Hi all, I’ve had my single-server Nextcloud up and running for a few weeks now. The HAProxy SSL passthrough was a bit tricky to get working, so here is my experience so far.
My basic network setup: all servers are LXCs on Proxmox using Ubuntu 20.04.
My plan was to use HAProxy to allow me to route multiple incoming URLs to different servers. Nextcloud is the first server to go in, but I needed HAProxy working before I add other servers. Before putting HAProxy in I set up port forwarding on the router for port 80 and port 443 directly to the Nextcloud server. Once the Let's Encrypt certificate was set up for SSL, the port 80 forward was removed. I then tried various configs on HAProxy; many YouTube videos and blog posts later, I found a config that works. More importantly, it gets an A+ when I test security on Nextcloud.
Note that I’m not doing health checks as I’m only running one server at present. Happy to change this if someone thinks it's a good idea.
Here is my haproxy.cfg; as I add future servers I will add more backends.
global
    maxconn 5000
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    timeout http-request 5s
    timeout connect 5000
    timeout client 2000000
    timeout server 2000000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend homeserver443
    bind *:443
    mode tcp
    option tcplog
    # wait up to 10s for the TLS ClientHello so the SNI can be inspected
    tcp-request inspect-delay 10s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # route on the (unencrypted) SNI field; the TLS session itself is passed through untouched
    use_backend nextcloud if { req_ssl_sni -m end nextcloud.domain.site }

backend nextcloud
    mode tcp
    server nextcloud-server 10.0.1.88:443
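To make it clearer what the frontend above is actually keying on, here is an added example (my own code, not part of the original post or of HAProxy) that builds a minimal TLS ClientHello, extracts the SNI host name from it, and applies the same `-m end` suffix rule as the `use_backend` line. The route table, host names and the 10.0.1.88 backend name are taken from the config; the `build_client_hello` and `parse_sni` helpers and the sample inputs are constructed for this illustration.

```python
import struct

# Routing rule from the config above: (suffix matched with "-m end", backend name).
ROUTES = [("nextcloud.domain.site", "nextcloud")]


def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input)."""
    body = b"\x03\x03" + b"\x00" * 32            # client_version + 32-byte random
    body += b"\x00"                               # session_id length 0
    body += b"\x00\x02\x13\x01"                   # one cipher suite
    body += b"\x01\x00"                           # one compression method (null)
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        server_name_list = b"\x00" + struct.pack("!H", len(host)) + host  # type 0 = host_name
        ext_data = struct.pack("!H", len(server_name_list)) + server_name_list
        exts += b"\x00\x00" + struct.pack("!H", len(ext_data)) + ext_data  # extension 0 = SNI
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(data):
    """Return the SNI host name carried by a TLS ClientHello, or None if there is none.

    Raises ValueError when the bytes are not a TLS handshake record holding a
    ClientHello; this is the case HAProxy's `req_ssl_hello_type 1` guard rejects."""
    if len(data) < 6 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip version + random
    pos += 1 + body[pos]                          # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                          # compression methods
    if pos + 2 > len(body):
        return None                               # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_sz = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_sz]
        pos += ext_sz
        if ext_type == 0x0000:
            # ServerNameList: 2-byte list length, then entries of type(1) length(2) name
            list_len = struct.unpack("!H", ext[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                name = ext[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii", "replace")
    return None


def is_tls_client_hello(data):
    """Mirror of `tcp-request content accept if { req_ssl_hello_type 1 }`."""
    try:
        parse_sni(data)
        return True
    except ValueError:
        return False


def choose_backend(data, routes=ROUTES):
    """Apply the `use_backend ... if { req_ssl_sni -m end <suffix> }` rule.

    Returns the backend name, or None when nothing matches (the config above has
    no default_backend, so HAProxy simply closes such a connection)."""
    sni = parse_sni(data)
    if sni is None:
        return None
    for suffix, backend in routes:
        if sni.endswith(suffix):
            return backend
    return None


if __name__ == "__main__":
    for label, raw in [
        ("expected host", build_client_hello("nextcloud.domain.site")),
        ("other host", build_client_hello("other.domain.site")),
        ("no SNI", build_client_hello(None)),
        ("plain HTTP, not TLS", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    ]:
        if not is_tls_client_hello(raw):
            print(f"{label}: rejected before routing (not a ClientHello)")
        else:
            print(f"{label}: sni={parse_sni(raw)!r} -> backend={choose_backend(raw)!r}")
```

Two things the example makes visible. First, routing happens on the SNI field, which is sent in the clear in the ClientHello; HAProxy never terminates TLS here, so the certificate and cipher configuration that earn the A+ are entirely Nextcloud's. Second, `-m end` is a suffix match, so a name such as `notnextcloud.domain.site` also lands on the Nextcloud backend; if you only ever want the exact host name to match, `-m str` gives an exact comparison.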