proto http unless { ssl_fc }
        #www to non-www
        #catch all domains that begin with 'www.'
        acl host_www      hdr_beg(host) -i www.

        #remove 'www.' part from host name
        # NOTE(review): reqirep is a legacy directive (deprecated in 2.1,
        # removed in 2.2 -- check the installed version). The modern
        # equivalent is a single http-request redirect using the regsub
        # converter on hdr(host), which also avoids depending on the order
        # in which reqirep and redirect rules are evaluated.
        reqirep ^Host:\ www.(.*)$ Host:\ \1 if host_www
        #now hostname does not contain 'www.' so we can
        #redirect to the same url
        redirect code 301 prefix / if host_www

        use_backend letsencrypt-backend if letsencrypt-acl

        use_backend nextcloud-storage-domain if storage-domain

        # No default_backend: a request whose Host matches none of the ACLs
        # above (e.g. curl against the bare IP) gets a 503 from HAProxy.
        use_backend another-blog-prod if another-blog

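backend nextcloud-storage-domain
        # Security headers stamped on every response from this backend.
        # http-response set-header takes <name> <fmt>; the name must not
        # carry a trailing colon, otherwise the header is emitted as
        # "Name:: value" and browsers ignore it. Values containing ';' are
        # quoted so the config parser keeps them as one argument.
        http-response set-header Referrer-Policy no-referrer-when-downgrade
        http-response set-header X-Content-Type-Options nosniff
        http-response set-header X-XSS-Protection "1;mode=block"
        http-response set-header X-Frame-Options SAMEORIGIN
        http-response set-header Strict-Transport-Security "max-age=31536000;includeSubDomains;preload"
        default-server inter 4s
        # Long-running uploads/downloads; overrides the 60s in defaults.
        timeout server 2h
        # NOTE(review): http-check expect only applies when option httpchk is
        # set; without it the check is a plain TCP connect -- confirm intent.
        http-check expect status 200
        # NOTE(review): "cookie A" has no effect without a backend-level
        # cookie directive naming the persistence cookie.
        server ncd01 X.X.X.X:8080 cookie A check port 8080 fall 5 rise 3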

backend another-blog-prod
        mode http
        default-server inter 4s
        timeout server 2h
        # NOTE(review): http-check expect has no effect without option
        # httpchk (the check is then a bare TCP connect) -- confirm intent.
        http-check expect status 200
        # NOTE(review): the server is addressed on port 443 but the line has
        # no "ssl" keyword, so HAProxy sends plaintext HTTP to it. The curl
        # output further down shows the origin answering TLS on that port
        # (WEBrick with OpenSSL), so this backend likely needs
        # "ssl verify required ca-file <ca-bundle>" (or a plaintext port)
        # for the connection to succeed. "cookie A" is inert without a
        # backend cookie directive.
        server web01 X.X.X.X:443 cookie A check port 443 fall 5 rise 3

backend letsencrypt-backend
# Local ACME client (HTTP-01) reached via the /.well-known/acme-challenge/
# ACL in the frontend; only ever receives plain HTTP.
server letsencrypt 127.0.0.1:1375 check
root@haproxy:~# curl -ILk https://X.X.X.X
HTTP/1.1 200 OK
Etag: 22164-46b9-5e58d731
Content-Type: text/html; charset=utf-8
Content-Length: 18105
Last-Modified: Fri, 28 Feb 2020 09:02:41 GMT
Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
Server: WEBrick/1.4.2 (Ruby/2.5.5/2019-03-15) OpenSSL/1.1.1d
Date: Fri, 28 Feb 2020 09:15:37 GMT
Connection: Keep-Alive

Is it possible to get your opinion on it?

Your curl call does not show the issue. For it to be useful, it would have to show the actual issue, which is endless redirects, is that correct?

internal network: works

external network: doesn’t work

You’d have to elaborate.

As I said, I can’t access my web server behind my haproxy from the outside.

However, if I connect to my vpn in order to access my network, I access my web server.

On my haproxy I have linked my two domains.

On my main domain, the backend is reached correctly.

On my secondary domain, I encounter the problem I mentioned.