Run Apache, Nginx & HAProxy on Same Server

JohnnyBeGood · September 13, 2021, 1:28am

Hey all,

I’ve been struggling to get Run Apache, Nginx & HAProxy on Same Server (Ubuntu 20.04 in my case) on my home network for a week now. I’ve tried following the tutorial but I get stuck on the part:

“You can define a default back end with:” default_backend nginx and " We will use SNI header in the HTTPS request to redirect to the correct back end. For example, if Nginx is serving domain1.com and Apache is serving domain2.com , then you add the following two lines."

because I followed other two tutorials Install NextCloud on Ubuntu 20.04 with Nginx (LEMP Stack) and Install NextCloud on Ubuntu 20.04 with Apache (LAMP Stack)
Both are working when I try to access them via nextcloud.myhomedomain.net and phpmyadmin.myhomedomain.net.

After I follow this tutorial and move them to 127.0.0.2:443 and 127.0.0.1:443 and when I try to access them from outside my network I can access nextcloud.myhomedomain.net and I get the correct LE certificate and it works, but for phpmyadmin.myhomedomain.net I’m getting an error of invalid certificate and it is from HAProxy for my ubuntu.myhomedomain.net located in /etc/haproxy/haproxy.pem

I guess, what I’m unable to find online is how to have HAProxy point to each individual domain because I do not need load balancing.
If anyone can shed some light on this I would really appreciate it!

Here’s what I have in /etc/haproxy/haproxy.cfg

    global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
	tune.ssl.default-dh-param 2048
defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend http
    bind 192.168.1.115:80
    mode http
    redirect scheme https code 301

frontend https
    bind 192.168.1.115:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    


backend phpmyadmin
    mode tcp
    option ssl-hello-chk
    server phpmyadmin 127.0.0.1:555 check

backend nextcloud
    mode tcp
    option ssl-hello-chk
    server nextcloud 127.0.0.2:444 check

listen stats
        bind 192.168.1.115:443 ssl crt /etc/haproxy/haproxy.pem 
        stats enable                    # enable statistics reports  
        stats hide-version              # Hide the version of HAProxy
        stats refresh 30s               # HAProxy refresh time
        stats show-node                 # Shows the hostname of the node
        stats auth haadmin:P@ssword     # Enforce Basic authentication for Stats page
        stats uri /stats                # Statistics URL

server phpmyadmin 127.0.0.1:555 send-proxy-v2 check
server nextcloud 127.0.0.2:444 send-proxy-v2 check

LinuxBabe · September 13, 2021, 1:31am

You didn’t follow exactly what I instructed. In my tutorial, TLS termination is done by Apache/Nginx. Your configuration makes HAProxy take care of TLS termination.

I already explained how to make HAProxy point to each individual domain.

use_backend nginx if { req_ssl_sni -i domain1.com }
use_backend apache if { req_ssl_sni -i domain2.com }

JohnnyBeGood · September 14, 2021, 5:23am

Thanks for the reply!

I was thinking I needed to have a separate domain for each service I was pointing to and subdomains would not work. My bad.

Now I have it included:

frontend http
    bind 192.168.1.115:80
    mode http
    redirect scheme https code 301

frontend https
    bind 192.168.1.115:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

use_backend nextcloud if { req_ssl_sni -i nextcloud.myhomedomain.net }
use_backend phpmyadmin if { req_ssl_sni -i phpmyadmin.myhomedomain.net }

backend phpmyadmin
    mode tcp
    option ssl-hello-chk
    server phpmyadmin 127.0.0.1:555 check

backend nextcloud
    mode tcp
    option ssl-hello-chk
    server nextcloud 127.0.0.2:444 check 

listen stats
        bind 192.168.1.115:443 ssl crt /etc/haproxy/haproxy.pem 
        stats enable                    # enable statistics reports  
        stats hide-version              # Hide the version of HAProxy
        stats refresh 30s               # HAProxy refresh time
        stats show-node                 # Shows the hostname of the node
        stats auth haadmin:P@ssword     # Enforce Basic authentication for Stats page
        stats uri /stats                # Statistics URL

server phpmyadmin 127.0.0.1:555 send-proxy-v2 check
server nextcloud 127.0.0.2:444 send-proxy-v2 check

It still complains that “Your connection is not private” when I try to visit either of the domains:
This server could not prove that it is nextcloud.myhomedomain .net; its security certificate is from ubuntu.myhomedomain .net. This may be caused by a misconfiguration or an attacker intercepting your connection.

