I am unable to access Nextcloud behind an HAProxy config. Any pointers would be really helpful!
Here's my current hardware setup:
NextcloudPi running on a RaspberryPi3 - functions perfectly when accessed through the IP address/domain when HAProxy is disabled. HAProxy is installed on this server. If it's worth mentioning, I am able to access the web UI of NCP on port 4443 even with HAProxy enabled.
YunoHost installed on an Odroid XU4 - functions perfectly when accessed both before and after HAProxy is enabled.
Here's my haproxy config:
frontend ft_https
    mode tcp
    option tcplog
    bind *:443
    # wait for the TLS ClientHello so req.ssl_sni is available for the ACLs below
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl domain1_com req.ssl_sni -m end domain1.com
    acl domain2_com0 req.ssl_sni -i www.domain2.com
    acl domain2_com1 req.ssl_sni -i domain2.com
    use_backend b_domain1_com if domain1_com
    use_backend b_domain2_com if domain2_com0
    use_backend b_domain2_com if domain2_com1
    default_backend b_default

backend b_default
    mode tcp
    option tcplog
    server srv_default 127.0.0.1:1443

backend b_domain1_com
    mode tcp
    option tcplog
    server srv_domain1 192.168.1.254:1443

backend b_domain2_com
    mode tcp
    option tcplog
    # note: 271 is not a valid IPv4 octet (0-255); double-check this address
    server srv_domain2 192.168.1.271:443
I enabled forwarding the port using this: iptables -t nat -A PREROUTING -p tcp --dport 1443 -j DNAT --to-destination 127.0.0.1:443
I need to rely on HAProxy since both NextcloudPi and YunoHost set up their own SSL, and a generic Apache reverse proxy using virtual hosts would not help.
Please do let me know if I need to provide any specific details. Thanks!
HAProxy is a reverse proxy in itself. What you want is a basic HAProxy setup listening on 443 (and if the user comes in on port 80, redirect to 443 within HAProxy itself) and let your Nextcloud run on basic port 80 in the background. You can then do SSL handoff at HAProxy (easing all sorts of headaches with SSL certs etc. on Nextcloud servers).
So it would go:
User requests your nextcloud.your-domain.com (which points to HAProxy), gets rerouted to port 443 if needed, and then is backended to whatever nextcloud instance you have. The user never interacts with NC directly, but only through HAProxy.
And if you need to run a second site through the same HAProxy, lookup source-header ACL in HAProxy docs.
backend b_default
    mode tcp
    option tcplog
    server srv_default 127.0.0.1:443

backend b_domain1_com
    mode tcp
    option tcplog
    server srv_domain1 192.168.1.254:443
Nextcloud still didn't work and YunoHost on the other server was way too slow. Researching that a bit, I read somewhere that both HAProxy and Apache couldn't bind to the same 443 port. So I set it to 1443 and set up the port forward on the same server [192.168.1.254].
Will look up the source-header ACL in a bit. It took me a while to realise HAProxy is what I need and I feel I'm so close to getting this to work... just haven't got the semantics right. I've never done this before... so please do let me know if I've got this all wrong!!
where "aaa.bbb.ccc.ddd" is the internal IP of your NC instance. Note that I am just forwarding the raw traffic based on the SNI. Redirecting all HTTP traffic to HTTPS is just a security precaution to never have submitted anything via plain HTTP.
In /etc/haproxy/certs is my letsencrypt wildcard cert and key.
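For readers wanting to see the SNI-passthrough variant described in the reply above in one piece, here is an added example config (not the poster's or the OP's own config). It assumes HAProxy runs on its own host so it can own ports 80 and 443, and that the two app servers keep terminating TLS with their own certificates on their normal port 443; the hostnames nextcloud.example.com / yunohost.example.com and the addresses 192.168.1.254 / 192.168.1.20 are placeholders.

```haproxy
# Added example, not from the thread. HAProxy on a dedicated host (assumed)
# forwards the raw TLS stream based on the SNI in the ClientHello, so each
# backend still presents and renews its own certificate.
global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Plain HTTP never serves content: bounce every request to HTTPS on the
# same host name so nothing is ever submitted in the clear.
frontend ft_http
    mode http
    bind *:80
    http-request redirect scheme https code 301

# HTTPS: inspect the ClientHello only, do not decrypt anything.
frontend ft_https
    mode tcp
    option tcplog
    bind *:443
    # Buffer up to 5s for the ClientHello so req.ssl_sni is populated;
    # accept as soon as a ClientHello (hello type 1) has been seen.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl is_nextcloud req.ssl_sni -i nextcloud.example.com   # assumed name
    acl is_yunohost  req.ssl_sni -i yunohost.example.com    # assumed name
    use_backend b_nextcloud if is_nextcloud
    use_backend b_yunohost  if is_yunohost
    # Clients that send no SNI (or an unknown one) land here.
    default_backend b_nextcloud

backend b_nextcloud
    mode tcp
    option tcplog
    # Backend keeps its normal 443; no iptables DNAT is needed because
    # HAProxy is not competing for the port on the same machine.
    server ncp 192.168.1.254:443 check      # assumed address

backend b_yunohost
    mode tcp
    option tcplog
    server yuno 192.168.1.20:443 check      # assumed address
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. To confirm the routing, run `openssl s_client -connect <haproxy-ip>:443 -servername nextcloud.example.com` and then again with `-servername yunohost.example.com`: the certificate subject printed should change with the SNI, and a connection with no `-servername` should show the default backend's certificate.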
This is what must be done. I have the same. I just run NC and OnlyOffice through the same loadbalancer.
I am starting to wonder whether OP has HAProxy, NC and Yunohost all running on the same machine. Then, he will need to have different ports and he will need to use src header based ACLs.
Interesting! I currently have the reverse proxy setup on the same pi as the nextcloud server and the other server setup on an odroid. Likely, the port conflict is what is causing my issue?
So I guess the best option is to fire up another pi to just setup the haproxy on it?
HAProxy = Server 1
Nextcloud + anything else = Server 2
Let HAProxy listen on 80 and 443, and if request comes in on 80 redirect to 443 IN HAPROXY, NOT IPTABLES.
Then, if the request is for Nextcloud server (hdr acl) backend to nextcloud port 80 (NON-SSL)
If the request is for other server, backend to that (NON-SSL).
Do not put reverse proxies anywhere else, not needed.
Does this make more sense?
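The layout in the reply above (HAProxy on its own box, TLS terminated there, Host-header ACLs, plain HTTP to the apps), as an added example config that is not from the thread. It assumes the wildcard certificate and key are concatenated into one PEM under /etc/haproxy/certs/, that HAProxy is 1.8 or newer (for `ssl-min-ver`), and uses placeholder names nextcloud.example.com / yunohost.example.com and placeholder addresses 192.168.1.254 / 192.168.1.20.

```haproxy
# Added example, not from the thread. HAProxy = Server 1; the apps live on
# other hosts and speak plain HTTP on port 80.
global
    log /dev/log local0
    # Refuse TLS < 1.2 on the terminating listener (assumed modern OpenSSL build).
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    log global
    option httplog
    # Pass the client IP to the backends so their logs and brute-force
    # protection see the real source, not HAProxy.
    option forwardfor
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend ft_http
    bind *:80
    # Redirect here, inside HAProxy, rather than with iptables.
    http-request redirect scheme https code 301

frontend ft_https
    # Directory form loads every PEM in it; certificate chosen by SNI.
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    # Let the apps know the original request was HTTPS.
    http-request set-header X-Forwarded-Proto https
    # Pin browsers to HTTPS for a year.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Route on the HTTP Host header (the "hdr acl" mentioned above).
    acl is_nextcloud hdr(host) -i nextcloud.example.com   # assumed name
    acl is_yunohost  hdr(host) -i yunohost.example.com    # assumed name
    use_backend b_nextcloud if is_nextcloud
    use_backend b_yunohost  if is_yunohost
    default_backend b_nextcloud

backend b_nextcloud
    # Plain HTTP on the LAN. Nextcloud must be told about the proxy in
    # config.php: add HAProxy's IP to 'trusted_proxies' and set
    # 'overwriteprotocol' => 'https' so generated links are HTTPS.
    server ncp 192.168.1.254:80 check       # assumed address

backend b_yunohost
    server yuno 192.168.1.20:80 check       # assumed address
```

Check syntax with `haproxy -c -f /etc/haproxy/haproxy.cfg`, then `curl -I http://nextcloud.example.com/` should return a 301 to the https URL, and `curl -I https://nextcloud.example.com/` should come back with the Strict-Transport-Security header and the Nextcloud login page. Because the app servers now only ever see plain HTTP from one proxy, restrict their port 80 to HAProxy's address with the local firewall so nobody on the LAN can bypass TLS.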
Absolutely does! I'd have to set up different servers for NextcloudPi and YunoHost since both need to run on 443. Will spin that up over the weekend. Thank you!