HAProxy for IPv4

Hi guys!
I need some help in understanding some basics.

I used to have an IPv4-only ISP. I had an nginx reverse proxy with Let's Encrypt for multiple subdomains.
The nginx proxy would redirect unencrypted to the other hosts. Yeah, I know this is not ideal :slight_smile:

Now I have a dual-stack ISP with a static IPv6 /48 prefix. Hurray!
I decided to start by migrating my voice chat software, Mumble.
mumble.example.com has an AAAA record that directly points to the Mumble host and the firewall. It is simple and beautiful in my opinion. No NAT, and it even works if the proxy is down. For the IPv4-only users, there is a NAT with the Mumble port 64738. Let's Encrypt is done on the Mumble host with certbot.

I also have another web page, to track time, called time.example.com.
I added an AAAA record and a Let's Encrypt cert. Works great. But my cellphone carrier is IPv4 only.
And this time, I can't use a port, because it uses 443.

I tried to proxy pass the traffic with nginx without luck. Somewhere I read that HAProxy is perfect for this. I tried to set up HAProxy on OPNsense but could not get it to work.

Just to nudge me in the right direction, does HAProxy need a cert itself?
Does it just proxy everything without even touching it?
Or does that seem like a man in the middle attack and that is why I need also a cert on HAProxy?
I tried getting a cert for time.example.com on the proxy and the host but that did not work.


Hi @JamesAtWork,

I'm not sure how to set up HAProxy, but in general reverse proxies could do either of these; the first version would need a cert of its own, while the second version wouldn't. It depends on which layer of the protocol stack the proxying is happening at.

You could probably also choose to configure the web service to listen on another port, and then you could specify this in your web browser with the URL syntax https://time.example.com:port/.

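The two models described in the reply, written out as an added example in raw haproxy.cfg syntax (this is not from the thread and not the file the OPNsense HAProxy plugin generates, although its GUI fields map onto the same keywords). The IPv6 address 2001:db8::10, the second frontend's port 8443 and the file paths are placeholders.

```haproxy
# Added example: two ways HAProxy can put time.example.com in front of an
# IPv6-only origin for IPv4 clients. Addresses and paths are placeholders.

# --- Model 1: layer-4 (TCP) passthrough. HAProxy only peeks at the
# unencrypted ClientHello to read the SNI, then forwards the bytes as-is.
# TLS terminates on the origin, so the proxy needs no cert and never sees
# plaintext. Cost: the origin logs the proxy's IP, not the client's,
# unless you add "send-proxy" and the origin speaks the PROXY protocol.
frontend fe_tls_passthrough
    bind 0.0.0.0:443
    mode tcp
    option tcplog
    # Hold the connection up to 5s until a full ClientHello has arrived;
    # otherwise req.ssl_sni is empty and nothing matches.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_time_tcp if { req.ssl_sni -i time.example.com }
    # No default_backend: a connection with an unknown SNI is closed.

backend be_time_tcp
    mode tcp
    server time [2001:db8::10]:443 check

# --- Model 2: layer-7 termination. HAProxy holds its own cert for
# time.example.com (certbot's fullchain.pem and privkey.pem concatenated
# into one file), decrypts, and can inspect or modify HTTP. This is the
# "man in the middle" the question asks about, but one you operate.
# Bound to 8443 here only so both models fit in one file; in practice
# you would run one of the two on 443.
frontend fe_tls_terminate
    bind 0.0.0.0:8443 ssl crt /usr/local/etc/haproxy/time.example.com.pem
    mode http
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend be_time_http

backend be_time_http
    mode http
    # Re-encrypt to the origin and verify its cert against the system CA
    # bundle, so the proxy-to-origin hop is not silently downgraded.
    server time [2001:db8::10]:443 ssl verify required ca-file /etc/ssl/cert.pem sni str(time.example.com) check
```

With model 1 the existing certbot setup on the time host keeps working unchanged; with model 2 the proxy holds a second copy of the certificate that you have to renew as well.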

Thank you for your answer. Great to hear that in theory the second version is possible.
OPNsense documentation on HAProxy is pretty scarce. I will give the HAProxy documentation another try :slight_smile:

You could probably also choose to configure the web service to listen on another port, and then you could specify this in your web browser with the URL syntax https://time.example.com:port/.

I could, but then I would need to change the IPv6 port too, because the mobile app does not know whether it should connect to time.example.com via IPv6 or to time.example.com:4000 via IPv4.
That seems too much of a hassle just for legacy IP. Before I use ports, I start up my VPN :wink:
