I’m moving from a working nginx reverse proxy configuration to HAProxy on OPNsense.
After following two different guides I still get a “too_many_redirects” error.
1st guide i followed: https://forum.opnsense.org/index.php?topic=23339.0
2nd guide https://community.spiceworks.com/how_to/177181-opnsense-haproxy-as-reverse-proxy-for-self-hosted-services
These are the relevant parts of my configuration:
My virtual host file:
# Nextcloud virtual host, plain HTTP on port 80. No SSLEngine appears in this
# excerpt: TLS is expected to be terminated in front of it (HAProxy below), so
# this listener only ever sees cleartext HTTP from the proxy.
<VirtualHost *:80>
DocumentRoot "/usr/local/www/nextcloud"
ServerName nextcloud.mysite.com
# PHP requests are handed to a PHP-FPM pool on the loopback address via
# mod_proxy_fcgi; the pool itself is not shown here.
<FilesMatch \.php$>
SetHandler "proxy:fcgi://127.0.0.1:9000/"
</FilesMatch>
DirectoryIndex /index.php index.php
# NOTE(review): the proxy inserts X-Forwarded-For (see "option forwardfor" in
# the HAProxy config). Unless mod_remoteip is configured elsewhere, Apache's
# logs will record the proxy address rather than the real client — confirm.
</VirtualHost>
My config.php:
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"10.0.0.48",
"nextcloud.mysite.com"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "25.0.4.1",
"overwrite.cli.url": "https:\/\/nextcloud.mysite.com",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"overwritehost": "nextcloud.mysite.com",
"overwriteprotocol": "https",
"overwritecondaddr": "^10\\.0\\.0\\.1$",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 0
},
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.locking": "\\OC\\Memcache\\Redis",
"maintenance": false,
"theme": "",
"loglevel": 2,
"updater.release.channel": "stable",
"default_phone_region": "IT",
"app_install_overwrite": [],
"ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
"twofactor_enforced": "true",
"twofactor_enforced_groups": [
"admin"
],
"twofactor_enforced_excluded_groups": [],
"data-fingerprint": "d1c023081e0c9b662bc8049cf295c443"
}
}
haproxy.conf obtained by following the first guide:
# Process-level settings generated by the OPNsense HAProxy plugin.
global
# Drop privileges to uid/gid 80 and confine the process to /var/haproxy.
uid 80
gid 80
chroot /var/haproxy
daemon
# Runtime API socket at "level admin": members of group "proxy" can change
# server state at runtime, so keep that group membership tight.
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
# Give old processes up to 60s to drain on reload before they are killed.
hard-stop-after 60s
no strict-limits
maxconn 10000
# 4096-bit DH parameters for any DHE cipher suites (none are listed on the
# binds below, which are ECDHE-only, so this is mostly a safety default).
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
# Syslog via the local log socket, facility local0, level info.
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
# Defaults inherited by every frontend/backend below unless overridden.
defaults
log global
option redispatch -1
maxconn 5000
# 30s idle timeouts on both sides; the HTTPS frontend raises "timeout client"
# to 15m, the others keep this value.
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (listening on 0.0.0.0:80. 0.0.0.0:443)
frontend 0_SNI_frontend
# Binds on every address (0.0.0.0), i.e. WAN as well as LAN — confirm this
# matches the exposure intended by the firewall rules.
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
# Raw TCP pass-through; no TLS is terminated or inspected here. Despite the
# name, no SNI ACLs appear in this section as shown — everything goes to
# SSL_backend, which hops to the HTTP/HTTPS frontends over loopback.
mode tcp
default_backend SSL_backend
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
# Loopback listener fed by SSL_backend; accept-proxy reads the PROXY protocol
# header so the original client address survives the internal hop.
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
# This bind has no "ssl", so ssl_fc is always false here and the redirect
# below fires for every request — plain HTTP is never served.
acl acl_64188d5dce2390.01132494 ssl_fc
# ACTION: HTTPtoHTTPS_rule
# Permanent redirect to the same host/URI over https (the client then
# re-enters via the :443 bind of 0_SNI_frontend).
http-request redirect scheme https code 301 if !acl_64188d5dce2390.01132494
# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
# HSTS for two years with includeSubDomains and preload. "preload" signals
# eligibility for browser preload lists, which is hard to back out of;
# consider adding it only once the setup is stable and every subdomain is
# known to serve HTTPS.
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# TLS termination on loopback (accept-proxy as on the HTTP frontend).