Proceed to nextcloud.myhomedomain.net (unsafe))

Is Cloudfare setup section optional? I would prefer not to use it.
If you could take a look over my settings and let me know what I’m doing wrong I would really appreciate it!

johnny@ubuntu:~$ sudo netstat -plnt |grep :443
tcp        0      0 192.168.1.115:443       0.0.0.0:*               LISTEN      966502/haproxy      
tcp        0      0 192.168.1.115:443       0.0.0.0:*               LISTEN      966502/haproxy      
johnny@ubuntu:~$ sudo netstat -plnt |grep :444
tcp        0      0 127.0.0.2:444           0.0.0.0:*               LISTEN      780043/apache2      
johnny@ubuntu:~$ sudo netstat -plnt |grep :555
tcp        0      0 0.0.0.0:555             0.0.0.0:*               LISTEN      966390/nginx: maste 
tcp6       0      0 :::555                  :::*                    LISTEN      966390/nginx: maste 
johnny@ubuntu:~$

/etc/nginx/conf.d/phpmyadmin.conf

server {
  server_name phpmyadmin.myhomedomain.net;
  root /usr/share/phpmyadmin/;
  index index.php index.html index.htm index.nginx-debian.html;

  access_log /var/log/nginx/phpmyadmin_access.log;
  error_log /var/log/nginx/phpmyadmin_error.log;

  location / {
    try_files $uri $uri/ /index.php;
  }

  location ~ ^/(doc|sql|setup)/ {
    deny all;
  }

  location ~ \.php$ {
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    include snippets/fastcgi-php.conf;
  }

  location ~ /\.ht {
    deny all;
  }

    listen [::]:555 ssl ipv6only=on; # managed by Certbot
    listen 127.0.0.1:443 ssl http2 proxy_protocol; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/phpmyadmin.myhomedomain.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/phpmyadmin.myhomedomain.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot


    ssl_trusted_certificate /etc/letsencrypt/live/phpmyadmin.myhomedomain.net/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

}
server {
    if ($host = phpmyadmin.myhomedomain.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen 8888;
  listen [::]:8888;
  server_name phpmyadmin.myhomedomain.net;
  root /usr/share/phpmyadmin/;
  index index.php index.html index.htm index.nginx-debian.html;

  access_log /var/log/nginx/phpmyadmin_access.log;
  error_log /var/log/nginx/phpmyadmin_error.log;

  location / {
    try_files $uri $uri/ /index.php;
  }

  location ~ ^/(doc|sql|setup)/ {
    deny all;
  }

  location ~ \.php$ {
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    include snippets/fastcgi-php.conf;
  }

  location ~ /\.ht {
    deny all;
  }




}

/etc/apache2/sites-available/nextcloud-le-ssl.conf

<IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
<VirtualHost 127.0.0.2:444>
        RemoteIPProxyProtocol On
        RemoteIPHeader X-Forwarded-For
        RemoteIPTrustedProxy 127.0.0.1
        DocumentRoot "/var/www/nextcloud"
        ServerName nextcloud.myhomedomain.net

        ErrorLog ${APACHE_LOG_DIR}/nextcloud.error
        CustomLog ${APACHE_LOG_DIR}/nextcloud.access combined

        <Directory /var/www/nextcloud/>
            Require all granted
            Options FollowSymlinks MultiViews
            AllowOverride All

           <IfModule mod_dav.c>
               Dav off
           </IfModule>

        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
        Satisfy Any

       </Directory>


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/nextcloud.myhomedomain.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.myhomedomain.net/privkey.pem
SSLUseStapling on
</VirtualHost>
</IfModule>

Btw, I sent you a beer

LinuxBabe · September 14, 2021, 9:38am

Why are you making Apache listen on port 444 and Nginx listen on port 555?

I recommend:
Nginx: 127.0.0.1:443
Apache: 127.0.0.2: 443

You can remove the following code.

listen stats
        bind 192.168.1.115:443 ssl crt /etc/haproxy/haproxy.pem 
        stats enable                    # enable statistics reports  
        stats hide-version              # Hide the version of HAProxy
        stats refresh 30s               # HAProxy refresh time
        stats show-node                 # Shows the hostname of the node
        stats auth haadmin:P@ssword     # Enforce Basic authentication for Stats page
        stats uri /stats                # Statistics URL

It’s interfering with TLS connection. As I explained before, you need to install TLS certificate on the back end server (Apache/Nginx)

LinuxBabe · September 15, 2021, 1:34am

Yes, Cloudflare is optional.

