Haproxy, Nginx & Apache - SSL issue

Hello,

I have been very happy to find this tutorial on how to have Nginx & Apache run on the same machine (a RPi 4 with up to date Raspbian OS in my case) with the help of Haproxy.

As in the tutorial’s use case, I have a webapp running on Nginx which cannot be migrated to Apache, and I would like to install Nextcloudpi (which requires Apache).
At the end of step 4, Nginx (127.0.0.1 for Haproxy), Apache (127.0.0.2 for Haproxy) and Haproxy are indicated as “Active” on the machine when checking “systemctl status”. However, I cannot access any webapp with my browser at this point. I tend to believe this is due to Nextcloudpi’s install.sh script (run prior to following the tutorial), which installed some certificates and somehow forced https authentication on the machine, as when trying to access a URL which was working when I had only my Nginx webapp (let’s call it “nginxws.local”), Firefox displays PR_END_OF_FILE_ERROR, which seems to be related to SSL auth.
I guess I should generate new certificates after the changes made regarding webservers & Haproxy configuration. However, despite the dedicated chapter in the tutorial I am kind of lost.

Indeed, so far I have no domain name and I am trying to set all up on my local network for the moment.

  1. I feel the section of the tutorial in which a DNS .ini file is created for Certbot is not necessary in my case (in the end the local network DNS is managed by my router - set to default ISP values - I believe?), although I am not sure about it.

  2. What is more, I don’t know whether I should generate a certificate as indicated per the tutorial, or as per Nextcloudpi instructions.

  3. On a local network, should SNI requests point to domain names as defined in the machine’s /etc/hosts file?

  4. I would be curious to read - if you have an opinion on the topic - why here it does not seem to be an issue to install Haproxy on the same machine as the web servers it points to, while some people seem to discourage it.

PS: FYI, I cross-posted my issue in slightly different terms on Nextcloud’s forum.

I run Nextcloud on nginx. I followed these LinuxBabe instructions, Nextcloud.

I am not sure about the Raspberry Pi Nextcloudpi on nginx; maybe you can mod it, but I would build Nextcloud with the instructions above.

I run haproxy for a different reason, two servers on one public IP, but I did set up a file in /etc/hosts with local private machine addresses.

This post might help

I strongly recommend buying a domain name, if you really want to tinker with server software. HAProxy SNI can not work without a domain name.

The section about the DNS .ini file is for obtaining a TLS certificate from Let’s Encrypt. You must have a domain name in order to get a TLS certificate from Let’s Encrypt. The DNS validation is for domain name owners to get a TLS certificate, and isn’t about DNS resolution for the client.

You must have a registered domain name in order to use SNI. Fake domain names defined in /etc/hosts file won’t work.

Unfortunately, the Nextcloud forum website won’t load in my web browser. I have two Nextcloud instances running behind HAProxy, which doesn’t cause any extra problems. HAProxy is a very popular reverse proxy software for setting up load balancing and high availability. I can’t think of a reason why it would cause trouble for Nextcloud, other than making careless mistakes.

If you want to customize your server setup, like using HAProxy, I would recommend you learn the basics of servers and set everything up from scratch, so you understand how it works under the hood. Installer scripts can be useful for beginners, but if you don’t understand the basics, it’s hard for you to customize your server setup.
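
For readers following the same Nginx-on-127.0.0.1 / Apache-on-127.0.0.2 layout the thread discusses, here is an added example of an HAProxy configuration that routes TLS connections by SNI (example config, not from the tutorial or from either poster). The LAN address 192.168.1.10 and the two hostnames are placeholders; it assumes Nginx listens on 127.0.0.1:443 and Apache on 127.0.0.2:443, each terminating TLS with its own certificate.

```haproxy
# Added example: HAProxy in TCP mode passing TLS through to Nginx or
# Apache on the same host, chosen by the SNI name in the ClientHello.
# Placeholders: 192.168.1.10 (LAN address), the two hostnames.
global
    log /dev/log local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # Bind only the LAN address so that 127.0.0.1:443 and 127.0.0.2:443
    # remain free for the web servers sitting behind HAProxy.
    bind 192.168.1.10:443
    # Hold the connection (up to 5s) until the TLS ClientHello arrives;
    # without this, req.ssl_sni is empty and no use_backend rule matches.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend nginx_tls  if { req.ssl_sni -i nginxws.example.com }
    use_backend apache_tls if { req.ssl_sni -i nextcloud.example.com }
    # Deliberately no default_backend: a ClientHello whose SNI matches
    # neither name is closed rather than handed to a server holding a
    # certificate for a different hostname. A browser sees exactly this
    # as a connection dropped mid-handshake (Firefox: PR_END_OF_FILE_ERROR),
    # so an unmatched SNI is the first thing to rule out when that appears.

backend nginx_tls
    server nginx 127.0.0.1:443 check

backend apache_tls
    server apache 127.0.0.2:443 check
```

To check which backend a given name reaches, `openssl s_client -connect 192.168.1.10:443 -servername nginxws.example.com` shows the certificate returned for that SNI, and an immediate EOF instead of a certificate means the name matched no rule.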

Sorry for never coming back to both of you, so better late than never… I read & appreciated your feedback even if it did not immediately help me in managing to set up a fully local configuration (I noted your point about SNI without a domain name, LinuxBabe) for test purposes. I thought I would come back to you after some outcomes, but then this project went through a long break… hopefully to be reopened soon!

Best,
Daokj