Can't change lighttpd's port for HaProxy reverse proxy Topic is solved

Joulinar
Posts: 2077
Joined: Sat Nov 16, 2019 12:49 am

Re: Can't change lighttpd's port for HaProxy reverse proxy

Post by Joulinar »

No, I don't have this issue. You could exclude port 443 in your haproxy config, as well as ensure you are using http in your web browser.
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
Rilic
Posts: 42
Joined: Thu May 07, 2020 4:14 pm

Re: Can't change lighttpd's port for HaProxy reverse proxy

Post by Rilic »

I got HaProxy working thanks to some amazing people over on the /r/homelab Discord! I have one last question to do with DietPi, though.

Can I have a certificate for each domain, one for git.example.com and another for example.com, using dietpi-letsencrypt? Or is there a command that will do that for me with autorenewal?
Joulinar
Posts: 2077
Joined: Sat Nov 16, 2019 12:49 am

Re: Can't change lighttpd's port for HaProxy reverse proxy

Post by Joulinar »

Yes, it should be possible to have more than one certificate created.

Maybe you can share your amazing HaProxy configuration. Just in case someone else is looking for a similar setup ;)
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
Rilic
Posts: 42
Joined: Thu May 07, 2020 4:14 pm

Re: Can't change lighttpd's port for HaProxy reverse proxy

Post by Rilic »

I got a second cert for my Gitea instance, but it can't access it, probably due to file permissions. Is there a quick command I can use for Gitea to be able to access it?

Here's some output from Gitea's log:


Failed to start server: open /etc/letsencrypt/live/git.example.com/privkey.pem: permission denied
Rilic
Posts: 42
Joined: Thu May 07, 2020 4:14 pm

Re: Can't change lighttpd's port for HaProxy reverse proxy

Post by Rilic »

Figured it out on my own! I'll post my haproxy config now:


global

	# rsyslog is required for logging
	#log /var/log    local0
	#log /var/log    local1 notice
	maxconn 64
	log 127.0.0.1 local0 notice
	# Jail directory
	chroot /var/lib/haproxy
	stats socket /run/haproxy.sock mode 660 level admin
	stats timeout 30s
	user root
	group root
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL).
	ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

defaults

	log     global
	mode    tcp
	option  tcplog
	option  dontlognull
	timeout connect 5000
	timeout client  50000
	timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend https-in
	bind *:80
	bind *:443
	mode tcp
	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }

	use_backend lighttpd_backend if { req_ssl_sni -i example.com }
	use_backend gitea_backend if { req_ssl_sni -i git.example.com }

backend lighttpd_backend
	mode tcp
	server lighttpd_server 127.0.0.1:8080 check

backend gitea_backend
	mode tcp
	server gitea_server 127.0.0.1:3000 check

# Admin web page

	#listen stats
	#bind *:4264
	#stats enable
	#stats uri /
	#stats hide-version
	#stats auth admin:dietpi

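As an added illustration, not code from the thread, the Python below mirrors what the frontend's `req_ssl_hello_type 1` and `req_ssl_sni -i` rules do: it pulls the SNI host name out of a raw TLS ClientHello and picks a backend by case-insensitive match, returning nothing for anything that is not a ClientHello (a plaintext HTTP request on port 80 matches no use_backend rule in this config, and there is no default_backend to catch it). The backend map is an assumption copied from the posted rules, and the ClientHello used as input is constructed inside the block.

```python
import struct

# Backend map copied from the posted use_backend rules (assumed; adjust to your own hosts).
BACKENDS = {"example.com": ("lighttpd_backend", "127.0.0.1:8080"),
            "git.example.com": ("gitea_backend", "127.0.0.1:3000")}

def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying one SNI host_name (test input only)."""
    name = sni.encode()
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, type, name len
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list                 # extension type 0 = SNI
    body = (b"\x03\x03" + bytes(32) + b"\x00"              # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"             # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(data: bytes):
    """Return the SNI host_name of a TLS ClientHello, or None when there is none to match."""
    try:
        if data[0] != 0x16:                                  # not a TLS handshake record
            return None
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if hs[0] != 0x01:                                    # req_ssl_hello_type 1: ClientHello only
            return None
        pos = 4 + 2 + 32                                     # handshake header, version, random
        pos += 1 + hs[pos]                                   # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                                   # compression methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                                   # server_name: skip list len + name type
                nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        pass                                                 # truncated or non-TLS bytes
    return None

def choose_backend(data: bytes):
    """Mirror the frontend: only a ClientHello with a matching SNI (case-insensitive) is routed."""
    sni = parse_sni(data)
    return BACKENDS.get(sni.lower()) if sni is not None else None
```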
Joulinar
Posts: 2077
Joined: Sat Nov 16, 2019 12:49 am

Re: Can't change lighttpd's port for HaProxy reverse proxy

Post by Joulinar »

Where do you do SSL termination now? On HaProxy?
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
Rilic
Posts: 42
Joined: Thu May 07, 2020 4:14 pm

Re: Can't change lighttpd's port for HaProxy reverse proxy

Post by Rilic »

SSL is now passing through to each service so HAProxy doesn't do anything other than pass the encrypted data through. lighttpd and Gitea get their certificates in their own config files and decrypt the data themselves.