JohnnyBeGood · September 15, 2021, 2:30am

Ok, the reason I was thinking I need to change it is because I already had HAProxy using port 443, but that was on 192.168.1.1115 interface. I was wrong. Now I changed it to match the tutorial.
As suggested I removed the stats section but I’m getting warnings about the name. I’ve tried changing backend nextcloud to backend next-cloud, but it didn’t make any difference?

johnny@ubuntu:~$ sudo systemctl restart nginx
johnny@ubuntu:~$ sudo systemctl restart apache2
johnny@ubuntu:~$ sudo systemctl restart haproxy
Job for haproxy.service failed because the control process exited with error code.
See "systemctl status haproxy.service" and "journalctl -xe" for details.
johnny@ubuntu:~$ sudo netstat -plnt |grep :443
tcp        0      0 127.0.0.2:443           0.0.0.0:*               LISTEN      1107702/apache2     
tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN      1107669/nginx: mast 
tcp6       0      0 :::443                  :::*                    LISTEN      1107669/nginx: mast 
johnny@ubuntu:~$ sudo tail -n 20 /var/log/haproxy.log
Sep 14 19:01:37 ubuntu haproxy[1107559]: [ALERT] 256/190137 (1107559) : parsing [/etc/haproxy/haproxy.cfg:61] : backend 'nextcloud2', another server named 'nextcloud' was already defined at line 58, please use distinct names.
Sep 14 19:01:37 ubuntu haproxy[1107559]: [ALERT] 256/190137 (1107559) : Fatal errors found in configuration.
Sep 14 19:01:38 ubuntu haproxy[1107560]: [ALERT] 256/190138 (1107560) : Proxy 'https': unable to find required use_backend: 'nextcloud'.
Sep 14 19:01:38 ubuntu haproxy[1107560]: [ALERT] 256/190138 (1107560) : Proxy 'https': unable to find required use_backend: 'phpmyadmin'.
Sep 14 19:01:38 ubuntu haproxy[1107560]: [ALERT] 256/190138 (1107560) : parsing [/etc/haproxy/haproxy.cfg:61] : backend 'nextcloud2', another server named 'nextcloud' was already defined at line 58, please use distinct names.
Sep 14 19:01:38 ubuntu haproxy[1107560]: [ALERT] 256/190138 (1107560) : Fatal errors found in configuration.
Sep 14 19:01:38 ubuntu haproxy[1107561]: [ALERT] 256/190138 (1107561) : Proxy 'https': unable to find required use_backend: 'nextcloud'.
Sep 14 19:01:38 ubuntu haproxy[1107561]: [ALERT] 256/190138 (1107561) : Proxy 'https': unable to find required use_backend: 'phpmyadmin'.
Sep 14 19:01:38 ubuntu haproxy[1107561]: [ALERT] 256/190138 (1107561) : parsing [/etc/haproxy/haproxy.cfg:61] : backend 'nextcloud2', another server named 'nextcloud' was already defined at line 58, please use distinct names.
Sep 14 19:01:38 ubuntu haproxy[1107561]: [ALERT] 256/190138 (1107561) : Fatal errors found in configuration.
Sep 14 19:02:46 ubuntu haproxy[1107717]: [ALERT] 256/190246 (1107717) : parsing [/etc/haproxy/haproxy.cfg:61] : backend 'nextcloud', another server named 'nextcloud' was already defined at line 58, please use distinct names.
Sep 14 19:02:46 ubuntu haproxy[1107717]: [ALERT] 256/190246 (1107717) : Fatal errors found in configuration.
Sep 14 19:02:46 ubuntu haproxy[1107732]: [ALERT] 256/190246 (1107732) : parsing [/etc/haproxy/haproxy.cfg:61] : backend 'nextcloud', another server named 'nextcloud' was already defined at line 58, please use distinct names.
Sep 14 19:02:46 ubuntu haproxy[1107732]: [ALERT] 256/190246 (1107732) : Fatal errors found in configuration.
Sep 14 19:02:46 ubuntu haproxy[1107733]: [ALERT] 256/190246 (1107733) : parsing [/etc/haproxy/haproxy.cfg:61] : backend 'nextcloud', another server named 'nextcloud' was already defined at line 58, please use distinct names.
Sep 14 19:02:46 ubuntu haproxy[1107733]: [ALERT] 256/190246 (1107733) : Fatal errors found in configuration.
Sep 14 19:02:47 ubuntu haproxy[1107734]: [ALERT] 256/190247 (1107734) : parsing [/etc/haproxy/haproxy.cfg:61] : backend 'nextcloud', another server named 'nextcloud' was already defined at line 58, please use distinct names.
Sep 14 19:02:47 ubuntu haproxy[1107734]: [ALERT] 256/190247 (1107734) : Fatal errors found in configuration.
Sep 14 19:02:47 ubuntu haproxy[1107735]: [ALERT] 256/190247 (1107735) : parsing [/etc/haproxy/haproxy.cfg:61] : backend 'nextcloud', another server named 'nextcloud' was already defined at line 58, please use distinct names.
Sep 14 19:02:47 ubuntu haproxy[1107735]: [ALERT] 256/190247 (1107735) : Fatal errors found in configuration.
johnny@ubuntu:~$

