SSL Offloading stopped working after some time (update?!)

Hello together :wink:

I have an issue with my (once working) HA-Proxy on my opensense firewall :roll_eyes: It is used to offload the (Letsencrypt) SSL certificate for my server instances (nextcloud and truenas) - I thought this is the more elegant way, then copying the certificate to the servers on every Letsencrypt update. But it stopped working (I have automativ updates activated) with following error message:

[NOTICE] (46781) : haproxy version is 2.4.15
[NOTICE] (46781) : path to executable is /usr/local/sbin/haproxy
[ALERT] (46781) : parsing [/usr/local/etc/haproxy.conf.staging:44] : 'bind' : invalid address: 'nextcloud.<domain>.de' in 'nextcloud.<domain>.de:443'
[ALERT] (46781) : parsing [/usr/local/etc/haproxy.conf.staging:45] : 'bind' : invalid address: 'truenas.<domain>.de' in 'truenas.<domain>.de:443'
[ALERT] (46781) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] (46781) : Fatal errors found in configuration.

I don’t really understand this Error. For sure the address is not present - HA-Proxy should listen at this adress.

When I give the servers the hostname (used for listening) in the static dhcp table or via Unbound DNS, the Error vanishes and I can safe the config. …but HA - Proxy does not start up, because there is a conflict with the name (surprise! :grimacing:).

I think a good analysis start is the config opnsense generates:

# Automatically generated configuration.
# Do not edit this file manually.

    uid                         80
    gid                         80
    chroot                      /var/haproxy
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: frontend_ssl_injection ()
frontend frontend_ssl_injection
    bind nextcloud.<domain>.de:443 name nextcloud.<domain>.de:443 ssl  crt-list /tmp/haproxy/ssl/620b750b826711.38878536.certlist 
    bind truenas.<domain>.de:443 name truenas.<domain>.de:443 ssl  crt-list /tmp/haproxy/ssl/620b750b826711.38878536.certlist 
    mode http
    option http-keep-alive
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: nextcloud_bedingung
    acl acl_620ba6f6251f72.51186815 hdr_beg(host) -i nextcloud
    # ACL: truenas_bedingung
    acl acl_620bbec7c8bf05.22443063 hdr_beg(host) -i truenas

    # ACTION: nextcloud_regel
    use_backend nextcloud_backend if acl_620ba6f6251f72.51186815
    # ACTION: truenas_regel
    use_backend truenas_backend if acl_620bbec7c8bf05.22443063

# Backend: nextcloud_backend ()
backend nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server nextcloud_server XX.XX.XX.XX:443 ssl verify none

# Backend: truenas_backend ()
backend truenas_backend
    # health checking is DISABLED
    mode http
    balance uri
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server truenas_server YY.YY.YY.YY:443 ssl verify none

# Backend (DISABLED): brother_backend ()

listen local_statistics
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    stats admin     if TRUE

# statistics are DISABLED

I might have missunderstood this proxy completely :grimacing: Hopefully you can help - please :coffee:

Have a nice day!

It seemed to have worded because of a kernel setting, that might have changed later on (the kernel seems to prevent now from binding haproxy to an adress used anywhere else).

I found a solution on my own now… Read the tutorial: OPNsense - Router - and came to the idea to add a virtual IP (Interfaces / Virtual IPs / Settings → Add, Mode IP Alias).
This virtual address is now used to let haproxy listen on.
Via Unbound DNS (Services / Unbound DNS / Overrides / Host Overrides → Add) I map my subdomains to this one virtual Adress and erverything is working like charm!

Have a nice day!