# no-sslv3/no-tlsv10/no-tlsv11 leaves TLS 1.2+; session tickets disabled;
# ECDHE-only TLS 1.2 ciphers; h2 offered via ALPN; certificates from the
# generated crt-list.
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64189270e357f4.63771565.certlist
mode http
option http-keep-alive
# Adds X-Forwarded-For only. No X-Forwarded-Proto is set in this section, so
# the backend sees a plain-http request and Nextcloud has to rely on
# overwriteprotocol/overwritecondaddr in config.php; overwritecondaddr must
# match the address HAProxy connects from — TODO confirm.
option forwardfor
timeout client 15m
# logging options
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
# Backend chosen by domain lookup of the Host header in the generated map.
# There is no default_backend in this frontend, so a host that is absent
# from the map (or maps to an unknown backend name) should get a 503 rather
# than reach Nextcloud — a fail-closed default worth keeping.
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64188dd26c8986.37023969.txt)]
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
# TCP relay from 0_SNI_frontend to the loopback HTTP/HTTPS frontends.
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# No port on the server: HAProxy reuses the port the client connected to,
# so :80 lands on 1_HTTP_frontend and :443 on 1_HTTPS_frontend.
# send-proxy-v2 carries the real client address across the hop (the
# frontends use accept-proxy). check-send-proxy has no effect while health
# checks are disabled.
server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: Nextcloud_backend ()
backend Nextcloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# NOTE(review): "ssl" makes HAProxy speak TLS to 10.0.0.48:80, but the Apache
# vhost shown above listens for cleartext HTTP on *:80 — this looks
# inconsistent. Either drop "ssl verify none" for a plain-HTTP backend, or,
# if the backend really serves TLS, point at that port and replace
# "verify none" with "verify required" plus a ca-file, since "verify none"
# disables certificate validation of the backend entirely.
server Nextcloud_server 10.0.0.48:80 ssl verify none
haproxy.conf obtained by following the second guide:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
#
# NOTE: HAProxy is currently DISABLED
#
# Process-level settings generated by the OPNsense HAProxy plugin. The header
# above records that HAProxy was DISABLED when this file was generated — make
# sure the service was actually enabled when this variant was tested.
global
# Drop privileges to uid/gid 80 and confine the process to /var/haproxy.
uid 80
gid 80
chroot /var/haproxy
daemon
# Runtime API socket at "level admin": members of group "proxy" can change
# server state at runtime, so keep that group membership tight.
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
# Defaults inherited by the frontend/backend below; identical to the first
# variant.
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: proxy ()
frontend proxy
# HSTS, ~6 months, no includeSubDomains/preload.
http-response set-header Strict-Transport-Security "max-age=15768000"
# Single TLS listener on the LAN address 10.0.0.1 only; there is no :80 bind
# in this variant, so plain-HTTP requests are refused rather than redirected.
# TLS 1.2 minimum, client cipher preference honoured, no ALPN (HTTP/1.1 only).
bind 10.0.0.1:443 name 10.0.0.1:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 crt-list /tmp/haproxy/ssl/641aa0529dfc73.39354734.certlist
mode http
# No "option forwardfor" here, unlike the first variant: the backend only
# sees the proxy's address, so Nextcloud's logging and brute-force
# protection would key on the proxy IP, not the real client.
option http-keep-alive
# logging options
# ACL: nextcloud
# NOTE(review): this hostname differs from the "nextcloud.mysite.com" used in
# trusted_domains/overwritehost in config.php. If that is not just uneven
# redaction, Nextcloud will treat the Host as untrusted or generate URLs for
# the other name — confirm they match.
acl acl_641a9d77b0a028.21861222 hdr(host) -i nextcloud.aivallecrosia.com
# ACL: nc_caldav
acl acl_641a9da12437f1.67374553 path_end -i /.well-known/caldav
# ACL: nc_nodeinfo
acl acl_641a9dca00e732.15641297 path /.well-known/nodeinfo
# ACL: nc_carddav
acl acl_641a9db24c6f94.95375979 path_end -i /.well-known/carddav
# ACL: nc_webfinger
acl acl_641a9de27e94c3.01726161 path /.well-known/webfinger
# ACTION: nextcloud
# http-request rules are evaluated before backend selection regardless of
# textual order, so the .well-known redirects below still apply even though
# they are written after use_backend.
use_backend Nextclolud if acl_641a9d77b0a028.21861222
# ACTION: nc_caldav
# Well-known service discovery handled at the proxy: CalDAV/CardDAV go to
# /remote.php/dav, nodeinfo/webfinger are prefixed with /index.php. All four
# are scoped to the nextcloud host ACL.
http-request redirect code 301 location /remote.php/dav if acl_641a9da12437f1.67374553 acl_641a9d77b0a028.21861222
# ACTION: nc_nodeinfo
http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_641a9dca00e732.15641297 acl_641a9d77b0a028.21861222
# ACTION: nc_carddav
http-request redirect code 301 location /remote.php/dav if acl_641a9db24c6f94.95375979 acl_641a9d77b0a028.21861222
# ACTION: nc_webfinger
http-request redirect code 301 location /index.php/%[capture.req.uri] if acl_641a9de27e94c3.01726161 acl_641a9d77b0a028.21861222
# Backend: Nextclolud ()
backend Nextclolud
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# NOTE(review): same issue as in the first variant — "ssl" towards port 80 of
# a backend whose Apache vhost (above) serves cleartext HTTP on *:80, and
# "verify none" disables backend certificate validation. Use a plain server
# line for HTTP, or a TLS port with "verify required" and a ca-file.
server Nextcloud 10.0.0.48:80 ssl verify none
# statistics are DISABLED
I suppose something is weird with my php.conf, but I can’t understand where.