Here’s my new haproxy.cfg

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
	tune.ssl.default-dh-param 2048
defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend http
    bind 192.168.1.115:80
    mode http
    redirect scheme https code 301

frontend https
    bind 192.168.1.115:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

use_backend nextcloud if { req_ssl_sni -i nextcloud. myhomedomain.net }
use_backend phpmyadmin if { req_ssl_sni -i phpmyadmin. myhomedomain.net }

backend phpmyadmin
    mode tcp
    option ssl-hello-chk
    server phpmyadmin 127.0.0.1:443 check

backend nextcloud
    mode tcp
    option ssl-hello-chk
    server nextcloud 127.0.0.2:443 check 

server phpmyadmin 127.0.0.1:443 send-proxy-v2 check
server nextcloud 127.0.0.2:443 send-proxy-v2 check

LinuxBabe · September 15, 2021, 3:31am

Remove the following two lines.

server phpmyadmin 127.0.0.1:443 send-proxy-v2 check
server nextcloud 127.0.0.2:443 send-proxy-v2 check

The send-proxy-v2 parameter should be placed in the backend definition.

backend phpmyadmin
    mode tcp
    option ssl-hello-chk
    server phpmyadmin 127.0.0.1:443 send-proxy-v2 check

backend nextcloud
    mode tcp
    option ssl-hello-chk
    server nextcloud 127.0.0.2:443 send-proxy-v2 check

Then restart HAProxy.

JohnnyBeGood · September 15, 2021, 5:43am

Thank you! It works now!

The only issue that I have discovered once I tried connecting from outside my LAN is that I have other services that I would like to go through HAProxy i.e. thinkserver.myhomedomain.net, but I’m getting “This site can’t be reached”. Most likely below is incorrect.
Would you know what else I can try?

use_backend nextcloud if { req_ssl_sni -i nextcloud.myhomedomain.net }
use_backend phpmyadmin if { req_ssl_sni -i phpmyadmin.myhomedomain.net }
use_backend thinkserver if { req_ssl_sni -i thinkserver.myhomedomain.net }



backend phpmyadmin
    mode tcp
    option ssl-hello-chk
    server phpmyadmin 127.0.0.1:443 send-proxy-v2 check

backend nextcloud
    mode tcp
    option ssl-hello-chk
    server nextcloud 127.0.0.2:443 send-proxy-v2 check 

backend thinkserver
    mode tcp
    option ssl-hello-chk
    server thinkserver 192.168.111:443 send-proxy-v2 check

LinuxBabe · September 15, 2021, 6:35am

If you have Apache and Nginx web servers, then you need only two backends: one for Apache and one for Nginx.

When you need to add another domain ( or sub-domain), you don’t need to add a new backend. Instead, you should create a new virtual host for the new domain (or sub-domain) in Apache or Nginx.

frontend http
    bind 12.34.56.78:80
    mode http
    redirect scheme https code 301

frontend https
    bind 12.34.56.78:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    default_backend nginx

    use_backend nginx if { req_ssl_sni -i domain1.com }
    use_backend nginx if { req_ssl_sni -i sub.domain1.com }
    use_backend apache if { req_ssl_sni -i domain2.com }
    use_backend apache if { req_ssl_sni -i sub.domain2.com }

backend nginx
    mode tcp
    option ssl-hello-chk
    server nginx 127.0.0.1:443 check

backend apache
    mode tcp
    option ssl-hello-chk
    server apache 127.0.0.2:443 check

I recommend using apache and nginx as the backend name like in the above code, so you know which web server is hosting which application.

