Nextcloud 12 keeps banning my reverse proxy

Hi,
I have a problem between my NC server and my HAProxy.

If I go through HAProxy, the login fails with error

504 bad gateway

If I log in through the NC address, the login succeeds.

I think there is somewhere a configuration that blocks HAProxy, thinking it’s a DoS attack.

I’ve already tried to disable mod_evasive and to add the trusted proxy IP to the configuration, but no luck.

Where can I set PHP/Apache connection limits?

Thanks

Are you positive it’s not a misconfiguration? HAProxy handles connections to 6 copies of Nextcloud for me with no problem.

I’m not sure since I’m still in testing with the actual configuration, but I think that the problem was that I was missing the option to enable X-Forwarded-For in the HAProxy configuration. My proxy is a pfSense module.
Somehow I think that the PHP/Apache processes were overloaded in terms of memory and/or connection tracking, since all clients were tracked as the same IP (the HAProxy one).

Can you provide a sample of your frontend/backend options? I’m only using SSL offloading, the forwardfor option and SSL connection tracking.

Thanks

Mine isn’t using SSL as it’s just a PoC, but hope this helps regardless. I can show an SSL config for another solution if you wish, also working fine.

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

listen nccluster
    bind 10.10.40.8:80
    mode http
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    balance leastconn
    option httpclose
    option forwardfor
    server web1 10.11.12.13:80 check fall 1 rise 2
    server web2 10.11.12.14:80 check fall 1 rise 2
    server web3 10.11.12.15:80 check fall 1 rise 2
    server web4 10.11.12.16:80 check fall 1 rise 2
    server web5 10.11.12.17:80 check fall 1 rise 2
    server web6 10.11.12.18:80 check fall 1 rise 2
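An added example (not from this thread, and not Nextcloud's or HAProxy's own code) modelling the point made in the earlier reply and shown by the "option forwardfor" line above: without the header, or without the proxy listed as trusted, every client is booked against the proxy's own address and per-IP login throttling hits the proxy itself, while a forwarded header from a peer that is not a trusted proxy is ignored. It assumes 10.10.40.8 as the proxy address (taken from the posted bind line) and a made-up per-IP threshold of 5 failed logins.

```python
import ipaddress

# Simplified model of how an app behind a reverse proxy attributes a request to a
# client address. The threshold and the traffic below are constructed for illustration.
PROXY_IP = "10.10.40.8"   # assumed: the HAProxy bind address from the posted config
LIMIT = 5                 # assumed per-IP failed-login threshold, not Nextcloud's real value


def resolve_client_ip(remote_addr, headers, trusted_proxies):
    """Use X-Forwarded-For only when the direct peer is a trusted proxy."""
    if remote_addr in trusted_proxies:
        xff = headers.get("X-Forwarded-For", "")
        for candidate in (p.strip() for p in xff.split(",")):
            try:
                return str(ipaddress.ip_address(candidate))  # first valid address wins
            except ValueError:
                continue                                     # skip empty/malformed entries
    return remote_addr  # direct client, or untrusted peer: the header is not honoured


def throttled_ips(requests, trusted_proxies):
    """Count failed logins per attributed IP; return the IPs at or over LIMIT."""
    counts = {}
    for remote_addr, headers in requests:
        ip = resolve_client_ip(remote_addr, headers, trusted_proxies)
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= LIMIT)


def proxied_failures(clients, forwardfor):
    """Constructed traffic: each client fails one login via HAProxy. With
    'option forwardfor' HAProxy adds X-Forwarded-For; without it, no header."""
    return [(PROXY_IP, {"X-Forwarded-For": c} if forwardfor else {}) for c in clients]


CLIENTS = [f"192.0.2.{i}" for i in range(1, 7)]  # constructed: six distinct LAN clients

# 1) no forwardfor: all six failures land on the proxy address, which gets throttled
NO_XFF = throttled_ips(proxied_failures(CLIENTS, forwardfor=False), [PROXY_IP])
# 2) forwardfor on, but the proxy is not listed as trusted: header ignored, same outcome
XFF_UNTRUSTED = throttled_ips(proxied_failures(CLIENTS, forwardfor=True), [])
# 3) forwardfor on and the proxy trusted: each client counted separately, nobody throttled
XFF_TRUSTED = throttled_ips(proxied_failures(CLIENTS, forwardfor=True), [PROXY_IP])
# 4) a direct peer presenting a forged header is still attributed to its own address
SPOOFED = resolve_client_ip("198.51.100.9", {"X-Forwarded-For": "192.0.2.1"}, [PROXY_IP])

if __name__ == "__main__":
    print(NO_XFF, XFF_UNTRUSTED, XFF_TRUSTED, SPOOFED)
```

Scenarios 1 and 2 are the two half-fixes the thread went through (trusted proxy without the header, header without a trusted proxy); only scenario 3 separates the clients again.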