Hi,
I have a problem with the certificate for a CT in which Nextcloud is installed.
I have a dedicated server with Proxmox.
On Proxmox all the traffic is routed through pfSense, and I've configured the Cloudflare CA on my IP, and that works: proxmox.xxxx.be is properly secured.
But I would like to have access to my cloud (Nextcloud in a CT) from outside and use a second subdomain, cloud.xxxx.be, which would be routed to an internal IP.
For now my two subdomains are configured to my public IP in Cloudflare.
So is that possible? Do I need to use another tool like HAProxy?
Thanks for your help
Or use nginx as a reverse proxy, or HAProxy (which I prefer because the basic configuration is easier). The advantage of a reverse proxy is that you can point as many subdomains as you like to the same IP, and you would not have to add the alternative HTTP (8081 for example) or HTTPS (8443 for example) ports to your URL when you want to access your hosts.
Another option to avoid entering the port can be a Page Rule which will forward you. But the URL remains ugly then.
Hi,
Yes, I saw HAProxy on pfSense and I've installed the package.
But the configuration is a problem lol
First question: do I need to create another certificate with the Cloudflare ID, or can I keep the one that already works for proxmox.xxx.be?
Here is my configuration on HAProxy:
'Problem' with HAProxy is that SNI support is needed in order to handle encrypted requests. I don't know the pfSense frontend unfortunately, I use the old-fashioned way ^^.
If you are using Cloudflare's origin certificates, you don't need a new one, as they are wildcard. Just generate one and install it on all your hosts.
It's fine if you don't use HTTP for something.
Here's a small part of my config.
global
    daemon
    maxconn 2560

defaults
    mode tcp
    # the frontend is in TCP mode, so log in tcplog format ('option httplog'
    # is only usable with 'mode http' and would fall back to tcplog with a warning)
    option tcplog
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

# one TCP frontend for plain HTTP (80) and TLS (443): HTTP requests are routed
# on the Host header, TLS connections on the unencrypted SNI in the ClientHello,
# so HAProxy itself needs no certificate and never decrypts anything
frontend http_in
    mode tcp
    bind *:80
    bind *:443
    # buffer up to 5s until a ClientHello or an HTTP request can be recognised
    tcp-request inspect-delay 5s
    # req.ssl_ver 3 matches SSL 3.0 only (TLS 1.0 is announced as 3.1)
    acl sslv3 req.ssl_ver 3
    tcp-request content reject if sslv3
    # stop waiting as soon as either kind of request is there; without the
    # HTTP rule, plain HTTP connections sit out the full 5s inspect delay
    tcp-request content accept if HTTP
    tcp-request content accept if { req_ssl_hello_type 1 }
    # plain HTTP hosts, matched on the Host header of the buffered request
    acl pihole     hdr(host) -i pihole.xxxxx.de
    acl piholecf   hdr(host) -i piholecf.xxxxx.cf
    acl vault_http hdr(host) -i vault.xxxxx.de
    acl virt1_http hdr(host) -i virt1.xxxxx.de
    # TLS hosts, matched on the SNI sent in clear in the ClientHello
    acl overwatch req_ssl_sni -i overwatch.xxxxx.de
    acl vault     req_ssl_sni -i vault.xxxxx.de
    acl virt1     req_ssl_sni -i virt1.xxxxx.de
    use_backend pihole        if pihole
    use_backend piholecf      if piholecf
    use_backend vault         if vault_http
    use_backend virt1         if virt1_http
    use_backend overwatch_ssl if overwatch   # backend not included in this excerpt
    use_backend vault_ssl     if vault
    use_backend virt1_ssl     if virt1
    # no default_backend: a connection that matches nothing is closed

###################################
# pihole #
###################################
backend pihole
    mode tcp
    # explicit port; without one HAProxy reuses the port the client connected to
    server pihole 172.30.0.150:80
###################################
###################################
backend piholecf
    mode tcp
    server pihole 172.30.0.150:80
###################################
# vault #
###################################
backend vault
    mode tcp
    server vault 172.30.0.153:80
###################################
###################################
backend vault_ssl
    mode tcp
    # TLS passthrough with session-ID persistence: a resumed TLS session must
    # land on the server that holds the session cache. The session ID length
    # is one byte at offset 43 of both ClientHello and ServerHello, the ID
    # (at most 32 bytes) starts at offset 44, hence payload_lv(43,1).
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    # the ServerHello is in the response buffer, so use the response-side fetch
    acl serverhello rep_ssl_hello_type 2
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    # no inspect delay on the response side by default
    tcp-response content accept if serverhello
    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello
    # health check: send a ClientHello and expect a ServerHello back
    option ssl-hello-chk
    server vault 172.30.0.153:443 check
###################################
# virt1 #
###################################
backend virt1
    mode tcp
    server virt1 172.30.0.201:80
###################################
###################################
backend virt1_ssl
    mode tcp
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    tcp-response content accept if serverhello
    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello
    option ssl-hello-chk
    # 'verify none' only applies when HAProxy itself speaks TLS to the server
    # (server ... ssl); in TCP passthrough the browser sees virt1's certificate
    # directly, so nothing is verified or skipped by HAProxy here
    server virt1 172.30.0.201:443 check verify none
pihole and piholecf are HTTP only.
vault is HTTP and HTTPS.
virt1 is HTTP and HTTPS without certificate verification (similar to Cloudflare's 'Full' SSL mode; use it for self-signed or expired certificates).
Hopefully this helps you click through the frontend.
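As an added example that is not part of this thread (neither the poster's config nor HAProxy code), the following Python script builds a constructed TLS ClientHello and pulls out exactly the fields the TCP-mode fetches in the config above read before any key exchange happens: the handshake type at offset 5 (req_ssl_hello_type), the client version at offsets 9-10 (req.ssl_ver), the session-ID length byte at offset 43 (payload_lv(43,1), the stick-table key) and the server_name extension (req_ssl_sni). The BACKENDS map and choose_backend are hypothetical stand-ins for the use_backend rules; the cipher suites and random bytes are fixed constructed values, not captured traffic.

```python
"""Parse the TLS ClientHello fields that HAProxy's TCP-mode fetches inspect,
run on a constructed ClientHello (added example, no real traffic involved)."""
import struct

# Hypothetical SNI -> backend map mirroring the use_backend/req_ssl_sni pairs
# in the posted config; not part of HAProxy or of the thread.
BACKENDS = {
    "overwatch.xxxxx.de": "overwatch_ssl",
    "vault.xxxxx.de": "vault_ssl",
    "virt1.xxxxx.de": "virt1_ssl",
}


def build_client_hello(server_name, session_id=b"", version=(3, 3)):
    """Build a minimal TLS ClientHello record (constructed test input).

    version is (major, minor): (3, 0) = SSLv3, (3, 1) = TLS 1.0, (3, 3) = TLS 1.2;
    a TLS 1.3 client also puts 3.3 in this legacy field.
    """
    if len(session_id) > 32:
        raise ValueError("session id is at most 32 bytes")
    host = server_name.encode("ascii")
    random_bytes = bytes(range(32))          # fixed instead of random: fine for a parser test
    cipher_suites = b"\x13\x01\xc0\x2f"      # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    compression = b"\x00"                    # null compression only
    # server_name extension (type 0): list length, name_type 0 = host_name, name length, name
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (bytes(version) + random_bytes
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake  # 0x16 = handshake record


def parse_client_hello(data):
    """Return the fields HAProxy sees before any plaintext: offset 5
    (req_ssl_hello_type), offsets 9-10 (req.ssl_ver), offset 43
    (payload_lv(43,1), the session-ID length) and the SNI (req_ssl_sni)."""
    if len(data) < 44 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hello_type = data[5]
    if hello_type != 1:
        raise ValueError("not a ClientHello")
    major, minor = data[9], data[10]
    sid_len = data[43]
    pos = 44
    session_id = data[pos:pos + sid_len]     # what the stick-table keys on
    pos += sid_len
    cs_len = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2 + cs_len                        # skip cipher suites
    pos += 1 + data[pos]                     # skip compression methods
    sni = None
    if pos + 2 <= len(data):
        ext_len = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(data))
        while pos + 4 <= end:
            ext_type, ext_body_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type == 0:                # server_name: skip list length (2) and name_type (1)
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                sni = data[pos + 5:pos + 5 + name_len].decode("ascii").lower()
            pos += ext_body_len
    return {"hello_type": hello_type, "version": f"{major}.{minor}",
            "session_id": session_id, "sni": sni}


def choose_backend(data):
    """Mimic the frontend's rule order: reject SSLv3 first, then pick a backend
    by SNI (case-insensitive, like 'req_ssl_sni -i'); with no default_backend
    an unknown name gets nothing."""
    hello = parse_client_hello(data)
    if hello["version"] == "3.0":            # tcp-request content reject if sslv3
        return "reject"
    return BACKENDS.get(hello["sni"], "no backend")


if __name__ == "__main__":
    sample = build_client_hello("Vault.xxxxx.de", session_id=bytes.fromhex("aa" * 16))
    print(parse_client_hello(sample), "->", choose_backend(sample))
```

Running it shows why HAProxy can route and persist encrypted connections without holding any certificate: the SNI and the session ID travel in clear in the very first record. Two caveats when relying on this: a TLS 1.3 client still writes 3.3 into the legacy version field and sends a fresh random 32-byte legacy session ID on every connection, so the session-ID stickiness only does real work for TLS 1.2 and older; and the version check rejects SSL 3.0 only, TLS 1.0 (3.1) still passes.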