JohnnyBeGood · September 15, 2021, 11:40pm

I appreciate your patiance!
I do want to have both Apache and Nginx.
My other services are VMs with different services ie. FreePBX, ESXi, TrueNAS etc.
Each one has its own SSL on its VM and internal IP ie. 192.168.1.111 is ESXi, 192.168.1.104 is FreePBX and so on.
When I leave bind 192.168.1.115:443 on both frontend http and https, I no longer can open neither of the subdomains ie. nextcloud.myhomedomain.net I get “This site can’t be reached”

If I change it to bind my.public.ip:443 it complains about not being able to bind.
Although port 443 is on 127.0.0.1 and 127.0.0.2 interfaces?

johnny@ubuntu:~$ sudo tail -n 14 /var/log/haproxy.log
Sep 15 16:24:23 ubuntu haproxy[1242222]: [WARNING] 257/162423 (1242222) : parsing [/etc/haproxy/haproxy.cfg:23] : 'option httplog' not usable with frontend 'https' (needs 'mode http'). Falling back to 'option tcplog'.
Sep 15 16:24:23 ubuntu haproxy[1242222]: [ALERT] 257/162423 (1242222) : Starting frontend http: cannot bind socket [my.public.ip:80]
Sep 15 16:24:23 ubuntu haproxy[1242222]: [ALERT] 257/162423 (1242222) : Starting frontend https: cannot bind socket [my.public.ip:443]
Sep 15 16:24:24 ubuntu haproxy[1242222]: Proxy nginx started.
Sep 15 16:24:24 ubuntu haproxy[1242222]: Proxy nginx started.
Sep 15 16:24:24 ubuntu haproxy[1242222]: Proxy apache started.
Sep 15 16:24:24 ubuntu haproxy[1242222]: Proxy apache started.
Sep 15 16:24:24 ubuntu haproxy[1242224]: [WARNING] 257/162424 (1242224) : parsing [/etc/haproxy/haproxy.cfg:23] : 'option httplog' not usable with frontend 'https' (needs 'mode http'). Falling back to 'option tcplog'.
Sep 15 16:24:24 ubuntu haproxy[1242224]: [ALERT] 257/162424 (1242224) : Starting frontend http: cannot bind socket [my.public.ip:80]
Sep 15 16:24:24 ubuntu haproxy[1242224]: [ALERT] 257/162424 (1242224) : Starting frontend https: cannot bind socket [my.public.ip:443]
Sep 15 16:24:24 ubuntu haproxy[1242224]: Proxy nginx started.
Sep 15 16:24:24 ubuntu haproxy[1242224]: Proxy nginx started.
Sep 15 16:24:24 ubuntu haproxy[1242224]: Proxy apache started.
Sep 15 16:24:24 ubuntu haproxy[1242224]: Proxy apache started.
johnny@ubuntu:~$ sudo netstat -plnt |grep :443
tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN      1208712/nginx: mast 
tcp        0      0 127.0.0.2:443           0.0.0.0:*               LISTEN      1208662/apache2     
tcp6       0      0 :::443                  :::*                    LISTEN      1208712/nginx: mast 
johnny@ubuntu:~$ sudo netstat -plnt |grep :80
johnny@ubuntu:~$

I can’t enter another line use_backend apache or ngnix for ie. TrueNAS in haproxy.cfg because that service is not served via apache or ngnix

frontend http
    bind bind my.public.ip:80
    mode http
    redirect scheme https code 301

frontend https
    bind my.public.ip:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    default_backend nginx



    use_backend nginx if { req_ssl_sni -i phpmyadmin.myhomedomain.net }
    use_backend apache if { req_ssl_sni -i  nextcloud.myhomedomain.net }
    



backend nginx
    mode tcp
    option ssl-hello-chk
    server nginx 127.0.0.1:443 check

backend apache
    mode tcp
    option ssl-hello-chk
    server apache 127.0.0.2:443 check

LinuxBabe · September 16, 2021, 2:16am

You should configure HAProxy to bind the LAN IP address as usual.

