Hello Guys!
I need your help, please. I have a opnsense vm with haproxy. All my services works well behind haproxy, but vaultwarden with websocket support dont works well. The HAproxy config works well. The sslqulabs test gives me a 100% certificate in all 4 catecories.
Here is my config:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_backend
# tuning options
timeout client 30s
# logging options
# Frontend: 1_HTTP_frontend (Listening on 127.0.0.1:80)
frontend 1_HTTP_frontend
bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: NoSSL_condition
acl acl_636976fd9d4d71.97561865 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_636976fd9d4d71.97561865
# Frontend: 1_HTTPS_frontend (Listening on 127.0.0.1:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/636aad8d3cbe18.58884679.certlist
mode http
option http-keep-alive
option forwardfor
# tuning options
timeout client 30s
# logging options
# ACL: nc_carddav
acl acl_636ba4e5b6aa82.28881573 path_end -i /.well-known/carddav
# ACL: nc_caldav
acl acl_636ba2d9f14933.27250118 path_end -i /.well-known/caldav
# ACL: vw_ws_acl01_condition
acl acl_636c2f2b5accd9.55827620 path_beg -i /notifications/hub
# ACL: vw_ws_acl02_condition
acl acl_636cc909734817.72974823 path_beg -i /notifications/hub/negotiate
# ACL: vw_ws_acl03_condition
acl acl_636ccac64fcd74.27409543 path_beg -i /notifications/hub
# ACL: vw_ws_acl04_condition
acl acl_636ccae443ca48.73072029 path_beg -i /notifications/hub/negotiate
# ACTION: nc_carddav_rule
http-request redirect code 301 location /remote.php/dav if acl_636ba4e5b6aa82.28881573
# ACTION: nc_caldav_rule
http-request redirect code 301 location /remote.php/dav if acl_636ba2d9f14933.27250118
# ACTION: PUBLIC_SUBDOMAINS-map_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63653d33935cd3.47503593.txt)]
# ACTION: vw_ws_acl01_rule
use_backend vw_backend if !acl_636c2f2b5accd9.55827620
# ACTION: vw_ws_acl02_rule
use_backend vw_backend if acl_636cc909734817.72974823
# ACTION: vw_ws_acl03_rule
use_backend vw_ws_backend if acl_636ccac64fcd74.27409543
# ACTION: vw_ws_acl04_rule
use_backend vw_ws_backend if !acl_636ccae443ca48.73072029
# Backend: SSL_backend ()
backend SSL_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy
# Backend: office_backend (Onlyoffice)
backend office_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server office_server 10.10.20.8:80
# Backend: vw_backend (Vaultwarden)
backend vw_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server vw_server 10.10.20.7:80
# Backend: mc_backend (Minecraft Server)
backend mc_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server mc_server 10.10.40.4:80
# Backend: cloud_backend (Nextcloud01)
backend cloud_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server cloud_server 10.10.20.5:80
# Backend: demo_backend (Nextcloud02)
backend demo_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server demo_server 10.10.20.6:80
# Backend: kunden_backend (Nextcloud03)
backend kunden_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server kunden_server 10.10.20.11:80
# Backend: vw_ws_backend (Vaultwarden Websocket)
backend vw_ws_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server vw_ws_server 10.10.20.7:3012
# statistics are DISABLED