pfSense + HA proxy - Hansson IT template

I’ve been running the Hansson IT OVF template for some years now on my ESXi host. This instance has a public IP address, so I don’t have to worry about port forwards, etc. This works flawlessly.

Now I want to redeploy this instance (by setting up a new one) behind a pfSense HAProxy.

However, I cannot get this to work. I’ve searched and read many topics about this, but none of them seem to suit my case.

I am able to log in if I use the local IP address of this new setup.
I am not able to log in if I use the HAProxy. I can’t reach the login page. Apache seems to be stuck at the default Hansson IT page:

“Thank you for downloading the Nextcloud VM, you made a good choice! If you see this page, you have run the first setup, and you are now ready to start using Nextcloud on your new server. Congratulations! :)”

It seems that there is no redirect to cloud.mydomain.tld/login.
If I manually enter “cloud.mydomain.tld/login”, I get “Not Found” error in chrome/firefox.

I’m quite stuck for the moment. None of the solutions I’ve found seem to do the trick.


And the backend:

It does not matter if I enable SSL or not at the backend; in this picture the ACME certs are configured, but this has no influence.

If you want to continue with the Hansson VM and its built-in Let’s Encrypt SSL configuration, I would consider setting up HAproxy in TCP mode, not in HTTPS mode. In this way, HAproxy doesn’t interfere at all with the handling and updates of certificates; this is done exclusively by the VM. To this end, you need to choose the TCP type in HAproxy.

Unfortunately, I am not familiar with how exactly to set up HAproxy using the pfSense GUI, but here’s a configuration file that works in my case for two different hosts which both manage their own SSL/TLS termination:

defaults
	# without these HAproxy warns about missing timeouts on every proxy
	timeout connect 5s
	timeout client  50s
	timeout server  50s

frontend ft_tcp_ssl
	mode tcp
	bind *:443
	# wait (up to 5s) for the TLS ClientHello so the SNI can be read before routing
	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }
	# route on the SNI name only; the TLS stream is passed through unmodified
	use_backend     bk_otherhost_ssl if { req_ssl_sni -i otherhost.yourdomain.tld }
	use_backend     bk_nextcloud_ssl  if { req_ssl_sni -i nextcloud.yourdomain.tld }
	default_backend bk_otherhost_ssl

backend bk_otherhost_ssl
	mode tcp
	# needs to terminate TLS for otherhost.yourdomain.tld
	server otherhost.yourdomain.tld [otherhost-IP]:443

backend bk_nextcloud_ssl
	mode tcp
	# needs to terminate TLS for nextcloud.yourdomain.tld
	server nextcloud.yourdomain.tld [nextcloud-IP]:443

frontend ft_http
	# plain HTTP (Let's Encrypt HTTP-01 challenges and the redirect to HTTPS);
	# hdr(host) is an HTTP-layer fetch, so this frontend and its backends must run in http mode
	mode http
	bind *:80
	use_backend     bk_otherhost  if { hdr(host) -i otherhost.yourdomain.tld }
	use_backend     bk_nextcloud  if { hdr(host) -i nextcloud.yourdomain.tld }
	default_backend bk_otherhost

backend bk_otherhost
	mode http
	server otherhost.yourdomain.tld [otherhost-IP]:80

backend bk_nextcloud
	mode http
	server nextcloud.yourdomain.tld [nextcloud-IP]:80

If you can’t import an HAproxy configuration, you could try adjusting the GUI settings until the resulting config file looks like the above. You may need this hint to achieve the desired result:

https://www.reddit.com/r/PFSENSE/comments/yfnnzr/haproxy_ssl_passthrough_finally_works_fine/
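To make clear what the TCP-mode frontend above actually decides on, here is an added example (not part of the original post and not HAproxy's own code) that does in Python what `req_ssl_hello_type 1` and `req_ssl_sni` do: it parses the first TLS record of a connection, pulls the server_name out of the ClientHello, and picks a backend by that name, case-insensitively, falling back to the default backend when the bytes are not a TLS ClientHello or carry no SNI. The backend names and hostnames are the ones from the configuration above; the ClientHello builder only exists to produce constructed test input.

```python
import struct

# Backend map and default, mirroring the use_backend / default_backend lines
BACKENDS = {
    "otherhost.yourdomain.tld": "bk_otherhost_ssl",
    "nextcloud.yourdomain.tld": "bk_nextcloud_ssl",
}
DEFAULT_BACKEND = "bk_otherhost_ssl"


def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None.

    None means 'req_ssl_hello_type 1' would not match: not a TLS handshake
    record, not a ClientHello, truncated, or no SNI extension present.
    """
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None  # incomplete record; HAproxy keeps waiting up to inspect-delay
    hs = data[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32  # skip client_version and the 32-byte random
    if pos + 1 > len(hs):
        return None
    pos += 1 + hs[pos]                                   # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    if pos + 1 > len(hs):
        return None
    pos += 1 + hs[pos]                                   # compression_methods
    if pos + 2 > len(hs):
        return None  # extensions field absent entirely
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        body = hs[pos:pos + elen]
        pos += elen
        if ext_type == 0x0000:  # server_name extension
            # list_len(2) name_type(1) name_len(2) host_name
            if len(body) < 5 or body[2] != 0x00:
                return None
            nlen = struct.unpack("!H", body[3:5])[0]
            return body[5:5 + nlen].decode("ascii", "replace")
    return None


def choose_backend(data: bytes) -> str:
    """Pick the backend the way the ft_tcp_ssl frontend does.

    A connection that never produces a matching ClientHello is still accepted
    once inspect-delay expires and lands on default_backend, so non-TLS bytes
    on port 443 go to the default backend rather than being dropped.
    """
    sni = extract_sni(data)
    if sni is None:
        return DEFAULT_BACKEND
    return BACKENDS.get(sni.lower(), DEFAULT_BACKEND)  # -i: case-insensitive


def build_client_hello(server_name=None) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello, optionally with SNI."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session_id
    body += b"\x00\x02\x13\x01"                   # one cipher suite
    body += b"\x01\x00"                           # null compression only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sn = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(sn)) + sn
        exts += struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for name in ("nextcloud.yourdomain.tld", "OTHERHOST.yourdomain.tld", None):
        print(name, "->", choose_backend(build_client_hello(name)))
    print("plain HTTP on 443 ->", choose_backend(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))
```

Two things this makes visible: routing happens before any byte is decrypted, which is why the VM keeps full control of its certificates, and it relies on the client sending the hostname in clear in the ClientHello. A client that does not send SNI, or one using TLS Encrypted ClientHello, cannot be routed this way and ends up on `default_backend`, so make sure that backend is the one you are happy to expose to unrouted traffic.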