bind 192.168.1.115:443

Then you need to add a backend for ESXi and FreePBX. HAProxy can also redirect traffic to other hosts in the LAN.

frontend http
    bind 192.168.1.115:80
    mode http
    redirect scheme https code 301

frontend https
    bind 192.168.1.115:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    default_backend nginx

    use_backend nginx if { req_ssl_sni -i phpmyadmin.myhomedomain.net }
    use_backend apache if { req_ssl_sni -i  nextcloud.myhomedomain.net }
    use_backend exsi if { req_ssl_sni -i virtual.host.on.exsi }
    use_backend freepbx if { req_ssl_sni -i virtual.host.on.freebpx }
   
backend nginx
    mode tcp
    option ssl-hello-chk
    server nginx 127.0.0.1:443 check

backend apache
    mode tcp
    option ssl-hello-chk
    server apache 127.0.0.2:443 check

backend esxi
    mode tcp
    option ssl-hello-chk
    server exsi 192.168.1.111:443 check

backend freepbx 
     mode tcp
     option ssl-hello-chk
     server freebpx 192.168.1.104:443 check

The virtual hosts on EXSi and FreePBX should also enable HTTPS.

JohnnyBeGood · September 16, 2021, 4:35am

I wish I can report this working, but it’s not

If I try to access truenas.myhomedomain.net from the outside my LAN it opens. When I open a new tab and try to access freepbx.myhomedomain.net it tries again to open truenas and it adds sign in URL automatically at the end of the domain ie. freepbx.myhomedomain.net/ui/sessions/signin. If I wait few minutes and try again in the new tab it opens freepbx.myhomedomain.net.
thinkserver.myhomedomain.net never opens. Same with nextcloud.myhomedomain.net and phpmyadmin.myhomedomain.net “This site can’t be reached”

Each host has a valid certificate.

frontend http
    bind 192.168.1.115:80
    mode http
    redirect scheme https code 301

frontend https
    bind 192.168.1.115:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    default_backend nginx

    use_backend nginx if { req_ssl_sni -i phpmyadmin.myhomedomain.net }
    use_backend apache if { req_ssl_sni -i  nextcloud.myhomedomain.net }
    use_backend thinkserver if { req_ssl_sni -i thinkserver.myhomedomain.net }
    use_backend freepbx if { req_ssl_sni -i freepbx.myhomedomain.net }
    use_backend truenas if { req_ssl_sni -i truenas.myhomedomain.net }

   
backend nginx
    mode tcp
    option ssl-hello-chk
    server nginx 127.0.0.1:443 check

backend apache
    mode tcp
    option ssl-hello-chk
    server apache 127.0.0.2:443 check

backend thinkserver
    mode tcp
    option ssl-hello-chk
    server thinkserver 192.168.1.111:443 check

backend freepbx 
     mode tcp
     option ssl-hello-chk
     server freebpx 192.168.1.104:443 check

backend truenas 
     mode tcp
     option ssl-hello-chk
     server truenas 192.168.1.113:443 check




johnny@ubuntu:~$ sudo tail -n 14 /var/log/haproxy.log
Sep 15 21:14:18 ubuntu haproxy[1274560]: 192.99.18x.xxx:52086 [15/Sep/2021:21:14:17.960] https freepbx/freebpx 90/0/251 593 -- 1/1/0/0/0 0/0
Sep 15 21:14:23 ubuntu haproxy[1274560]: 192.99.18x.xxx:57061 [15/Sep/2021:21:14:23.256] https freepbx/freebpx 81/0/250 593 -- 1/1/0/0/0 0/0
Sep 15 21:14:28 ubuntu haproxy[1274560]: 192.99.18x.xxx:64188 [15/Sep/2021:21:14:28.574] https freepbx/freebpx 76/1/243 593 -- 1/1/0/0/0 0/0
Sep 15 21:14:34 ubuntu haproxy[1274560]: 192.99.18x.xxx:58043 [15/Sep/2021:21:14:33.886] https freepbx/freebpx 86/1/250 593 -- 1/1/0/0/0 0/0
Sep 15 21:14:39 ubuntu haproxy[1274560]: 192.99.18x.xxx:61930 [15/Sep/2021:21:14:39.280] https freepbx/freebpx 75/0/236 593 -- 1/1/0/0/0 0/0
Sep 15 21:14:44 ubuntu haproxy[1274560]: 192.99.18x.xxx:49473 [15/Sep/2021:21:14:44.667] https freepbx/freebpx 82/0/245 593 -- 1/1/0/0/0 0/0
Sep 15 21:14:50 ubuntu haproxy[1274560]: 192.99.18x.xxx:65421 [15/Sep/2021:21:14:50.081] https freepbx/freebpx 81/0/247 593 -- 1/1/0/0/0 0/0
Sep 15 21:14:55 ubuntu haproxy[1274560]: 192.99.18x.xxx:55622 [15/Sep/2021:21:14:55.441] https freepbx/freebpx 91/0/252 593 -- 1/1/0/0/0 0/0
Sep 15 21:15:01 ubuntu haproxy[1274560]: 192.99.18x.xxx:58101 [15/Sep/2021:21:15:01.137] https freepbx/freebpx 77/0/247 593 -- 1/1/0/0/0 0/0
Sep 15 21:15:47 ubuntu haproxy[1274560]: 192.99.18x.xxx:55323 [15/Sep/2021:21:15:02.929] https freepbx/freebpx 85/0/44937 658 -- 1/1/0/0/0 0/0
Sep 15 21:16:38 ubuntu haproxy[1274560]: 192.99.18x.xxx:51746 [15/Sep/2021:21:15:47.866] https freepbx/freebpx 84/0/50981 105103 cD 1/1/0/0/0 0/0
Sep 15 21:19:01 ubuntu haproxy[1274560]: 192.99.18x.xxx:61275 [15/Sep/2021:21:18:09.910] https truenas/truenas 84/0/51383 890958 cD 2/2/1/1/0 0/0
Sep 15 21:19:17 ubuntu haproxy[1274560]: 106.0.59.xxx:34235 [15/Sep/2021:21:19:17.065] http http/<NOSRV> 0/-1/-1/-1/0 301 86 - - LR-- 3/2/0/0/0 0/0 "GET / HTTP/1.0"
Sep 15 21:20:48 ubuntu haproxy[1274560]: 103.219.217.xxx:46959 [15/Sep/2021:21:20:48.884] http http/<NOSRV> 0/-1/-1/-1/0 301 86 - - LR-- 3/2/0/0/0 0/0 "GET / HTTP/1.0"
johnny@ubuntu:~$

LinuxBabe · September 19, 2021, 2:27am

If you have enabled fetching real IP in Nginx/Apache, then you should add the send-proxy-v2 parameter in HAProxy.

backend nginx
    mode tcp
    option ssl-hello-chk
    server nginx 127.0.0.1:443 send-proxy-v2 check

backend apache
    mode tcp
    option ssl-hello-chk
    server apache 127.0.0.2:443 send-proxy-v2 check

JohnnyBeGood · September 20, 2021, 5:32am

Ok, I already have fetching real IP in Nginx and Apache enabled as per tutorial. When I try to access ie. thinkserver.myhomedomain.net from outside my LAN it does not load “This site can’t be reached”.
I still have unexplaied behavior between freepbx and truenas as explained in my previous reply.
Both nextcloud and phpmyadmin are now loading!

frontend http
    bind 192.168.1.115:80
    mode http
    redirect scheme https code 301

frontend https
    bind 192.168.1.115:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    default_backend nginx

    use_backend nginx if { req_ssl_sni -i phpmyadmin.myhomedomain.net }
    use_backend apache if { req_ssl_sni -i  nextcloud.myhomedomain.net }
    use_backend thinkserver if { req_ssl_sni -i thinkserver.myhomedomain.net }
    use_backend freepbx if { req_ssl_sni -i freepbx.myhomedomain.net }
    use_backend truenas if { req_ssl_sni -i truenas.myhomedomain.net }

   
backend nginx
    mode tcp
    option ssl-hello-chk
    server nginx 127.0.0.1:443 send-proxy-v2 check

backend apache
    mode tcp
    option ssl-hello-chk
    server apache 127.0.0.2:443 send-proxy-v2 check

backend thinkserver
    mode tcp
    option ssl-hello-chk
    server thinkserver 192.168.1.111:443 check

backend freepbx 
     mode tcp
     option ssl-hello-chk
     server freebpx 192.168.1.104:443 check

backend truenas 
     mode tcp
     option ssl-hello-chk
     server truenas 192.168.1.113:443 check